dridex | acb6b390306be1fe78e2453843386ac52bf9599741957edd013e9c5ea276e467

General

Target

dc2d104b67fcae0ddd6dc0e18b8faaeb_JaffaCakes118.dll
Size

1.2MB
MD5

dc2d104b67fcae0ddd6dc0e18b8faaeb
SHA1

7e2e76bdcd59fa3a06550be0cf8765368cb1c3ad
SHA256

acb6b390306be1fe78e2453843386ac52bf9599741957edd013e9c5ea276e467
SHA512

d61af34102337e7e34f663471c0b8d97887fc275921ef23465cfc105ac1288087ef2e7908b2d3382b1a3564bdd1e0f37f542cc415824f6b5107999a2cfaf5cd8
SSDEEP

24576:0uYfg4LhHr4NFXKJO1aUiDBvZ2+ITHmpclO9N:s9cKrUqZWLAcU

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral2/memory/3492-4-0x0000000007F40000-0x0000000007F41000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

GamePanel.exeWindowsActionDialog.exewextract.exe

pid process

3556 GamePanel.exe
2400 WindowsActionDialog.exe
5112 wextract.exe
Loads dropped DLL 3 IoCs

Processes:

GamePanel.exeWindowsActionDialog.exewextract.exe

pid process

3556 GamePanel.exe
2400 WindowsActionDialog.exe
5112 wextract.exe

pid	process
3556	GamePanel.exe
2400	WindowsActionDialog.exe
5112	wextract.exe

pid	process
3556	GamePanel.exe
2400	WindowsActionDialog.exe
5112	wextract.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Qebzqfuc = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Crypto\\Keys\\1ddo1\\WindowsActionDialog.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.exeGamePanel.exeWindowsActionDialog.exewextract.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	GamePanel.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	WindowsActionDialog.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wextract.exe

Modifies registry class 1 IoCs

Processes:

description ioc process

Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
2172	rundll32.exe
2172	rundll32.exe
2172	rundll32.exe
2172	rundll32.exe
3492
3492
3492
3492
3492
3492
3492
3492
3492
3492
3492
3492
3492
3492
3492
3492
3492
3492
3492
3492
3492
3492
3492
3492
3492
3492
3492
3492
3492
3492
3492
3492
3492
3492
3492
3492
3492
3492
3492
3492
3492
3492
3492
3492
3492
3492
3492
3492
3492
3492
3492
3492
3492
3492
3492
3492
3492
3492
3492
3492

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

description	pid	process
Token: SeShutdownPrivilege	3492
Token: SeCreatePagefilePrivilege	3492
Token: SeShutdownPrivilege	3492
Token: SeCreatePagefilePrivilege	3492
Token: SeShutdownPrivilege	3492
Token: SeCreatePagefilePrivilege	3492
Token: SeShutdownPrivilege	3492
Token: SeCreatePagefilePrivilege	3492

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

pid process

3492
3492
Suspicious use of UnmapMainImage 1 IoCs

Processes:

pid process

3492

pid	process
3492
3492

pid	process
3492

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

description	pid	target process
PID 3492 wrote to memory of 2152	3492	GamePanel.exe
PID 3492 wrote to memory of 2152	3492	GamePanel.exe
PID 3492 wrote to memory of 3556	3492	GamePanel.exe
PID 3492 wrote to memory of 3556	3492	GamePanel.exe
PID 3492 wrote to memory of 3564	3492	WindowsActionDialog.exe
PID 3492 wrote to memory of 3564	3492	WindowsActionDialog.exe
PID 3492 wrote to memory of 2400	3492	WindowsActionDialog.exe
PID 3492 wrote to memory of 2400	3492	WindowsActionDialog.exe
PID 3492 wrote to memory of 4336	3492	wextract.exe
PID 3492 wrote to memory of 4336	3492	wextract.exe
PID 3492 wrote to memory of 5112	3492	wextract.exe
PID 3492 wrote to memory of 5112	3492	wextract.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\dc2d104b67fcae0ddd6dc0e18b8faaeb_JaffaCakes118.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:2172

C:\Windows\system32\GamePanel.exe
C:\Windows\system32\GamePanel.exe
1⤵
PID:2152

C:\Users\Admin\AppData\Local\pVhB\GamePanel.exe
C:\Users\Admin\AppData\Local\pVhB\GamePanel.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:3556

C:\Windows\system32\WindowsActionDialog.exe
C:\Windows\system32\WindowsActionDialog.exe
1⤵
PID:3564

C:\Users\Admin\AppData\Local\qmzZtx\WindowsActionDialog.exe
C:\Users\Admin\AppData\Local\qmzZtx\WindowsActionDialog.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2400

C:\Windows\system32\wextract.exe
C:\Windows\system32\wextract.exe
1⤵
PID:4336

C:\Users\Admin\AppData\Local\mu7\wextract.exe
C:\Users\Admin\AppData\Local\mu7\wextract.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:5112

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\mu7\VERSION.dll

Filesize
1.2MB

MD5
80ab9571916942ff7fb0394e37fca1bb

SHA1
8d5089c6a1d63301bc6c32947b19b08d7d3bb3d7

SHA256
a621638232feaf7b54e4f1c9a0c84b7fee912a2fb0c98b5cb84ba199e7cbf9ac

SHA512
2c2ced4abd6c79511dccb67f3c60865535fdd9552a7802736d3222dff19bc2013ab651ff843b6e3bcb4cb3eda5bb303d4963ccda04c1db5af3673d17bc85fdff

Download Submit
C:\Users\Admin\AppData\Local\mu7\wextract.exe

Filesize
143KB

MD5
56e501e3e49cfde55eb1caabe6913e45

SHA1
ab2399cbf17dbee7b302bea49e40d4cee7caea76

SHA256
fbb6dc62abeeb222b49a63f43dc6eea96f3d7e9a8da55381c15d57a5d099f3e0

SHA512
2b536e86cbd8ab026529ba2c72c0fda97e9b6f0bc4fd96777024155852670cb41d17937cde372a44cdbad3e53b8cd3ef1a4a3ee9b34dfb3c2069822095f7a172

Download Submit
C:\Users\Admin\AppData\Local\pVhB\GamePanel.exe

Filesize
1.2MB

MD5
266f6a62c16f6a889218800762b137be

SHA1
31b9bd85a37bf0cbb38a1c30147b83671458fa72

SHA256
71f8f11f26f3a7c1498373f20f0f4cc960513d0383fe24906eeb1bc9678beecd

SHA512
b21d9b0656ab6bd3b158922722a332f07096ddd4215c802776c5807c9cf6ece40082dd986ea6867bdc8d22878ce035a5c8dfcc26cfae94aeee059701b6bf1e68

Download Submit
C:\Users\Admin\AppData\Local\pVhB\dwmapi.dll

Filesize
1.2MB

MD5
ae71b3f9255a904f4868aa46ea0c5f4c

SHA1
224f205adca8ff2d6bc6669e187bfa2c3ab1e1c5

SHA256
1f4b62979296e2f8d54ed15870830e49dccc72a88ba530819960d16d220a5c4a

SHA512
01a59bbd91a4a5a9214fb4ac00796048da33dd822e01cd2469d0137de76f4376b85e5c18cdd9ffc4fef021ef6496667d980f829badc393bf5b4c8251da608b94

Download Submit
C:\Users\Admin\AppData\Local\qmzZtx\DUI70.dll

Filesize
1.4MB

MD5
d6ecf59aeb1965a7007d8a994fc9f770

SHA1
0a9585f1fcd8141bfa6b08d06f0a996c2cefbd52

SHA256
bd63a9fa45c1c676e507e475e409657833b2a98ebf7043cc9608fea011772e2c

SHA512
62b7ee375a45dc50a77d638e5a2f7f44469f07fa2cadf0d2185508af3f8e63388a6c2b49c49ecea10c00e7c2fd913ea50514f158ae7b375208b01a4e837b8895

Download Submit
C:\Users\Admin\AppData\Local\qmzZtx\WindowsActionDialog.exe

Filesize
61KB

MD5
73c523b6556f2dc7eefc662338d66f8d

SHA1
1e6f9a1d885efa4d76f1e7a8be2e974f2b65cea5

SHA256
0c6397bfbcd7b1fcefb6de01a506578e36651725a61078c69708f1f92c41ea31

SHA512
69d0f23d1abaad657dd4672532936ef35f0e9d443caf9e19898017656a66ed46e75e7e05261c7e7636799c58feccd01dc93975d6a598cbb73242ddb48c6ec912

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Plbydas.lnk

Filesize
998B

MD5
7c5521a4a874a178a335d26b29187812

SHA1
a81249fcc9efab1512f8b4b515da5c9ce3a8477c

SHA256
0e190369fb3e4f72679966bc80d03fb38d69fa0602c15996fd9605ca1b04fa18

SHA512
1ae2bdad757c0796ac83a6aac738890cc63757ccc9d37c10938b1777da9aabe529649ed175a5a32d3e1d253180f5972429bdc146d45fa2d48107559968ad1b7a

Download Submit
memory/2172-0-0x000001EF2AC10000-0x000001EF2AC17000-memory.dmp

Filesize
28KB

Download
memory/2172-39-0x00007FFDFAE10000-0x00007FFDFAF42000-memory.dmp

Filesize
1.2MB

Download
memory/2172-1-0x00007FFDFAE10000-0x00007FFDFAF42000-memory.dmp

Filesize
1.2MB

Download
memory/2400-63-0x000001427D5B0000-0x000001427D5B7000-memory.dmp

Filesize
28KB

Download
memory/2400-64-0x00007FFDEBC00000-0x00007FFDEBD78000-memory.dmp

Filesize
1.5MB

Download
memory/2400-69-0x00007FFDEBC00000-0x00007FFDEBD78000-memory.dmp

Filesize
1.5MB

Download
memory/3492-17-0x0000000140000000-0x0000000140132000-memory.dmp

Filesize
1.2MB

Download
memory/3492-12-0x0000000140000000-0x0000000140132000-memory.dmp

Filesize
1.2MB

Download
memory/3492-9-0x0000000140000000-0x0000000140132000-memory.dmp

Filesize
1.2MB

Download
memory/3492-8-0x0000000140000000-0x0000000140132000-memory.dmp

Filesize
1.2MB

Download
memory/3492-7-0x0000000140000000-0x0000000140132000-memory.dmp

Filesize
1.2MB

Download
memory/3492-4-0x0000000007F40000-0x0000000007F41000-memory.dmp

Filesize
4KB

Download
memory/3492-11-0x0000000140000000-0x0000000140132000-memory.dmp

Filesize
1.2MB

Download
memory/3492-6-0x00007FFE082BA000-0x00007FFE082BB000-memory.dmp

Filesize
4KB

Download
memory/3492-16-0x0000000140000000-0x0000000140132000-memory.dmp

Filesize
1.2MB

Download
memory/3492-36-0x0000000140000000-0x0000000140132000-memory.dmp

Filesize
1.2MB

Download
memory/3492-10-0x0000000140000000-0x0000000140132000-memory.dmp

Filesize
1.2MB

Download
memory/3492-13-0x0000000140000000-0x0000000140132000-memory.dmp

Filesize
1.2MB

Download
memory/3492-14-0x0000000140000000-0x0000000140132000-memory.dmp

Filesize
1.2MB

Download
memory/3492-15-0x0000000140000000-0x0000000140132000-memory.dmp

Filesize
1.2MB

Download
memory/3492-25-0x0000000140000000-0x0000000140132000-memory.dmp

Filesize
1.2MB

Download
memory/3492-29-0x0000000007F00000-0x0000000007F07000-memory.dmp

Filesize
28KB

Download
memory/3492-30-0x00007FFE095D0000-0x00007FFE095E0000-memory.dmp

Filesize
64KB

Download
memory/3556-46-0x000001B2BFCF0000-0x000001B2BFCF7000-memory.dmp

Filesize
28KB

Download
memory/3556-47-0x00007FFDEBBA0000-0x00007FFDEBCD3000-memory.dmp

Filesize
1.2MB

Download
memory/3556-52-0x00007FFDEBBA0000-0x00007FFDEBCD3000-memory.dmp

Filesize
1.2MB

Download
memory/5112-85-0x00007FFDEBC40000-0x00007FFDEBD73000-memory.dmp

Filesize
1.2MB

Download
memory/5112-80-0x00007FFDEBC40000-0x00007FFDEBD73000-memory.dmp

Filesize
1.2MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads