dridex | c4a179d204f7bb7c4f82d2c0878c3f5cb9ca17fb519dd3b7447e4c3c5b327019

General

Target

f215b4fabb14768f115195da3c9dad3a_JaffaCakes118.dll
Size

1.2MB
MD5

f215b4fabb14768f115195da3c9dad3a
SHA1

8977086bad5f310504bf0c61f36f096f2cb7644b
SHA256

c4a179d204f7bb7c4f82d2c0878c3f5cb9ca17fb519dd3b7447e4c3c5b327019
SHA512

d88438ee561f9d21017f2099b915cf4b5fd4f03b58bf8b139b721b558f41f061b923e564c5fbb9570c5c1337b986810df91de4a7bb2b7dc160c5c5f6022681ca
SSDEEP

24576:AuYfg4LhHr4NFXKJO1aUiDBvZ2+ITHmpclO9Nfpt:Q9cKrUqZWLAcU

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/1192-5-0x0000000002E90000-0x0000000002E91000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

UI0Detect.exewbengine.exelpksetup.exe

pid process

2876 UI0Detect.exe
1832 wbengine.exe
1272 lpksetup.exe
Loads dropped DLL 7 IoCs

Processes:

UI0Detect.exewbengine.exelpksetup.exe

pid process

1192
2876 UI0Detect.exe
1192
1832 wbengine.exe
1192
1272 lpksetup.exe
1192

pid	process
2876	UI0Detect.exe
1832	wbengine.exe
1272	lpksetup.exe

pid	process
1192
2876	UI0Detect.exe
1192
1832	wbengine.exe
1192
1272	lpksetup.exe
1192

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\Auwqk = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\INTERN~1\\QUICKL~1\\USERPI~1\\TaskBar\\KQAYXC~1\\wbengine.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.exeUI0Detect.exewbengine.exelpksetup.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	UI0Detect.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wbengine.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lpksetup.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
2508	rundll32.exe
2508	rundll32.exe
2508	rundll32.exe
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

description	pid	target process
PID 1192 wrote to memory of 2628	1192	UI0Detect.exe
PID 1192 wrote to memory of 2628	1192	UI0Detect.exe
PID 1192 wrote to memory of 2628	1192	UI0Detect.exe
PID 1192 wrote to memory of 2876	1192	UI0Detect.exe
PID 1192 wrote to memory of 2876	1192	UI0Detect.exe
PID 1192 wrote to memory of 2876	1192	UI0Detect.exe
PID 1192 wrote to memory of 2664	1192	wbengine.exe
PID 1192 wrote to memory of 2664	1192	wbengine.exe
PID 1192 wrote to memory of 2664	1192	wbengine.exe
PID 1192 wrote to memory of 1832	1192	wbengine.exe
PID 1192 wrote to memory of 1832	1192	wbengine.exe
PID 1192 wrote to memory of 1832	1192	wbengine.exe
PID 1192 wrote to memory of 1488	1192	lpksetup.exe
PID 1192 wrote to memory of 1488	1192	lpksetup.exe
PID 1192 wrote to memory of 1488	1192	lpksetup.exe
PID 1192 wrote to memory of 1272	1192	lpksetup.exe
PID 1192 wrote to memory of 1272	1192	lpksetup.exe
PID 1192 wrote to memory of 1272	1192	lpksetup.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\f215b4fabb14768f115195da3c9dad3a_JaffaCakes118.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:2508

C:\Windows\system32\UI0Detect.exe
C:\Windows\system32\UI0Detect.exe
1⤵
PID:2628

C:\Users\Admin\AppData\Local\w4gZStXK\UI0Detect.exe
C:\Users\Admin\AppData\Local\w4gZStXK\UI0Detect.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2876

C:\Windows\system32\wbengine.exe
C:\Windows\system32\wbengine.exe
1⤵
PID:2664

C:\Users\Admin\AppData\Local\0H1wE\wbengine.exe
C:\Users\Admin\AppData\Local\0H1wE\wbengine.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1832

C:\Windows\system32\lpksetup.exe
C:\Windows\system32\lpksetup.exe
1⤵
PID:1488

C:\Users\Admin\AppData\Local\y8mhcXe\lpksetup.exe
C:\Users\Admin\AppData\Local\y8mhcXe\lpksetup.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1272

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\0H1wE\XmlLite.dll

Filesize
1.2MB

MD5
41ce6ee7a540676a8428ff8c8328764f

SHA1
37b689212ec870ef6eeb2bbdfec59ae59d764e57

SHA256
a9bd4ffb8e4b5a9665008e75cf0673cf283ffb47d055a5c46a345a01aaf423cc

SHA512
326eee92763ffea4c1b6220dc53ba09c9b71d6fd66157e41e5808971800a567bd6a39ce7dc42fc54eafcaedfabd67c7bd3b974e6e15b015116a80969189de6e0

Download Submit
C:\Users\Admin\AppData\Local\w4gZStXK\WTSAPI32.dll

Filesize
1.2MB

MD5
8f437b49a9a1bd67da877eec1f52e1e8

SHA1
a6475a6eacbdae88dba3b823dc38c126c3cb6e6e

SHA256
77d53d6bac23ca080d32a39a1042b5e0f81730f071f1e63ade28cf4e964ade5d

SHA512
98bb3c8f061257c1960c47093d4c39366967dea1248fbd1a8373b44e7933fa757358c74b184d4f848a6908ee93e36ad1195254e21e7ec9f9ba89562c8f0bdf7a

Download Submit
C:\Users\Admin\AppData\Local\y8mhcXe\slc.dll

Filesize
1.2MB

MD5
22e15fc9521480461aa2ea9ef4e2b489

SHA1
c3b92104e82a8cf9a2c8a7c61e86bef9d8127647

SHA256
966fcf3b3161ff4edf63ba21efaf275e31e528fd02b18372035e00d6e5f0230a

SHA512
a2dcad6f496e1cc0bdd263a14b62cfd6730d87117006101ac0807ee668bb7c153b77355456125abcec4761018eb9496592f2d52e60f5250ea4c6f67216359adc

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Ukatmrkmywz.lnk

Filesize
1KB

MD5
21c6468576fa03d701a08b8c2cf6fa3a

SHA1
abdd87b9f658d2072ed42f1d5ce324e08896294f

SHA256
23f5495f9534f8a61e7187cdaaa195c0d64096a0ab6256621e56d6e53ecd5f13

SHA512
a16030c4e6be18b9c55957ac789e9afd0c1ccfea2d993665ac6a205a9648a595e8fb8cf9de130cbd9b18dc8eeb80c65336b560883f08d07452e85107d09466e8

Download Submit
\Users\Admin\AppData\Local\0H1wE\wbengine.exe

Filesize
1.4MB

MD5
78f4e7f5c56cb9716238eb57da4b6a75

SHA1
98b0b9db6ec5961dbb274eff433a8bc21f7e557b

SHA256
46a4e78ce5f2a4b26f4e9c3ff04a99d9b727a82ac2e390a82a1611c3f6e0c9af

SHA512
1a24ea71624dbbca188ee3b4812e09bc42e7d38ceac02b69940d7693475c792685a23141c8faa85a87ab6aace3f951c1a81facb610d757ac6df37cf2aa65ccd2

Download Submit
\Users\Admin\AppData\Local\w4gZStXK\UI0Detect.exe

Filesize
40KB

MD5
3cbdec8d06b9968aba702eba076364a1

SHA1
6e0fcaccadbdb5e3293aa3523ec1006d92191c58

SHA256
b8dab8aa804fc23021bfebd7ae4d40fbe648d6c6ba21cc008e26d1c084972f9b

SHA512
a8e434c925ef849ecef0efcb4873dbb95eea2821c967b05afbbe5733071cc2293fc94e7fdf1fdaee51cbcf9885b3b72bfd4d690f23af34558b056920263e465d

Download Submit
\Users\Admin\AppData\Local\y8mhcXe\lpksetup.exe

Filesize
638KB

MD5
50d28f3f8b7c17056520c80a29efe17c

SHA1
1b1e62be0a0bdc9aec2e91842c35381297d8f01e

SHA256
71613ea48467d1a0b00f8bcaed270b7527fc5771f540a8eb0515b3a5fdc8604f

SHA512
92bc60402aacf1a62e47335adf8696a5c0d31637e624628d82b6ec1f17e1ee65ae8edf7e8dcd10933f59c892a4a74d8e461945df0991b706a4a53927c5fd3861

Download Submit
memory/1192-37-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/1192-10-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/1192-13-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/1192-12-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/1192-26-0x0000000077231000-0x0000000077232000-memory.dmp

Filesize
4KB

Download
memory/1192-25-0x0000000002AB0000-0x0000000002AB7000-memory.dmp

Filesize
28KB

Download
memory/1192-16-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/1192-15-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/1192-14-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/1192-24-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/1192-30-0x00000000773C0000-0x00000000773C2000-memory.dmp

Filesize
8KB

Download
memory/1192-4-0x0000000077126000-0x0000000077127000-memory.dmp

Filesize
4KB

Download
memory/1192-36-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/1192-5-0x0000000002E90000-0x0000000002E91000-memory.dmp

Filesize
4KB

Download
memory/1192-46-0x0000000077126000-0x0000000077127000-memory.dmp

Filesize
4KB

Download
memory/1192-11-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/1192-8-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/1192-7-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/1192-9-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/1272-91-0x0000000000190000-0x0000000000197000-memory.dmp

Filesize
28KB

Download
memory/1272-97-0x000007FEF6340000-0x000007FEF6471000-memory.dmp

Filesize
1.2MB

Download
memory/1832-73-0x0000000000110000-0x0000000000117000-memory.dmp

Filesize
28KB

Download
memory/1832-74-0x000007FEF6340000-0x000007FEF6471000-memory.dmp

Filesize
1.2MB

Download
memory/1832-79-0x000007FEF6340000-0x000007FEF6471000-memory.dmp

Filesize
1.2MB

Download
memory/2508-45-0x000007FEF6350000-0x000007FEF6480000-memory.dmp

Filesize
1.2MB

Download
memory/2508-0-0x00000000003A0000-0x00000000003A7000-memory.dmp

Filesize
28KB

Download
memory/2508-1-0x000007FEF6350000-0x000007FEF6480000-memory.dmp

Filesize
1.2MB

Download
memory/2876-61-0x000007FEF6960000-0x000007FEF6A91000-memory.dmp

Filesize
1.2MB

Download
memory/2876-60-0x00000000FF870000-0x00000000FF87E000-memory.dmp

Filesize
56KB

Download
memory/2876-55-0x000007FEF6960000-0x000007FEF6A91000-memory.dmp

Filesize
1.2MB

Download
memory/2876-54-0x0000000000290000-0x0000000000297000-memory.dmp

Filesize
28KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads