dridex | afd7750169a65f560917f45bdad20b3785d3b8ea3bb4e4335d6a978ceec931ad

General

Target

f7438adb2b9d8c162cdf100bec85ad75_JaffaCakes118.dll
Size

1.2MB
MD5

f7438adb2b9d8c162cdf100bec85ad75
SHA1

f0f7120fb5ed5cad398c73272d21335f3c63ab5f
SHA256

afd7750169a65f560917f45bdad20b3785d3b8ea3bb4e4335d6a978ceec931ad
SHA512

43624aeb1fd754fd98b02e6bac5e08fe64307ab2f393d8493dda6b2bed8550a01d03ed4730a81c04abc40239c46413f40a81c73565a4a8b6e7c4e8f47aa764ef
SSDEEP

24576:3uYfg4LhHr4NFXKJO1aUiDBvZ2+ITHmpclO9N:59cKrUqZWLAcU

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/1216-5-0x0000000002F00000-0x0000000002F01000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

SoundRecorder.exeBdeUISrv.exeSystemPropertiesAdvanced.exe

pid process

2688 SoundRecorder.exe
2036 BdeUISrv.exe
2004 SystemPropertiesAdvanced.exe
Loads dropped DLL 7 IoCs

Processes:

SoundRecorder.exeBdeUISrv.exeSystemPropertiesAdvanced.exe

pid process

1216
2688 SoundRecorder.exe
1216
2036 BdeUISrv.exe
1216
2004 SystemPropertiesAdvanced.exe
1216

pid	process
2688	SoundRecorder.exe
2036	BdeUISrv.exe
2004	SystemPropertiesAdvanced.exe

pid	process
1216
2688	SoundRecorder.exe
1216
2036	BdeUISrv.exe
1216
2004	SystemPropertiesAdvanced.exe
1216

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\Auwqk = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\Windows\\PRINTE~1\\Xyd239\\BdeUISrv.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.exeSoundRecorder.exeBdeUISrv.exeSystemPropertiesAdvanced.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SoundRecorder.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	BdeUISrv.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SystemPropertiesAdvanced.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
1800	rundll32.exe
1800	rundll32.exe
1800	rundll32.exe
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

description	pid	target process
PID 1216 wrote to memory of 2704	1216	SoundRecorder.exe
PID 1216 wrote to memory of 2704	1216	SoundRecorder.exe
PID 1216 wrote to memory of 2704	1216	SoundRecorder.exe
PID 1216 wrote to memory of 2688	1216	SoundRecorder.exe
PID 1216 wrote to memory of 2688	1216	SoundRecorder.exe
PID 1216 wrote to memory of 2688	1216	SoundRecorder.exe
PID 1216 wrote to memory of 2772	1216	BdeUISrv.exe
PID 1216 wrote to memory of 2772	1216	BdeUISrv.exe
PID 1216 wrote to memory of 2772	1216	BdeUISrv.exe
PID 1216 wrote to memory of 2036	1216	BdeUISrv.exe
PID 1216 wrote to memory of 2036	1216	BdeUISrv.exe
PID 1216 wrote to memory of 2036	1216	BdeUISrv.exe
PID 1216 wrote to memory of 484	1216	SystemPropertiesAdvanced.exe
PID 1216 wrote to memory of 484	1216	SystemPropertiesAdvanced.exe
PID 1216 wrote to memory of 484	1216	SystemPropertiesAdvanced.exe
PID 1216 wrote to memory of 2004	1216	SystemPropertiesAdvanced.exe
PID 1216 wrote to memory of 2004	1216	SystemPropertiesAdvanced.exe
PID 1216 wrote to memory of 2004	1216	SystemPropertiesAdvanced.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\f7438adb2b9d8c162cdf100bec85ad75_JaffaCakes118.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:1800

C:\Windows\system32\SoundRecorder.exe
C:\Windows\system32\SoundRecorder.exe
1⤵
PID:2704

C:\Users\Admin\AppData\Local\gsm742h6\SoundRecorder.exe
C:\Users\Admin\AppData\Local\gsm742h6\SoundRecorder.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2688

C:\Windows\system32\BdeUISrv.exe
C:\Windows\system32\BdeUISrv.exe
1⤵
PID:2772

C:\Users\Admin\AppData\Local\szO\BdeUISrv.exe
C:\Users\Admin\AppData\Local\szO\BdeUISrv.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2036

C:\Windows\system32\SystemPropertiesAdvanced.exe
C:\Windows\system32\SystemPropertiesAdvanced.exe
1⤵
PID:484

C:\Users\Admin\AppData\Local\mQ2AQR\SystemPropertiesAdvanced.exe
C:\Users\Admin\AppData\Local\mQ2AQR\SystemPropertiesAdvanced.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2004

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\gsm742h6\WINMM.dll

Filesize
1.2MB

MD5
414678d38c888f6959135f0b64da438f

SHA1
e936179e8767ca9a69204d11f259fcd0e7d33670

SHA256
8354ae3ff4bad8a076b927c923cbf85cd750473fa298f40ee8cfc1c7c2db1944

SHA512
79e2af34470162985d236a04ada4b1503b759056500b03f8c52aceb265e407fd82d97e4738fceea954b810329662ec3cfd84e4b07e97def0c573cdefb265d2fc

Download Submit
C:\Users\Admin\AppData\Local\mQ2AQR\SYSDM.CPL

Filesize
1.2MB

MD5
ea613f6f67c2a41d43f9f7a1fc22f54e

SHA1
f842ffdc72bd6c8cb2654d95f461d2e7bb26d14a

SHA256
7a193c003d1d9e2e5ce5644da86dc5e455053523ca1680c87300ea0a1148695b

SHA512
a152c3f4f0c38093872c05e869e469a5ad6e768767744262fbbe3eee2c647e621656dab1cf858320736472495f64b410501777fd3092ece94a7e49522e250744

Download Submit
C:\Users\Admin\AppData\Local\szO\WTSAPI32.dll

Filesize
1.2MB

MD5
b1a4dc943eaf1584034b74ad00519360

SHA1
23966ef5fa6acd73710ecd9ecd23c961ac9253cf

SHA256
e601c10648e453d1779995bce035eb66d468d5860b5c77b2df5d1ebfd8796e16

SHA512
e7b4d259ad9383f4d86ae71811561a955979401df9be1e44fe64f21a7656a06dc681cab35f111a05fd7562a20957840c72b86bccb48148ad39b75dc2de179d7f

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Ukatmrkmywz.lnk

Filesize
1KB

MD5
4c85d99d1efb5f5748d14c29015f28c7

SHA1
bb21c85da6c670408e39459b63d6b8ea5d2238b3

SHA256
d66faf685e690810c8f5dcf22d3d2c9e58ec0d657f135a7d9cd35cbbdd194683

SHA512
0c955047bbea24e5391369b10ec0242e90fa3cb6f5718db3a7d907ac28dc4cf1bbafc578f022837ad97b74f512670456aa776ace4e4d8389925d467d5d90fd0b

Download Submit
\Users\Admin\AppData\Local\gsm742h6\SoundRecorder.exe

Filesize
139KB

MD5
47f0f526ad4982806c54b845b3289de1

SHA1
8420ea488a2e187fe1b7fcfb53040d10d5497236

SHA256
e81b11fe30b16fa4e3f08810513c245248adce8566355a8f2a19c63b1143ff5b

SHA512
4c9a1aa5ed55087538c91a77d7420932263b69e59dc57b1db738e59624265b734bf29e2b6ed8d0adb2e0dec5763bfbf86876fd7d1139c21e829001c7868d515d

Download Submit
\Users\Admin\AppData\Local\mQ2AQR\SystemPropertiesAdvanced.exe

Filesize
80KB

MD5
25dc1e599591871c074a68708206e734

SHA1
27a9dffa92d979d39c07d889fada536c062dac77

SHA256
a13b2ba5892c11c731869410b1e3dd2f250d70ff9efd513a9f260ab506dd42ef

SHA512
f7da9ce4c3e8aea9095fcc977084c042f85df48fca0b58fb136dfd835ce69b5b1e68f3c11eeb14c617ffcec7011ffc7e5d5a948f49dde653a2348b28e10adb72

Download Submit
\Users\Admin\AppData\Local\szO\BdeUISrv.exe

Filesize
47KB

MD5
1da6b19be5d4949c868a264bc5e74206

SHA1
d5ee86ba03a03ef8c93d93accafe40461084c839

SHA256
00330a0e0eb1dbb6ee84997963f8e15c7c15c1df787f1c7f109609d7b31bd35c

SHA512
9cee858c55eb0852e5bad53a675a094ae591b46b07afe9fb4224cac32e0be577fe36c1ed3e9f6bda4d4eb0c924a773d00e3181cd97f07e24c6c68c70f2b002c6

Download Submit
memory/1216-15-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/1216-25-0x0000000002EE0000-0x0000000002EE7000-memory.dmp

Filesize
28KB

Download
memory/1216-4-0x00000000774D6000-0x00000000774D7000-memory.dmp

Filesize
4KB

Download
memory/1216-14-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/1216-13-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/1216-12-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/1216-11-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/1216-10-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/1216-8-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/1216-26-0x00000000775E1000-0x00000000775E2000-memory.dmp

Filesize
4KB

Download
memory/1216-27-0x0000000077770000-0x0000000077772000-memory.dmp

Filesize
8KB

Download
memory/1216-36-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/1216-37-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/1216-5-0x0000000002F00000-0x0000000002F01000-memory.dmp

Filesize
4KB

Download
memory/1216-46-0x00000000774D6000-0x00000000774D7000-memory.dmp

Filesize
4KB

Download
memory/1216-16-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/1216-24-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/1216-7-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/1216-9-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/1800-45-0x000007FEF66E0000-0x000007FEF6810000-memory.dmp

Filesize
1.2MB

Download
memory/1800-0-0x000007FEF66E0000-0x000007FEF6810000-memory.dmp

Filesize
1.2MB

Download
memory/1800-3-0x0000000000120000-0x0000000000127000-memory.dmp

Filesize
28KB

Download
memory/2004-89-0x0000000000430000-0x0000000000437000-memory.dmp

Filesize
28KB

Download
memory/2004-95-0x000007FEF66D0000-0x000007FEF6801000-memory.dmp

Filesize
1.2MB

Download
memory/2036-72-0x000007FEF66D0000-0x000007FEF6801000-memory.dmp

Filesize
1.2MB

Download
memory/2036-77-0x000007FEF66D0000-0x000007FEF6801000-memory.dmp

Filesize
1.2MB

Download
memory/2688-60-0x000007FEF6CF0000-0x000007FEF6E22000-memory.dmp

Filesize
1.2MB

Download
memory/2688-55-0x000007FEF6CF0000-0x000007FEF6E22000-memory.dmp

Filesize
1.2MB

Download
memory/2688-54-0x0000000000110000-0x0000000000117000-memory.dmp

Filesize
28KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads