dridex | 2044e2521531c1a0b7f8f2d22ac397bd632c2985e2c1e1d479bb2dcc35f9b094

General

Target

f7edf14bfa55dd4235c32177c4cba776_JaffaCakes118.dll
Size

868KB
MD5

f7edf14bfa55dd4235c32177c4cba776
SHA1

ba1bbfca1c2e05f1ae2c3390e97acbde99e28f2a
SHA256

2044e2521531c1a0b7f8f2d22ac397bd632c2985e2c1e1d479bb2dcc35f9b094
SHA512

9bb89ce389c05868b8b067fa2bff1303a474a79a15b33d77ac0ffb155ae10ba3cc9fabf0c6dcca8d830fde9760e030b9631587226876fe42a7bafa61646dc435
SSDEEP

12288:LkbQEkWqv+157EYfxarhwLNuR7ek1tHffB/HzTyNQ6NIeGYr/R:LkbHkWfzZ5adwLNGeStHntqN7v

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral2/memory/3276-3-0x0000000002820000-0x0000000002821000-memory.dmp	dridex_stager_shellcode

Dridex payload 11 IoCs

Detects Dridex x64 core DLL in memory.

botnet payload

Processes:

resource	yara_rule
behavioral2/memory/4140-0-0x00007FFAA22F0000-0x00007FFAA23C9000-memory.dmp	dridex_payload
behavioral2/memory/3276-24-0x0000000140000000-0x00000001400D9000-memory.dmp	dridex_payload
behavioral2/memory/3276-31-0x0000000140000000-0x00000001400D9000-memory.dmp	dridex_payload
behavioral2/memory/3276-42-0x0000000140000000-0x00000001400D9000-memory.dmp	dridex_payload
behavioral2/memory/4140-45-0x00007FFAA22F0000-0x00007FFAA23C9000-memory.dmp	dridex_payload
behavioral2/memory/1232-53-0x00007FFA929C0000-0x00007FFA92ADF000-memory.dmp	dridex_payload
behavioral2/memory/1232-57-0x00007FFA929C0000-0x00007FFA92ADF000-memory.dmp	dridex_payload
behavioral2/memory/2172-68-0x00007FFA92AA0000-0x00007FFA92B7B000-memory.dmp	dridex_payload
behavioral2/memory/2172-73-0x00007FFA92AA0000-0x00007FFA92B7B000-memory.dmp	dridex_payload
behavioral2/memory/4744-84-0x00007FFA92AA0000-0x00007FFA92B7A000-memory.dmp	dridex_payload
behavioral2/memory/4744-89-0x00007FFA92AA0000-0x00007FFA92B7A000-memory.dmp	dridex_payload

Executes dropped EXE 3 IoCs

Processes:

phoneactivate.exeRdpSa.exeCloudNotifications.exe

pid process

1232 phoneactivate.exe
2172 RdpSa.exe
4744 CloudNotifications.exe
Loads dropped DLL 3 IoCs

Processes:

phoneactivate.exeRdpSa.exeCloudNotifications.exe

pid process

1232 phoneactivate.exe
2172 RdpSa.exe
4744 CloudNotifications.exe

pid	process
1232	phoneactivate.exe
2172	RdpSa.exe
4744	CloudNotifications.exe

pid	process
1232	phoneactivate.exe
2172	RdpSa.exe
4744	CloudNotifications.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Lfrlnvcigtdv = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\Windows\\STARTM~1\\Programs\\ACCESS~2\\FNU9DP~1\\RdpSa.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.exephoneactivate.exeRdpSa.exeCloudNotifications.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	phoneactivate.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RdpSa.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	CloudNotifications.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
4140	rundll32.exe
4140	rundll32.exe
4140	rundll32.exe
4140	rundll32.exe
3276
3276
3276
3276
3276
3276
3276
3276
3276
3276
3276
3276
3276
3276
3276
3276
3276
3276
3276
3276
3276
3276
3276
3276
3276
3276
3276
3276
3276
3276
3276
3276
3276
3276
3276
3276
3276
3276
3276
3276
3276
3276
3276
3276
3276
3276
3276
3276
3276
3276
3276
3276
3276
3276
3276
3276
3276
3276
3276
3276

Suspicious use of UnmapMainImage 1 IoCs

Processes:

pid process

3276

pid	process
3276

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

description	pid	target process
PID 3276 wrote to memory of 928	3276	phoneactivate.exe
PID 3276 wrote to memory of 928	3276	phoneactivate.exe
PID 3276 wrote to memory of 1232	3276	phoneactivate.exe
PID 3276 wrote to memory of 1232	3276	phoneactivate.exe
PID 3276 wrote to memory of 4880	3276	RdpSa.exe
PID 3276 wrote to memory of 4880	3276	RdpSa.exe
PID 3276 wrote to memory of 2172	3276	RdpSa.exe
PID 3276 wrote to memory of 2172	3276	RdpSa.exe
PID 3276 wrote to memory of 4456	3276	CloudNotifications.exe
PID 3276 wrote to memory of 4456	3276	CloudNotifications.exe
PID 3276 wrote to memory of 4744	3276	CloudNotifications.exe
PID 3276 wrote to memory of 4744	3276	CloudNotifications.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\f7edf14bfa55dd4235c32177c4cba776_JaffaCakes118.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:4140

C:\Windows\system32\phoneactivate.exe
C:\Windows\system32\phoneactivate.exe
1⤵
PID:928

C:\Users\Admin\AppData\Local\5IMF8F\phoneactivate.exe
C:\Users\Admin\AppData\Local\5IMF8F\phoneactivate.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1232

C:\Windows\system32\RdpSa.exe
C:\Windows\system32\RdpSa.exe
1⤵
PID:4880

C:\Users\Admin\AppData\Local\1Ebq\RdpSa.exe
C:\Users\Admin\AppData\Local\1Ebq\RdpSa.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2172

C:\Windows\system32\CloudNotifications.exe
C:\Windows\system32\CloudNotifications.exe
1⤵
PID:4456

C:\Users\Admin\AppData\Local\TEo3u4Fp\CloudNotifications.exe
C:\Users\Admin\AppData\Local\TEo3u4Fp\CloudNotifications.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:4744

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Query Registry

1

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\1Ebq\RdpSa.exe
Filesize
56KB

MD5
5992f5b5d0b296b83877da15b54dd1b4

SHA1
0d87be8d4b7aeada4b55d1d05c0539df892f8f82

SHA256
32f60eabe54c4d0cd0f0ec29f48f55ca1ad097bf35097247b186fd70426f847c

SHA512
4f6da913af530301da1d0638aa2635ada446ebee6e27b5059db5c2b7fe439162ac3b1a595ecf4163a093890df9ac94d9085a53d8c991e48703f9d2691326e7e6

Download Submit
C:\Users\Admin\AppData\Local\1Ebq\WINSTA.dll
Filesize
876KB

MD5
75e0834b1ce86b3c3a288703321bfb14

SHA1
8dc368a64af2d3a5d0c875a9f963ba67f9345488

SHA256
36a6abc7e17c88d337092a9b8579c9c4c28541f455d54f465b8e322b28c2de2b

SHA512
8fa053a99e46505e0e2a9f4c8cdc48968f5d1facc139f7324560056806bc994ddd998f0cb91956fdb1b1755a53c22d51e4fb57eebfda4ca76896a79fbf020bef

Download Submit
C:\Users\Admin\AppData\Local\5IMF8F\DUI70.dll
Filesize
1.1MB

MD5
cfdd962558b78c1b045c9a72721ac6a4

SHA1
a77f2a48f64620ade6428ce11123ac72daa8915c

SHA256
1c2ffaa92bcb5ea6aa99d28cc6973a250504de89f90673849084c7dc27475d63

SHA512
ee6fb3e40e03ffe5e898770eec4709f63c6615317461887157617c3cb2b074c1f0ad8e0ce8a2b2ddb386643967b680b83f9e2f6ebe496d7e9b560570bf12f8d5

Download Submit
C:\Users\Admin\AppData\Local\5IMF8F\phoneactivate.exe
Filesize
107KB

MD5
32c31f06e0b68f349f68afdd08e45f3d

SHA1
e4b642f887e2c1d76b6b4777ade91e3cb3b9e27c

SHA256
cea83eb34233fed5ebeef8745c7c581a8adbefbcfc0e30e2d30a81000c821017

SHA512
fe61764b471465b164c9c2202ed349605117d57ceb0eca75acf8bda44e8744c115767ee0caed0b7feb70ba37b477d00805b3fdf0d0fa879dd4c8e3c1dc1c0d26

Download Submit
C:\Users\Admin\AppData\Local\TEo3u4Fp\CloudNotifications.exe
Filesize
59KB

MD5
b50dca49bc77046b6f480db6444c3d06

SHA1
cc9b38240b0335b1763badcceac37aa9ce547f9e

SHA256
96e7e1a3f0f4f6fc6bda3527ab8a739d6dfcab8e534aa7a02b023daebb3c0775

SHA512
2a0504ca336e86b92b2f5eff1c458ebd9df36c496331a7247ef0bb8b82eabd86ade7559ddb47ca4169e8365a97e80e5f1d3c1fc330364dea2450608bd692b1d3

Download Submit
C:\Users\Admin\AppData\Local\TEo3u4Fp\UxTheme.dll
Filesize
872KB

MD5
18f24988d889336dd5a4521b7684e99b

SHA1
d9d023813c602b01c8558495add3865e34b0fda0

SHA256
19c3cb86b1dd4e8bb9dea7921b82dfffb0f0798c0c9584f2acc60293d3c0170e

SHA512
1e90118721858b8d3beaf16110affb820375c94d9eb904adb46fed019fae08a6979d57ae65328b0032afe092fccea6966b0ad9b6c1013b61b62f506037f11c25

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Fxdlif.lnk
Filesize
1KB

MD5
e536ef69e6d41419f5e5f96dc0630f6c

SHA1
9a9a3b85838f4c44f8536b131f69ba0b5ff0fe72

SHA256
c243b7eb68edc77fdf9117945d4b758641002655432cec30a017af57961f3c48

SHA512
bf1946c262476d3816e1b8bb20effedc2199f573b26af56283a6fbb8441bd6bc76a4846ac01a880f04ed6d371db50dde524aec8ba8e2a057f20cc2ff61ca57bc

Download Submit
memory/1232-57-0x00007FFA929C0000-0x00007FFA92ADF000-memory.dmp

Filesize
1.1MB

Download
memory/1232-52-0x000002ACBECE0000-0x000002ACBECE7000-memory.dmp

Filesize
28KB

Download
memory/1232-53-0x00007FFA929C0000-0x00007FFA92ADF000-memory.dmp

Filesize
1.1MB

Download
memory/2172-68-0x00007FFA92AA0000-0x00007FFA92B7B000-memory.dmp

Filesize
876KB

Download
memory/2172-70-0x000002E527D50000-0x000002E527D57000-memory.dmp

Filesize
28KB

Download
memory/2172-73-0x00007FFA92AA0000-0x00007FFA92B7B000-memory.dmp

Filesize
876KB

Download
memory/3276-13-0x0000000140000000-0x00000001400D9000-memory.dmp

Filesize
868KB

Download
memory/3276-16-0x0000000140000000-0x00000001400D9000-memory.dmp

Filesize
868KB

Download
memory/3276-15-0x0000000140000000-0x00000001400D9000-memory.dmp

Filesize
868KB

Download
memory/3276-19-0x0000000140000000-0x00000001400D9000-memory.dmp

Filesize
868KB

Download
memory/3276-17-0x0000000140000000-0x00000001400D9000-memory.dmp

Filesize
868KB

Download
memory/3276-20-0x0000000140000000-0x00000001400D9000-memory.dmp

Filesize
868KB

Download
memory/3276-21-0x0000000140000000-0x00000001400D9000-memory.dmp

Filesize
868KB

Download
memory/3276-22-0x0000000140000000-0x00000001400D9000-memory.dmp

Filesize
868KB

Download
memory/3276-24-0x0000000140000000-0x00000001400D9000-memory.dmp

Filesize
868KB

Download
memory/3276-23-0x00000000009D0000-0x00000000009D7000-memory.dmp

Filesize
28KB

Download
memory/3276-31-0x0000000140000000-0x00000001400D9000-memory.dmp

Filesize
868KB

Download
memory/3276-32-0x00007FFAB04A0000-0x00007FFAB04B0000-memory.dmp

Filesize
64KB

Download
memory/3276-33-0x00007FFAB0490000-0x00007FFAB04A0000-memory.dmp

Filesize
64KB

Download
memory/3276-42-0x0000000140000000-0x00000001400D9000-memory.dmp

Filesize
868KB

Download
memory/3276-3-0x0000000002820000-0x0000000002821000-memory.dmp

Filesize
4KB

Download
memory/3276-18-0x0000000140000000-0x00000001400D9000-memory.dmp

Filesize
868KB

Download
memory/3276-14-0x0000000140000000-0x00000001400D9000-memory.dmp

Filesize
868KB

Download
memory/3276-6-0x0000000140000000-0x00000001400D9000-memory.dmp

Filesize
868KB

Download
memory/3276-12-0x0000000140000000-0x00000001400D9000-memory.dmp

Filesize
868KB

Download
memory/3276-11-0x0000000140000000-0x00000001400D9000-memory.dmp

Filesize
868KB

Download
memory/3276-10-0x0000000140000000-0x00000001400D9000-memory.dmp

Filesize
868KB

Download
memory/3276-9-0x0000000140000000-0x00000001400D9000-memory.dmp

Filesize
868KB

Download
memory/3276-7-0x0000000140000000-0x00000001400D9000-memory.dmp

Filesize
868KB

Download
memory/3276-8-0x00007FFAAFA8A000-0x00007FFAAFA8B000-memory.dmp

Filesize
4KB

Download
memory/3276-5-0x0000000140000000-0x00000001400D9000-memory.dmp

Filesize
868KB

Download
memory/4140-0-0x00007FFAA22F0000-0x00007FFAA23C9000-memory.dmp

Filesize
868KB

Download
memory/4140-45-0x00007FFAA22F0000-0x00007FFAA23C9000-memory.dmp

Filesize
868KB

Download
memory/4140-2-0x0000027B6D340000-0x0000027B6D347000-memory.dmp

Filesize
28KB

Download
memory/4744-84-0x00007FFA92AA0000-0x00007FFA92B7A000-memory.dmp

Filesize
872KB

Download
memory/4744-86-0x0000023571A40000-0x0000023571A47000-memory.dmp

Filesize
28KB

Download
memory/4744-89-0x00007FFA92AA0000-0x00007FFA92B7A000-memory.dmp

Filesize
872KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads