dridex | 839c36c310b8efbe6c9519e235331c0f8c92b711dd400cf9724245a9ee70e0d0

General

Target

fedc338550b9e9edb5fb38d72531f369_JaffaCakes118.dll
Size

2.2MB
MD5

fedc338550b9e9edb5fb38d72531f369
SHA1

139da1812572278281cf5c72668af182c6703af0
SHA256

839c36c310b8efbe6c9519e235331c0f8c92b711dd400cf9724245a9ee70e0d0
SHA512

1a1e4c354386772e71cd84055bfce973b0278fc03a3151c502231de0f61a702de4bea80aed84e0eb824ebe07f0d7e70c07133165c4b420266a8581679025cc37
SSDEEP

12288:dVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:EfP7fWsK5z9A+WGAW+V5SB6Ct4bnb

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/1368-5-0x0000000002620000-0x0000000002621000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

raserver.exeirftp.exelpksetup.exe

pid process

2940 raserver.exe
2388 irftp.exe
1216 lpksetup.exe
Loads dropped DLL 7 IoCs

Processes:

raserver.exeirftp.exelpksetup.exe

pid process

1368
2940 raserver.exe
1368
2388 irftp.exe
1368
1216 lpksetup.exe
1368

pid	process
2940	raserver.exe
2388	irftp.exe
1216	lpksetup.exe

pid	process
1368
2940	raserver.exe
1368
2388	irftp.exe
1368
1216	lpksetup.exe
1368

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\Uxhwu = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\EoKqR9\\irftp.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.exeraserver.exeirftp.exelpksetup.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	raserver.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	irftp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lpksetup.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
2008	rundll32.exe
2008	rundll32.exe
2008	rundll32.exe
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

description	pid	target process
PID 1368 wrote to memory of 2512	1368	raserver.exe
PID 1368 wrote to memory of 2512	1368	raserver.exe
PID 1368 wrote to memory of 2512	1368	raserver.exe
PID 1368 wrote to memory of 2940	1368	raserver.exe
PID 1368 wrote to memory of 2940	1368	raserver.exe
PID 1368 wrote to memory of 2940	1368	raserver.exe
PID 1368 wrote to memory of 1732	1368	irftp.exe
PID 1368 wrote to memory of 1732	1368	irftp.exe
PID 1368 wrote to memory of 1732	1368	irftp.exe
PID 1368 wrote to memory of 2388	1368	irftp.exe
PID 1368 wrote to memory of 2388	1368	irftp.exe
PID 1368 wrote to memory of 2388	1368	irftp.exe
PID 1368 wrote to memory of 2864	1368	lpksetup.exe
PID 1368 wrote to memory of 2864	1368	lpksetup.exe
PID 1368 wrote to memory of 2864	1368	lpksetup.exe
PID 1368 wrote to memory of 1216	1368	lpksetup.exe
PID 1368 wrote to memory of 1216	1368	lpksetup.exe
PID 1368 wrote to memory of 1216	1368	lpksetup.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\fedc338550b9e9edb5fb38d72531f369_JaffaCakes118.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:2008

C:\Windows\system32\raserver.exe
C:\Windows\system32\raserver.exe
1⤵
PID:2512

C:\Users\Admin\AppData\Local\MGrJ\raserver.exe
C:\Users\Admin\AppData\Local\MGrJ\raserver.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2940

C:\Windows\system32\irftp.exe
C:\Windows\system32\irftp.exe
1⤵
PID:1732

C:\Users\Admin\AppData\Local\Kmj3ezg\irftp.exe
C:\Users\Admin\AppData\Local\Kmj3ezg\irftp.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2388

C:\Windows\system32\lpksetup.exe
C:\Windows\system32\lpksetup.exe
1⤵
PID:2864

C:\Users\Admin\AppData\Local\EFBC\lpksetup.exe
C:\Users\Admin\AppData\Local\EFBC\lpksetup.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1216

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Query Registry

1

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\EFBC\slc.dll
Filesize
2.2MB

MD5
8a864fd7eccd0e1808e1d3d85fad218c

SHA1
3270817d46b8fc4d00bf0e84d86fd0b58457cc08

SHA256
8d1ae23dbe09d14f6cdb9f18d3acb6a0208f42ee046e08d87e6bc84bdd5b7d32

SHA512
df1823894fceb6ae79b023a75004cbbd4b660ee2d338a3a3f947d5eada53c589001e712026c2b18d34fae7afd2cd8b7c89aebea610ff0e213059356578f08458

Download Submit
C:\Users\Admin\AppData\Local\Kmj3ezg\irftp.exe
Filesize
192KB

MD5
0cae1fb725c56d260bfd6feba7ae9a75

SHA1
102ac676a1de3ec3d56401f8efd518c31c8b0b80

SHA256
312f4107ff37dc988d99c5f56178708bb74a3906740cff4e337c0dde8f1e151d

SHA512
db969064577c4158d6bf925354319766b0d0373ddefb03dbfc9a9d2cadf8ddcd50a7f99b7ddf2ffad5e7fdbb6f02090b5b678bdf792d265054bff3b56ee0b8ec

Download Submit
C:\Users\Admin\AppData\Local\MGrJ\raserver.exe
Filesize
123KB

MD5
cd0bc0b6b8d219808aea3ecd4e889b19

SHA1
9f8f4071ce2484008e36fdfd963378f4ebad703f

SHA256
16abc530c0367df1ad631f09e14c565cf99561949aa14acc533cd54bf8a5e22c

SHA512
84291ea3fafb38ef96817d5fe4a972475ef8ea24a4353568029e892fa8e15cf8e8f6ef4ff567813cd3b38092f0db4577d9dccb22be755eebdd4f77e623dc80ac

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Dgsmy.lnk
Filesize
1KB

MD5
cf50b30c12cfa7cf15090cdc630b96d5

SHA1
6dbd47a8084a84c6543327ef72e6bfd23c0a2bc4

SHA256
c0c32f28e223ed8a1b1a4353d2b71700a54c7cae02fd8dd814473eb9b58996f1

SHA512
04729357ad81a39214bdbb746f0347c0d76cc3ef8ee6ea5a0ce5023a600d4fc46d922c2e70d8e6f9638ebce9ca19c2d3c83cb71869e9aeb874cc93c122a91eee

Download Submit
\Users\Admin\AppData\Local\EFBC\lpksetup.exe
Filesize
638KB

MD5
50d28f3f8b7c17056520c80a29efe17c

SHA1
1b1e62be0a0bdc9aec2e91842c35381297d8f01e

SHA256
71613ea48467d1a0b00f8bcaed270b7527fc5771f540a8eb0515b3a5fdc8604f

SHA512
92bc60402aacf1a62e47335adf8696a5c0d31637e624628d82b6ec1f17e1ee65ae8edf7e8dcd10933f59c892a4a74d8e461945df0991b706a4a53927c5fd3861

Download Submit
\Users\Admin\AppData\Local\Kmj3ezg\WINMM.dll
Filesize
2.2MB

MD5
1b70d6897e6f846c2b7a96dbebe64aec

SHA1
c9a192bf334dd29839eefc82a71035c8dabb8d6f

SHA256
b0234bbb2eb1db1d1a939390b691394990e912ca4ccdf82bb67ab77684d850d8

SHA512
2a4cd04911862c351ac654d948fe434f29dd9127058f0a4874de19a45a2af2b5c068bf6c3612279120421f62396cfbfd5514f6a86422c6f8167e9e03ae684f17

Download Submit
\Users\Admin\AppData\Local\MGrJ\WTSAPI32.dll
Filesize
2.2MB

MD5
bd3fa13b013b3c491a3a0d918fc31708

SHA1
96ed0cea41e7ab86543fea6bb4be5e88d4b94d4b

SHA256
322992c783bcb3a6773fa2069f23502764b8525fd3b0415106add119277c0f03

SHA512
02e37f2616d0e5eeff452bf6089059ac342fe7143d2f111caeb4795e3a8b261a9f3f143d8656f1bbada10a3e6508012ea2d62b2471bf4a15ed770bf6f4b0f240

Download Submit
memory/1216-121-0x0000000000230000-0x0000000000237000-memory.dmp

Filesize
28KB

Download
memory/1368-26-0x0000000140000000-0x000000014023A000-memory.dmp

Filesize
2.2MB

Download
memory/1368-44-0x0000000140000000-0x000000014023A000-memory.dmp

Filesize
2.2MB

Download
memory/1368-19-0x0000000140000000-0x000000014023A000-memory.dmp

Filesize
2.2MB

Download
memory/1368-14-0x0000000140000000-0x000000014023A000-memory.dmp

Filesize
2.2MB

Download
memory/1368-13-0x0000000140000000-0x000000014023A000-memory.dmp

Filesize
2.2MB

Download
memory/1368-12-0x0000000140000000-0x000000014023A000-memory.dmp

Filesize
2.2MB

Download
memory/1368-20-0x0000000140000000-0x000000014023A000-memory.dmp

Filesize
2.2MB

Download
memory/1368-22-0x0000000140000000-0x000000014023A000-memory.dmp

Filesize
2.2MB

Download
memory/1368-24-0x0000000140000000-0x000000014023A000-memory.dmp

Filesize
2.2MB

Download
memory/1368-25-0x0000000140000000-0x000000014023A000-memory.dmp

Filesize
2.2MB

Download
memory/1368-28-0x0000000140000000-0x000000014023A000-memory.dmp

Filesize
2.2MB

Download
memory/1368-29-0x0000000140000000-0x000000014023A000-memory.dmp

Filesize
2.2MB

Download
memory/1368-27-0x0000000140000000-0x000000014023A000-memory.dmp

Filesize
2.2MB

Download
memory/1368-30-0x0000000140000000-0x000000014023A000-memory.dmp

Filesize
2.2MB

Download
memory/1368-31-0x0000000140000000-0x000000014023A000-memory.dmp

Filesize
2.2MB

Download
memory/1368-32-0x0000000140000000-0x000000014023A000-memory.dmp

Filesize
2.2MB

Download
memory/1368-33-0x0000000140000000-0x000000014023A000-memory.dmp

Filesize
2.2MB

Download
memory/1368-34-0x0000000140000000-0x000000014023A000-memory.dmp

Filesize
2.2MB

Download
memory/1368-35-0x0000000140000000-0x000000014023A000-memory.dmp

Filesize
2.2MB

Download
memory/1368-36-0x0000000140000000-0x000000014023A000-memory.dmp

Filesize
2.2MB

Download
memory/1368-37-0x0000000140000000-0x000000014023A000-memory.dmp

Filesize
2.2MB

Download
memory/1368-39-0x0000000140000000-0x000000014023A000-memory.dmp

Filesize
2.2MB

Download
memory/1368-40-0x0000000140000000-0x000000014023A000-memory.dmp

Filesize
2.2MB

Download
memory/1368-38-0x0000000140000000-0x000000014023A000-memory.dmp

Filesize
2.2MB

Download
memory/1368-4-0x0000000077A66000-0x0000000077A67000-memory.dmp

Filesize
4KB

Download
memory/1368-41-0x0000000140000000-0x000000014023A000-memory.dmp

Filesize
2.2MB

Download
memory/1368-42-0x0000000140000000-0x000000014023A000-memory.dmp

Filesize
2.2MB

Download
memory/1368-18-0x0000000140000000-0x000000014023A000-memory.dmp

Filesize
2.2MB

Download
memory/1368-45-0x0000000140000000-0x000000014023A000-memory.dmp

Filesize
2.2MB

Download
memory/1368-46-0x0000000140000000-0x000000014023A000-memory.dmp

Filesize
2.2MB

Download
memory/1368-49-0x0000000002220000-0x0000000002227000-memory.dmp

Filesize
28KB

Download
memory/1368-48-0x0000000140000000-0x000000014023A000-memory.dmp

Filesize
2.2MB

Download
memory/1368-47-0x0000000140000000-0x000000014023A000-memory.dmp

Filesize
2.2MB

Download
memory/1368-43-0x0000000140000000-0x000000014023A000-memory.dmp

Filesize
2.2MB

Download
memory/1368-23-0x0000000140000000-0x000000014023A000-memory.dmp

Filesize
2.2MB

Download
memory/1368-21-0x0000000140000000-0x000000014023A000-memory.dmp

Filesize
2.2MB

Download
memory/1368-56-0x0000000140000000-0x000000014023A000-memory.dmp

Filesize
2.2MB

Download
memory/1368-57-0x0000000077B71000-0x0000000077B72000-memory.dmp

Filesize
4KB

Download
memory/1368-58-0x0000000077CD0000-0x0000000077CD2000-memory.dmp

Filesize
8KB

Download
memory/1368-67-0x0000000140000000-0x000000014023A000-memory.dmp

Filesize
2.2MB

Download
memory/1368-73-0x0000000140000000-0x000000014023A000-memory.dmp

Filesize
2.2MB

Download
memory/1368-75-0x0000000140000000-0x000000014023A000-memory.dmp

Filesize
2.2MB

Download
memory/1368-17-0x0000000140000000-0x000000014023A000-memory.dmp

Filesize
2.2MB

Download
memory/1368-16-0x0000000140000000-0x000000014023A000-memory.dmp

Filesize
2.2MB

Download
memory/1368-5-0x0000000002620000-0x0000000002621000-memory.dmp

Filesize
4KB

Download
memory/1368-143-0x0000000077A66000-0x0000000077A67000-memory.dmp

Filesize
4KB

Download
memory/1368-7-0x0000000140000000-0x000000014023A000-memory.dmp

Filesize
2.2MB

Download
memory/1368-9-0x0000000140000000-0x000000014023A000-memory.dmp

Filesize
2.2MB

Download
memory/1368-15-0x0000000140000000-0x000000014023A000-memory.dmp

Filesize
2.2MB

Download
memory/1368-11-0x0000000140000000-0x000000014023A000-memory.dmp

Filesize
2.2MB

Download
memory/1368-10-0x0000000140000000-0x000000014023A000-memory.dmp

Filesize
2.2MB

Download
memory/2008-8-0x0000000140000000-0x000000014023A000-memory.dmp

Filesize
2.2MB

Download
memory/2008-1-0x0000000140000000-0x000000014023A000-memory.dmp

Filesize
2.2MB

Download
memory/2008-0-0x0000000000290000-0x0000000000297000-memory.dmp

Filesize
28KB

Download
memory/2388-103-0x0000000000620000-0x0000000000627000-memory.dmp

Filesize
28KB

Download
memory/2940-85-0x00000000001F0000-0x00000000001F7000-memory.dmp

Filesize
28KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads