dridex | fa1fffa330bfe6478d3a53ffa67b6e24acb51f3f99582a740dca8593c0afc5b7

General

Target

ff148ec8e1536ee937ede7b13205c52d_JaffaCakes118.dll
Size

1.7MB
MD5

ff148ec8e1536ee937ede7b13205c52d
SHA1

af858e0fd33f98e6116193851fa1091f8861513b
SHA256

fa1fffa330bfe6478d3a53ffa67b6e24acb51f3f99582a740dca8593c0afc5b7
SHA512

20cacc370c125880a2e21f50ee1f624575974a3e5148b108d63c1b43957b75c8c44b1fd505f815dfbccfc04ea00a5ef7795c8af876d2e415554754b7db894744
SSDEEP

12288:HVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1p:ufP7fWsK5z9A+WGAW+V5SB6Ct4bnbp

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral2/memory/3240-4-0x0000000002B20000-0x0000000002B21000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

SystemPropertiesPerformance.exerdpclip.exeSnippingTool.exe

pid process

4072 SystemPropertiesPerformance.exe
4080 rdpclip.exe
4808 SnippingTool.exe
Loads dropped DLL 3 IoCs

Processes:

SystemPropertiesPerformance.exerdpclip.exeSnippingTool.exe

pid process

4072 SystemPropertiesPerformance.exe
4080 rdpclip.exe
4808 SnippingTool.exe

pid	process
4072	SystemPropertiesPerformance.exe
4080	rdpclip.exe
4808	SnippingTool.exe

pid	process
4072	SystemPropertiesPerformance.exe
4080	rdpclip.exe
4808	SnippingTool.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Xcdbzlxvqxxhz = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\S-1-5-21-3808065738-1666277613-1125846146-1000\\6QIc\\rdpclip.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.exeSystemPropertiesPerformance.exerdpclip.exeSnippingTool.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SystemPropertiesPerformance.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rdpclip.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SnippingTool.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
2648	rundll32.exe
2648	rundll32.exe
2648	rundll32.exe
2648	rundll32.exe
3240
3240
3240
3240
3240
3240
3240
3240
3240
3240
3240
3240
3240
3240
3240
3240
3240
3240
3240
3240
3240
3240
3240
3240
3240
3240
3240
3240
3240
3240
3240
3240
3240
3240
3240
3240
3240
3240
3240
3240
3240
3240
3240
3240
3240
3240
3240
3240
3240
3240
3240
3240
3240
3240
3240
3240
3240
3240
3240
3240

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

description	pid	target process
PID 3240 wrote to memory of 2676	3240	SystemPropertiesPerformance.exe
PID 3240 wrote to memory of 2676	3240	SystemPropertiesPerformance.exe
PID 3240 wrote to memory of 4072	3240	SystemPropertiesPerformance.exe
PID 3240 wrote to memory of 4072	3240	SystemPropertiesPerformance.exe
PID 3240 wrote to memory of 4120	3240	rdpclip.exe
PID 3240 wrote to memory of 4120	3240	rdpclip.exe
PID 3240 wrote to memory of 4080	3240	rdpclip.exe
PID 3240 wrote to memory of 4080	3240	rdpclip.exe
PID 3240 wrote to memory of 2268	3240	SnippingTool.exe
PID 3240 wrote to memory of 2268	3240	SnippingTool.exe
PID 3240 wrote to memory of 4808	3240	SnippingTool.exe
PID 3240 wrote to memory of 4808	3240	SnippingTool.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\ff148ec8e1536ee937ede7b13205c52d_JaffaCakes118.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:2648

C:\Windows\system32\SystemPropertiesPerformance.exe
C:\Windows\system32\SystemPropertiesPerformance.exe
1⤵
PID:2676

C:\Users\Admin\AppData\Local\q4Yj2LeT\SystemPropertiesPerformance.exe
C:\Users\Admin\AppData\Local\q4Yj2LeT\SystemPropertiesPerformance.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:4072

C:\Windows\system32\rdpclip.exe
C:\Windows\system32\rdpclip.exe
1⤵
PID:4120

C:\Users\Admin\AppData\Local\Nw8OxAk\rdpclip.exe
C:\Users\Admin\AppData\Local\Nw8OxAk\rdpclip.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:4080

C:\Windows\system32\SnippingTool.exe
C:\Windows\system32\SnippingTool.exe
1⤵
PID:2268

C:\Users\Admin\AppData\Local\EGKC6h\SnippingTool.exe
C:\Users\Admin\AppData\Local\EGKC6h\SnippingTool.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:4808

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1344 --field-trial-handle=2356,i,13261194862334667799,7441241219475888176,262144 --variations-seed-version /prefetch:8
1⤵
PID:4404

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Query Registry

1

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\EGKC6h\SnippingTool.exe
Filesize
3.2MB

MD5
f06d69f2fdd4d6a4e16f55769b7dccc1

SHA1
735eb9b032d924b59a8767b9d49bdb88bed05220

SHA256
83be001996cd4d9e5a1a8cd130e17e5b5ee81c9b5cf1b9d9196d8a39fbf7506d

SHA512
ccc1bff59636e91763659749d67b9f6255765ed5aed4b40b6f8111d4136a7e2fe9e0726396b0c837e4ab8717528134273ffc0825a205e501a13bf1d3aee5046b

Download Submit
C:\Users\Admin\AppData\Local\EGKC6h\dwmapi.dll
Filesize
1.7MB

MD5
d41df7ac352d0305ae7529354c1af693

SHA1
a3de3d7b6f95538ca86ae680675f21bec295569b

SHA256
654f07d6e83db6ac3a8797044b60e92059d074a600429c272e1a287f00b8e224

SHA512
fc73e6666496a1c42e2634d07697d82a5f17da02d271a57f7452b8950f263a4d6ebe6e11b3648218d53e8ede334cd1d8840dedb4312899e891828f88c0c9c7af

Download Submit
C:\Users\Admin\AppData\Local\Nw8OxAk\WTSAPI32.dll
Filesize
1.7MB

MD5
85eee48bdbc53417470d89bb81b96f7b

SHA1
75f9f5cf96794bd3a06fe370473a13eb61a20473

SHA256
bbc25f830e4948a0a48d30476477269266efa482c2a8848c12e0b72b61ecd1b6

SHA512
0ce4c40e5c601406fb4c68bfa31ef12c54098acdbf448b7e6453e18d3193656655682efc4a9be3ef2695865ffe58b3a12a2dbe3ddaa762d7ed2478a245a878f5

Download Submit
C:\Users\Admin\AppData\Local\Nw8OxAk\rdpclip.exe
Filesize
446KB

MD5
a52402d6bd4e20a519a2eeec53332752

SHA1
129f2b6409395ef877b9ca39dd819a2703946a73

SHA256
9d5be181d9309dea98039d2ce619afe745fc8a9a1b1c05cf860b3620b5203308

SHA512
632dda67066cff2b940f27e3f409e164684994a02bda57d74e958c462b9a0963e922be4a487c06126cecc9ef34d34913ef8315524bf8422f83c0c135b8af924e

Download Submit
C:\Users\Admin\AppData\Local\q4Yj2LeT\SYSDM.CPL
Filesize
1.7MB

MD5
fcf4ed98a1f223495f771e30ccc4cecc

SHA1
8bd50a240b5bab5512524bc2ef855fce1b4c8e0f

SHA256
f51e5db06e415cac7f4df4e1a34b9265a26fd0a8321b0890d270d2f45d30d1ec

SHA512
32c6d854953b4c301d3dde5375179a9ad04c11dffd6329ec2159cd2a114a68e731062242b36f33b004a81bc809e899c3d6fd3a5bd572f5983cadc68cddae5301

Download Submit
C:\Users\Admin\AppData\Local\q4Yj2LeT\SystemPropertiesPerformance.exe
Filesize
82KB

MD5
e4fbf7cab8669c7c9cef92205d2f2ffc

SHA1
adbfa782b7998720fa85678cc85863b961975e28

SHA256
b266318d45a4245556a2e39b763f2f11eca780969105f6f103e53dd0a492bb30

SHA512
c5c62578d04133352d6cb7b018df96a7b55c18d6111ab8bf2bfe232a3315a63b07047fa5b0b88551d152085776c66169b47566242c8c4c5e0333c55adc64e1b6

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Axoeay.lnk
Filesize
1KB

MD5
55eaf16d634fb362c788af603bd442eb

SHA1
b218c613673cb990358a417374503d5829188e42

SHA256
ebf11e61befc7f27c2ff1df30affa48abdc0465b69e12f1dbc94aebc8cf9fdbb

SHA512
3b007928267e8c72f6e9a257a16a22a8515a38d178c2b350d435fca152676def25e72834a56f36f2fc4145ee38b124106fa52098dfcd4424c291e147e15c7df8

Download Submit
memory/2648-0-0x0000026B957A0000-0x0000026B957A7000-memory.dmp

Filesize
28KB

Download
memory/2648-1-0x0000000140000000-0x00000001401BB000-memory.dmp

Filesize
1.7MB

Download
memory/2648-38-0x0000000140000000-0x00000001401BB000-memory.dmp

Filesize
1.7MB

Download
memory/3240-27-0x0000000140000000-0x00000001401BB000-memory.dmp

Filesize
1.7MB

Download
memory/3240-30-0x0000000140000000-0x00000001401BB000-memory.dmp

Filesize
1.7MB

Download
memory/3240-10-0x0000000140000000-0x00000001401BB000-memory.dmp

Filesize
1.7MB

Download
memory/3240-11-0x0000000140000000-0x00000001401BB000-memory.dmp

Filesize
1.7MB

Download
memory/3240-12-0x0000000140000000-0x00000001401BB000-memory.dmp

Filesize
1.7MB

Download
memory/3240-13-0x0000000140000000-0x00000001401BB000-memory.dmp

Filesize
1.7MB

Download
memory/3240-14-0x0000000140000000-0x00000001401BB000-memory.dmp

Filesize
1.7MB

Download
memory/3240-16-0x0000000140000000-0x00000001401BB000-memory.dmp

Filesize
1.7MB

Download
memory/3240-15-0x0000000140000000-0x00000001401BB000-memory.dmp

Filesize
1.7MB

Download
memory/3240-17-0x0000000140000000-0x00000001401BB000-memory.dmp

Filesize
1.7MB

Download
memory/3240-18-0x0000000140000000-0x00000001401BB000-memory.dmp

Filesize
1.7MB

Download
memory/3240-19-0x0000000140000000-0x00000001401BB000-memory.dmp

Filesize
1.7MB

Download
memory/3240-20-0x0000000140000000-0x00000001401BB000-memory.dmp

Filesize
1.7MB

Download
memory/3240-21-0x0000000140000000-0x00000001401BB000-memory.dmp

Filesize
1.7MB

Download
memory/3240-22-0x0000000140000000-0x00000001401BB000-memory.dmp

Filesize
1.7MB

Download
memory/3240-24-0x0000000140000000-0x00000001401BB000-memory.dmp

Filesize
1.7MB

Download
memory/3240-25-0x0000000140000000-0x00000001401BB000-memory.dmp

Filesize
1.7MB

Download
memory/3240-23-0x0000000140000000-0x00000001401BB000-memory.dmp

Filesize
1.7MB

Download
memory/3240-8-0x00007FFFC314A000-0x00007FFFC314B000-memory.dmp

Filesize
4KB

Download
memory/3240-28-0x0000000140000000-0x00000001401BB000-memory.dmp

Filesize
1.7MB

Download
memory/3240-29-0x0000000140000000-0x00000001401BB000-memory.dmp

Filesize
1.7MB

Download
memory/3240-26-0x0000000140000000-0x00000001401BB000-memory.dmp

Filesize
1.7MB

Download
memory/3240-31-0x0000000140000000-0x00000001401BB000-memory.dmp

Filesize
1.7MB

Download
memory/3240-32-0x0000000140000000-0x00000001401BB000-memory.dmp

Filesize
1.7MB

Download
memory/3240-33-0x0000000140000000-0x00000001401BB000-memory.dmp

Filesize
1.7MB

Download
memory/3240-9-0x0000000140000000-0x00000001401BB000-memory.dmp

Filesize
1.7MB

Download
memory/3240-35-0x0000000140000000-0x00000001401BB000-memory.dmp

Filesize
1.7MB

Download
memory/3240-34-0x0000000140000000-0x00000001401BB000-memory.dmp

Filesize
1.7MB

Download
memory/3240-37-0x0000000140000000-0x00000001401BB000-memory.dmp

Filesize
1.7MB

Download
memory/3240-39-0x0000000140000000-0x00000001401BB000-memory.dmp

Filesize
1.7MB

Download
memory/3240-36-0x0000000140000000-0x00000001401BB000-memory.dmp

Filesize
1.7MB

Download
memory/3240-40-0x0000000140000000-0x00000001401BB000-memory.dmp

Filesize
1.7MB

Download
memory/3240-41-0x0000000140000000-0x00000001401BB000-memory.dmp

Filesize
1.7MB

Download
memory/3240-42-0x0000000140000000-0x00000001401BB000-memory.dmp

Filesize
1.7MB

Download
memory/3240-44-0x0000000140000000-0x00000001401BB000-memory.dmp

Filesize
1.7MB

Download
memory/3240-43-0x0000000000D20000-0x0000000000D27000-memory.dmp

Filesize
28KB

Download
memory/3240-51-0x0000000140000000-0x00000001401BB000-memory.dmp

Filesize
1.7MB

Download
memory/3240-52-0x00007FFFC4C60000-0x00007FFFC4C70000-memory.dmp

Filesize
64KB

Download
memory/3240-61-0x0000000140000000-0x00000001401BB000-memory.dmp

Filesize
1.7MB

Download
memory/3240-63-0x0000000140000000-0x00000001401BB000-memory.dmp

Filesize
1.7MB

Download
memory/3240-4-0x0000000002B20000-0x0000000002B21000-memory.dmp

Filesize
4KB

Download
memory/3240-6-0x0000000140000000-0x00000001401BB000-memory.dmp

Filesize
1.7MB

Download
memory/3240-7-0x0000000140000000-0x00000001401BB000-memory.dmp

Filesize
1.7MB

Download
memory/4072-78-0x0000000140000000-0x00000001401BC000-memory.dmp

Filesize
1.7MB

Download
memory/4072-72-0x000001B286A90000-0x000001B286A97000-memory.dmp

Filesize
28KB

Download
memory/4072-73-0x0000000140000000-0x00000001401BC000-memory.dmp

Filesize
1.7MB

Download
memory/4080-90-0x0000023020580000-0x0000023020587000-memory.dmp

Filesize
28KB

Download
memory/4080-95-0x0000000140000000-0x00000001401BC000-memory.dmp

Filesize
1.7MB

Download
memory/4808-107-0x000002DB21FA0000-0x000002DB21FA7000-memory.dmp

Filesize
28KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads