dridex | 4a5ef969e3e70f1425be5a3b05cde7838c4248b062eeb5ffee844f9df98c0f7b

General

Target

ff4969e21689a0492b239dac2fe54bd1_JaffaCakes118.dll
Size

1.9MB
MD5

ff4969e21689a0492b239dac2fe54bd1
SHA1

c6efa4e33d17189804a2256b4f52505c2d411185
SHA256

4a5ef969e3e70f1425be5a3b05cde7838c4248b062eeb5ffee844f9df98c0f7b
SHA512

a8e74a5301afd9caac08eb799c89785111e9714e27faacd5d0dda19e3d2881f4a8121ad21e0e3bdfabd41acd24b2dbd3f706e1eed72692b3865147593b66ed62
SSDEEP

12288:WVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:LfP7fWsK5z9A+WGAW+V5SB6Ct4bnb

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/1208-5-0x0000000002F20000-0x0000000002F21000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

rdpinit.exeUtilman.exeMpSigStub.exe

pid process

2676 rdpinit.exe
3012 Utilman.exe
2824 MpSigStub.exe
Loads dropped DLL 7 IoCs

Processes:

rdpinit.exeUtilman.exeMpSigStub.exe

pid process

1208
2676 rdpinit.exe
1208
3012 Utilman.exe
1208
2824 MpSigStub.exe
1208

pid	process
2676	rdpinit.exe
3012	Utilman.exe
2824	MpSigStub.exe

pid	process
1208
2676	rdpinit.exe
1208
3012	Utilman.exe
1208
2824	MpSigStub.exe
1208

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\Aknlhzir = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\DNTException\\Low\\xhPDXc\\Utilman.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.exerdpinit.exeUtilman.exeMpSigStub.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rdpinit.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Utilman.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	MpSigStub.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
1204	rundll32.exe
1204	rundll32.exe
1204	rundll32.exe
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

description	pid	target process
PID 1208 wrote to memory of 2616	1208	rdpinit.exe
PID 1208 wrote to memory of 2616	1208	rdpinit.exe
PID 1208 wrote to memory of 2616	1208	rdpinit.exe
PID 1208 wrote to memory of 2676	1208	rdpinit.exe
PID 1208 wrote to memory of 2676	1208	rdpinit.exe
PID 1208 wrote to memory of 2676	1208	rdpinit.exe
PID 1208 wrote to memory of 2100	1208	Utilman.exe
PID 1208 wrote to memory of 2100	1208	Utilman.exe
PID 1208 wrote to memory of 2100	1208	Utilman.exe
PID 1208 wrote to memory of 3012	1208	Utilman.exe
PID 1208 wrote to memory of 3012	1208	Utilman.exe
PID 1208 wrote to memory of 3012	1208	Utilman.exe
PID 1208 wrote to memory of 2844	1208	MpSigStub.exe
PID 1208 wrote to memory of 2844	1208	MpSigStub.exe
PID 1208 wrote to memory of 2844	1208	MpSigStub.exe
PID 1208 wrote to memory of 2824	1208	MpSigStub.exe
PID 1208 wrote to memory of 2824	1208	MpSigStub.exe
PID 1208 wrote to memory of 2824	1208	MpSigStub.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\ff4969e21689a0492b239dac2fe54bd1_JaffaCakes118.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:1204

C:\Windows\system32\rdpinit.exe
C:\Windows\system32\rdpinit.exe
1⤵
PID:2616

C:\Users\Admin\AppData\Local\pEtxVmMAk\rdpinit.exe
C:\Users\Admin\AppData\Local\pEtxVmMAk\rdpinit.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2676

C:\Windows\system32\Utilman.exe
C:\Windows\system32\Utilman.exe
1⤵
PID:2100

C:\Users\Admin\AppData\Local\nacIm2llG\Utilman.exe
C:\Users\Admin\AppData\Local\nacIm2llG\Utilman.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:3012

C:\Windows\system32\MpSigStub.exe
C:\Windows\system32\MpSigStub.exe
1⤵
PID:2844

C:\Users\Admin\AppData\Local\JV1\MpSigStub.exe
C:\Users\Admin\AppData\Local\JV1\MpSigStub.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2824

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Query Registry

1

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\JV1\VERSION.dll
Filesize
1.9MB

MD5
cdad1eb199164949c4b60130f9a12bc8

SHA1
96fa76aaa13f07b860463371d67ed24cff39d1f1

SHA256
177454cd9e91cac17a8d28a7f568f2543183aac56d17b56a009f6feab1ff0421

SHA512
3760cb07e72f7db3f72a41effcb14df2b46585cb52a6a753c9a11c94de1f01ec973135ffa4c2336268341e9a42944553bb9b841eea9ccd319c105f6d50c7aae1

Download Submit
C:\Users\Admin\AppData\Local\pEtxVmMAk\rdpinit.exe
Filesize
174KB

MD5
664e12e0ea009cc98c2b578ff4983c62

SHA1
27b302c0108851ac6cc37e56590dd9074b09c3c9

SHA256
00bd9c3c941a5a9b4fc8594d7b985f5f1ac48f0ba7495a728b8fa42b4b48a332

SHA512
f5eee4e924dcc3cf5e82eff36543e9d0e9c17dc2272b403cf30f8d2da42312821f5566249a98a952f5441b1f0d6d61a86b5c5198bc598d65ea9d4fb35822505d

Download Submit
C:\Users\Admin\AppData\Local\pEtxVmMAk\slc.dll
Filesize
1.9MB

MD5
02f0a7d54b75b962aaccb0d18b712bc0

SHA1
0821f25ce6e36ee7eb5d4ac9c282379c42259367

SHA256
84af17046d65819d2fa34839cc3a6a9c4a12cbfe8ea0f16e5402e5d254c09772

SHA512
f10c167d79190cd56fecbe6476851ace5e8be558937f9ee8eb34dd957ff0a77142ff4ac51118e5d57d92e36cf8fe07f569edde875686d6437c141dfd67e7dc8c

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Qscjinkjzo.lnk
Filesize
1KB

MD5
a28e7e7d7de7ee4a71f701b7c88f7b10

SHA1
a444358962e533478b70d464cda3813f4db3d73e

SHA256
bd66e40e984360e251c494bdfa9820df37fecc1361812a981ba55469546d7964

SHA512
844de6a0b67563a398c97cefbb49f975f251e4629efd982911751f2fd21e515f1d10099cd525b0799acf002828ce09f0a438900fc76946c462546be71bf0bc9e

Download Submit
\Users\Admin\AppData\Local\JV1\MpSigStub.exe
Filesize
264KB

MD5
2e6bd16aa62e5e95c7b256b10d637f8f

SHA1
350be084477b1fe581af83ca79eb58d4defe260f

SHA256
d795968b8067bb610033fa4a5b21eb2f96cef61513aba62912b8eb5c6a5ff7b3

SHA512
1f37150f6bcbe0df54bb85a5ad585824cea9332baa9be1649a95c1dfb41723de85c09d98fb2ca8261a49c2184d3bda638b84b2b7b60b97fe42a15ab1620a2542

Download Submit
\Users\Admin\AppData\Local\nacIm2llG\DUI70.dll
Filesize
2.1MB

MD5
db9ce426e7ba49916ac637bcc119ceef

SHA1
38b6b22d1111e4478d6004cf9a3a7c2cb104036e

SHA256
5054cd4b1905344beffeffb3d3c47caeb7d3bb7af145c0d04c65d2f653baac82

SHA512
06ecafe6c4a7ce8216467ba5836352793a64f88e4b32bd54eaa4a5fc6c9d4cc78411e8ae63f7413efdef75f373a017f6ae67285ae890159043eab2539ff278a7

Download Submit
\Users\Admin\AppData\Local\nacIm2llG\Utilman.exe
Filesize
1.3MB

MD5
32c5ee55eadfc071e57851e26ac98477

SHA1
8f8d0aee344e152424143da49ce2c7badabb8f9d

SHA256
7ca90616e68bc851f14658a366d80f21ddb7a7dd8a866049e54651158784a9ea

SHA512
e0943efa81f3087c84a5909c72a436671ee8cc3cc80154901430e83ec7966aac800ad4b26f4a174a0071da617c0982ceda584686c6e2056e1a83e864aca6c975

Download Submit
memory/1204-2-0x0000000000190000-0x0000000000197000-memory.dmp

Filesize
28KB

Download
memory/1204-0-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/1204-8-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/1208-33-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/1208-23-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/1208-31-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/1208-34-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/1208-36-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/1208-39-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/1208-40-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/1208-42-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/1208-43-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/1208-47-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/1208-49-0x0000000002F00000-0x0000000002F07000-memory.dmp

Filesize
28KB

Download
memory/1208-46-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/1208-45-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/1208-55-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/1208-44-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/1208-41-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/1208-38-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/1208-56-0x0000000077821000-0x0000000077822000-memory.dmp

Filesize
4KB

Download
memory/1208-37-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/1208-35-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/1208-28-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/1208-32-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/1208-30-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/1208-57-0x0000000077980000-0x0000000077982000-memory.dmp

Filesize
8KB

Download
memory/1208-27-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/1208-26-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/1208-24-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/1208-29-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/1208-21-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/1208-20-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/1208-19-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/1208-16-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/1208-15-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/1208-13-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/1208-11-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/1208-10-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/1208-25-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/1208-7-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/1208-5-0x0000000002F20000-0x0000000002F21000-memory.dmp

Filesize
4KB

Download
memory/1208-66-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/1208-72-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/1208-75-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/1208-22-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/1208-18-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/1208-145-0x0000000077716000-0x0000000077717000-memory.dmp

Filesize
4KB

Download
memory/1208-17-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/1208-14-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/1208-4-0x0000000077716000-0x0000000077717000-memory.dmp

Filesize
4KB

Download
memory/1208-12-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/1208-9-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/2676-84-0x0000000000110000-0x0000000000117000-memory.dmp

Filesize
28KB

Download
memory/2824-123-0x0000000000180000-0x0000000000187000-memory.dmp

Filesize
28KB

Download
memory/3012-102-0x0000000000100000-0x0000000000107000-memory.dmp

Filesize
28KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads