dridex | 4a5ef969e3e70f1425be5a3b05cde7838c4248b062eeb5ffee844f9df98c0f7b

General

Target

ff4969e21689a0492b239dac2fe54bd1_JaffaCakes118.dll
Size

1.9MB
MD5

ff4969e21689a0492b239dac2fe54bd1
SHA1

c6efa4e33d17189804a2256b4f52505c2d411185
SHA256

4a5ef969e3e70f1425be5a3b05cde7838c4248b062eeb5ffee844f9df98c0f7b
SHA512

a8e74a5301afd9caac08eb799c89785111e9714e27faacd5d0dda19e3d2881f4a8121ad21e0e3bdfabd41acd24b2dbd3f706e1eed72692b3865147593b66ed62
SSDEEP

12288:WVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:LfP7fWsK5z9A+WGAW+V5SB6Ct4bnb

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral2/memory/3628-4-0x0000000002FF0000-0x0000000002FF1000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

ie4uinit.exerdpinput.exeperfmon.exe

pid process

4344 ie4uinit.exe
1672 rdpinput.exe
2040 perfmon.exe
Loads dropped DLL 5 IoCs

Processes:

ie4uinit.exerdpinput.exeperfmon.exe

pid process

4344 ie4uinit.exe
4344 ie4uinit.exe
4344 ie4uinit.exe
1672 rdpinput.exe
2040 perfmon.exe

pid	process
4344	ie4uinit.exe
1672	rdpinput.exe
2040	perfmon.exe

pid	process
4344	ie4uinit.exe
4344	ie4uinit.exe
4344	ie4uinit.exe
1672	rdpinput.exe
2040	perfmon.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2177723727-746291240-1644359950-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Xmqiszjymzcq = "C:\\Users\\Admin\\AppData\\Roaming\\Sun\\Java\\ldTGopESb\\rdpinput.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

ie4uinit.exerdpinput.exeperfmon.exerundll32.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ie4uinit.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rdpinput.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	perfmon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
876	rundll32.exe
876	rundll32.exe
876	rundll32.exe
876	rundll32.exe
3628
3628
3628
3628
3628
3628
3628
3628
3628
3628
3628
3628
3628
3628
3628
3628
3628
3628
3628
3628
3628
3628
3628
3628
3628
3628
3628
3628
3628
3628
3628
3628
3628
3628
3628
3628
3628
3628
3628
3628
3628
3628
3628
3628
3628
3628
3628
3628
3628
3628
3628
3628
3628
3628
3628
3628
3628
3628
3628
3628

Suspicious use of UnmapMainImage 1 IoCs

Processes:

pid process

3628

pid	process
3628

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

description	pid	target process
PID 3628 wrote to memory of 3376	3628	ie4uinit.exe
PID 3628 wrote to memory of 3376	3628	ie4uinit.exe
PID 3628 wrote to memory of 4344	3628	ie4uinit.exe
PID 3628 wrote to memory of 4344	3628	ie4uinit.exe
PID 3628 wrote to memory of 948	3628	rdpinput.exe
PID 3628 wrote to memory of 948	3628	rdpinput.exe
PID 3628 wrote to memory of 1672	3628	rdpinput.exe
PID 3628 wrote to memory of 1672	3628	rdpinput.exe
PID 3628 wrote to memory of 1632	3628	perfmon.exe
PID 3628 wrote to memory of 1632	3628	perfmon.exe
PID 3628 wrote to memory of 2040	3628	perfmon.exe
PID 3628 wrote to memory of 2040	3628	perfmon.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\ff4969e21689a0492b239dac2fe54bd1_JaffaCakes118.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:876

C:\Windows\system32\ie4uinit.exe
C:\Windows\system32\ie4uinit.exe
1⤵
PID:3376

C:\Users\Admin\AppData\Local\eeLVCP\ie4uinit.exe
C:\Users\Admin\AppData\Local\eeLVCP\ie4uinit.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:4344

C:\Windows\system32\rdpinput.exe
C:\Windows\system32\rdpinput.exe
1⤵
PID:948

C:\Users\Admin\AppData\Local\OPbxY\rdpinput.exe
C:\Users\Admin\AppData\Local\OPbxY\rdpinput.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1672

C:\Windows\system32\perfmon.exe
C:\Windows\system32\perfmon.exe
1⤵
PID:1632

C:\Users\Admin\AppData\Local\C3rp\perfmon.exe
C:\Users\Admin\AppData\Local\C3rp\perfmon.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2040

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Query Registry

1

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\C3rp\credui.dll
Filesize
1.9MB

MD5
11f2bfa0f3ec4a1e45903803c1b78f28

SHA1
43d15f85d427e2c56359b1784a5dd3cb4137e95b

SHA256
b734e10d2307cdb7f5999f90faa93c256cf9a8fc767683e5d506380815fe4c17

SHA512
9a47990044ce551a7e950f46736bc7c08cb8751972bd1fbddc72eb543f9be098b3a8b0f47e01e81dc951c02d6c88c7fad901af798445384910d35b722bd8ef78

Download Submit
C:\Users\Admin\AppData\Local\C3rp\perfmon.exe
Filesize
177KB

MD5
d38aa59c3bea5456bd6f95c73ad3c964

SHA1
40170eab389a6ba35e949f9c92962646a302d9ef

SHA256
5f041cff346fb37e5c5c9dab3c1272c76f8b5f579205170e97d2248d04a4ea0c

SHA512
59fa552a46e5d6237c7244b03d09d60e9489217b4319a212e822c73fe1f31a81837cb906ae7da92072bd3d9263fe0b967e073110ba81da3a90126f25115fff68

Download Submit
C:\Users\Admin\AppData\Local\OPbxY\WTSAPI32.dll
Filesize
1.9MB

MD5
0757aba900805d387d0bc4a7531ca11b

SHA1
e46cd80739927976fdfdc05c0c33135a8967eed4

SHA256
72041c57ce2d1a12168d9ce7bc2e3ca66b17e9faf1cda7e627dd0edf6a59164f

SHA512
225076509f35ab0d4cfb93b802ad2f785a0f0e18187a390c2c4eb93c75c062e67589e1fb0495cc55784bb5b759aaf47f23e50ed6302f1e5de062c4a7b0b91d6b

Download Submit
C:\Users\Admin\AppData\Local\OPbxY\rdpinput.exe
Filesize
180KB

MD5
bd99eeca92869f9a3084d689f335c734

SHA1
a2839f6038ea50a4456cd5c2a3ea003e7b77688c

SHA256
39bfb2214efeed47f4f5e50e6dff05541e29caeb27966520bdadd52c3d5e7143

SHA512
355433c3bbbaa3bcb849633d45713d8a7ac6f87a025732fbe83e259ec3a0cb4eabb18239df26609453f9fc6764c7276c5d0472f11cf12d15ef806aa7594d090e

Download Submit
C:\Users\Admin\AppData\Local\eeLVCP\VERSION.dll
Filesize
1.9MB

MD5
4a4af9e437c334840a7e830f55fb30c1

SHA1
0ef001addfb61a6c9ae792e8443185d42559aa9e

SHA256
0123fcebba7ec69e6591c98f819920a285f5484eb663623e23e8a868844045f4

SHA512
5d3f4687692de93f58f4bc4f49ea262e6416bc3da0ae7a2cd11e947eef5b098b84467cdd326f852c59e9bc87d694ea46d6237892bb20e3f51189325e1b75dd7d

Download Submit
C:\Users\Admin\AppData\Local\eeLVCP\ie4uinit.exe
Filesize
262KB

MD5
a2f0104edd80ca2c24c24356d5eacc4f

SHA1
8269b9fd9231f04ed47419bd565c69dc677fab56

SHA256
5d85c4d62cc26996826b9d96a9153f7e05a2260342bd913b3730610a1809203c

SHA512
e7bb87f9f6c82cb945b95f62695be98b3fa827a24fa8c4187fe836d4e7d3e7ae3b95101edd3c41d65f6cb684910f5954a67307d450072acd8d475212db094390

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Uajflgomesic.lnk
Filesize
1KB

MD5
d7ad033ec5dc0356268558737da90944

SHA1
9bbfc82c7b17ee380a5e179ee42c198c8a0b516a

SHA256
66a22f41ce0c4d9185d8318c18138745871ea270bfd5aacf2100ca38ebc5e99b

SHA512
0929fb7df23aa0dd87ecd802de608bc091e5b4e91332ede587db4ab01b9270f9305ebe7fe1c9be1b07893aa6e42103771145771b77310e52a63fabe665b425a3

Download Submit
memory/876-7-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/876-1-0x000001E18D770000-0x000001E18D777000-memory.dmp

Filesize
28KB

Download
memory/876-0-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/1672-96-0x000001B2559F0000-0x000001B2559F7000-memory.dmp

Filesize
28KB

Download
memory/1672-95-0x0000000140000000-0x00000001401EE000-memory.dmp

Filesize
1.9MB

Download
memory/2040-112-0x000001EB9DDF0000-0x000001EB9DDF7000-memory.dmp

Filesize
28KB

Download
memory/3628-29-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/3628-38-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/3628-17-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/3628-18-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/3628-16-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/3628-19-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/3628-21-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/3628-20-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/3628-22-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/3628-15-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/3628-13-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/3628-23-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/3628-24-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/3628-25-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/3628-26-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/3628-27-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/3628-28-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/3628-12-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/3628-33-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/3628-32-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/3628-31-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/3628-30-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/3628-35-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/3628-36-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/3628-34-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/3628-14-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/3628-39-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/3628-37-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/3628-41-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/3628-40-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/3628-43-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/3628-42-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/3628-45-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/3628-44-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/3628-46-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/3628-48-0x0000000002FB0000-0x0000000002FB7000-memory.dmp

Filesize
28KB

Download
memory/3628-47-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/3628-55-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/3628-56-0x00007FF9DD4C0000-0x00007FF9DD4D0000-memory.dmp

Filesize
64KB

Download
memory/3628-65-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/3628-67-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/3628-4-0x0000000002FF0000-0x0000000002FF1000-memory.dmp

Filesize
4KB

Download
memory/3628-10-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/3628-11-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/3628-6-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/3628-9-0x00007FF9DC1AA000-0x00007FF9DC1AB000-memory.dmp

Filesize
4KB

Download
memory/3628-8-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/4344-78-0x000001E48EDD0000-0x000001E48EFBE000-memory.dmp

Filesize
1.9MB

Download
memory/4344-79-0x000001E48EBF0000-0x000001E48EBF7000-memory.dmp

Filesize
28KB

Download
memory/4344-84-0x000001E48EDD0000-0x000001E48EFBE000-memory.dmp

Filesize
1.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads