dridex | 51676b3254a014834afdaba33bdff2911b7d87613f0f23201ba14f9d78e2cf99

General

Target

ff6cd31f07d94bb47ea90f53731a97ca_JaffaCakes118.dll
Size

1.9MB
MD5

ff6cd31f07d94bb47ea90f53731a97ca
SHA1

254860df90ab5c6c2e7d8faba7ef4df7e085f3bd
SHA256

51676b3254a014834afdaba33bdff2911b7d87613f0f23201ba14f9d78e2cf99
SHA512

f8eb53555945d2b56030ad281dd04e861ff3183008dd18870ac7fe9623ef76b0679b129e2c925e4bb325675e3467194e888e8079e199df193d9e3974ded25f05
SSDEEP

12288:EVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:hfP7fWsK5z9A+WGAW+V5SB6Ct4bnb

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/1216-5-0x0000000002160000-0x0000000002161000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

msdtc.exenotepad.exepsr.exe

pid process

2468 msdtc.exe
2888 notepad.exe
2040 psr.exe
Loads dropped DLL 7 IoCs

Processes:

msdtc.exenotepad.exepsr.exe

pid process

1216
2468 msdtc.exe
1216
2888 notepad.exe
1216
2040 psr.exe
1216

pid	process
2468	msdtc.exe
2888	notepad.exe
2040	psr.exe

pid	process
1216
2468	msdtc.exe
1216
2888	notepad.exe
1216
2040	psr.exe
1216

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\Aknlhzir = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CTLs\\Lcr\\notepad.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

msdtc.exenotepad.exepsr.exerundll32.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	msdtc.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	notepad.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	psr.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
2952	rundll32.exe
2952	rundll32.exe
2952	rundll32.exe
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

description	pid	target process
PID 1216 wrote to memory of 2432	1216	msdtc.exe
PID 1216 wrote to memory of 2432	1216	msdtc.exe
PID 1216 wrote to memory of 2432	1216	msdtc.exe
PID 1216 wrote to memory of 2468	1216	msdtc.exe
PID 1216 wrote to memory of 2468	1216	msdtc.exe
PID 1216 wrote to memory of 2468	1216	msdtc.exe
PID 1216 wrote to memory of 2864	1216	notepad.exe
PID 1216 wrote to memory of 2864	1216	notepad.exe
PID 1216 wrote to memory of 2864	1216	notepad.exe
PID 1216 wrote to memory of 2888	1216	notepad.exe
PID 1216 wrote to memory of 2888	1216	notepad.exe
PID 1216 wrote to memory of 2888	1216	notepad.exe
PID 1216 wrote to memory of 2296	1216	psr.exe
PID 1216 wrote to memory of 2296	1216	psr.exe
PID 1216 wrote to memory of 2296	1216	psr.exe
PID 1216 wrote to memory of 2040	1216	psr.exe
PID 1216 wrote to memory of 2040	1216	psr.exe
PID 1216 wrote to memory of 2040	1216	psr.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\ff6cd31f07d94bb47ea90f53731a97ca_JaffaCakes118.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:2952

C:\Windows\system32\msdtc.exe
C:\Windows\system32\msdtc.exe
1⤵
PID:2432

C:\Users\Admin\AppData\Local\xSXt\msdtc.exe
C:\Users\Admin\AppData\Local\xSXt\msdtc.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2468

C:\Windows\system32\notepad.exe
C:\Windows\system32\notepad.exe
1⤵
PID:2864

C:\Users\Admin\AppData\Local\KnB\notepad.exe
C:\Users\Admin\AppData\Local\KnB\notepad.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2888

C:\Windows\system32\psr.exe
C:\Windows\system32\psr.exe
1⤵
PID:2296

C:\Users\Admin\AppData\Local\sLW\psr.exe
C:\Users\Admin\AppData\Local\sLW\psr.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2040

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Query Registry

1

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\KnB\VERSION.dll
Filesize
1.9MB

MD5
fd295245d5eceb71cfc091fbb782b4aa

SHA1
a2b8318882026cc194927ea547d276d6987a2c44

SHA256
2fb40d53d0691b77269f343b4e2bacceb3fc502c22db06877bf17a92237cebbc

SHA512
2526b1a7f4e8e4e57269218c7514bca9245f1a69c3ae11cfd828143a4dac97e0c64ea3b82241eec7c48b47cc96d47f0282f6c07d7957242517e601cf718fc621

Download Submit
C:\Users\Admin\AppData\Local\sLW\XmlLite.dll
Filesize
1.9MB

MD5
99d8835cad1c7655839f5047f5edb2ee

SHA1
7559148d8b1d017b53b482362040500fae6ace68

SHA256
0a0d266db6e67c137851a9dc764b5e76ed33246271104fb940310668e8450556

SHA512
a0aadcf22c6fa6ac70a36e2b550744b6680a64d54dcd8ebb12b93caf54a358052eee5c17153ff6ba115ef0ce908f04b0cc5ccc0f88a4ea179b3852d0925ee4a0

Download Submit
C:\Users\Admin\AppData\Local\xSXt\VERSION.dll
Filesize
1.9MB

MD5
007b61a1d91aa08a5910dde419ea901e

SHA1
5b931ebfae433fb27dd5782171311801b8e5b854

SHA256
259720dd7337f5ade922a091b0b0212c57a17e8c761a79ec2ba2ab4597552259

SHA512
19dd99e9c51fc74d9f98f6d8e2bb74a43ed20165bb978a109c81b0ca13f48c0c63a7e514371a8025c2b4f3b432843a94d45c342cfd3987d603da4ec49a5eff49

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Qscjinkjzo.lnk
Filesize
1KB

MD5
584874e43f9f677a3e4c9debae9566bd

SHA1
f476a3baa00d17781db1e05ba43ad7f3421e362f

SHA256
c9cffcb2f4c1b2ab9dfc28bda03ab9c9efc5ad8a461569422c919cd5dc574978

SHA512
5ee000c230b22ea4e37dc4abc0c4a2ca4907cfc1a4ebe6b9c325443925080f916f5e5f15e5796d308b4725320e4db2af58f6f18b7868d82bc42dbc2d5d3b97de

Download Submit
\Users\Admin\AppData\Local\KnB\notepad.exe
Filesize
189KB

MD5
f2c7bb8acc97f92e987a2d4087d021b1

SHA1
7eb0139d2175739b3ccb0d1110067820be6abd29

SHA256
142e1d688ef0568370c37187fd9f2351d7ddeda574f8bfa9b0fa4ef42db85aa2

SHA512
2f37a2e503cffbd7c05c7d8a125b55368ce11aad5b62f17aaac7aaf3391a6886fa6a0fd73223e9f30072419bf5762a8af7958e805a52d788ba41f61eb084bfe8

Download Submit
\Users\Admin\AppData\Local\sLW\psr.exe
Filesize
715KB

MD5
a80527109d75cba125d940b007eea151

SHA1
facf32a9ede6abfaa09368bfdfcfec8554107272

SHA256
68910f8aae867e938b6a3b76cdf176898ba275d9ade85b4ce00b03232de4c495

SHA512
77b86a597c33af8d3fbd9711f4abe6e0ca33b86279b1d28a25dcf3545a34b221be1ad7d11004d016203809cead1ebfd4b7e889ee9df2efc100eabf77963c1774

Download Submit
\Users\Admin\AppData\Local\xSXt\msdtc.exe
Filesize
138KB

MD5
de0ece52236cfa3ed2dbfc03f28253a8

SHA1
84bbd2495c1809fcd19b535d41114e4fb101466c

SHA256
2fbbec4cacb5161f68d7c2935852a5888945ca0f107cf8a1c01f4528ce407de3

SHA512
69386134667626c60c99d941c8ab52f8e5235e3897b5af76965572287afd5dcd42b8207a520587844a57a268e4decb3f3c550e5b7a06230ee677dc5e40c50bb3

Download Submit
memory/1216-29-0x0000000140000000-0x00000001401E1000-memory.dmp

Filesize
1.9MB

Download
memory/1216-12-0x0000000140000000-0x00000001401E1000-memory.dmp

Filesize
1.9MB

Download
memory/1216-20-0x0000000140000000-0x00000001401E1000-memory.dmp

Filesize
1.9MB

Download
memory/1216-23-0x0000000140000000-0x00000001401E1000-memory.dmp

Filesize
1.9MB

Download
memory/1216-25-0x0000000140000000-0x00000001401E1000-memory.dmp

Filesize
1.9MB

Download
memory/1216-27-0x0000000140000000-0x00000001401E1000-memory.dmp

Filesize
1.9MB

Download
memory/1216-132-0x00000000777E6000-0x00000000777E7000-memory.dmp

Filesize
4KB

Download
memory/1216-30-0x0000000140000000-0x00000001401E1000-memory.dmp

Filesize
1.9MB

Download
memory/1216-32-0x0000000140000000-0x00000001401E1000-memory.dmp

Filesize
1.9MB

Download
memory/1216-34-0x0000000140000000-0x00000001401E1000-memory.dmp

Filesize
1.9MB

Download
memory/1216-36-0x0000000002140000-0x0000000002147000-memory.dmp

Filesize
28KB

Download
memory/1216-42-0x0000000140000000-0x00000001401E1000-memory.dmp

Filesize
1.9MB

Download
memory/1216-33-0x0000000140000000-0x00000001401E1000-memory.dmp

Filesize
1.9MB

Download
memory/1216-31-0x0000000140000000-0x00000001401E1000-memory.dmp

Filesize
1.9MB

Download
memory/1216-28-0x0000000140000000-0x00000001401E1000-memory.dmp

Filesize
1.9MB

Download
memory/1216-26-0x0000000140000000-0x00000001401E1000-memory.dmp

Filesize
1.9MB

Download
memory/1216-24-0x0000000140000000-0x00000001401E1000-memory.dmp

Filesize
1.9MB

Download
memory/1216-22-0x0000000140000000-0x00000001401E1000-memory.dmp

Filesize
1.9MB

Download
memory/1216-21-0x0000000140000000-0x00000001401E1000-memory.dmp

Filesize
1.9MB

Download
memory/1216-19-0x0000000140000000-0x00000001401E1000-memory.dmp

Filesize
1.9MB

Download
memory/1216-17-0x0000000140000000-0x00000001401E1000-memory.dmp

Filesize
1.9MB

Download
memory/1216-15-0x0000000140000000-0x00000001401E1000-memory.dmp

Filesize
1.9MB

Download
memory/1216-14-0x0000000140000000-0x00000001401E1000-memory.dmp

Filesize
1.9MB

Download
memory/1216-18-0x0000000140000000-0x00000001401E1000-memory.dmp

Filesize
1.9MB

Download
memory/1216-10-0x0000000140000000-0x00000001401E1000-memory.dmp

Filesize
1.9MB

Download
memory/1216-9-0x0000000140000000-0x00000001401E1000-memory.dmp

Filesize
1.9MB

Download
memory/1216-7-0x0000000140000000-0x00000001401E1000-memory.dmp

Filesize
1.9MB

Download
memory/1216-43-0x00000000778F1000-0x00000000778F2000-memory.dmp

Filesize
4KB

Download
memory/1216-44-0x0000000077A50000-0x0000000077A52000-memory.dmp

Filesize
8KB

Download
memory/1216-53-0x0000000140000000-0x00000001401E1000-memory.dmp

Filesize
1.9MB

Download
memory/1216-59-0x0000000140000000-0x00000001401E1000-memory.dmp

Filesize
1.9MB

Download
memory/1216-16-0x0000000140000000-0x00000001401E1000-memory.dmp

Filesize
1.9MB

Download
memory/1216-13-0x0000000140000000-0x00000001401E1000-memory.dmp

Filesize
1.9MB

Download
memory/1216-4-0x00000000777E6000-0x00000000777E7000-memory.dmp

Filesize
4KB

Download
memory/1216-5-0x0000000002160000-0x0000000002161000-memory.dmp

Filesize
4KB

Download
memory/1216-11-0x0000000140000000-0x00000001401E1000-memory.dmp

Filesize
1.9MB

Download
memory/2040-109-0x0000000000510000-0x0000000000517000-memory.dmp

Filesize
28KB

Download
memory/2040-113-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/2468-77-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/2468-72-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/2468-71-0x0000000000100000-0x0000000000107000-memory.dmp

Filesize
28KB

Download
memory/2888-91-0x0000000000380000-0x0000000000387000-memory.dmp

Filesize
28KB

Download
memory/2888-95-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/2952-8-0x0000000140000000-0x00000001401E1000-memory.dmp

Filesize
1.9MB

Download
memory/2952-1-0x0000000000290000-0x0000000000297000-memory.dmp

Filesize
28KB

Download
memory/2952-0-0x0000000140000000-0x00000001401E1000-memory.dmp

Filesize
1.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads