dridex | 59d9e70834bb6d70b2174b5d11706ecb7cea61f4ab905c986aa98448edc76367

General

Target

07a15ed8751def5bbf538964fbf993b0_JaffaCakes118.dll
Size

990KB
MD5

07a15ed8751def5bbf538964fbf993b0
SHA1

a04388f19678f0a1991115224a6a2e7c669d3a90
SHA256

59d9e70834bb6d70b2174b5d11706ecb7cea61f4ab905c986aa98448edc76367
SHA512

00d92eb16d19ba3994fa0b72a98e636d3cc929386d98657e7b73bf532412f9e12ece449379190bb0251cf4b62d5a1b6147294776c206c434942fd16c52c7a20c
SSDEEP

24576:pVHchfFcSTdS1ZikTqpaIJvzSqbY/0Z2ZlECMNXkTlzvmJL8:pV8hf6STw1ZlQauvzSq01ICe6zvm

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral2/memory/3324-4-0x0000000002C40000-0x0000000002C41000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 4 IoCs

Processes:

Narrator.exerdpinit.exeddodiag.exeBdeUISrv.exe

pid process

4400 Narrator.exe
1504 rdpinit.exe
4236 ddodiag.exe
3660 BdeUISrv.exe
Loads dropped DLL 3 IoCs

Processes:

rdpinit.exeddodiag.exeBdeUISrv.exe

pid process

1504 rdpinit.exe
4236 ddodiag.exe
3660 BdeUISrv.exe

pid	process
4400	Narrator.exe
1504	rdpinit.exe
4236	ddodiag.exe
3660	BdeUISrv.exe

pid	process
1504	rdpinit.exe
4236	ddodiag.exe
3660	BdeUISrv.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Ramyketlbwvbqf = "C:\\Users\\Admin\\AppData\\Roaming\\Sun\\Java\\Deployment\\HPjxtKap\\ddodiag.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

ddodiag.exeBdeUISrv.exerundll32.exerdpinit.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ddodiag.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	BdeUISrv.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rdpinit.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
1480	rundll32.exe
1480	rundll32.exe
1480	rundll32.exe
1480	rundll32.exe
1480	rundll32.exe
1480	rundll32.exe
3324
3324
3324
3324
3324
3324
3324
3324
3324
3324
3324
3324
3324
3324
3324
3324
3324
3324
3324
3324
3324
3324
3324
3324
3324
3324
3324
3324
3324
3324
3324
3324
3324
3324
3324
3324
3324
3324
3324
3324
3324
3324
3324
3324
3324
3324
3324
3324
3324
3324
3324
3324
3324
3324
3324
3324
3324
3324

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

pid process

3324
3324
3324
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

pid process

3324
3324
3324
Suspicious use of UnmapMainImage 1 IoCs

Processes:

pid process

3324

pid	process
3324
3324
3324

pid	process
3324
3324
3324

pid	process
3324

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

description	pid	target process
PID 3324 wrote to memory of 4932	3324	Narrator.exe
PID 3324 wrote to memory of 4932	3324	Narrator.exe
PID 3324 wrote to memory of 1572	3324	rdpinit.exe
PID 3324 wrote to memory of 1572	3324	rdpinit.exe
PID 3324 wrote to memory of 1504	3324	rdpinit.exe
PID 3324 wrote to memory of 1504	3324	rdpinit.exe
PID 3324 wrote to memory of 5400	3324	ddodiag.exe
PID 3324 wrote to memory of 5400	3324	ddodiag.exe
PID 3324 wrote to memory of 4236	3324	ddodiag.exe
PID 3324 wrote to memory of 4236	3324	ddodiag.exe
PID 3324 wrote to memory of 4340	3324	BdeUISrv.exe
PID 3324 wrote to memory of 4340	3324	BdeUISrv.exe
PID 3324 wrote to memory of 3660	3324	BdeUISrv.exe
PID 3324 wrote to memory of 3660	3324	BdeUISrv.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\07a15ed8751def5bbf538964fbf993b0_JaffaCakes118.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:1480

C:\Windows\system32\Narrator.exe
C:\Windows\system32\Narrator.exe
1⤵
PID:4932

C:\Users\Admin\AppData\Local\J2ZRO\Narrator.exe
C:\Users\Admin\AppData\Local\J2ZRO\Narrator.exe
1⤵
- Executes dropped EXE
PID:4400

C:\Windows\system32\rdpinit.exe
C:\Windows\system32\rdpinit.exe
1⤵
PID:1572

C:\Users\Admin\AppData\Local\9ApvV\rdpinit.exe
C:\Users\Admin\AppData\Local\9ApvV\rdpinit.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1504

C:\Windows\system32\ddodiag.exe
C:\Windows\system32\ddodiag.exe
1⤵
PID:5400

C:\Users\Admin\AppData\Local\zsaRQu\ddodiag.exe
C:\Users\Admin\AppData\Local\zsaRQu\ddodiag.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:4236

C:\Windows\system32\BdeUISrv.exe
C:\Windows\system32\BdeUISrv.exe
1⤵
PID:4340

C:\Users\Admin\AppData\Local\0Kg\BdeUISrv.exe
C:\Users\Admin\AppData\Local\0Kg\BdeUISrv.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:3660

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Query Registry

1

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\0Kg\BdeUISrv.exe
Filesize
54KB

MD5
8595075667ff2c9a9f9e2eebc62d8f53

SHA1
c48b54e571f05d4e21d015bb3926c2129f19191a

SHA256
20b05c77f898be08737082e969b39f54fa39753c8c0a06142eb7ad5e0764a2db

SHA512
080dbcdd9234c07efe6cea4919ffa305fdc381ccebed9d1020dd6551b54e20e52387e62a344502fa4a85249defd0f9b506528b8dd34675bc9f51f664b8fc4d88

Download Submit
C:\Users\Admin\AppData\Local\0Kg\WTSAPI32.dll
Filesize
992KB

MD5
715e2a79cdf9cfa81c186236f32bde31

SHA1
9755948d6427a30507a4cc370be205a12f1043e6

SHA256
732bca201c592b98b26298aba8eea4d7f7b517bf3be21ed8197f843e12eca4b0

SHA512
9419a7b2a203d1e471c21ed7ae34785cb7a0ae63a8332c5900c5361be1f0bae361ec80d2c9bfc9daa01530089b6391860d2cfbf9229878498601ef5b4cb699b0

Download Submit
C:\Users\Admin\AppData\Local\9ApvV\WINSTA.dll
Filesize
997KB

MD5
76762e15002205fd91e6ff07617fc0e7

SHA1
bb4a8d89b447fa42a4200846d84dbd3bffab34eb

SHA256
3ebc21d80959f8e319dc28bc4bd8aeff66263e4b9e1e6ca7a24f4969065a96e8

SHA512
267850bd197ce285d5f4c4a039e35e071dd19961be09792445fd3cd37611d6591b491056607c851f53e852cbf71730531069311aedbac8725f3f001cae7e2161

Download Submit
C:\Users\Admin\AppData\Local\9ApvV\rdpinit.exe
Filesize
343KB

MD5
b0ecd76d99c5f5134aeb52460add6f80

SHA1
51462078092c9d6b7fa2b9544ffe0a49eb258106

SHA256
51251863097f7c80ef59606152ec59e7522881c8e3886c194c43f56bcab92e1b

SHA512
16855c7db48b26297c78d37d52ad03f6af0f5a58e333e17ad83b34f5e8b200c5517c6481043af0ecf1b962af2378f38600bd968592f4e1018b5a1b9400adb367

Download Submit
C:\Users\Admin\AppData\Local\J2ZRO\Narrator.exe
Filesize
521KB

MD5
d92defaa4d346278480d2780325d8d18

SHA1
6494d55b2e5064ffe8add579edfcd13c3e69fffe

SHA256
69b8c93d9b262b36e2bdc223cc0d6e312cc471b49d7cc36befbba1f863a05d83

SHA512
b82c0fbc07361e4ad6e4ab171e55e1e41e9312ba995dce90696ca90f734f5d1ea11371ca046e8680ea566a1c2e0643ab86f1f6dcf6cbd05aed8448425a2830b5

Download Submit
C:\Users\Admin\AppData\Local\zsaRQu\XmlLite.dll
Filesize
990KB

MD5
804be1722c6bb261e4b62a5b034464dc

SHA1
ca375e50e95570763148eea224e5ca5fe83cee34

SHA256
563a90fc6bd14c52ebe86fc3a8eea4e454d6cc70ff150da248aaf2be3d451406

SHA512
4de05c7090dc1214739a8bcf17bc2d2ea7413eb7e7470dbecf29251f20f109801ce11bccd822e658608b2393500e526926633364f418ad99f3c87887f7d9f38f

Download Submit
C:\Users\Admin\AppData\Local\zsaRQu\ddodiag.exe
Filesize
39KB

MD5
85feee634a6aee90f0108e26d3d9bc1f

SHA1
a7b1fa32fe7ed67bd51dea438f2f767e3fef0ca2

SHA256
99c63175504781e9278824d487da082da7c014e99f1024227af164986d3a27c6

SHA512
b81a3e1723a5180c5168cd7bb5181c631f4f57c59780bb82a502160b7874777f3eef1ebe1b14f66c97f9f1a4721af13b6fbcdff2045c8563c18b5d12540953ff

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Ehesgegqlj.lnk
Filesize
1KB

MD5
81527ea0c1211dd44635dfcbd3e3fa87

SHA1
f75e634ce7e4d1b97fbd11e2939f0fb1b76298c3

SHA256
34eda07bc55caf5af80053604cfa595a838520025e0b64d790a040eb26be3a53

SHA512
d53e3ef362d26d41c466584da05279928a38af337b38ceb45b11fbf4063f31e7b5b4d2120464ee1a5ab19773f91417f88aa15708a3000e812c00998a98f04860

Download Submit
memory/1480-0-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download
memory/1480-38-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download
memory/1480-3-0x00000251A69C0000-0x00000251A69C7000-memory.dmp

Filesize
28KB

Download
memory/1504-59-0x0000000140000000-0x00000001400FF000-memory.dmp

Filesize
1020KB

Download
memory/1504-54-0x0000000140000000-0x00000001400FF000-memory.dmp

Filesize
1020KB

Download
memory/1504-53-0x0000017956A50000-0x0000017956A57000-memory.dmp

Filesize
28KB

Download
memory/3324-33-0x0000000000F10000-0x0000000000F17000-memory.dmp

Filesize
28KB

Download
memory/3324-35-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download
memory/3324-6-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download
memory/3324-8-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download
memory/3324-9-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download
memory/3324-10-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download
memory/3324-11-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download
memory/3324-14-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download
memory/3324-32-0x00007FFA2E77A000-0x00007FFA2E77B000-memory.dmp

Filesize
4KB

Download
memory/3324-7-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download
memory/3324-34-0x00007FFA2E9F0000-0x00007FFA2EA00000-memory.dmp

Filesize
64KB

Download
memory/3324-23-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download
memory/3324-4-0x0000000002C40000-0x0000000002C41000-memory.dmp

Filesize
4KB

Download
memory/3324-12-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download
memory/3324-13-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download
memory/3660-90-0x000001B92CDE0000-0x000001B92CDE7000-memory.dmp

Filesize
28KB

Download
memory/3660-93-0x0000000140000000-0x00000001400FE000-memory.dmp

Filesize
1016KB

Download
memory/4236-76-0x0000000140000000-0x00000001400FE000-memory.dmp

Filesize
1016KB

Download
memory/4236-73-0x0000023EA8330000-0x0000023EA8337000-memory.dmp

Filesize
28KB

Download
memory/4236-70-0x0000000140000000-0x00000001400FE000-memory.dmp

Filesize
1016KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads