dridex | 9a5fafe9f2709e56150afa4f94b4a157fd75ae0cbd85f3df661c912278392f7a

General

Target

166efc8a667e3cfb33844e03296e97eb_JaffaCakes118.dll
Size

986KB
MD5

166efc8a667e3cfb33844e03296e97eb
SHA1

bd5d5ea491654f42528d67a181b1f2cc69a13ce1
SHA256

9a5fafe9f2709e56150afa4f94b4a157fd75ae0cbd85f3df661c912278392f7a
SHA512

05124728e76803ccf20dcdbd3c3ba39f62b535997c9f5129a03fe8adf7b7f0b441d7402905728fd133a1a93fe7a7b4d152da242892564dc567abd95d4dd08a6e
SSDEEP

24576:PVHchfFcSTdS1ZikTqpaIJvzSqbY/0Z2ZlECMNXkTlzvmJL8:PV8hf6STw1ZlQauvzSq01ICe6zvm

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/1192-5-0x0000000002090000-0x0000000002091000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

wscript.exerdpclip.exemspaint.exe

pid process

2552 wscript.exe
2616 rdpclip.exe
2276 mspaint.exe
Loads dropped DLL 8 IoCs

Processes:

wscript.exerdpclip.exemspaint.exe

pid process

1192
1192
2552 wscript.exe
1192
2616 rdpclip.exe
1192
2276 mspaint.exe
1192

pid	process
2552	wscript.exe
2616	rdpclip.exe
2276	mspaint.exe

pid	process
1192
1192
2552	wscript.exe
1192
2616	rdpclip.exe
1192
2276	mspaint.exe
1192

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\Ybhspkdtbke = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\Acrobat\\9.0\\Collab\\TmyY\\rdpclip.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.exewscript.exerdpclip.exemspaint.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wscript.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rdpclip.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	mspaint.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
2992	rundll32.exe
2992	rundll32.exe
2992	rundll32.exe
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

description	pid	target process
PID 1192 wrote to memory of 2644	1192	wscript.exe
PID 1192 wrote to memory of 2644	1192	wscript.exe
PID 1192 wrote to memory of 2644	1192	wscript.exe
PID 1192 wrote to memory of 2552	1192	wscript.exe
PID 1192 wrote to memory of 2552	1192	wscript.exe
PID 1192 wrote to memory of 2552	1192	wscript.exe
PID 1192 wrote to memory of 1776	1192	rdpclip.exe
PID 1192 wrote to memory of 1776	1192	rdpclip.exe
PID 1192 wrote to memory of 1776	1192	rdpclip.exe
PID 1192 wrote to memory of 2616	1192	rdpclip.exe
PID 1192 wrote to memory of 2616	1192	rdpclip.exe
PID 1192 wrote to memory of 2616	1192	rdpclip.exe
PID 1192 wrote to memory of 1236	1192	mspaint.exe
PID 1192 wrote to memory of 1236	1192	mspaint.exe
PID 1192 wrote to memory of 1236	1192	mspaint.exe
PID 1192 wrote to memory of 2276	1192	mspaint.exe
PID 1192 wrote to memory of 2276	1192	mspaint.exe
PID 1192 wrote to memory of 2276	1192	mspaint.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\166efc8a667e3cfb33844e03296e97eb_JaffaCakes118.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:2992

C:\Windows\system32\wscript.exe
C:\Windows\system32\wscript.exe
1⤵
PID:2644

C:\Users\Admin\AppData\Local\HnET\wscript.exe
C:\Users\Admin\AppData\Local\HnET\wscript.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2552

C:\Windows\system32\rdpclip.exe
C:\Windows\system32\rdpclip.exe
1⤵
PID:1776

C:\Users\Admin\AppData\Local\Vk4z\rdpclip.exe
C:\Users\Admin\AppData\Local\Vk4z\rdpclip.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2616

C:\Windows\system32\mspaint.exe
C:\Windows\system32\mspaint.exe
1⤵
PID:1236

C:\Users\Admin\AppData\Local\kExB9etsz\mspaint.exe
C:\Users\Admin\AppData\Local\kExB9etsz\mspaint.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2276

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Query Registry

1

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\HnET\VERSION.dll
Filesize
987KB

MD5
845ae88336e50a2c9b0e22674b82bece

SHA1
9b4fb9f2e15f73a7fc7c896feae419596da4e42c

SHA256
68719f84581c7c6bde21a47ad55faaa256cb0a7274a9b5b08471f5d4b4bb9a13

SHA512
c9b6a1697bc22d558732cc0c76eadba1b656ad03e81e0bed71ecf8316fbb78e95c6dc309687782ce135fcc7625bcddd93033ee9e262ef6cd4bc618cf404cb8ba

Download Submit
C:\Users\Admin\AppData\Local\Vk4z\WTSAPI32.dll
Filesize
988KB

MD5
8c7a92c5693bb7d94ab807ac453f9f3b

SHA1
081530604352d41b776945d1377c60ecf41fb965

SHA256
effcf4005d32f0c61b8e636168292c4a35deef9b4bfc7d0e599d8e22365d87aa

SHA512
9e79d5bf0b797f77896f178c0c666e7ef3e797e42c6bfe653014c7da22ddd0a4ad31033f294c76df70bf16a30cd1bea43367e5494ed67a0cd562043ef504e4af

Download Submit
C:\Users\Admin\AppData\Local\kExB9etsz\MFC42u.dll
Filesize
1014KB

MD5
68d9198471ef04026ef891625a9dfc42

SHA1
fc3a161ddc58623ed69fcf45dbbc490c4bd7d779

SHA256
45dcace3d1b02d41e0b2aaa458bc381e0546ef521aa4cb39dc5d2ffd94dc62c4

SHA512
ded190acae77113a4f06b74b1ac45ed7dcb1e31c77864e271d5d2fe79cb80302a420870b29db8e7c83ffdf46a1ad0f5b14342d96f415c4cdfa17eb7836b70bab

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Tkjddllshxzvy.lnk
Filesize
1KB

MD5
f278e2641852572841a9f66b259d387b

SHA1
2a463f8eefe23508ab4b4e9981c19929f1d585d0

SHA256
13b4e0cc768de59c349545f8c6b5bd4812516af1938a68d346a75b70e148bd4f

SHA512
f55a2c9c1194ce0632688ab57eaf55b9778124a09ff407504d8536dfc64c445078032c54d2f48bfc78f2618961d71d5e4389a5221c28054b60cd8b0987aa145a

Download Submit
\Users\Admin\AppData\Local\HnET\wscript.exe
Filesize
165KB

MD5
8886e0697b0a93c521f99099ef643450

SHA1
851bd390bf559e702b8323062dbeb251d9f2f6f7

SHA256
d73f7ee4e6e992a618d02580bdbf4fd6ba7c683d110928001092f4073341e95f

SHA512
fc4a176f49a69c5600c427af72d3d274cfeacef48612b18cda966c3b4dda0b9d59c0fe8114d5ed8e0fec780744346e2cd503d1fd15c0c908908d067214b9d837

Download Submit
\Users\Admin\AppData\Local\Vk4z\rdpclip.exe
Filesize
206KB

MD5
25d284eb2f12254c001afe9a82575a81

SHA1
cf131801fdd5ec92278f9e0ae62050e31c6670a5

SHA256
837e0d864c474956c0d9d4e7ae5f884007f19b7f420db9afcf0d266aefa6608b

SHA512
7b4f208fa1681a0a139577ebc974e7acfc85e3c906a674e111223783460585eb989cb6b38f215d79f89e747a0e9224d90e1aa43e091d2042edb8bac7b27b968b

Download Submit
\Users\Admin\AppData\Local\kExB9etsz\mspaint.exe
Filesize
6.4MB

MD5
458f4590f80563eb2a0a72709bfc2bd9

SHA1
3f97dc3bd1467c710c6a8d26b97bb6cf47deb4c6

SHA256
ff923c051ae380bf30d749ebe9cf310ccab6572d84eb81b76fb1012bcbdf557f

SHA512
e34500658dbe105a704fff6988b75d13aa9931adfd585b8ce1f023c61abd573d58067ee1f43e80076729ba99c9a00c17eb8cfcfac9c3d271d76bd251ccab1681

Download Submit
memory/1192-36-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/1192-12-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/1192-25-0x0000000077691000-0x0000000077692000-memory.dmp

Filesize
4KB

Download
memory/1192-24-0x0000000002070000-0x0000000002077000-memory.dmp

Filesize
28KB

Download
memory/1192-23-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/1192-13-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/1192-11-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/1192-10-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/1192-9-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/1192-4-0x0000000077586000-0x0000000077587000-memory.dmp

Filesize
4KB

Download
memory/1192-35-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/1192-5-0x0000000002090000-0x0000000002091000-memory.dmp

Filesize
4KB

Download
memory/1192-14-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/1192-28-0x0000000077820000-0x0000000077822000-memory.dmp

Filesize
8KB

Download
memory/1192-8-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/1192-7-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/1192-66-0x0000000077586000-0x0000000077587000-memory.dmp

Filesize
4KB

Download
memory/2276-95-0x0000000000110000-0x0000000000117000-memory.dmp

Filesize
28KB

Download
memory/2276-92-0x0000000140000000-0x0000000140103000-memory.dmp

Filesize
1.0MB

Download
memory/2276-97-0x0000000140000000-0x0000000140103000-memory.dmp

Filesize
1.0MB

Download
memory/2552-61-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download
memory/2552-55-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download
memory/2552-58-0x00000000003E0000-0x00000000003E7000-memory.dmp

Filesize
28KB

Download
memory/2616-77-0x0000000000290000-0x0000000000297000-memory.dmp

Filesize
28KB

Download
memory/2616-80-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download
memory/2992-44-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/2992-0-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/2992-3-0x00000000001B0000-0x00000000001B7000-memory.dmp

Filesize
28KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads