dridex | de768935312e545c65bc8eb1f91461fb2729fcb0517af6efdbdca5c9b6cb6c66

General

Target

1ac433a51896469ce8de0c2112476c6b_JaffaCakes118.dll
Size

987KB
MD5

1ac433a51896469ce8de0c2112476c6b
SHA1

5c865ccaac2a42edeeca9faa7928a8b578fc95d5
SHA256

de768935312e545c65bc8eb1f91461fb2729fcb0517af6efdbdca5c9b6cb6c66
SHA512

112a8ba84ca41f00c0fe649b70453f07851a973ec018488fab0ec5e57bc28378f4c520ea607e31f8251163cfa8a6c69b7d2352609ab0d917a7d4319f07aef4d4
SSDEEP

24576:6VHchfFcSTdS1ZikTqpaIJvzSqbY/0Z2ZlECMNXkTlzvmJL8:6V8hf6STw1ZlQauvzSq01ICe6zvm

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/1144-5-0x0000000002DD0000-0x0000000002DD1000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

tabcal.exerrinstaller.exeraserver.exe

pid process

2652 tabcal.exe
1604 rrinstaller.exe
2672 raserver.exe
Loads dropped DLL 7 IoCs

Processes:

tabcal.exerrinstaller.exeraserver.exe

pid process

1144
2652 tabcal.exe
1144
1604 rrinstaller.exe
1144
2672 raserver.exe
1144

pid	process
2652	tabcal.exe
1604	rrinstaller.exe
2672	raserver.exe

pid	process
1144
2652	tabcal.exe
1144
1604	rrinstaller.exe
1144
2672	raserver.exe
1144

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\Ybhspkdtbke = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\Acrobat\\9.0\\9IrGNGm\\rrinstaller.exe"

Checks whether UAC is enabled 1 TTPs 3 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

tabcal.exerrinstaller.exeraserver.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	tabcal.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rrinstaller.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	raserver.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

regsvr32.exe

pid	process
1948	regsvr32.exe
1948	regsvr32.exe
1948	regsvr32.exe
1144
1144
1144
1144
1144
1144
1144
1144
1144
1144
1144
1144
1144
1144
1144
1144
1144
1144
1144
1144
1144
1144
1144
1144
1144
1144
1144
1144
1144
1144
1144
1144
1144
1144
1144
1144
1144
1144
1144
1144
1144
1144
1144
1144
1144
1144
1144
1144
1144
1144
1144
1144
1144
1144
1144
1144
1144
1144
1144
1144
1144

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

description	pid	target process
PID 1144 wrote to memory of 2548	1144	tabcal.exe
PID 1144 wrote to memory of 2548	1144	tabcal.exe
PID 1144 wrote to memory of 2548	1144	tabcal.exe
PID 1144 wrote to memory of 2652	1144	tabcal.exe
PID 1144 wrote to memory of 2652	1144	tabcal.exe
PID 1144 wrote to memory of 2652	1144	tabcal.exe
PID 1144 wrote to memory of 1716	1144	rrinstaller.exe
PID 1144 wrote to memory of 1716	1144	rrinstaller.exe
PID 1144 wrote to memory of 1716	1144	rrinstaller.exe
PID 1144 wrote to memory of 1604	1144	rrinstaller.exe
PID 1144 wrote to memory of 1604	1144	rrinstaller.exe
PID 1144 wrote to memory of 1604	1144	rrinstaller.exe
PID 1144 wrote to memory of 2376	1144	raserver.exe
PID 1144 wrote to memory of 2376	1144	raserver.exe
PID 1144 wrote to memory of 2376	1144	raserver.exe
PID 1144 wrote to memory of 2672	1144	raserver.exe
PID 1144 wrote to memory of 2672	1144	raserver.exe
PID 1144 wrote to memory of 2672	1144	raserver.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\1ac433a51896469ce8de0c2112476c6b_JaffaCakes118.dll
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:1948

C:\Windows\system32\tabcal.exe
C:\Windows\system32\tabcal.exe
1⤵
PID:2548

C:\Users\Admin\AppData\Local\cDH73Dvs\tabcal.exe
C:\Users\Admin\AppData\Local\cDH73Dvs\tabcal.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2652

C:\Windows\system32\rrinstaller.exe
C:\Windows\system32\rrinstaller.exe
1⤵
PID:1716

C:\Users\Admin\AppData\Local\HMd\rrinstaller.exe
C:\Users\Admin\AppData\Local\HMd\rrinstaller.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1604

C:\Windows\system32\raserver.exe
C:\Windows\system32\raserver.exe
1⤵
PID:2376

C:\Users\Admin\AppData\Local\vVdfK\raserver.exe
C:\Users\Admin\AppData\Local\vVdfK\raserver.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2672

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Query Registry

1

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\HMd\MFPlat.DLL
Filesize
993KB

MD5
9f2b4d55d2b6c419b07ffffca81422e0

SHA1
c6b88f540b3627820367bc54b5bf337ed212deb6

SHA256
ef3b6d5c02262fe3954de8e81f9eb9edf56292d5e06e1edbcb5c7c9e7ac35617

SHA512
b24781f48a8901388f3f6b1759d6d40f5473e4123c739e9f426a02b21b98fe491b5bbaabba23cdeba2ec9629ba2ce78ceeef0c22fb599c37077bffd5a4365ce0

Download Submit
C:\Users\Admin\AppData\Local\cDH73Dvs\HID.DLL
Filesize
989KB

MD5
a7e2326941bdcc53f64a3b02bc565237

SHA1
603d9ec08b7720f16f02ee6f46e24f28f1ca00a9

SHA256
7a50e6143b2700eb60a27a757567ec5700455d065ceca0bd63213a5309d20561

SHA512
e77eb7e62ee292045195d7e99860a441693710e328eb7d3516eabbd156c238f4bc7de84c0459a826938d17c3772eb139e0d718dc31e6e523d5aa6c639a003c5e

Download Submit
C:\Users\Admin\AppData\Local\vVdfK\WTSAPI32.dll
Filesize
989KB

MD5
b51b35c43397841ba00e0aaabc648b0c

SHA1
2ce7aab8686ebc5a4fbb52bb4e1eb0e8c67e8758

SHA256
0c09c1b9cdb75a56f7af50a42a3af9cabb8a44221daade9fe0cf71fe9b24261c

SHA512
b2aec65ffd489210b63d31e936321cfdc246448e8143a15b7f9f922b9debd4e8ef5077f06eed7dec99ee976d1377e87cbaadb5dd55a651713b02631e3d481577

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Tkjddllshxzvy.lnk
Filesize
1KB

MD5
208ffd0167a44fb3248a1a1e9aed1a2f

SHA1
3cbe15be39991c388e1159e15997221fa700cb6b

SHA256
742923d2bb2eecc147bd51ceb8a242f462b1deb62ee43e1c4acb989a7bec651d

SHA512
358c5ccb1e1bfba2a57a11f312bb35631f7e68647663c4320c6ea63560278957ced881107faf41ff792ffb571aa424ba6829c3d579248a8eb3f72ff478a894ce

Download Submit
\Users\Admin\AppData\Local\HMd\rrinstaller.exe
Filesize
54KB

MD5
0d3a73b0b30252680b383532f1758649

SHA1
9f098d2037e4dd94eca6d04c37b3d4ad8b0cc931

SHA256
fc8a992b6ac311e1b1491ec3e31e273a41f7fdf3f68176321307b68489a03fbc

SHA512
a7961f4d8d0e07959d1501d721c7751b01af6704c7da5c1f31e40de5372ee6a1fce2f3e0077c8e6a1bed017e11ce4be9b0d17c04e30b222fb3f0df67b870b2d4

Download Submit
\Users\Admin\AppData\Local\cDH73Dvs\tabcal.exe
Filesize
77KB

MD5
98e7911befe83f76777317ce6905666d

SHA1
2780088dffe1dd1356c5dd5112a9f04afee3ee8d

SHA256
3fe8b63367b4298e70d46e87ce04cc7af5f30dfdb86b79eae41d0731d9415ea1

SHA512
fc0226381d9a6984cccac8282697c78966524e1359f7f6044559b8223e773d3c108dda08a2dd283aa171dca3390801f2c92a5d1dbb978dd7f92a67bd8877b8b6

Download Submit
\Users\Admin\AppData\Local\vVdfK\raserver.exe
Filesize
123KB

MD5
cd0bc0b6b8d219808aea3ecd4e889b19

SHA1
9f8f4071ce2484008e36fdfd963378f4ebad703f

SHA256
16abc530c0367df1ad631f09e14c565cf99561949aa14acc533cd54bf8a5e22c

SHA512
84291ea3fafb38ef96817d5fe4a972475ef8ea24a4353568029e892fa8e15cf8e8f6ef4ff567813cd3b38092f0db4577d9dccb22be755eebdd4f77e623dc80ac

Download Submit
memory/1144-13-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/1144-23-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/1144-12-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/1144-24-0x0000000002DB0000-0x0000000002DB7000-memory.dmp

Filesize
28KB

Download
memory/1144-11-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/1144-10-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/1144-8-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/1144-26-0x00000000778A0000-0x00000000778A2000-memory.dmp

Filesize
8KB

Download
memory/1144-25-0x0000000077711000-0x0000000077712000-memory.dmp

Filesize
4KB

Download
memory/1144-37-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/1144-35-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/1144-4-0x0000000077506000-0x0000000077507000-memory.dmp

Filesize
4KB

Download
memory/1144-14-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/1144-5-0x0000000002DD0000-0x0000000002DD1000-memory.dmp

Filesize
4KB

Download
memory/1144-73-0x0000000077506000-0x0000000077507000-memory.dmp

Filesize
4KB

Download
memory/1144-7-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/1144-9-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/1604-70-0x0000000140000000-0x00000001400FE000-memory.dmp

Filesize
1016KB

Download
memory/1604-74-0x0000000000390000-0x0000000000397000-memory.dmp

Filesize
28KB

Download
memory/1604-75-0x0000000140000000-0x00000001400FE000-memory.dmp

Filesize
1016KB

Download
memory/1948-3-0x00000000002C0000-0x00000000002C7000-memory.dmp

Filesize
28KB

Download
memory/1948-44-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/1948-0-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/2652-58-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download
memory/2652-53-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download
memory/2652-52-0x0000000000190000-0x0000000000197000-memory.dmp

Filesize
28KB

Download
memory/2672-87-0x0000000000110000-0x0000000000117000-memory.dmp

Filesize
28KB

Download
memory/2672-93-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads