dridex | 75a98ffedbb5dee82b11bc4a19ac10b9d58d8080ec4c4be4f70bff6ed3428cbe

General

Target

1b2ca79cca5e5492588d3d2661fc858a_JaffaCakes118.dll
Size

990KB
MD5

1b2ca79cca5e5492588d3d2661fc858a
SHA1

a7a57ae852789a84636ee60383edaf89b4b91f28
SHA256

75a98ffedbb5dee82b11bc4a19ac10b9d58d8080ec4c4be4f70bff6ed3428cbe
SHA512

416dc8c67d95eab78e7567b0a5e0a5f4f6a454ed4d663d1cfa072cb331543e6e73834bdb5b32349cc77a5b79f6d3fb61ddb5530745ac8f4a6c1934c37913f41a
SSDEEP

24576:IVHchfFcSTdS1ZikTqpaIJvzSqbY/0Z2ZlECMNXkTlzvmJL8zt:IV8hf6STw1ZlQauvzSq01ICe6zvm

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/1184-5-0x00000000024E0000-0x00000000024E1000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

rdpinit.exeVaultSysUi.exetcmsetup.exe

pid process

2460 rdpinit.exe
1868 VaultSysUi.exe
1660 tcmsetup.exe
Loads dropped DLL 8 IoCs

Processes:

rdpinit.exeVaultSysUi.exetcmsetup.exe

pid process

1184
2460 rdpinit.exe
1184
1184
1868 VaultSysUi.exe
1184
1660 tcmsetup.exe
1184

pid	process
2460	rdpinit.exe
1868	VaultSysUi.exe
1660	tcmsetup.exe

pid	process
1184
2460	rdpinit.exe
1184
1184
1868	VaultSysUi.exe
1184
1660	tcmsetup.exe
1184

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\Ybhspkdtbke = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\AutomaticDestinations\\BNoENA\\VaultSysUi.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.exerdpinit.exeVaultSysUi.exetcmsetup.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rdpinit.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	VaultSysUi.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	tcmsetup.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
1736	rundll32.exe
1736	rundll32.exe
1736	rundll32.exe
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

description	pid	target process
PID 1184 wrote to memory of 2412	1184	rdpinit.exe
PID 1184 wrote to memory of 2412	1184	rdpinit.exe
PID 1184 wrote to memory of 2412	1184	rdpinit.exe
PID 1184 wrote to memory of 2460	1184	rdpinit.exe
PID 1184 wrote to memory of 2460	1184	rdpinit.exe
PID 1184 wrote to memory of 2460	1184	rdpinit.exe
PID 1184 wrote to memory of 1800	1184	VaultSysUi.exe
PID 1184 wrote to memory of 1800	1184	VaultSysUi.exe
PID 1184 wrote to memory of 1800	1184	VaultSysUi.exe
PID 1184 wrote to memory of 1868	1184	VaultSysUi.exe
PID 1184 wrote to memory of 1868	1184	VaultSysUi.exe
PID 1184 wrote to memory of 1868	1184	VaultSysUi.exe
PID 1184 wrote to memory of 2160	1184	tcmsetup.exe
PID 1184 wrote to memory of 2160	1184	tcmsetup.exe
PID 1184 wrote to memory of 2160	1184	tcmsetup.exe
PID 1184 wrote to memory of 1660	1184	tcmsetup.exe
PID 1184 wrote to memory of 1660	1184	tcmsetup.exe
PID 1184 wrote to memory of 1660	1184	tcmsetup.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\1b2ca79cca5e5492588d3d2661fc858a_JaffaCakes118.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:1736

C:\Windows\system32\rdpinit.exe
C:\Windows\system32\rdpinit.exe
1⤵
PID:2412

C:\Users\Admin\AppData\Local\jhl\rdpinit.exe
C:\Users\Admin\AppData\Local\jhl\rdpinit.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2460

C:\Windows\system32\VaultSysUi.exe
C:\Windows\system32\VaultSysUi.exe
1⤵
PID:1800

C:\Users\Admin\AppData\Local\zdHcn\VaultSysUi.exe
C:\Users\Admin\AppData\Local\zdHcn\VaultSysUi.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1868

C:\Windows\system32\tcmsetup.exe
C:\Windows\system32\tcmsetup.exe
1⤵
PID:2160

C:\Users\Admin\AppData\Local\9PJ\tcmsetup.exe
C:\Users\Admin\AppData\Local\9PJ\tcmsetup.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1660

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Query Registry

1

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\9PJ\TAPI32.dll
Filesize
998KB

MD5
683a1bc5f8b221db657f34d6ce5ff568

SHA1
5cbc4666a9701139aef3eda0ad274f3d8adc4594

SHA256
81c16c116cd58427ed801842bf777298d8210f79bd69fd9cb24928a54dce2927

SHA512
aed27d3b412c0669a82fa79a515b7770387e668383495fff838bfa0546719dc4cab084110b5c2af0968bed59a7f836cdfdd2e39ba7473b6142cb7a50ae2b56a0

Download Submit
C:\Users\Admin\AppData\Local\jhl\WTSAPI32.dll
Filesize
992KB

MD5
91e929b05792730af5e1b8de6db47dbf

SHA1
5bd4e37b5b1975e52fa465ee71f79d298d17464a

SHA256
4418151eecaa7feb573001087ed9ceabaf07ec7c3376e7455a9605d052b8e1e6

SHA512
0cf084342c34ad8fd375a545da6e0a4fb60c00dbc81eff94a98e6103274f95d77007319c1dfac8923dc911e15e9b5606a1e7275acc6eb4f458d1351daaae2b0a

Download Submit
C:\Users\Admin\AppData\Local\jhl\rdpinit.exe
Filesize
174KB

MD5
664e12e0ea009cc98c2b578ff4983c62

SHA1
27b302c0108851ac6cc37e56590dd9074b09c3c9

SHA256
00bd9c3c941a5a9b4fc8594d7b985f5f1ac48f0ba7495a728b8fa42b4b48a332

SHA512
f5eee4e924dcc3cf5e82eff36543e9d0e9c17dc2272b403cf30f8d2da42312821f5566249a98a952f5441b1f0d6d61a86b5c5198bc598d65ea9d4fb35822505d

Download Submit
C:\Users\Admin\AppData\Local\zdHcn\credui.dll
Filesize
992KB

MD5
296e68cfffbae28d9f283326cb108f38

SHA1
5b4d98e5bb162709919fb2bef16eb604676fa9e2

SHA256
1e43bdefbabbe052a7a8dcf4fba1ec2ce673c1d9665005b1a230cdb4e540fb43

SHA512
2a2876c11fe4a61af0a8097ee7342d93854d0c4b466380ac20cfa7d15e87d8c4b42a105d5f0ad2112b61b61391165fbe86456f4aa7d7c237e187e0f37a719437

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Tkjddllshxzvy.lnk
Filesize
1KB

MD5
02ad314dfa4c41279dcb64ce55a4e4df

SHA1
59fca350485bb60fd052e046dc72a37e4b60f5cd

SHA256
34740d2f9219d8327e5d6c548851a42f3211684a50cf0184ce85b59b3696dfad

SHA512
d608983f09fab4be8d4a93857c52b14adaecbf24f6bca28de6367c85b591503a915d94da71ab8267f1847218a9475b09265e4187e0f49a0dad47106d38de6b88

Download Submit
\Users\Admin\AppData\Local\9PJ\tcmsetup.exe
Filesize
15KB

MD5
0b08315da0da7f9f472fbab510bfe7b8

SHA1
33ba48fd980216becc532466a5ff8476bec0b31c

SHA256
e19556bb7aa39bbd5f0d568a95aec0b3af18dda438cc5737f945243b24d106e7

SHA512
c30501546efe2b0c003ef87ac381e901c69ddfc6791c6a5102cff3a07f56555d94995a4413b93036821aa214fc31501fa87eb519e1890ef75b2ec497983ffd58

Download Submit
\Users\Admin\AppData\Local\zdHcn\VaultSysUi.exe
Filesize
39KB

MD5
f40ef105d94350d36c799ee23f7fec0f

SHA1
ee3a5cfe8b807e1c1718a27eb97fa134360816e3

SHA256
eeb3f79be414b81f4eb8167390641787f14a033414533fb8de651c2247d054b2

SHA512
f16bcca6f6cecbdae117d5a41de7e86a6d9dfdfa2ce8c75ebff10d097083c106e7f9d030debed8cb20fdd71815a8aa7723a1d3c68b38ec382e55370331c594a1

Download Submit
memory/1184-26-0x0000000077630000-0x0000000077632000-memory.dmp

Filesize
8KB

Download
memory/1184-24-0x00000000024C0000-0x00000000024C7000-memory.dmp

Filesize
28KB

Download
memory/1184-25-0x00000000774A1000-0x00000000774A2000-memory.dmp

Filesize
4KB

Download
memory/1184-23-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/1184-14-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/1184-13-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/1184-12-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/1184-9-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/1184-8-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/1184-36-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/1184-35-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/1184-4-0x0000000077396000-0x0000000077397000-memory.dmp

Filesize
4KB

Download
memory/1184-11-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/1184-7-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/1184-80-0x0000000077396000-0x0000000077397000-memory.dmp

Filesize
4KB

Download
memory/1184-5-0x00000000024E0000-0x00000000024E1000-memory.dmp

Filesize
4KB

Download
memory/1184-10-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/1660-92-0x0000000140000000-0x00000001400FE000-memory.dmp

Filesize
1016KB

Download
memory/1660-95-0x0000000001AC0000-0x0000000001AC7000-memory.dmp

Filesize
28KB

Download
memory/1660-98-0x0000000140000000-0x00000001400FE000-memory.dmp

Filesize
1016KB

Download
memory/1736-3-0x0000000000120000-0x0000000000127000-memory.dmp

Filesize
28KB

Download
memory/1736-44-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/1736-0-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/1868-79-0x0000000000100000-0x0000000000107000-memory.dmp

Filesize
28KB

Download
memory/1868-78-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download
memory/2460-58-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download
memory/2460-55-0x0000000000110000-0x0000000000117000-memory.dmp

Filesize
28KB

Download
memory/2460-52-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads