dridex | 11b81dc6921307de061b316f6f18bedd1c7dc8301e78e7d7b43ae64b90f3b9e0

General

Target

1e677cd3350d2618878c7bf997c81d86_JaffaCakes118.dll
Size

1.2MB
MD5

1e677cd3350d2618878c7bf997c81d86
SHA1

1d30fba14ba2e56ba95d8a475ec7df48697dba24
SHA256

11b81dc6921307de061b316f6f18bedd1c7dc8301e78e7d7b43ae64b90f3b9e0
SHA512

ab751499a5cc3b05b151a6fc113ed44a641f907d7a17176c9e6cb4cb4799f09bd972c8b3df70e94722a813bd8f1e775010ef02037f633834dd68e2606a282594
SSDEEP

24576:FVHchfFcSTdS1ZikTqpaIJvzSqbY/0Z2ZlECMNXkTlzvmJL8:FV8hf6STw1ZlQauvzSq01ICe6zvm

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/1196-5-0x00000000025D0000-0x00000000025D1000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

fveprompt.exeDeviceDisplayObjectProvider.exerdpclip.exe

pid process

2740 fveprompt.exe
2996 DeviceDisplayObjectProvider.exe
2964 rdpclip.exe
Loads dropped DLL 7 IoCs

Processes:

fveprompt.exeDeviceDisplayObjectProvider.exerdpclip.exe

pid process

1196
2740 fveprompt.exe
1196
2996 DeviceDisplayObjectProvider.exe
1196
2964 rdpclip.exe
1196

pid	process
2740	fveprompt.exe
2996	DeviceDisplayObjectProvider.exe
2964	rdpclip.exe

pid	process
1196
2740	fveprompt.exe
1196
2996	DeviceDisplayObjectProvider.exe
1196
2964	rdpclip.exe
1196

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\Yyeybzteybdsbj = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Protect\\XwFIMzuG\\DeviceDisplayObjectProvider.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

DeviceDisplayObjectProvider.exerdpclip.exerundll32.exefveprompt.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	DeviceDisplayObjectProvider.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rdpclip.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	fveprompt.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
3008	rundll32.exe
3008	rundll32.exe
3008	rundll32.exe
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

description	pid	target process
PID 1196 wrote to memory of 3020	1196	fveprompt.exe
PID 1196 wrote to memory of 3020	1196	fveprompt.exe
PID 1196 wrote to memory of 3020	1196	fveprompt.exe
PID 1196 wrote to memory of 2740	1196	fveprompt.exe
PID 1196 wrote to memory of 2740	1196	fveprompt.exe
PID 1196 wrote to memory of 2740	1196	fveprompt.exe
PID 1196 wrote to memory of 1152	1196	DeviceDisplayObjectProvider.exe
PID 1196 wrote to memory of 1152	1196	DeviceDisplayObjectProvider.exe
PID 1196 wrote to memory of 1152	1196	DeviceDisplayObjectProvider.exe
PID 1196 wrote to memory of 2996	1196	DeviceDisplayObjectProvider.exe
PID 1196 wrote to memory of 2996	1196	DeviceDisplayObjectProvider.exe
PID 1196 wrote to memory of 2996	1196	DeviceDisplayObjectProvider.exe
PID 1196 wrote to memory of 2916	1196	rdpclip.exe
PID 1196 wrote to memory of 2916	1196	rdpclip.exe
PID 1196 wrote to memory of 2916	1196	rdpclip.exe
PID 1196 wrote to memory of 2964	1196	rdpclip.exe
PID 1196 wrote to memory of 2964	1196	rdpclip.exe
PID 1196 wrote to memory of 2964	1196	rdpclip.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\1e677cd3350d2618878c7bf997c81d86_JaffaCakes118.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:3008

C:\Windows\system32\fveprompt.exe
C:\Windows\system32\fveprompt.exe
1⤵
PID:3020

C:\Users\Admin\AppData\Local\mGz1MHNc\fveprompt.exe
C:\Users\Admin\AppData\Local\mGz1MHNc\fveprompt.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2740

C:\Windows\system32\DeviceDisplayObjectProvider.exe
C:\Windows\system32\DeviceDisplayObjectProvider.exe
1⤵
PID:1152

C:\Users\Admin\AppData\Local\JfWyaIjE8\DeviceDisplayObjectProvider.exe
C:\Users\Admin\AppData\Local\JfWyaIjE8\DeviceDisplayObjectProvider.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2996

C:\Windows\system32\rdpclip.exe
C:\Windows\system32\rdpclip.exe
1⤵
PID:2916

C:\Users\Admin\AppData\Local\vNfomMm\rdpclip.exe
C:\Users\Admin\AppData\Local\vNfomMm\rdpclip.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2964

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Query Registry

1

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\JfWyaIjE8\DeviceDisplayObjectProvider.exe
Filesize
109KB

MD5
7e2eb3a4ae11190ef4c8a9b9a9123234

SHA1
72e98687a8d28614e2131c300403c2822856e865

SHA256
8481a8ec19cb656ce328c877d5817d317203ba34424a2e9d169ddce5bf2cd2b0

SHA512
18b1a0637f48929972a463d441182307725ebf1410dd461a1966bd040ac5dcced138155b7c713bfc924ea2f7b39527a084a08b44fa24c3eb9c654871f99caabf

Download Submit
C:\Users\Admin\AppData\Local\JfWyaIjE8\XmlLite.dll
Filesize
1.2MB

MD5
035ab22ba3c3452de666d221a5680e83

SHA1
c9c84be2f7d91d29b737415e39c73200d7240313

SHA256
3e20a1e943f14529dd42dd1af71f6181e9f5f3a5f893f20dbd67f2571a72c649

SHA512
5c87cb20b601685c7331b460e495e81a2815a1aceb3c042e0137b141be0adaa04efa10ac3ee13c32e1b81c8d6ef12f81ea3e9cd3a02a7da3bc5a41d579bb4640

Download Submit
C:\Users\Admin\AppData\Local\mGz1MHNc\slc.dll
Filesize
1.2MB

MD5
317f6a5a280e70bfd986485e21a1651d

SHA1
8d5bedd68447bb2a9ce23f16e70622babfc40a9b

SHA256
42a33eb0670046281ef6500882cce9ae6e17ba8ae645e98d2645e7ec68d3b695

SHA512
3c860f20f676d6ebc3d8bfa5fc1c6b950192ae9398758d2df62624c392a2f1c7abba7fb749549dda6a19bf0e6600d975e01b0f1e3949239ae60804c7c0b1c78e

Download Submit
C:\Users\Admin\AppData\Local\vNfomMm\WTSAPI32.dll
Filesize
1.2MB

MD5
be119a32617fd27460e1ec5453046ae4

SHA1
c7c6d8ff45422cef10c5db25233c646da0d3d363

SHA256
a8f8eb615375dba28e18f80f885e0369afeb770f5b8ed76e547018a985ad456d

SHA512
6cc214f1cfa522873a89faa0e99c3711007f7a31807e283ffe433a901526a3f30593375e32c7a8f3ac61f44f35d50c0ea1aeab4eebfee5ff9f3d8d082985e343

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Omdqupblcei.lnk
Filesize
1KB

MD5
e7df3c6276af46b1b70fae9ab44c104c

SHA1
668b9551c4e11507ef42e3208d178705358a431a

SHA256
181f4d723b080f62e182c1bfc2e2660d54f67d08bace7582123180c1dbfa33b9

SHA512
b2f66ced8a9fd5fc9222cf7d1f189e67e9ac1cd9ee6ecacde8b79449e7fe09211b518215d3a99d2fd078746faa6f7282b2e4f73a3acb096d0b147b8975355566

Download Submit
\Users\Admin\AppData\Local\mGz1MHNc\fveprompt.exe
Filesize
104KB

MD5
dc2c44a23b2cd52bd53accf389ae14b2

SHA1
e36c7b6f328aa2ab2f52478169c52c1916f04b5f

SHA256
7f5b19f2c6a94833196ee1929d48094889b33b504d73d3af88dd857ceaf67921

SHA512
ff083f74777a9cfc940d4e0cb55886397e27c85f867de9a5dd9ea2c2751d2a77bf75fe0734e424d9678c83e927788d07d0b3072024f7e5a9848c7ff1aa4090dc

Download Submit
\Users\Admin\AppData\Local\vNfomMm\rdpclip.exe
Filesize
206KB

MD5
25d284eb2f12254c001afe9a82575a81

SHA1
cf131801fdd5ec92278f9e0ae62050e31c6670a5

SHA256
837e0d864c474956c0d9d4e7ae5f884007f19b7f420db9afcf0d266aefa6608b

SHA512
7b4f208fa1681a0a139577ebc974e7acfc85e3c906a674e111223783460585eb989cb6b38f215d79f89e747a0e9224d90e1aa43e091d2042edb8bac7b27b968b

Download Submit
memory/1196-27-0x0000000077311000-0x0000000077312000-memory.dmp

Filesize
4KB

Download
memory/1196-65-0x0000000077206000-0x0000000077207000-memory.dmp

Filesize
4KB

Download
memory/1196-15-0x0000000140000000-0x0000000140144000-memory.dmp

Filesize
1.3MB

Download
memory/1196-14-0x0000000140000000-0x0000000140144000-memory.dmp

Filesize
1.3MB

Download
memory/1196-13-0x0000000140000000-0x0000000140144000-memory.dmp

Filesize
1.3MB

Download
memory/1196-12-0x0000000140000000-0x0000000140144000-memory.dmp

Filesize
1.3MB

Download
memory/1196-11-0x0000000140000000-0x0000000140144000-memory.dmp

Filesize
1.3MB

Download
memory/1196-10-0x0000000140000000-0x0000000140144000-memory.dmp

Filesize
1.3MB

Download
memory/1196-8-0x0000000140000000-0x0000000140144000-memory.dmp

Filesize
1.3MB

Download
memory/1196-4-0x0000000077206000-0x0000000077207000-memory.dmp

Filesize
4KB

Download
memory/1196-28-0x00000000774A0000-0x00000000774A2000-memory.dmp

Filesize
8KB

Download
memory/1196-38-0x0000000140000000-0x0000000140144000-memory.dmp

Filesize
1.3MB

Download
memory/1196-37-0x0000000140000000-0x0000000140144000-memory.dmp

Filesize
1.3MB

Download
memory/1196-5-0x00000000025D0000-0x00000000025D1000-memory.dmp

Filesize
4KB

Download
memory/1196-25-0x0000000140000000-0x0000000140144000-memory.dmp

Filesize
1.3MB

Download
memory/1196-26-0x00000000025B0000-0x00000000025B7000-memory.dmp

Filesize
28KB

Download
memory/1196-7-0x0000000140000000-0x0000000140144000-memory.dmp

Filesize
1.3MB

Download
memory/1196-9-0x0000000140000000-0x0000000140144000-memory.dmp

Filesize
1.3MB

Download
memory/1196-16-0x0000000140000000-0x0000000140144000-memory.dmp

Filesize
1.3MB

Download
memory/2740-60-0x0000000140000000-0x0000000140145000-memory.dmp

Filesize
1.3MB

Download
memory/2740-55-0x0000000140000000-0x0000000140145000-memory.dmp

Filesize
1.3MB

Download
memory/2740-54-0x0000000000110000-0x0000000000117000-memory.dmp

Filesize
28KB

Download
memory/2964-96-0x0000000140000000-0x0000000140145000-memory.dmp

Filesize
1.3MB

Download
memory/2996-76-0x0000000000370000-0x0000000000377000-memory.dmp

Filesize
28KB

Download
memory/2996-79-0x0000000140000000-0x0000000140145000-memory.dmp

Filesize
1.3MB

Download
memory/3008-46-0x0000000140000000-0x0000000140144000-memory.dmp

Filesize
1.3MB

Download
memory/3008-3-0x0000000000120000-0x0000000000127000-memory.dmp

Filesize
28KB

Download
memory/3008-0-0x0000000140000000-0x0000000140144000-memory.dmp

Filesize
1.3MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads