dridex | bcaa8df8f923d15444b1f1e63808c8b39ca0ac30d6c1288c294b5273f1a95387

General

Target

1eeb67c0b2313b3e4bc8acd49939c136_JaffaCakes118.dll
Size

986KB
MD5

1eeb67c0b2313b3e4bc8acd49939c136
SHA1

e94a3953ad29be223a423514e0fe230c65999e04
SHA256

bcaa8df8f923d15444b1f1e63808c8b39ca0ac30d6c1288c294b5273f1a95387
SHA512

b57a8252fd821cad9ea48f431ceb20da7a6be24530459096a5998e7cb16559372fd8942e54a64ebadd58e2765e843024e808bfe32eec5897c42c92caaa9e1533
SSDEEP

24576:+VHchfFcSTdS1ZikTqpaIJvzSqbY/0Z2ZlECMNXkTlzvmJL8:+V8hf6STw1ZlQauvzSq01ICe6zvm

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/1376-5-0x0000000002970000-0x0000000002971000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

raserver.exeDxpserver.exeNetplwiz.exe

pid process

2476 raserver.exe
2796 Dxpserver.exe
2508 Netplwiz.exe
Loads dropped DLL 7 IoCs

Processes:

raserver.exeDxpserver.exeNetplwiz.exe

pid process

1376
2476 raserver.exe
1376
2796 Dxpserver.exe
1376
2508 Netplwiz.exe
1376

pid	process
2476	raserver.exe
2796	Dxpserver.exe
2508	Netplwiz.exe

pid	process
1376
2476	raserver.exe
1376
2796	Dxpserver.exe
1376
2508	Netplwiz.exe
1376

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\Groztcac = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\FLASHP~1\\ASSETC~1\\5OKWAF~1\\DXPSER~1.EXE"

Checks whether UAC is enabled 1 TTPs 3 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

raserver.exeDxpserver.exeNetplwiz.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	raserver.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Dxpserver.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Netplwiz.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

regsvr32.exe

pid	process
1276	regsvr32.exe
1276	regsvr32.exe
1276	regsvr32.exe
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

description	pid	target process
PID 1376 wrote to memory of 2732	1376	raserver.exe
PID 1376 wrote to memory of 2732	1376	raserver.exe
PID 1376 wrote to memory of 2732	1376	raserver.exe
PID 1376 wrote to memory of 2476	1376	raserver.exe
PID 1376 wrote to memory of 2476	1376	raserver.exe
PID 1376 wrote to memory of 2476	1376	raserver.exe
PID 1376 wrote to memory of 2572	1376	Dxpserver.exe
PID 1376 wrote to memory of 2572	1376	Dxpserver.exe
PID 1376 wrote to memory of 2572	1376	Dxpserver.exe
PID 1376 wrote to memory of 2796	1376	Dxpserver.exe
PID 1376 wrote to memory of 2796	1376	Dxpserver.exe
PID 1376 wrote to memory of 2796	1376	Dxpserver.exe
PID 1376 wrote to memory of 2764	1376	Netplwiz.exe
PID 1376 wrote to memory of 2764	1376	Netplwiz.exe
PID 1376 wrote to memory of 2764	1376	Netplwiz.exe
PID 1376 wrote to memory of 2508	1376	Netplwiz.exe
PID 1376 wrote to memory of 2508	1376	Netplwiz.exe
PID 1376 wrote to memory of 2508	1376	Netplwiz.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\1eeb67c0b2313b3e4bc8acd49939c136_JaffaCakes118.dll
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:1276

C:\Windows\system32\raserver.exe
C:\Windows\system32\raserver.exe
1⤵
PID:2732

C:\Users\Admin\AppData\Local\cmV6xIuEz\raserver.exe
C:\Users\Admin\AppData\Local\cmV6xIuEz\raserver.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2476

C:\Windows\system32\Dxpserver.exe
C:\Windows\system32\Dxpserver.exe
1⤵
PID:2572

C:\Users\Admin\AppData\Local\4CfWkb\Dxpserver.exe
C:\Users\Admin\AppData\Local\4CfWkb\Dxpserver.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2796

C:\Windows\system32\Netplwiz.exe
C:\Windows\system32\Netplwiz.exe
1⤵
PID:2764

C:\Users\Admin\AppData\Local\ke1aY\Netplwiz.exe
C:\Users\Admin\AppData\Local\ke1aY\Netplwiz.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2508

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Query Registry

1

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\4CfWkb\dwmapi.dll
Filesize
987KB

MD5
14f208945405f4986fad8195e47de289

SHA1
2b4ce4300ff53f9feb5a6897ebf855e0b32ac1e4

SHA256
3388c05f9c6667b537be3200d2ee526cc209ea7ca191d1cb7719fe2bdaa985c1

SHA512
c0fd081547e0482a1a17b95e1fd48233826bacf33942cc955b24605d835e62badb9c8a7b4f38a5e509a857c7aa135f899b6b2b3e866110382c626b816187b4cb

Download Submit
C:\Users\Admin\AppData\Local\cmV6xIuEz\WTSAPI32.dll
Filesize
988KB

MD5
bc6b89235e5f97aef85f6ce7600ce24f

SHA1
82198a52ce6181975f80302ce82b9e0543dcabc7

SHA256
4b3cca741decb989645471011a6a556aa02c930de8a97edeb156a1ddba42f6e5

SHA512
ad541e5223d3dee42a6c83a2cde10380159c82fdbcf9c077e3d15396934137066c4de6c0f7a9c8cfa4d450ac538f3c104e7c7a2a93dc872533561e72a4078fcf

Download Submit
C:\Users\Admin\AppData\Local\ke1aY\NETPLWIZ.dll
Filesize
986KB

MD5
c3a9da0e0fbcfc65cb3494ed3c053776

SHA1
209d1fa3eb728a3b641a0686e8798e48feb214a1

SHA256
02cc35af5dbea691c62d0e6f622570310fd859db5d23654b54618c9fc341eaf5

SHA512
a5f629129495cfc381736d877245f5b64b08ec63599d95378de442c5baf31cd6d1bfbe338889c3035385f2075af76831fc1fcd0cdac095c39685d1ec6b8208b5

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Aqrvnhd.lnk
Filesize
1KB

MD5
383e4ac26cb9639d964f4f8c17db8393

SHA1
0ab51d4d1bd465b37c7d0f347c3081bee3d3017e

SHA256
c388bb268c49ec56bd3cf88031bed7fee41603335263dac28a4185857e23239d

SHA512
4d4c06ccaa0a0b39e32e02169afc8fb8dbc1465b240c2af5f346c701bea723481bd15a82117a253faceb98b89999da93a50fe04131bea2f583e829b264b29454

Download Submit
\Users\Admin\AppData\Local\4CfWkb\Dxpserver.exe
Filesize
259KB

MD5
4d38389fb92e43c77a524fd96dbafd21

SHA1
08014e52f6894cad4f1d1e6fc1a703732e9acd19

SHA256
070bc95c486c15d2edc3548ba416dc9565ead401cb03a0472f719fb55ac94e73

SHA512
02d8d130cff2b8de15139d309e1cd74a2148bb786fd749e5f22775d45e193b0f75adf40274375cabce33576480ff20456f25172d29a034cd134b8084d40a67ba

Download Submit
\Users\Admin\AppData\Local\cmV6xIuEz\raserver.exe
Filesize
123KB

MD5
cd0bc0b6b8d219808aea3ecd4e889b19

SHA1
9f8f4071ce2484008e36fdfd963378f4ebad703f

SHA256
16abc530c0367df1ad631f09e14c565cf99561949aa14acc533cd54bf8a5e22c

SHA512
84291ea3fafb38ef96817d5fe4a972475ef8ea24a4353568029e892fa8e15cf8e8f6ef4ff567813cd3b38092f0db4577d9dccb22be755eebdd4f77e623dc80ac

Download Submit
\Users\Admin\AppData\Local\ke1aY\Netplwiz.exe
Filesize
26KB

MD5
e43ec3c800d4c0716613392e81fba1d9

SHA1
37de6a235e978ecf3bb0fc2c864016c5b0134348

SHA256
636606415a85a16a7e6c5c8fcbdf35494991bce1c37dfc19c75ecb7ce12dc65c

SHA512
176c6d8b87bc5a9ca06698e2542ff34d474bcbbf21278390127981366eda89769bd9dd712f3b34f4dd8332a0b40ee0e609276400f16b51999471c8ff24522a08

Download Submit
memory/1276-44-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/1276-3-0x00000000001C0000-0x00000000001C7000-memory.dmp

Filesize
28KB

Download
memory/1276-0-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/1376-13-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/1376-70-0x0000000077016000-0x0000000077017000-memory.dmp

Filesize
4KB

Download
memory/1376-9-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/1376-24-0x0000000002950000-0x0000000002957000-memory.dmp

Filesize
28KB

Download
memory/1376-26-0x00000000773B0000-0x00000000773B2000-memory.dmp

Filesize
8KB

Download
memory/1376-25-0x0000000077221000-0x0000000077222000-memory.dmp

Filesize
4KB

Download
memory/1376-35-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/1376-36-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/1376-11-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/1376-12-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/1376-23-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/1376-4-0x0000000077016000-0x0000000077017000-memory.dmp

Filesize
4KB

Download
memory/1376-5-0x0000000002970000-0x0000000002971000-memory.dmp

Filesize
4KB

Download
memory/1376-7-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/1376-14-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/1376-8-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/1376-10-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/2476-58-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download
memory/2476-55-0x00000000000A0000-0x00000000000A7000-memory.dmp

Filesize
28KB

Download
memory/2476-52-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download
memory/2508-94-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download
memory/2796-71-0x0000000000290000-0x0000000000297000-memory.dmp

Filesize
28KB

Download
memory/2796-77-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads