dridex | 04c81016fa21625303306f3574fc1294105ef223c7dc498510819681eedd52f5

General

Target

25d810dc0c2458141f99fc9e784a2906_JaffaCakes118.dll
Size

987KB
MD5

25d810dc0c2458141f99fc9e784a2906
SHA1

69fdff77d5a20cc2bc1aab7ded817adb5196aff2
SHA256

04c81016fa21625303306f3574fc1294105ef223c7dc498510819681eedd52f5
SHA512

666b0a3f3f6594e49e79c858961828f501ffb6514b2b403e48d908a2f7d47729c97864fb844b1b71727b434ef787178d9ee4d8eb3ec7a5a531f24f3e75831a05
SSDEEP

24576:6VHchfFcSTdS1ZikTqpaIJvzSqbY/0Z2ZlECMNXkTlzvmJL8ct:6V8hf6STw1ZlQauvzSq01ICe6zvm

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral2/memory/3544-4-0x00000000027F0000-0x00000000027F1000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

DevicePairingWizard.exerdpinput.exeomadmclient.exe

pid process

4664 DevicePairingWizard.exe
3248 rdpinput.exe
2340 omadmclient.exe
Loads dropped DLL 3 IoCs

Processes:

DevicePairingWizard.exerdpinput.exeomadmclient.exe

pid process

4664 DevicePairingWizard.exe
3248 rdpinput.exe
2340 omadmclient.exe

pid	process
4664	DevicePairingWizard.exe
3248	rdpinput.exe
2340	omadmclient.exe

pid	process
4664	DevicePairingWizard.exe
3248	rdpinput.exe
2340	omadmclient.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Hkwligutpbxhkv = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\Windows\\PRINTE~1\\cD\\rdpinput.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

omadmclient.exerundll32.exeDevicePairingWizard.exerdpinput.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	omadmclient.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	DevicePairingWizard.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rdpinput.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
468	rundll32.exe
468	rundll32.exe
468	rundll32.exe
468	rundll32.exe
3544
3544
3544
3544
3544
3544
3544
3544
3544
3544
3544
3544
3544
3544
3544
3544
3544
3544
3544
3544
3544
3544
3544
3544
3544
3544
3544
3544
3544
3544
3544
3544
3544
3544
3544
3544
3544
3544
3544
3544
3544
3544
3544
3544
3544
3544
3544
3544
3544
3544
3544
3544
3544
3544
3544
3544
3544
3544
3544
3544

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

description	pid	target process
PID 3544 wrote to memory of 2932	3544	DevicePairingWizard.exe
PID 3544 wrote to memory of 2932	3544	DevicePairingWizard.exe
PID 3544 wrote to memory of 4664	3544	DevicePairingWizard.exe
PID 3544 wrote to memory of 4664	3544	DevicePairingWizard.exe
PID 3544 wrote to memory of 1556	3544	rdpinput.exe
PID 3544 wrote to memory of 1556	3544	rdpinput.exe
PID 3544 wrote to memory of 3248	3544	rdpinput.exe
PID 3544 wrote to memory of 3248	3544	rdpinput.exe
PID 3544 wrote to memory of 4832	3544	omadmclient.exe
PID 3544 wrote to memory of 4832	3544	omadmclient.exe
PID 3544 wrote to memory of 2340	3544	omadmclient.exe
PID 3544 wrote to memory of 2340	3544	omadmclient.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\25d810dc0c2458141f99fc9e784a2906_JaffaCakes118.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:468

C:\Windows\system32\DevicePairingWizard.exe
C:\Windows\system32\DevicePairingWizard.exe
1⤵
PID:2932

C:\Users\Admin\AppData\Local\AvsdQPj\DevicePairingWizard.exe
C:\Users\Admin\AppData\Local\AvsdQPj\DevicePairingWizard.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:4664

C:\Windows\system32\rdpinput.exe
C:\Windows\system32\rdpinput.exe
1⤵
PID:1556

C:\Users\Admin\AppData\Local\SOr5\rdpinput.exe
C:\Users\Admin\AppData\Local\SOr5\rdpinput.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:3248

C:\Windows\system32\omadmclient.exe
C:\Windows\system32\omadmclient.exe
1⤵
PID:4832

C:\Users\Admin\AppData\Local\wxE\omadmclient.exe
C:\Users\Admin\AppData\Local\wxE\omadmclient.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2340

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Query Registry

1

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\AvsdQPj\DevicePairingWizard.exe
Filesize
93KB

MD5
d0e40a5a0c7dad2d6e5040d7fbc37533

SHA1
b0eabbd37a97a1abcd90bd56394f5c45585699eb

SHA256
2adaf3a5d3fde149626e3fef0e943c7029a135c04688acf357b2d8d04c81981b

SHA512
1191c2efcadd53b74d085612025c44b6cd54dd69493632950e30ada650d5ed79e3468c138f389cd3bc21ea103059a63eb38d9d919a62d932a38830c93f57731f

Download Submit
C:\Users\Admin\AppData\Local\AvsdQPj\MFC42u.dll
Filesize
1014KB

MD5
5f08396c27b4fe0f1054beaf8b300869

SHA1
0b46b631f2686d052fbd2ddb0187b0d10ed73ced

SHA256
234174f18a557c94f124ab389099e1e30a8d75ce1baea0576aad68a3f4d6e086

SHA512
4485d541decf3a4223db57ea1052a0b5043dfd612263daf5f75fa1b2447152bd911e97af160bf9c44f71dfae6e65589508a14f0e8d93f7944069e973408b5886

Download Submit
C:\Users\Admin\AppData\Local\SOr5\WINSTA.dll
Filesize
994KB

MD5
f3b4cc82edda2a7f53390e37df4218d5

SHA1
d6ff6d02780fc4ffa45ee96ae49c83eaeb0ab747

SHA256
fc14ba66a7c80e55a3859a37bd5b2ee15942d1318b7da93431dbd50465a69600

SHA512
3b642781e558a43dd80760fafba610cd9a26b484f92f437be268d5c3e91e6fcd6b535c6fb2e17f4ab2578311606523a9dee47c9b5a2fd91279d26b2bfbde0092

Download Submit
C:\Users\Admin\AppData\Local\SOr5\rdpinput.exe
Filesize
180KB

MD5
bd99eeca92869f9a3084d689f335c734

SHA1
a2839f6038ea50a4456cd5c2a3ea003e7b77688c

SHA256
39bfb2214efeed47f4f5e50e6dff05541e29caeb27966520bdadd52c3d5e7143

SHA512
355433c3bbbaa3bcb849633d45713d8a7ac6f87a025732fbe83e259ec3a0cb4eabb18239df26609453f9fc6764c7276c5d0472f11cf12d15ef806aa7594d090e

Download Submit
C:\Users\Admin\AppData\Local\wxE\XmlLite.dll
Filesize
987KB

MD5
20aed44f0163efd3080b516dba2d1756

SHA1
29164485a934d82ec4cb1de45c49286a40f72136

SHA256
aa4739f53ab212b4c96fa45509653c032885836801261d4745a4bd6a0a2cb732

SHA512
bd9140f11d15acc9432bb9ecc89922185f1529631a101b25348c4c587f90520897e73b89cc375707267d6cb7f0bfc15c5a24fe3e81128940de5cecef24ab4f5c

Download Submit
C:\Users\Admin\AppData\Local\wxE\omadmclient.exe
Filesize
425KB

MD5
8992b5b28a996eb83761dafb24959ab4

SHA1
697ecb33b8ff5b0e73ef29ce471153b368b1b729

SHA256
e0c6c1b082c5d61be95b7fad95155b7cb2e516d6dcd51b8e1554a176876699e7

SHA512
4ab0d71f6f9e5a5d0870d8e6eaa4b5db74ea6148de0a00603e3e56303d0fec4722172e0207b9678a5bd0136f2d43d43b9d34907183369ab3b9b9c1484034fe3d

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Zgbuverbplpthj.lnk
Filesize
1KB

MD5
b2aa1dd65c1d98f1d26d0679cb83bda1

SHA1
03b36f934b5eb2253317a26371932da5a3ea63c9

SHA256
10f4915f0829bffd7227c9fdd9374850682ba866776f54df9040793ccbe9d926

SHA512
77ddd5e9eb48960bc7a0b087e503f5f9d373339a7ea4e32cb479004ffbfe87ce1161ce540149390c1cdacd259d31b67e84ccc62aca4dbb7dc8ff28ea655d4798

Download Submit
memory/468-37-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/468-0-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/468-3-0x00000280227E0000-0x00000280227E7000-memory.dmp

Filesize
28KB

Download
memory/2340-81-0x000001E358BF0000-0x000001E358BF7000-memory.dmp

Filesize
28KB

Download
memory/2340-84-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download
memory/2340-78-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download
memory/3248-64-0x00000246F1F00000-0x00000246F1F07000-memory.dmp

Filesize
28KB

Download
memory/3248-67-0x0000000140000000-0x00000001400FE000-memory.dmp

Filesize
1016KB

Download
memory/3248-61-0x0000000140000000-0x00000001400FE000-memory.dmp

Filesize
1016KB

Download
memory/3544-11-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/3544-12-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/3544-8-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/3544-6-0x00007FFA1D6DA000-0x00007FFA1D6DB000-memory.dmp

Filesize
4KB

Download
memory/3544-4-0x00000000027F0000-0x00000000027F1000-memory.dmp

Filesize
4KB

Download
memory/3544-13-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/3544-14-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/3544-32-0x0000000000630000-0x0000000000637000-memory.dmp

Filesize
28KB

Download
memory/3544-34-0x00007FFA1DB50000-0x00007FFA1DB60000-memory.dmp

Filesize
64KB

Download
memory/3544-9-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/3544-7-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/3544-33-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/3544-23-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/3544-10-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/4664-50-0x0000000140000000-0x0000000140103000-memory.dmp

Filesize
1.0MB

Download
memory/4664-45-0x0000000140000000-0x0000000140103000-memory.dmp

Filesize
1.0MB

Download
memory/4664-44-0x0000021A33570000-0x0000021A33577000-memory.dmp

Filesize
28KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads