dridex | ed410f2cdffde66b642818f30bae9563ae0d678263cff6a0d6237b71d91ab111

General

Target

276b0106eb036e96dae54a0c93d51808_JaffaCakes118.dll
Size

992KB
MD5

276b0106eb036e96dae54a0c93d51808
SHA1

c08355f1e929d9992b848c511e8073ba89ec32cd
SHA256

ed410f2cdffde66b642818f30bae9563ae0d678263cff6a0d6237b71d91ab111
SHA512

aba4cea7cba6d2fb4fff79e088b0978324644f1435e2777e9fe201bbff748070a33a7370d4f7af6d9b5fafc3b9f539f78de05be219549e2e2fac118bbc1164d2
SSDEEP

24576:NVHchfFcSTdS1ZikTqpaIJvzSqbY/0Z2ZlECMNXkTlzvmJL8:NV8hf6STw1ZlQauvzSq01ICe6zvm

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/1176-5-0x0000000002E30000-0x0000000002E31000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

msra.exetabcal.exerdpinit.exe

pid process

2428 msra.exe
2728 tabcal.exe
1592 rdpinit.exe
Loads dropped DLL 7 IoCs

Processes:

msra.exetabcal.exerdpinit.exe

pid process

1176
2428 msra.exe
1176
2728 tabcal.exe
1176
1592 rdpinit.exe
1176

pid	process
2428	msra.exe
2728	tabcal.exe
1592	rdpinit.exe

pid	process
1176
2428	msra.exe
1176
2728	tabcal.exe
1176
1592	rdpinit.exe
1176

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\Javhf = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\Windows\\PRINTE~1\\thd\\tabcal.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.exemsra.exetabcal.exerdpinit.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	msra.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	tabcal.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rdpinit.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
1968	rundll32.exe
1968	rundll32.exe
1968	rundll32.exe
1176
1176
1176
1176
1176
1176
1176
1176
1176
1176
1176
1176
1176
1176
1176
1176
1176
1176
1176
1176
1176
1176
1176
1176
1176
1176
1176
1176
1176
1176
1176
1176
1176
1176
1176
1176
1176
1176
1176
1176
1176
1176
1176
1176
1176
1176
1176
1176
1176
1176
1176
1176
1176
1176
1176
1176
1176
1176
1176
1176
1176

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

description	pid	target process
PID 1176 wrote to memory of 2412	1176	msra.exe
PID 1176 wrote to memory of 2412	1176	msra.exe
PID 1176 wrote to memory of 2412	1176	msra.exe
PID 1176 wrote to memory of 2428	1176	msra.exe
PID 1176 wrote to memory of 2428	1176	msra.exe
PID 1176 wrote to memory of 2428	1176	msra.exe
PID 1176 wrote to memory of 2508	1176	tabcal.exe
PID 1176 wrote to memory of 2508	1176	tabcal.exe
PID 1176 wrote to memory of 2508	1176	tabcal.exe
PID 1176 wrote to memory of 2728	1176	tabcal.exe
PID 1176 wrote to memory of 2728	1176	tabcal.exe
PID 1176 wrote to memory of 2728	1176	tabcal.exe
PID 1176 wrote to memory of 1496	1176	rdpinit.exe
PID 1176 wrote to memory of 1496	1176	rdpinit.exe
PID 1176 wrote to memory of 1496	1176	rdpinit.exe
PID 1176 wrote to memory of 1592	1176	rdpinit.exe
PID 1176 wrote to memory of 1592	1176	rdpinit.exe
PID 1176 wrote to memory of 1592	1176	rdpinit.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\276b0106eb036e96dae54a0c93d51808_JaffaCakes118.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:1968

C:\Windows\system32\msra.exe
C:\Windows\system32\msra.exe
1⤵
PID:2412

C:\Users\Admin\AppData\Local\BjCbDR\msra.exe
C:\Users\Admin\AppData\Local\BjCbDR\msra.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2428

C:\Windows\system32\tabcal.exe
C:\Windows\system32\tabcal.exe
1⤵
PID:2508

C:\Users\Admin\AppData\Local\NKKmP\tabcal.exe
C:\Users\Admin\AppData\Local\NKKmP\tabcal.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2728

C:\Windows\system32\rdpinit.exe
C:\Windows\system32\rdpinit.exe
1⤵
PID:1496

C:\Users\Admin\AppData\Local\4jWqUJq\rdpinit.exe
C:\Users\Admin\AppData\Local\4jWqUJq\rdpinit.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1592

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Query Registry

1

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\4jWqUJq\slc.dll
Filesize
994KB

MD5
553cee75a02ea6b7a57799cd408138da

SHA1
55918a0bbb8a1943b49110fdc9976c5cd430fb7c

SHA256
e172980b1366f1f13cec93d8e00d1923b76d2b17e42c70ac91ab1fb71e328103

SHA512
bef6c77ff9b57b23056a9aa1cda7ef5ea789bf348944aa67b0b20a4148b0b2c0a716ddcb202a584c320426b8260accf0f8b3f1368622237d4329cd02fe3905f6

Download Submit
C:\Users\Admin\AppData\Local\NKKmP\HID.DLL
Filesize
994KB

MD5
3233e27a0c2a5088444f18629a7b9b0d

SHA1
eeebb831626e7072493ed73bc2ded8f165cf2cb2

SHA256
c3b6ff6204d8ba8dabb768f163796acab9ab90e9ccdfa1baff81fa267aa97fd1

SHA512
a22a338f5d22057d0055fd22151e4c549f95addf926d8bc65e3e9f43e3bd627e9ea9bc3b9328b8990b8fff62bb48f9e76692f042819d7955be8321d9ca05896a

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Xwtifesqpwfy.lnk
Filesize
1KB

MD5
dd85cf22900398cbaf0eab359b3ded97

SHA1
c576a29ce1ffee5973333a36168be964937f6cb6

SHA256
5f5db68ae67830675a5a196dd31a2d987ae2d840aec3646b4d9b093861377b51

SHA512
1df8d89edb0df938273c843de71db4000a074b979a3edaad018ecc105850b8c6390e79c58f060b83d5bb68e03a1663143f60efde294036528ac386cc0d379fc1

Download Submit
\Users\Admin\AppData\Local\4jWqUJq\rdpinit.exe
Filesize
174KB

MD5
664e12e0ea009cc98c2b578ff4983c62

SHA1
27b302c0108851ac6cc37e56590dd9074b09c3c9

SHA256
00bd9c3c941a5a9b4fc8594d7b985f5f1ac48f0ba7495a728b8fa42b4b48a332

SHA512
f5eee4e924dcc3cf5e82eff36543e9d0e9c17dc2272b403cf30f8d2da42312821f5566249a98a952f5441b1f0d6d61a86b5c5198bc598d65ea9d4fb35822505d

Download Submit
\Users\Admin\AppData\Local\BjCbDR\UxTheme.dll
Filesize
995KB

MD5
221152e2f3160858caa5d9dbedf543d0

SHA1
2eb13034a97f2c25c4ead34636ea9c5605eebc1f

SHA256
deebd7cbc7cd3a24ccac4b2f41a5acf8075657c7f76728a75c6a4c71853c695f

SHA512
538174114943a15aa7cccf99354f8f789678fdc23dfa0e67e75d63e63dec5ab9e6412a92366fb9c2e2b28149238564ad5b6127ac180b61cfd5a595b1f621bb7d

Download Submit
\Users\Admin\AppData\Local\BjCbDR\msra.exe
Filesize
636KB

MD5
e79df53bad587e24b3cf965a5746c7b6

SHA1
87a97ec159a3fc1db211f3c2c62e4d60810e7a70

SHA256
4e7c22648acf664ab13dfeb2dc062ae90af1e6c621186981f395fb279bbc9b9d

SHA512
9a329c39ce0bc5aede01e96c4190cc7ccd17729fbc3a2b6df73057be8efaa3fa92cfef6e26a25bde6f7f94f64f6d6d0e4c5459aef2aead367e43178dd275acfb

Download Submit
\Users\Admin\AppData\Local\NKKmP\tabcal.exe
Filesize
77KB

MD5
98e7911befe83f76777317ce6905666d

SHA1
2780088dffe1dd1356c5dd5112a9f04afee3ee8d

SHA256
3fe8b63367b4298e70d46e87ce04cc7af5f30dfdb86b79eae41d0731d9415ea1

SHA512
fc0226381d9a6984cccac8282697c78966524e1359f7f6044559b8223e773d3c108dda08a2dd283aa171dca3390801f2c92a5d1dbb978dd7f92a67bd8877b8b6

Download Submit
memory/1176-11-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download
memory/1176-16-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download
memory/1176-25-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download
memory/1176-27-0x0000000077040000-0x0000000077042000-memory.dmp

Filesize
8KB

Download
memory/1176-26-0x0000000076EB1000-0x0000000076EB2000-memory.dmp

Filesize
4KB

Download
memory/1176-36-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download
memory/1176-37-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download
memory/1176-13-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download
memory/1176-12-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download
memory/1176-4-0x0000000076DA6000-0x0000000076DA7000-memory.dmp

Filesize
4KB

Download
memory/1176-10-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download
memory/1176-8-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download
memory/1176-5-0x0000000002E30000-0x0000000002E31000-memory.dmp

Filesize
4KB

Download
memory/1176-14-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download
memory/1176-7-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download
memory/1176-9-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download
memory/1176-15-0x0000000002E40000-0x0000000002E47000-memory.dmp

Filesize
28KB

Download
memory/1176-64-0x0000000076DA6000-0x0000000076DA7000-memory.dmp

Filesize
4KB

Download
memory/1592-90-0x0000000000190000-0x0000000000197000-memory.dmp

Filesize
28KB

Download
memory/1592-96-0x0000000140000000-0x00000001400FE000-memory.dmp

Filesize
1016KB

Download
memory/1968-45-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download
memory/1968-0-0x0000000000120000-0x0000000000127000-memory.dmp

Filesize
28KB

Download
memory/1968-1-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download
memory/2428-59-0x0000000140000000-0x00000001400FE000-memory.dmp

Filesize
1016KB

Download
memory/2428-54-0x0000000140000000-0x00000001400FE000-memory.dmp

Filesize
1016KB

Download
memory/2428-53-0x0000000000130000-0x0000000000137000-memory.dmp

Filesize
28KB

Download
memory/2728-78-0x0000000140000000-0x00000001400FE000-memory.dmp

Filesize
1016KB

Download
memory/2728-75-0x0000000000320000-0x0000000000327000-memory.dmp

Filesize
28KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads