dridex | 42c3f84d09b06797c56cad933f7451ba82d1de626e48d88a57c602475057454c

General

Target

2d1656941c05b70eae56d107d83f5577_JaffaCakes118.dll
Size

991KB
MD5

2d1656941c05b70eae56d107d83f5577
SHA1

f5b3b27def84a732714206ea9dad1c4b2072ea86
SHA256

42c3f84d09b06797c56cad933f7451ba82d1de626e48d88a57c602475057454c
SHA512

26ed912364236a321553a13fe7d19c886cb9b883481a54ba1a875a03055720dcb672e0e8aba8a37c9002b5267203cb88190ee08ae4391bade92713cacc4de883
SSDEEP

24576:VVHchfFcSTdS1ZikTqpaIJvzSqbY/0Z2ZlECMNXkTlzvmJL8:VV8hf6STw1ZlQauvzSq01ICe6zvm

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/1196-5-0x0000000002E70000-0x0000000002E71000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

msra.exep2phost.exerdpinit.exe

pid process

2456 msra.exe
2844 p2phost.exe
1484 rdpinit.exe
Loads dropped DLL 7 IoCs

Processes:

msra.exep2phost.exerdpinit.exe

pid process

1196
2456 msra.exe
1196
2844 p2phost.exe
1196
1484 rdpinit.exe
1196

pid	process
2456	msra.exe
2844	p2phost.exe
1484	rdpinit.exe

pid	process
1196
2456	msra.exe
1196
2844	p2phost.exe
1196
1484	rdpinit.exe
1196

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\Yyeybzteybdsbj = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\Certificates\\WIZeauhNhO\\p2phost.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.exemsra.exep2phost.exerdpinit.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	msra.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	p2phost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rdpinit.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
1728	rundll32.exe
1728	rundll32.exe
1728	rundll32.exe
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

description	pid	target process
PID 1196 wrote to memory of 2416	1196	msra.exe
PID 1196 wrote to memory of 2416	1196	msra.exe
PID 1196 wrote to memory of 2416	1196	msra.exe
PID 1196 wrote to memory of 2456	1196	msra.exe
PID 1196 wrote to memory of 2456	1196	msra.exe
PID 1196 wrote to memory of 2456	1196	msra.exe
PID 1196 wrote to memory of 2824	1196	p2phost.exe
PID 1196 wrote to memory of 2824	1196	p2phost.exe
PID 1196 wrote to memory of 2824	1196	p2phost.exe
PID 1196 wrote to memory of 2844	1196	p2phost.exe
PID 1196 wrote to memory of 2844	1196	p2phost.exe
PID 1196 wrote to memory of 2844	1196	p2phost.exe
PID 1196 wrote to memory of 1540	1196	rdpinit.exe
PID 1196 wrote to memory of 1540	1196	rdpinit.exe
PID 1196 wrote to memory of 1540	1196	rdpinit.exe
PID 1196 wrote to memory of 1484	1196	rdpinit.exe
PID 1196 wrote to memory of 1484	1196	rdpinit.exe
PID 1196 wrote to memory of 1484	1196	rdpinit.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\2d1656941c05b70eae56d107d83f5577_JaffaCakes118.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:1728

C:\Windows\system32\msra.exe
C:\Windows\system32\msra.exe
1⤵
PID:2416

C:\Users\Admin\AppData\Local\gp8sdOpkQ\msra.exe
C:\Users\Admin\AppData\Local\gp8sdOpkQ\msra.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2456

C:\Windows\system32\p2phost.exe
C:\Windows\system32\p2phost.exe
1⤵
PID:2824

C:\Users\Admin\AppData\Local\Taid\p2phost.exe
C:\Users\Admin\AppData\Local\Taid\p2phost.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2844

C:\Windows\system32\rdpinit.exe
C:\Windows\system32\rdpinit.exe
1⤵
PID:1540

C:\Users\Admin\AppData\Local\dm9IAMtuC\rdpinit.exe
C:\Users\Admin\AppData\Local\dm9IAMtuC\rdpinit.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1484

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Query Registry

1

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Taid\P2PCOLLAB.dll
Filesize
994KB

MD5
ccc065b963f1abb09d1f15fdea79c943

SHA1
5a078e4b26f8a1f3efed35448750a33c9d2183d5

SHA256
eed044a2290ecbc3d9ee499b189e6bc7ef482f52e6eebcce4382553a441c2ea4

SHA512
0a710b524591dd1528275f546171b3dfc0cf8a34246360a8137825b555868b2230bbe1d684a874ec186a8907b820bac6416996b895d2b2751cf49d095d2dd0d4

Download Submit
C:\Users\Admin\AppData\Local\dm9IAMtuC\WTSAPI32.dll
Filesize
993KB

MD5
796dc981bda47fc1cb093aba11df73c3

SHA1
3f095ae78a053a5ef38b9cafee703d79aba5c5c6

SHA256
d9a2a6d1cb24c2b0108f2edd5f5ac6efa5541259b82b583527cc1af5e58a070a

SHA512
ba5bb2b9578aaea36beb8351645fd02e1b4d58fd3b2e47254a7fc571056dd0719c0ad2e04f2550b9ecc711e84a4d6e0edce9b7ecfcd9744311480cbf6207404b

Download Submit
C:\Users\Admin\AppData\Local\gp8sdOpkQ\NDFAPI.DLL
Filesize
992KB

MD5
180f5be72e3badb985e769d3f5b87735

SHA1
4870e4e3d5eb5eef4553efff0e229334274a2f07

SHA256
872bffe5eaa0ffcccefa6fcfad06e3bc345d5b4640c6b52c806593fe746bb1bd

SHA512
40bd7573e91d7a12ca8182e90a1c012b55a8e7108d4c3ac30b824aa3a6b198e1977b76e42a045b9b9db064c9f0078978a1b041b7f5b94c90fcc38303904ab012

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Omdqupblcei.lnk
Filesize
974B

MD5
66ad0f2c087581489241a259fc4eecf3

SHA1
b08831e2af0f185e2a77fd3ee1d374d615bf096f

SHA256
67b8ed3044b8442c5091d7e8623d7b41f12bb596e801f529e6b714b21465465a

SHA512
64ec11100135433948a752ddcd308fbdd94edc8e8afaaa7908163c3047570fb457c73adfaef4dd3439ecec0b692f4e269c3dd7e9c1f18b3b89191e5044aac6c1

Download Submit
\Users\Admin\AppData\Local\Taid\p2phost.exe
Filesize
172KB

MD5
0dbd420477352b278dfdc24f4672b79c

SHA1
df446f25be33ac60371557717073249a64e04bb2

SHA256
1baba169de6c8f3b3c33cea96314c67b709a171bdc8ea9c250a0d016db767345

SHA512
84014b2dcc00f9fa1a337089ad4d4abcaa9e3155171978ec07bc155ddaebebfabb529d8de3578e564b3aae59545f52d71af173ebb50d2af252f219ac60b453d1

Download Submit
\Users\Admin\AppData\Local\dm9IAMtuC\rdpinit.exe
Filesize
174KB

MD5
664e12e0ea009cc98c2b578ff4983c62

SHA1
27b302c0108851ac6cc37e56590dd9074b09c3c9

SHA256
00bd9c3c941a5a9b4fc8594d7b985f5f1ac48f0ba7495a728b8fa42b4b48a332

SHA512
f5eee4e924dcc3cf5e82eff36543e9d0e9c17dc2272b403cf30f8d2da42312821f5566249a98a952f5441b1f0d6d61a86b5c5198bc598d65ea9d4fb35822505d

Download Submit
\Users\Admin\AppData\Local\gp8sdOpkQ\msra.exe
Filesize
636KB

MD5
e79df53bad587e24b3cf965a5746c7b6

SHA1
87a97ec159a3fc1db211f3c2c62e4d60810e7a70

SHA256
4e7c22648acf664ab13dfeb2dc062ae90af1e6c621186981f395fb279bbc9b9d

SHA512
9a329c39ce0bc5aede01e96c4190cc7ccd17729fbc3a2b6df73057be8efaa3fa92cfef6e26a25bde6f7f94f64f6d6d0e4c5459aef2aead367e43178dd275acfb

Download Submit
memory/1196-24-0x0000000002B10000-0x0000000002B17000-memory.dmp

Filesize
28KB

Download
memory/1196-14-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/1196-28-0x00000000778B0000-0x00000000778B2000-memory.dmp

Filesize
8KB

Download
memory/1196-27-0x0000000077721000-0x0000000077722000-memory.dmp

Filesize
4KB

Download
memory/1196-23-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/1196-12-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/1196-10-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/1196-9-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/1196-8-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/1196-36-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/1196-35-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/1196-4-0x0000000077516000-0x0000000077517000-memory.dmp

Filesize
4KB

Download
memory/1196-13-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/1196-5-0x0000000002E70000-0x0000000002E71000-memory.dmp

Filesize
4KB

Download
memory/1196-73-0x0000000077516000-0x0000000077517000-memory.dmp

Filesize
4KB

Download
memory/1196-7-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/1196-11-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/1484-94-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download
memory/1728-2-0x0000000000120000-0x0000000000127000-memory.dmp

Filesize
28KB

Download
memory/1728-44-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/1728-0-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/2456-58-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download
memory/2456-55-0x0000000000190000-0x0000000000197000-memory.dmp

Filesize
28KB

Download
memory/2456-52-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download
memory/2844-74-0x00000000001A0000-0x00000000001A7000-memory.dmp

Filesize
28KB

Download
memory/2844-77-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads