dridex | dea896300dcba7e6727fcb52a9e07abaea0ec9524261fe9c8b079c8a9dff0b58

General

Target

3646d96c51ae392630a7ac3d4e79d19e_JaffaCakes118.dll
Size

1.2MB
MD5

3646d96c51ae392630a7ac3d4e79d19e
SHA1

d352da9cffdc69418eeb3c6fd580a746e52a67cc
SHA256

dea896300dcba7e6727fcb52a9e07abaea0ec9524261fe9c8b079c8a9dff0b58
SHA512

0d825794a073c1f935a3b57788d7a30334ab64828226bb5cdbebfb1bc367947b983ad731c909eadf50527fd8e8f945b43b1e5362bb3caf35c81f7661728eb8bb
SSDEEP

24576:1VHchfFcSTdS1ZikTqpaIJvzSqbY/0Z2ZlECMNXkTlzvmJL8:1V8hf6STw1ZlQauvzSq01ICe6zvm

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral2/memory/3540-4-0x0000000002540000-0x0000000002541000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

lpksetup.exemsra.exerecdisc.exe

pid process

4576 lpksetup.exe
1580 msra.exe
4636 recdisc.exe
Loads dropped DLL 3 IoCs

Processes:

lpksetup.exemsra.exerecdisc.exe

pid process

4576 lpksetup.exe
1580 msra.exe
4636 recdisc.exe

pid	process
4576	lpksetup.exe
1580	msra.exe
4636	recdisc.exe

pid	process
4576	lpksetup.exe
1580	msra.exe
4636	recdisc.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Ovnmkkvrgnxhq = "C:\\Users\\Admin\\AppData\\Roaming\\Mozilla\\FGtjlcGO8\\msra.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.exelpksetup.exemsra.exerecdisc.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lpksetup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	msra.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	recdisc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
4064	rundll32.exe
4064	rundll32.exe
4064	rundll32.exe
4064	rundll32.exe
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540

Suspicious use of UnmapMainImage 1 IoCs

Processes:

pid process

3540

pid	process
3540

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

description	pid	target process
PID 3540 wrote to memory of 1124	3540	lpksetup.exe
PID 3540 wrote to memory of 1124	3540	lpksetup.exe
PID 3540 wrote to memory of 4576	3540	lpksetup.exe
PID 3540 wrote to memory of 4576	3540	lpksetup.exe
PID 3540 wrote to memory of 5036	3540	msra.exe
PID 3540 wrote to memory of 5036	3540	msra.exe
PID 3540 wrote to memory of 1580	3540	msra.exe
PID 3540 wrote to memory of 1580	3540	msra.exe
PID 3540 wrote to memory of 3744	3540	recdisc.exe
PID 3540 wrote to memory of 3744	3540	recdisc.exe
PID 3540 wrote to memory of 4636	3540	recdisc.exe
PID 3540 wrote to memory of 4636	3540	recdisc.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\3646d96c51ae392630a7ac3d4e79d19e_JaffaCakes118.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:4064

C:\Windows\system32\lpksetup.exe
C:\Windows\system32\lpksetup.exe
1⤵
PID:1124

C:\Users\Admin\AppData\Local\hBPq\lpksetup.exe
C:\Users\Admin\AppData\Local\hBPq\lpksetup.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:4576

C:\Windows\system32\msra.exe
C:\Windows\system32\msra.exe
1⤵
PID:5036

C:\Users\Admin\AppData\Local\iMW9S\msra.exe
C:\Users\Admin\AppData\Local\iMW9S\msra.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1580

C:\Windows\system32\recdisc.exe
C:\Windows\system32\recdisc.exe
1⤵
PID:3744

C:\Users\Admin\AppData\Local\xFO\recdisc.exe
C:\Users\Admin\AppData\Local\xFO\recdisc.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:4636

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Query Registry

1

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\hBPq\dpx.dll
Filesize
1.2MB

MD5
6088a6d003ad1e5b38dd2897e4c531fc

SHA1
15c12952d896c6be2f57d79eaf05652197577def

SHA256
8c6c1998ba944db256362864b7481343ef45a3367e4168c9809709ccd30980a6

SHA512
174a9ae0d606ba3d00c5ea9f2b4c86661d6949d21cf9ddbf18129e8f4341781adfc00a3c3c45a00a1eccdcfc4c314e89e46b4ae86a42a63369fbb5400750429e

Download Submit
C:\Users\Admin\AppData\Local\hBPq\lpksetup.exe
Filesize
728KB

MD5
c75516a32e0aea02a184074d55d1a997

SHA1
f9396946c078f8b0f28e3a6e21a97eeece31d13f

SHA256
cb3cbeaaff7c07b044f70177e2899a87e80840d177238eb7dd25b8d9e20bef22

SHA512
92994fdb75b15742e33e6d7a499664b722e45b9c160d8cc42d30bc727044063d589f45853692b5b754df6ff0fd21294dc32fed985b153f93f4bcf9f8c89a5bcc

Download Submit
C:\Users\Admin\AppData\Local\iMW9S\NDFAPI.DLL
Filesize
1.2MB

MD5
dcef191d65844012ef536c0fef3ba54d

SHA1
13bb395e6586919b74918fed92ee2e41d36b7fca

SHA256
b3901ad8d3b801ffc180c9fbc19037a72d2e24520917073a58ce877302d579ea

SHA512
14e9f2e8e93b38cf72d760f315e589ee5a6a4209f1174080782c5fa8bfa6181706598d24d1c2f47cad1536598b6a52f36a9fe588c1dfd7bb4c2f0b03856bbe94

Download Submit
C:\Users\Admin\AppData\Local\iMW9S\msra.exe
Filesize
579KB

MD5
dcda3b7b8eb0bfbccb54b4d6a6844ad6

SHA1
316a2925e451f739f45e31bc233a95f91bf775fa

SHA256
011e1decd6683afe5f1e397fe9697f2cf592ae21766a7629e234682f721658ae

SHA512
18e8c99f8b86375627aba0d2b10cf4db24ee5ac61a3d6a73d382a83ec63217c7e455570d4fa7dcdbb188dcc73988689661f8cab2337ae8c615fa6bc9a08f71f5

Download Submit
C:\Users\Admin\AppData\Local\xFO\ReAgent.dll
Filesize
1.2MB

MD5
ade6cc56865d067f96add64cc49a480c

SHA1
3c57430b1f3fde825a9b80d9b3ef0963acaa26cd

SHA256
75d949c1c4516810b05bd2f49f8876762472d18f050d6e7265821b27c621eed1

SHA512
07af21a0d9d8ac1429742b1c8062d2bc21245d4a4f4d4b65eb9ce0e35d3b26c4d669400537d7d2cfbeac9085e624b217fbabbd548b61797d8dd396cd66e505f8

Download Submit
C:\Users\Admin\AppData\Local\xFO\recdisc.exe
Filesize
193KB

MD5
18afee6824c84bf5115bada75ff0a3e7

SHA1
d10f287a7176f57b3b2b315a5310d25b449795aa

SHA256
0787b37cf197595b8149ffe3784f9c59eacde3616011f185513ff5c075a5ac4e

SHA512
517356165b401dbebf15437d3b17746aef5a6a4cc62a0afe45966abc92b4cf377eee4514a36ee28b1e88e55a22a2f8a6c997df45971e7f354b66ac7d9e141845

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Ymfrpxarx.lnk
Filesize
1KB

MD5
0661ddfbde58114da6902b5f7cd822b2

SHA1
cb6b070be0886d221b420b7690058e19e3b3e154

SHA256
5dade78ea392915d7e96dce06a56dce2ef3c91864e6dd67c2a690678d754f0cd

SHA512
09c0bb5ced2c74e814823ed3d185fdf82a6fe01146fe038a5fdce1b1ecd2be1bb405b6c4038704f86e9e52e9447f447fb2286fc9482d3966d421f89893be0692

Download Submit
memory/1580-69-0x0000000140000000-0x0000000140145000-memory.dmp

Filesize
1.3MB

Download
memory/1580-66-0x0000020EB4770000-0x0000020EB4777000-memory.dmp

Filesize
28KB

Download
memory/3540-16-0x0000000140000000-0x0000000140144000-memory.dmp

Filesize
1.3MB

Download
memory/3540-10-0x0000000140000000-0x0000000140144000-memory.dmp

Filesize
1.3MB

Download
memory/3540-33-0x0000000000BA0000-0x0000000000BA7000-memory.dmp

Filesize
28KB

Download
memory/3540-15-0x0000000140000000-0x0000000140144000-memory.dmp

Filesize
1.3MB

Download
memory/3540-14-0x0000000140000000-0x0000000140144000-memory.dmp

Filesize
1.3MB

Download
memory/3540-13-0x0000000140000000-0x0000000140144000-memory.dmp

Filesize
1.3MB

Download
memory/3540-12-0x0000000140000000-0x0000000140144000-memory.dmp

Filesize
1.3MB

Download
memory/3540-9-0x0000000140000000-0x0000000140144000-memory.dmp

Filesize
1.3MB

Download
memory/3540-8-0x0000000140000000-0x0000000140144000-memory.dmp

Filesize
1.3MB

Download
memory/3540-6-0x00007FFDA9E1A000-0x00007FFDA9E1B000-memory.dmp

Filesize
4KB

Download
memory/3540-36-0x0000000140000000-0x0000000140144000-memory.dmp

Filesize
1.3MB

Download
memory/3540-4-0x0000000002540000-0x0000000002541000-memory.dmp

Filesize
4KB

Download
memory/3540-11-0x0000000140000000-0x0000000140144000-memory.dmp

Filesize
1.3MB

Download
memory/3540-7-0x0000000140000000-0x0000000140144000-memory.dmp

Filesize
1.3MB

Download
memory/3540-34-0x00007FFDABB70000-0x00007FFDABB80000-memory.dmp

Filesize
64KB

Download
memory/3540-25-0x0000000140000000-0x0000000140144000-memory.dmp

Filesize
1.3MB

Download
memory/4064-0-0x0000000140000000-0x0000000140144000-memory.dmp

Filesize
1.3MB

Download
memory/4064-39-0x0000000140000000-0x0000000140144000-memory.dmp

Filesize
1.3MB

Download
memory/4064-3-0x000002000ACF0000-0x000002000ACF7000-memory.dmp

Filesize
28KB

Download
memory/4576-52-0x0000000140000000-0x0000000140145000-memory.dmp

Filesize
1.3MB

Download
memory/4576-46-0x0000000140000000-0x0000000140145000-memory.dmp

Filesize
1.3MB

Download
memory/4576-49-0x00000139B3060000-0x00000139B3067000-memory.dmp

Filesize
28KB

Download
memory/4636-83-0x000001B470FD0000-0x000001B470FD7000-memory.dmp

Filesize
28KB

Download
memory/4636-86-0x0000000140000000-0x0000000140145000-memory.dmp

Filesize
1.3MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads