dridex | a2463dbdef943b264b909c265284f607f024c4bbfb5a85f89c7c0543dd1f2671

General

Target

4b2042c03f8a331856122cb3f8c1029e_JaffaCakes118.dll
Size

994KB
MD5

4b2042c03f8a331856122cb3f8c1029e
SHA1

57527c2704de7f7c191b38dd75db13961755dcda
SHA256

a2463dbdef943b264b909c265284f607f024c4bbfb5a85f89c7c0543dd1f2671
SHA512

5caedd38a3b49856d5d3b941005c29e5ef312e6e1a77d3f945cfa860409f70585c455cade7d148dc66644501e31dd6e21315716a77f181d1056e8894b1f68b6e
SSDEEP

24576:zVHchfFcSTdS1ZikTqpaIJvzSqbY/0Z2ZlECMNXkTlzvmJL8:zV8hf6STw1ZlQauvzSq01ICe6zvm

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral2/memory/3516-4-0x0000000002950000-0x0000000002951000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

EaseOfAccessDialog.exerdpinput.exeSystemPropertiesRemote.exe

pid process

1676 EaseOfAccessDialog.exe
4520 rdpinput.exe
656 SystemPropertiesRemote.exe
Loads dropped DLL 3 IoCs

Processes:

EaseOfAccessDialog.exerdpinput.exeSystemPropertiesRemote.exe

pid process

1676 EaseOfAccessDialog.exe
4520 rdpinput.exe
656 SystemPropertiesRemote.exe

pid	process
1676	EaseOfAccessDialog.exe
4520	rdpinput.exe
656	SystemPropertiesRemote.exe

pid	process
1676	EaseOfAccessDialog.exe
4520	rdpinput.exe
656	SystemPropertiesRemote.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Hkwligutpbxhkv = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\CloudStore\\JLv\\rdpinput.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.exeEaseOfAccessDialog.exerdpinput.exeSystemPropertiesRemote.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	EaseOfAccessDialog.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rdpinput.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SystemPropertiesRemote.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
3964	rundll32.exe
3964	rundll32.exe
3964	rundll32.exe
3964	rundll32.exe
3516
3516
3516
3516
3516
3516
3516
3516
3516
3516
3516
3516
3516
3516
3516
3516
3516
3516
3516
3516
3516
3516
3516
3516
3516
3516
3516
3516
3516
3516
3516
3516
3516
3516
3516
3516
3516
3516
3516
3516
3516
3516
3516
3516
3516
3516
3516
3516
3516
3516
3516
3516
3516
3516
3516
3516
3516
3516
3516
3516

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

description	pid	target process
PID 3516 wrote to memory of 4188	3516	EaseOfAccessDialog.exe
PID 3516 wrote to memory of 4188	3516	EaseOfAccessDialog.exe
PID 3516 wrote to memory of 1676	3516	EaseOfAccessDialog.exe
PID 3516 wrote to memory of 1676	3516	EaseOfAccessDialog.exe
PID 3516 wrote to memory of 2364	3516	rdpinput.exe
PID 3516 wrote to memory of 2364	3516	rdpinput.exe
PID 3516 wrote to memory of 4520	3516	rdpinput.exe
PID 3516 wrote to memory of 4520	3516	rdpinput.exe
PID 3516 wrote to memory of 2228	3516	SystemPropertiesRemote.exe
PID 3516 wrote to memory of 2228	3516	SystemPropertiesRemote.exe
PID 3516 wrote to memory of 656	3516	SystemPropertiesRemote.exe
PID 3516 wrote to memory of 656	3516	SystemPropertiesRemote.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\4b2042c03f8a331856122cb3f8c1029e_JaffaCakes118.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:3964

C:\Windows\system32\EaseOfAccessDialog.exe
C:\Windows\system32\EaseOfAccessDialog.exe
1⤵
PID:4188

C:\Users\Admin\AppData\Local\OvO0\EaseOfAccessDialog.exe
C:\Users\Admin\AppData\Local\OvO0\EaseOfAccessDialog.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1676

C:\Windows\system32\rdpinput.exe
C:\Windows\system32\rdpinput.exe
1⤵
PID:2364

C:\Users\Admin\AppData\Local\cQgGH\rdpinput.exe
C:\Users\Admin\AppData\Local\cQgGH\rdpinput.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:4520

C:\Windows\system32\SystemPropertiesRemote.exe
C:\Windows\system32\SystemPropertiesRemote.exe
1⤵
PID:2228

C:\Users\Admin\AppData\Local\GlT\SystemPropertiesRemote.exe
C:\Users\Admin\AppData\Local\GlT\SystemPropertiesRemote.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:656

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\GlT\SYSDM.CPL
Filesize
995KB

MD5
593528f6ebd87bac5374dcd5bb86a68b

SHA1
b668a0f4d51ba57b9137b3dc226a4a9593c6c338

SHA256
a53675e97148e3f521bff998b9aab02610f543a03fdf6e92a345159768e346f4

SHA512
f72a8f004edb7eb01b3c39aaa418c4df2a63d01e3ff5b64043e24dbf1ac0ee19c848de0c965efe3435ad7b2dfec210e228ad93d7b36c0f011b1e2ac3ab89f1de

Download Submit
C:\Users\Admin\AppData\Local\GlT\SystemPropertiesRemote.exe
Filesize
82KB

MD5
cdce1ee7f316f249a3c20cc7a0197da9

SHA1
dadb23af07827758005ec0235ac1573ffcea0da6

SHA256
7984e2bff295c8dbcbd3cd296d0741e3a6844b8db9f962abdbc8d333e9a83932

SHA512
f1dc529ebfed814adcf3e68041243ee02ba33b56c356a63eba5ef2cb6ede1eda192e03349f6a200d34dfab67263df79cf295be3706f4197b9008ccdc53410c26

Download Submit
C:\Users\Admin\AppData\Local\OvO0\DUser.dll
Filesize
999KB

MD5
5c9f5fc68d9fdf65f4f80826b74d8b32

SHA1
5a288829775bb95566f47822379c1aa1fd2511bc

SHA256
8062ffdc7b670e00297446f5aef2c5447677f2316d093a46b95bb1a9afee1587

SHA512
07f45762bfcc0af93eddeb69cf9def576d66e89caaa20031232b3646c39ddf272ed741bd40175640fb1bb31d45006e8f8d70c7f9ef3d96a0e26fdc64b8a0ef3c

Download Submit
C:\Users\Admin\AppData\Local\OvO0\EaseOfAccessDialog.exe
Filesize
123KB

MD5
e75ee992c1041341f709a517c8723c87

SHA1
471021260055eac0021f0abffa2d0ba77a2f380e

SHA256
0b1731562413eaa972b373cd7388c644a3059940ce67eb89668e4073f3e068dc

SHA512
48c3a8531df6bcc5077367cdf32af104c94cf7701118a85e8beabba2e9c4f511ae14e47b6d1b57d11a2bc1e8b4f6d5bacae27a8d16fcd09a8f9e0018f5a6370a

Download Submit
C:\Users\Admin\AppData\Local\cQgGH\WTSAPI32.dll
Filesize
997KB

MD5
3863e5c998de3aea78c1a0bbfbd8316a

SHA1
0224b2955abe1e795f542b5dbc292c34e37c0533

SHA256
e200459060b65a957a5adfd0c4fd49da62adc52d27a819b98c56a8937f623b2c

SHA512
09c7ac49833b1031e58e5018d438b215f3f30d355545b4e92934539b265146706357c9fc1e22a367e1955116c1b6d57cee79426a02b8d894638e56fc8ac36c39

Download Submit
C:\Users\Admin\AppData\Local\cQgGH\rdpinput.exe
Filesize
180KB

MD5
bd99eeca92869f9a3084d689f335c734

SHA1
a2839f6038ea50a4456cd5c2a3ea003e7b77688c

SHA256
39bfb2214efeed47f4f5e50e6dff05541e29caeb27966520bdadd52c3d5e7143

SHA512
355433c3bbbaa3bcb849633d45713d8a7ac6f87a025732fbe83e259ec3a0cb4eabb18239df26609453f9fc6764c7276c5d0472f11cf12d15ef806aa7594d090e

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Zgbuverbplpthj.lnk
Filesize
1KB

MD5
d80464f3e5b40ae04cbec177188fc690

SHA1
3129ea6633b4e4cb874122f0bd86ca3ccbce5d60

SHA256
526f96d0d87dca59b2b73315bc8f9ac64efcfe1d413ed25353b8c9a5ec7fcd82

SHA512
30659e4cd0b614e3bc6f1589642bb7b43e7fae9aef059d9f85a6a6f294473d1e75642ec02a52677da73f818398c8afe2206f187e35999fb8ba3e10d721aa0fd2

Download Submit
memory/656-85-0x0000000140000000-0x00000001400FF000-memory.dmp

Filesize
1020KB

Download
memory/656-82-0x000001ED178A0000-0x000001ED178A7000-memory.dmp

Filesize
28KB

Download
memory/1676-51-0x0000000140000000-0x0000000140100000-memory.dmp

Filesize
1024KB

Download
memory/1676-45-0x0000000140000000-0x0000000140100000-memory.dmp

Filesize
1024KB

Download
memory/1676-48-0x00000239203D0000-0x00000239203D7000-memory.dmp

Filesize
28KB

Download
memory/3516-23-0x0000000140000000-0x00000001400FE000-memory.dmp

Filesize
1016KB

Download
memory/3516-24-0x00007FF8CF19A000-0x00007FF8CF19B000-memory.dmp

Filesize
4KB

Download
memory/3516-8-0x0000000140000000-0x00000001400FE000-memory.dmp

Filesize
1016KB

Download
memory/3516-7-0x0000000140000000-0x00000001400FE000-memory.dmp

Filesize
1016KB

Download
memory/3516-35-0x0000000140000000-0x00000001400FE000-memory.dmp

Filesize
1016KB

Download
memory/3516-4-0x0000000002950000-0x0000000002951000-memory.dmp

Filesize
4KB

Download
memory/3516-10-0x0000000140000000-0x00000001400FE000-memory.dmp

Filesize
1016KB

Download
memory/3516-11-0x0000000140000000-0x00000001400FE000-memory.dmp

Filesize
1016KB

Download
memory/3516-12-0x0000000140000000-0x00000001400FE000-memory.dmp

Filesize
1016KB

Download
memory/3516-14-0x0000000140000000-0x00000001400FE000-memory.dmp

Filesize
1016KB

Download
memory/3516-6-0x0000000140000000-0x00000001400FE000-memory.dmp

Filesize
1016KB

Download
memory/3516-9-0x0000000140000000-0x00000001400FE000-memory.dmp

Filesize
1016KB

Download
memory/3516-25-0x0000000002930000-0x0000000002937000-memory.dmp

Filesize
28KB

Download
memory/3516-13-0x0000000140000000-0x00000001400FE000-memory.dmp

Filesize
1016KB

Download
memory/3516-26-0x00007FF8CFF90000-0x00007FF8CFFA0000-memory.dmp

Filesize
64KB

Download
memory/3964-0-0x0000000140000000-0x00000001400FE000-memory.dmp

Filesize
1016KB

Download
memory/3964-38-0x0000000140000000-0x00000001400FE000-memory.dmp

Filesize
1016KB

Download
memory/3964-3-0x000001FDF2BC0000-0x000001FDF2BC7000-memory.dmp

Filesize
28KB

Download
memory/4520-68-0x0000000140000000-0x00000001400FF000-memory.dmp

Filesize
1020KB

Download
memory/4520-65-0x00000224F01B0000-0x00000224F01B7000-memory.dmp

Filesize
28KB

Download
memory/4520-62-0x0000000140000000-0x00000001400FF000-memory.dmp

Filesize
1020KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads