dridex | 6ee00d8356339095b8dcc714a2b6c5bc438ca13a0b292963918b2702cdd5e75a

General

Target

5d854e90c9ce59c4a156aa7818aec934_JaffaCakes118.dll
Size

1.4MB
MD5

5d854e90c9ce59c4a156aa7818aec934
SHA1

8ea2082c93e1bd69b654750b324ca6441874231b
SHA256

6ee00d8356339095b8dcc714a2b6c5bc438ca13a0b292963918b2702cdd5e75a
SHA512

7d39f53fa199f5ed6a440d3418b489a268884e355e012b132d25914dbb52d586d048f298a5bde3749661006a050ec1330adb2ecf6819dcb22a640892f7786806
SSDEEP

24576:yuYfg4LhHr4NFXKJO1aUiDBvZ2+ITHmpclO9N:a9cKrUqZWLAcU

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/1124-5-0x0000000002D40000-0x0000000002D41000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

Utilman.exerstrui.exemblctr.exe

pid process

2476 Utilman.exe
1636 rstrui.exe
1564 mblctr.exe
Loads dropped DLL 7 IoCs

Processes:

Utilman.exerstrui.exemblctr.exe

pid process

1124
2476 Utilman.exe
1124
1636 rstrui.exe
1124
1564 mblctr.exe
1124

pid	process
2476	Utilman.exe
1636	rstrui.exe
1564	mblctr.exe

pid	process
1124
2476	Utilman.exe
1124
1636	rstrui.exe
1124
1564	mblctr.exe
1124

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\Aknlhzir = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\Windows\\NETWOR~1\\PVVIAU~1\\rstrui.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.exeUtilman.exerstrui.exemblctr.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Utilman.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rstrui.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	mblctr.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
2108	rundll32.exe
2108	rundll32.exe
2108	rundll32.exe
1124
1124
1124
1124
1124
1124
1124
1124
1124
1124
1124
1124
1124
1124
1124
1124
1124
1124
1124
1124
1124
1124
1124
1124
1124
1124
1124
1124
1124
1124
1124
1124
1124
1124
1124
1124
1124
1124
1124
1124
1124
1124
1124
1124
1124
1124
1124
1124
1124
1124
1124
1124
1124
1124
1124
1124
1124
1124
1124
1124
1124

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

description	pid	target process
PID 1124 wrote to memory of 2608	1124	Utilman.exe
PID 1124 wrote to memory of 2608	1124	Utilman.exe
PID 1124 wrote to memory of 2608	1124	Utilman.exe
PID 1124 wrote to memory of 2476	1124	Utilman.exe
PID 1124 wrote to memory of 2476	1124	Utilman.exe
PID 1124 wrote to memory of 2476	1124	Utilman.exe
PID 1124 wrote to memory of 1572	1124	rstrui.exe
PID 1124 wrote to memory of 1572	1124	rstrui.exe
PID 1124 wrote to memory of 1572	1124	rstrui.exe
PID 1124 wrote to memory of 1636	1124	rstrui.exe
PID 1124 wrote to memory of 1636	1124	rstrui.exe
PID 1124 wrote to memory of 1636	1124	rstrui.exe
PID 1124 wrote to memory of 2748	1124	mblctr.exe
PID 1124 wrote to memory of 2748	1124	mblctr.exe
PID 1124 wrote to memory of 2748	1124	mblctr.exe
PID 1124 wrote to memory of 1564	1124	mblctr.exe
PID 1124 wrote to memory of 1564	1124	mblctr.exe
PID 1124 wrote to memory of 1564	1124	mblctr.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\5d854e90c9ce59c4a156aa7818aec934_JaffaCakes118.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:2108

C:\Windows\system32\Utilman.exe
C:\Windows\system32\Utilman.exe
1⤵
PID:2608

C:\Users\Admin\AppData\Local\63or\Utilman.exe
C:\Users\Admin\AppData\Local\63or\Utilman.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2476

C:\Windows\system32\rstrui.exe
C:\Windows\system32\rstrui.exe
1⤵
PID:1572

C:\Users\Admin\AppData\Local\ZvOR7Ui\rstrui.exe
C:\Users\Admin\AppData\Local\ZvOR7Ui\rstrui.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1636

C:\Windows\system32\mblctr.exe
C:\Windows\system32\mblctr.exe
1⤵
PID:2748

C:\Users\Admin\AppData\Local\e8sz\mblctr.exe
C:\Users\Admin\AppData\Local\e8sz\mblctr.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1564

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\63or\DUI70.dll

Filesize
1.6MB

MD5
c3ed61544fc63cff52bf97cb17ffa737

SHA1
1ff6949f6d5028c58e5a932235fd9bf5be5293f3

SHA256
e0cd56ef994028638fb35921341164fee47c8895fbec3bdb1ae97b3b07b98ef7

SHA512
94525e23b70ce1c0c6efe148284888e6a55f1d4de82b96a9d06a7d86292bc1d30b3475cdf5c36689fa56ce89f437706b97377b2484a76f372776f4e1dcd1efb2

Download Submit
C:\Users\Admin\AppData\Local\ZvOR7Ui\SRCORE.dll

Filesize
1.4MB

MD5
25afd011b02ad5893dab23cdb45138a3

SHA1
6ef80f4a1a10071483e8524e79229e80f4f0b288

SHA256
84e88136aa07c026bc679afd54e848bc2776f8ed1552d43dae784e0b42d1494e

SHA512
32bb538bca481bbc02fe368860f29e579f690c4916b5a86ba922564b777ef9d03e3b688487ea11babc0d3af5d6391c9e242fb6375d57fc926df68f32458297ce

Download Submit
C:\Users\Admin\AppData\Local\e8sz\WINMM.dll

Filesize
1.4MB

MD5
78e539b423a54cac5ff2b0eaa320dcf4

SHA1
8b2533d722da0e278087921c6070b1e3a9e68994

SHA256
b4f9cef4c734981fb5e9b22df0d589d396ff718b9b921624aefb5da9d00480d1

SHA512
eb31f9d3835f07d07617fadb8fe07d4bcb0f401208031038dbb51fd44d206fc59d0bc69ed6208b43230dc826aee74579b14c8c8bf501da0da8e948d2f3080855

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Qscjinkjzo.lnk

Filesize
1KB

MD5
056889fdd85f07dca16b0f27d54f0a9e

SHA1
aa34522e70b61d2619bf03a05b6a7a9ccfc886fe

SHA256
0b2c883b73ae1e439cccc86facf49a5ffb50cf08d7739526f0a765a0f7a3f302

SHA512
323cc1048d664c3ef160d1310fe7248bba621ff3ebffdb94ed32440b6e6359cea6fa1905fc91503a7959c84351746c5c8a06ebc9f7c43b088c8090e1d83b7098

Download Submit
\Users\Admin\AppData\Local\63or\Utilman.exe

Filesize
1.3MB

MD5
32c5ee55eadfc071e57851e26ac98477

SHA1
8f8d0aee344e152424143da49ce2c7badabb8f9d

SHA256
7ca90616e68bc851f14658a366d80f21ddb7a7dd8a866049e54651158784a9ea

SHA512
e0943efa81f3087c84a5909c72a436671ee8cc3cc80154901430e83ec7966aac800ad4b26f4a174a0071da617c0982ceda584686c6e2056e1a83e864aca6c975

Download Submit
\Users\Admin\AppData\Local\ZvOR7Ui\rstrui.exe

Filesize
290KB

MD5
3db5a1eace7f3049ecc49fa64461e254

SHA1
7dc64e4f75741b93804cbae365e10dc70592c6a9

SHA256
ba8387d4543b8b11e2202919b9608ee614753fe77f967aad9906702841658b49

SHA512
ea81e3233e382f1cf2938785c9ded7c8fbbf11a6a6f5cf4323e3211ae66dad4a2c597cb589ff11f9eae79516043aba77d4b24bfa6eb0aa045d405aabdea4a025

Download Submit
\Users\Admin\AppData\Local\e8sz\mblctr.exe

Filesize
935KB

MD5
fa4c36b574bf387d9582ed2c54a347a8

SHA1
149077715ee56c668567e3a9cb9842284f4fe678

SHA256
b71cdf708d4a4f045f784de5e5458ebf9a4fa2b188c3f7422e2fbfe19310be3f

SHA512
1f04ce0440eec7477153ebc2ce56eaabcbbac58d9d703c03337f030e160d22cd635ae201752bc2962643c75bbf2036afdd69d97e8cbc81260fd0e2f55946bb55

Download Submit
memory/1124-9-0x0000000140000000-0x0000000140167000-memory.dmp

Filesize
1.4MB

Download
memory/1124-36-0x0000000140000000-0x0000000140167000-memory.dmp

Filesize
1.4MB

Download
memory/1124-19-0x0000000140000000-0x0000000140167000-memory.dmp

Filesize
1.4MB

Download
memory/1124-18-0x0000000140000000-0x0000000140167000-memory.dmp

Filesize
1.4MB

Download
memory/1124-17-0x0000000140000000-0x0000000140167000-memory.dmp

Filesize
1.4MB

Download
memory/1124-16-0x0000000140000000-0x0000000140167000-memory.dmp

Filesize
1.4MB

Download
memory/1124-15-0x0000000140000000-0x0000000140167000-memory.dmp

Filesize
1.4MB

Download
memory/1124-12-0x0000000140000000-0x0000000140167000-memory.dmp

Filesize
1.4MB

Download
memory/1124-13-0x0000000140000000-0x0000000140167000-memory.dmp

Filesize
1.4MB

Download
memory/1124-11-0x0000000140000000-0x0000000140167000-memory.dmp

Filesize
1.4MB

Download
memory/1124-10-0x0000000140000000-0x0000000140167000-memory.dmp

Filesize
1.4MB

Download
memory/1124-4-0x0000000077246000-0x0000000077247000-memory.dmp

Filesize
4KB

Download
memory/1124-28-0x0000000002D20000-0x0000000002D27000-memory.dmp

Filesize
28KB

Download
memory/1124-27-0x0000000140000000-0x0000000140167000-memory.dmp

Filesize
1.4MB

Download
memory/1124-35-0x0000000140000000-0x0000000140167000-memory.dmp

Filesize
1.4MB

Download
memory/1124-31-0x0000000077451000-0x0000000077452000-memory.dmp

Filesize
4KB

Download
memory/1124-5-0x0000000002D40000-0x0000000002D41000-memory.dmp

Filesize
4KB

Download
memory/1124-32-0x00000000775E0000-0x00000000775E2000-memory.dmp

Filesize
8KB

Download
memory/1124-14-0x0000000140000000-0x0000000140167000-memory.dmp

Filesize
1.4MB

Download
memory/1124-72-0x0000000077246000-0x0000000077247000-memory.dmp

Filesize
4KB

Download
memory/1124-8-0x0000000140000000-0x0000000140167000-memory.dmp

Filesize
1.4MB

Download
memory/1124-7-0x0000000140000000-0x0000000140167000-memory.dmp

Filesize
1.4MB

Download
memory/1564-88-0x000007FEF6450000-0x000007FEF65B9000-memory.dmp

Filesize
1.4MB

Download
memory/1564-93-0x000007FEF6450000-0x000007FEF65B9000-memory.dmp

Filesize
1.4MB

Download
memory/1636-69-0x000007FEF6450000-0x000007FEF65B8000-memory.dmp

Filesize
1.4MB

Download
memory/1636-73-0x0000000001CF0000-0x0000000001CF7000-memory.dmp

Filesize
28KB

Download
memory/1636-76-0x000007FEF6450000-0x000007FEF65B8000-memory.dmp

Filesize
1.4MB

Download
memory/2108-44-0x000007FEF6450000-0x000007FEF65B7000-memory.dmp

Filesize
1.4MB

Download
memory/2108-0-0x000007FEF6450000-0x000007FEF65B7000-memory.dmp

Filesize
1.4MB

Download
memory/2108-3-0x00000000001B0000-0x00000000001B7000-memory.dmp

Filesize
28KB

Download
memory/2476-57-0x000007FEF7200000-0x000007FEF739B000-memory.dmp

Filesize
1.6MB

Download
memory/2476-52-0x000007FEF7200000-0x000007FEF739B000-memory.dmp

Filesize
1.6MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads