dridex | 1583c51d887d2afe8d31227c64761ed559c6ea6e40fe1ab4f405eecd23186215

General

Target

67dfdc85c0e897820cc793be43f93d68_JaffaCakes118.dll
Size

989KB
MD5

67dfdc85c0e897820cc793be43f93d68
SHA1

4f6aac677ab2e91a13d570e2db2832c44b064212
SHA256

1583c51d887d2afe8d31227c64761ed559c6ea6e40fe1ab4f405eecd23186215
SHA512

712df35fa47efb0a6b10076c4e5e9e1b187732acad7335ba678c770d96c966e661da11512ad4fa9910ab6fe2d4d5a44169da2e8b311c60dc51a2c6191912b2f3
SSDEEP

24576:QVHchfFcSTdS1ZikTqpaIJvzSqbY/0Z2ZlECMNXkTlzvmJL8:QV8hf6STw1ZlQauvzSq01ICe6zvm

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/1184-5-0x0000000002DE0000-0x0000000002DE1000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

rdpclip.exeicardagt.exerstrui.exe

pid process

2752 rdpclip.exe
2480 icardagt.exe
1476 rstrui.exe
Loads dropped DLL 7 IoCs

Processes:

rdpclip.exeicardagt.exerstrui.exe

pid process

1184
2752 rdpclip.exe
1184
2480 icardagt.exe
1184
1476 rstrui.exe
1184

pid	process
2752	rdpclip.exe
2480	icardagt.exe
1476	rstrui.exe

pid	process
1184
2752	rdpclip.exe
1184
2480	icardagt.exe
1184
1476	rstrui.exe
1184

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\Mqdbvnnwgmqj = "C:\\Users\\Admin\\AppData\\Roaming\\MACROM~1\\FLASHP~1\\#SHARE~1\\4FSBDMJ5\\JsZlCwel\\icardagt.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.exerdpclip.exeicardagt.exerstrui.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rdpclip.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	icardagt.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rstrui.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
2204	rundll32.exe
2204	rundll32.exe
2204	rundll32.exe
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

description	pid	target process
PID 1184 wrote to memory of 2884	1184	rdpclip.exe
PID 1184 wrote to memory of 2884	1184	rdpclip.exe
PID 1184 wrote to memory of 2884	1184	rdpclip.exe
PID 1184 wrote to memory of 2752	1184	rdpclip.exe
PID 1184 wrote to memory of 2752	1184	rdpclip.exe
PID 1184 wrote to memory of 2752	1184	rdpclip.exe
PID 1184 wrote to memory of 2464	1184	icardagt.exe
PID 1184 wrote to memory of 2464	1184	icardagt.exe
PID 1184 wrote to memory of 2464	1184	icardagt.exe
PID 1184 wrote to memory of 2480	1184	icardagt.exe
PID 1184 wrote to memory of 2480	1184	icardagt.exe
PID 1184 wrote to memory of 2480	1184	icardagt.exe
PID 1184 wrote to memory of 1712	1184	rstrui.exe
PID 1184 wrote to memory of 1712	1184	rstrui.exe
PID 1184 wrote to memory of 1712	1184	rstrui.exe
PID 1184 wrote to memory of 1476	1184	rstrui.exe
PID 1184 wrote to memory of 1476	1184	rstrui.exe
PID 1184 wrote to memory of 1476	1184	rstrui.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\67dfdc85c0e897820cc793be43f93d68_JaffaCakes118.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:2204

C:\Windows\system32\rdpclip.exe
C:\Windows\system32\rdpclip.exe
1⤵
PID:2884

C:\Users\Admin\AppData\Local\uESWv4ea\rdpclip.exe
C:\Users\Admin\AppData\Local\uESWv4ea\rdpclip.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2752

C:\Windows\system32\icardagt.exe
C:\Windows\system32\icardagt.exe
1⤵
PID:2464

C:\Users\Admin\AppData\Local\Ta0u\icardagt.exe
C:\Users\Admin\AppData\Local\Ta0u\icardagt.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2480

C:\Windows\system32\rstrui.exe
C:\Windows\system32\rstrui.exe
1⤵
PID:1712

C:\Users\Admin\AppData\Local\fncO5FX\rstrui.exe
C:\Users\Admin\AppData\Local\fncO5FX\rstrui.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1476

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Query Registry

1

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Ta0u\UxTheme.dll
Filesize
992KB

MD5
eb6477b4feed4671c62ac916c8a65dbf

SHA1
223c590d5d8b1bd388850ff812c1d5be3a2ac10b

SHA256
58ff0074a4b842d459f65301a690cfd131df8b2c8c0c6c2f155c5eb03532e8f1

SHA512
5535b1637e05b18b5c0c7c8b22ea648447ecb636bcd0b5a5c04a7c1506db9dfec4b1fa1557d2611beee35d13e9468c37848361e3f2eeca23d8d4257067565917

Download Submit
C:\Users\Admin\AppData\Local\fncO5FX\SPP.dll
Filesize
990KB

MD5
28931a950492251a3940ab100f1e0270

SHA1
e57a582816890155d23716d3716ae31446e3409f

SHA256
730b76376149406c9121c119853d9d444889be2989b02be5365d1e3e0a34f27c

SHA512
8c664ae6a13268db870899ce98068ffa893521742fcd0d1735adbc4d4d5f8989d8e68b307e306f63ec4749fdb2410bf0360c708fa254a2c4d0114ea1fe3103b6

Download Submit
C:\Users\Admin\AppData\Local\uESWv4ea\WTSAPI32.dll
Filesize
991KB

MD5
36daa84a3b4757c01d003f5bb68df649

SHA1
a3a6f75083ea9f9aa3033da59a5f9f824907ae9f

SHA256
125e26565518cf83a58e7efeb192cf828769f5913eea4f4c92327dd9b83a841f

SHA512
0fa6c292ac68533bb81d84795c4e515ae6df19d351d750758b44196484ceaa786f2dc3caf3cf5d9505cd4bbabe8a33bef9e916e4a214349158e7c183858b559f

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Gemerzbimpg.lnk
Filesize
1KB

MD5
d1140ee20860b23fe3e874f0056172b3

SHA1
74dea886fa6a584e42bf822c3b84123f8db5430b

SHA256
2ce5ac3a8c3447771a4dbcf15e79f330ce66945821b62911ed015dadb367cbc7

SHA512
1778e32dfd3ec308e91a762dd1143b9394e1a03f88fc02afbe1d11bb28537036098202782c5adc00746f4082d3d6c688fe7bd35e49b8adfe308fce65c381b532

Download Submit
\Users\Admin\AppData\Local\Ta0u\icardagt.exe
Filesize
1.3MB

MD5
2fe97a3052e847190a9775431292a3a3

SHA1
43edc451ac97365600391fa4af15476a30423ff6

SHA256
473d17e571d6947ce93103454f1e9fe27136403125152b97acb6cad5cc2a9ac7

SHA512
93ed1f9ef6fb256b53df9c6f2ce03301c0d3a0ef49c3f0604872653e4ba3fce369256f50604dd8386f543e1ea9231f5700213e683d3ea9af9e4d6c427a19117a

Download Submit
\Users\Admin\AppData\Local\fncO5FX\rstrui.exe
Filesize
290KB

MD5
3db5a1eace7f3049ecc49fa64461e254

SHA1
7dc64e4f75741b93804cbae365e10dc70592c6a9

SHA256
ba8387d4543b8b11e2202919b9608ee614753fe77f967aad9906702841658b49

SHA512
ea81e3233e382f1cf2938785c9ded7c8fbbf11a6a6f5cf4323e3211ae66dad4a2c597cb589ff11f9eae79516043aba77d4b24bfa6eb0aa045d405aabdea4a025

Download Submit
\Users\Admin\AppData\Local\uESWv4ea\rdpclip.exe
Filesize
206KB

MD5
25d284eb2f12254c001afe9a82575a81

SHA1
cf131801fdd5ec92278f9e0ae62050e31c6670a5

SHA256
837e0d864c474956c0d9d4e7ae5f884007f19b7f420db9afcf0d266aefa6608b

SHA512
7b4f208fa1681a0a139577ebc974e7acfc85e3c906a674e111223783460585eb989cb6b38f215d79f89e747a0e9224d90e1aa43e091d2042edb8bac7b27b968b

Download Submit
memory/1184-23-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/1184-8-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/1184-26-0x0000000076FC0000-0x0000000076FC2000-memory.dmp

Filesize
8KB

Download
memory/1184-25-0x0000000076E31000-0x0000000076E32000-memory.dmp

Filesize
4KB

Download
memory/1184-12-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/1184-11-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/1184-10-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/1184-9-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/1184-24-0x0000000002D90000-0x0000000002D97000-memory.dmp

Filesize
28KB

Download
memory/1184-35-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/1184-36-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/1184-4-0x0000000076C26000-0x0000000076C27000-memory.dmp

Filesize
4KB

Download
memory/1184-13-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/1184-7-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/1184-73-0x0000000076C26000-0x0000000076C27000-memory.dmp

Filesize
4KB

Download
memory/1184-5-0x0000000002DE0000-0x0000000002DE1000-memory.dmp

Filesize
4KB

Download
memory/1184-14-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/1476-92-0x0000000000520000-0x0000000000527000-memory.dmp

Filesize
28KB

Download
memory/1476-95-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download
memory/2204-0-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/2204-44-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/2204-3-0x0000000000120000-0x0000000000127000-memory.dmp

Filesize
28KB

Download
memory/2480-74-0x0000000000200000-0x0000000000207000-memory.dmp

Filesize
28KB

Download
memory/2480-77-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download
memory/2752-58-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download
memory/2752-55-0x00000000000A0000-0x00000000000A7000-memory.dmp

Filesize
28KB

Download
memory/2752-52-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads