dridex | 682acb2e8fbae0a220ee3c38f5895a1e565242f9b79eb576f6d6ce530934bc34

General

Target

777ef6894e820bba6cd3f4d2f81282cb_JaffaCakes118.dll
Size

1.2MB
MD5

777ef6894e820bba6cd3f4d2f81282cb
SHA1

cd4893c41615b03101c95170687731f5f8ef87e1
SHA256

682acb2e8fbae0a220ee3c38f5895a1e565242f9b79eb576f6d6ce530934bc34
SHA512

ad0078555615ff2a55da4357167771ba3ace8905f865023e6634e28408e6636ef00c91a87cb37ca331f4ad6a1cf396b0530f3f6852fe8f9afafa2c5919ade9ff
SSDEEP

24576:JVHchfFcSTdS1ZikTqpaIJvzSqbY/0Z2ZlECMNXkTlzvmJL8:JV8hf6STw1ZlQauvzSq01ICe6zvm

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/1180-5-0x0000000002DA0000-0x0000000002DA1000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

Dxpserver.exeComputerDefaults.exerdpinit.exe

pid process

2476 Dxpserver.exe
1352 ComputerDefaults.exe
2772 rdpinit.exe
Loads dropped DLL 7 IoCs

Processes:

Dxpserver.exeComputerDefaults.exerdpinit.exe

pid process

1180
2476 Dxpserver.exe
1180
1352 ComputerDefaults.exe
1180
2772 rdpinit.exe
1180

pid	process
2476	Dxpserver.exe
1352	ComputerDefaults.exe
2772	rdpinit.exe

pid	process
1180
2476	Dxpserver.exe
1180
1352	ComputerDefaults.exe
1180
2772	rdpinit.exe
1180

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\Mqdbvnnwgmqj = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\Windows\\STARTM~1\\Programs\\ACCESS~1\\T4J2HT~1\\COMPUT~1.EXE"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

Dxpserver.exeComputerDefaults.exerdpinit.exerundll32.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Dxpserver.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ComputerDefaults.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rdpinit.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
1964	rundll32.exe
1964	rundll32.exe
1964	rundll32.exe
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

description	pid	target process
PID 1180 wrote to memory of 2520	1180	Dxpserver.exe
PID 1180 wrote to memory of 2520	1180	Dxpserver.exe
PID 1180 wrote to memory of 2520	1180	Dxpserver.exe
PID 1180 wrote to memory of 2476	1180	Dxpserver.exe
PID 1180 wrote to memory of 2476	1180	Dxpserver.exe
PID 1180 wrote to memory of 2476	1180	Dxpserver.exe
PID 1180 wrote to memory of 616	1180	ComputerDefaults.exe
PID 1180 wrote to memory of 616	1180	ComputerDefaults.exe
PID 1180 wrote to memory of 616	1180	ComputerDefaults.exe
PID 1180 wrote to memory of 1352	1180	ComputerDefaults.exe
PID 1180 wrote to memory of 1352	1180	ComputerDefaults.exe
PID 1180 wrote to memory of 1352	1180	ComputerDefaults.exe
PID 1180 wrote to memory of 2128	1180	rdpinit.exe
PID 1180 wrote to memory of 2128	1180	rdpinit.exe
PID 1180 wrote to memory of 2128	1180	rdpinit.exe
PID 1180 wrote to memory of 2772	1180	rdpinit.exe
PID 1180 wrote to memory of 2772	1180	rdpinit.exe
PID 1180 wrote to memory of 2772	1180	rdpinit.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\777ef6894e820bba6cd3f4d2f81282cb_JaffaCakes118.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:1964

C:\Windows\system32\Dxpserver.exe
C:\Windows\system32\Dxpserver.exe
1⤵
PID:2520

C:\Users\Admin\AppData\Local\HqS\Dxpserver.exe
C:\Users\Admin\AppData\Local\HqS\Dxpserver.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2476

C:\Windows\system32\ComputerDefaults.exe
C:\Windows\system32\ComputerDefaults.exe
1⤵
PID:616

C:\Users\Admin\AppData\Local\gK9YR\ComputerDefaults.exe
C:\Users\Admin\AppData\Local\gK9YR\ComputerDefaults.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1352

C:\Windows\system32\rdpinit.exe
C:\Windows\system32\rdpinit.exe
1⤵
PID:2128

C:\Users\Admin\AppData\Local\7t32sGhC\rdpinit.exe
C:\Users\Admin\AppData\Local\7t32sGhC\rdpinit.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2772

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Query Registry

1

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\7t32sGhC\WTSAPI32.dll
Filesize
1.2MB

MD5
a99b1c7218c122f2c2c7680311543ed0

SHA1
5e586a1aed7acfe1dd65c899b8fc8389d602b48d

SHA256
acdd419705396f4184e27e2fa1059d6c9c8dc6d15b83904f0389eb23531cbf8c

SHA512
91b82772c2ad5f1c0b5dfb82cdc7d461aba7e98d88e962db3d94420be1064eea765e35e214d45ec3ad3abe225b0997e9f7b40e6efd0cf95ee4971d9bbb63c00f

Download Submit
C:\Users\Admin\AppData\Local\HqS\XmlLite.dll
Filesize
1.2MB

MD5
f3f6413c525f32e5b49f396570293e04

SHA1
dafd1ea523193617e51720cde25884e7421640f7

SHA256
31c638594cea5ba0430a19e933c6a05af8bbb866759dede602b9bf02afc8c14b

SHA512
515ae44dc930b368b656b39fb931e7fac38ec2f55a3bd2c3a58b135a3949a62927aba1b67efd679c29480f12d0b8d979981fab7e377174a70c803f710172f885

Download Submit
C:\Users\Admin\AppData\Local\gK9YR\appwiz.cpl
Filesize
1.2MB

MD5
cdef95d9120e61256b41a1687ec6daf0

SHA1
3ca4d0f0938e005f44bddd7103bf022918360e77

SHA256
df3e72c0f272d0642b9cd3b76aac8eab0fd5d6a121ebe9068ebcc472823d5176

SHA512
2196366e5957603a62b568edf97b995243a7e918d39f906550aa27df025b12712538fec908f2054088d4e81af2621f4062b127274752f2f403916a26e663144f

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Gemerzbimpg.lnk
Filesize
1KB

MD5
4b12a55605af2dcd9b5d2c2bbc1bd72c

SHA1
46c740ea9adbd3bd6f83b8a58b92b5cfafa69a94

SHA256
497af00575b69856f5cfcb336ce7f0c57df149cc145c9b2a6b0fa8939df2d73c

SHA512
96b1805c29a016826b83be1e44b128bb1be8dc56edc7f9ebc4cb897dc43cb1c3e5ac861d609c25dae32a629bed44df26e465588685abb09c440bc829f855635e

Download Submit
\Users\Admin\AppData\Local\7t32sGhC\rdpinit.exe
Filesize
174KB

MD5
664e12e0ea009cc98c2b578ff4983c62

SHA1
27b302c0108851ac6cc37e56590dd9074b09c3c9

SHA256
00bd9c3c941a5a9b4fc8594d7b985f5f1ac48f0ba7495a728b8fa42b4b48a332

SHA512
f5eee4e924dcc3cf5e82eff36543e9d0e9c17dc2272b403cf30f8d2da42312821f5566249a98a952f5441b1f0d6d61a86b5c5198bc598d65ea9d4fb35822505d

Download Submit
\Users\Admin\AppData\Local\HqS\Dxpserver.exe
Filesize
259KB

MD5
4d38389fb92e43c77a524fd96dbafd21

SHA1
08014e52f6894cad4f1d1e6fc1a703732e9acd19

SHA256
070bc95c486c15d2edc3548ba416dc9565ead401cb03a0472f719fb55ac94e73

SHA512
02d8d130cff2b8de15139d309e1cd74a2148bb786fd749e5f22775d45e193b0f75adf40274375cabce33576480ff20456f25172d29a034cd134b8084d40a67ba

Download Submit
\Users\Admin\AppData\Local\gK9YR\ComputerDefaults.exe
Filesize
36KB

MD5
86bd981f55341273753ac42ea200a81e

SHA1
14fe410efc9aeb0a905b984ac27719ff0dd10ea7

SHA256
40b194be2bad2d3d4d1b69f9aec2853c8b663130810a11607ff72a9e3a06d5b3

SHA512
49bb6d4bf7a9356fadde7f6165af6973630827d28b69db10ad477a84d98b08fb82e4daae777166e1ddddb5b5efcdf634e4e9bd34b255dae87462ba32e8bba143

Download Submit
memory/1180-25-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/1180-15-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/1180-4-0x0000000077AB6000-0x0000000077AB7000-memory.dmp

Filesize
4KB

Download
memory/1180-26-0x0000000002D80000-0x0000000002D87000-memory.dmp

Filesize
28KB

Download
memory/1180-16-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/1180-14-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/1180-13-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/1180-12-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/1180-11-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/1180-10-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/1180-9-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/1180-38-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/1180-37-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/1180-5-0x0000000002DA0000-0x0000000002DA1000-memory.dmp

Filesize
4KB

Download
memory/1180-27-0x0000000077CC1000-0x0000000077CC2000-memory.dmp

Filesize
4KB

Download
memory/1180-30-0x0000000077E50000-0x0000000077E52000-memory.dmp

Filesize
8KB

Download
memory/1180-8-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/1180-7-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/1180-65-0x0000000077AB6000-0x0000000077AB7000-memory.dmp

Filesize
4KB

Download
memory/1352-76-0x0000000000290000-0x0000000000297000-memory.dmp

Filesize
28KB

Download
memory/1352-79-0x0000000140000000-0x0000000140144000-memory.dmp

Filesize
1.3MB

Download
memory/1964-46-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/1964-0-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/1964-3-0x00000000003A0000-0x00000000003A7000-memory.dmp

Filesize
28KB

Download
memory/2476-60-0x0000000140000000-0x0000000140144000-memory.dmp

Filesize
1.3MB

Download
memory/2476-55-0x0000000140000000-0x0000000140144000-memory.dmp

Filesize
1.3MB

Download
memory/2476-54-0x00000000006B0000-0x00000000006B7000-memory.dmp

Filesize
28KB

Download
memory/2772-94-0x0000000000110000-0x0000000000117000-memory.dmp

Filesize
28KB

Download
memory/2772-97-0x0000000140000000-0x0000000140144000-memory.dmp

Filesize
1.3MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads