dridex | f85f26d71c527e7078122cfaee013e2881573630fdcfc8dcde64a24698824105

General

Target

7ecdae8ff4ce7a29e1cc131d4ff098b0_JaffaCakes118.dll
Size

1.2MB
MD5

7ecdae8ff4ce7a29e1cc131d4ff098b0
SHA1

883913c06a7e5867ecadaa6c5943c2875066e9e1
SHA256

f85f26d71c527e7078122cfaee013e2881573630fdcfc8dcde64a24698824105
SHA512

7930e981d2eda7b6f9c2a76d1861ec65cbcf897b086f456296a9ea1d3979da2b432cace42dd9b3b24a23669df598566bb4e189c3c4956205658d6ceaf23278ee
SSDEEP

24576:iVHchfFcSTdS1ZikTqpaIJvzSqbY/0Z2ZlECMNXkTlzvmJL8:iV8hf6STw1ZlQauvzSq01ICe6zvm

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral2/memory/3540-4-0x0000000007160000-0x0000000007161000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

raserver.exeDevicePairingWizard.exeeudcedit.exe

pid process

3720 raserver.exe
1964 DevicePairingWizard.exe
1872 eudcedit.exe
Loads dropped DLL 3 IoCs

Processes:

raserver.exeDevicePairingWizard.exeeudcedit.exe

pid process

3720 raserver.exe
1964 DevicePairingWizard.exe
1872 eudcedit.exe

pid	process
3720	raserver.exe
1964	DevicePairingWizard.exe
1872	eudcedit.exe

pid	process
3720	raserver.exe
1964	DevicePairingWizard.exe
1872	eudcedit.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Iphtcfjrejti = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Vault\\Z0ZQ\\DevicePairingWizard.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.exeraserver.exeDevicePairingWizard.exeeudcedit.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	raserver.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	DevicePairingWizard.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	eudcedit.exe

Modifies registry class 1 IoCs

Processes:

description ioc process

Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
4876	rundll32.exe
4876	rundll32.exe
4876	rundll32.exe
4876	rundll32.exe
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

description	pid	process
Token: SeShutdownPrivilege	3540
Token: SeCreatePagefilePrivilege	3540
Token: SeShutdownPrivilege	3540
Token: SeCreatePagefilePrivilege	3540
Token: SeShutdownPrivilege	3540
Token: SeCreatePagefilePrivilege	3540
Token: SeShutdownPrivilege	3540
Token: SeCreatePagefilePrivilege	3540

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

pid process

3540
3540
Suspicious use of UnmapMainImage 1 IoCs

Processes:

pid process

3540

pid	process
3540
3540

pid	process
3540

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

description	pid	target process
PID 3540 wrote to memory of 3356	3540	raserver.exe
PID 3540 wrote to memory of 3356	3540	raserver.exe
PID 3540 wrote to memory of 3720	3540	raserver.exe
PID 3540 wrote to memory of 3720	3540	raserver.exe
PID 3540 wrote to memory of 4264	3540	DevicePairingWizard.exe
PID 3540 wrote to memory of 4264	3540	DevicePairingWizard.exe
PID 3540 wrote to memory of 1964	3540	DevicePairingWizard.exe
PID 3540 wrote to memory of 1964	3540	DevicePairingWizard.exe
PID 3540 wrote to memory of 384	3540	eudcedit.exe
PID 3540 wrote to memory of 384	3540	eudcedit.exe
PID 3540 wrote to memory of 1872	3540	eudcedit.exe
PID 3540 wrote to memory of 1872	3540	eudcedit.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\7ecdae8ff4ce7a29e1cc131d4ff098b0_JaffaCakes118.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:4876

C:\Windows\system32\raserver.exe
C:\Windows\system32\raserver.exe
1⤵
PID:3356

C:\Users\Admin\AppData\Local\7G42t\raserver.exe
C:\Users\Admin\AppData\Local\7G42t\raserver.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:3720

C:\Windows\system32\DevicePairingWizard.exe
C:\Windows\system32\DevicePairingWizard.exe
1⤵
PID:4264

C:\Users\Admin\AppData\Local\1YWfOA7TK\DevicePairingWizard.exe
C:\Users\Admin\AppData\Local\1YWfOA7TK\DevicePairingWizard.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1964

C:\Windows\system32\eudcedit.exe
C:\Windows\system32\eudcedit.exe
1⤵
PID:384

C:\Users\Admin\AppData\Local\nArMXYZj\eudcedit.exe
C:\Users\Admin\AppData\Local\nArMXYZj\eudcedit.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1872

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\1YWfOA7TK\DevicePairingWizard.exe

Filesize
93KB

MD5
d0e40a5a0c7dad2d6e5040d7fbc37533

SHA1
b0eabbd37a97a1abcd90bd56394f5c45585699eb

SHA256
2adaf3a5d3fde149626e3fef0e943c7029a135c04688acf357b2d8d04c81981b

SHA512
1191c2efcadd53b74d085612025c44b6cd54dd69493632950e30ada650d5ed79e3468c138f389cd3bc21ea103059a63eb38d9d919a62d932a38830c93f57731f

Download Submit
C:\Users\Admin\AppData\Local\1YWfOA7TK\MFC42u.dll

Filesize
1.3MB

MD5
21f0619fdfd83a1defb6c0d83b59a4de

SHA1
630591493a6150f89f7db784ec5473dd6049bc1a

SHA256
02abda118a58adb2af04e940c09a7aaeb10d9da56bf8a991758b2936d27361a1

SHA512
c2f41d10a3d39db6e71112f1e322dc28b5824ef66fbfe90caadd92f8a2eebd0df2ebc4e04ee62b12fec261802cb8d9d193d1f51697dd049edf98874b26af7a0b

Download Submit
C:\Users\Admin\AppData\Local\7G42t\WTSAPI32.dll

Filesize
1.2MB

MD5
da40014b35028fd9ddb50d237e14e821

SHA1
7db1483d37a9a5f21ac82847066cd37ca67dbd2b

SHA256
c00678a376f35cb4f108a434c1d796d8805f5cb89488d60ac0ce6ea80b3aa071

SHA512
a367c69a4e0a9228ce21aa5c56f3ca9c4f4199a661e9af07d9b37cbc5ecdf8331a99f47c0f5bd021c026a70cab7473ffc2744133cb431b6bb3c33b33436693bf

Download Submit
C:\Users\Admin\AppData\Local\7G42t\raserver.exe

Filesize
132KB

MD5
d1841c6ee4ea45794ced131d4b68b60e

SHA1
4be6d2116060d7c723ac2d0b5504efe23198ea01

SHA256
38732626242988cc5b8f97fe8d3b030d483046ef66ea90d7ea3607f1adc0600d

SHA512
d8bad215872c5956c6e8acac1cd3ad19b85f72b224b068fb71cfd1493705bc7d3390853ba923a1aa461140294f8793247df018484a378e4f026c2a12cb3fa5c9

Download Submit
C:\Users\Admin\AppData\Local\nArMXYZj\MFC42u.dll

Filesize
1.3MB

MD5
1b25d3fe0b5f6e351e029ef8cb53c8ad

SHA1
40f19de2ede1b14f8f7d2a6f4385e062268f6df4

SHA256
01ab0f6b6e9df0b44eed93bbd7d8760c47251bf14117ea9d59057d068bb984f5

SHA512
16f191ce1c9b5e3f0e7554c19c7ccc750bdaf30997009cf624eb6da77f99addb895dd20532c1d23cfff630b21ae900c2b0b6fb9372b02c6474e44026c6615570

Download Submit
C:\Users\Admin\AppData\Local\nArMXYZj\eudcedit.exe

Filesize
365KB

MD5
a9de6557179d371938fbe52511b551ce

SHA1
def460b4028788ded82dc55c36cb0df28599fd5f

SHA256
83c8d1a7582b24b4bbc0d453c813487185c2b05c483bd1759ef647a7e7e92dfe

SHA512
5790cac8dae16a785b48f790e6645b137f211c1587fb64ea88e743b846ff3a886324afcfef4bebc61f869023b9a22ba925c461dfb2e12497b70f501e6b79153c

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Lyvwlrjkvg.lnk

Filesize
1KB

MD5
6923dae806af9ee9933ee367189f6093

SHA1
2629f422426a60cbee0abfec5901b9097e265ef2

SHA256
af53587da77d9481a3be0e15c8caf0f35f86963af9f4eae4af66195470327ce5

SHA512
ba3835986fe6402635b0c897ab59bb13f564aa0aece85d5cf259933057c77fee4fa78763304c71d47024149544314faf436f95ee890389adc0c68ff4123bd17f

Download Submit
memory/1872-85-0x0000000140000000-0x0000000140149000-memory.dmp

Filesize
1.3MB

Download
memory/1872-82-0x0000025BF9560000-0x0000025BF9567000-memory.dmp

Filesize
28KB

Download
memory/1964-68-0x0000000140000000-0x0000000140149000-memory.dmp

Filesize
1.3MB

Download
memory/1964-63-0x0000000140000000-0x0000000140149000-memory.dmp

Filesize
1.3MB

Download
memory/1964-62-0x000001F7D5610000-0x000001F7D5617000-memory.dmp

Filesize
28KB

Download
memory/3540-35-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/3540-29-0x0000000007130000-0x0000000007137000-memory.dmp

Filesize
28KB

Download
memory/3540-10-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/3540-8-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/3540-15-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/3540-6-0x00007FFC27C0A000-0x00007FFC27C0B000-memory.dmp

Filesize
4KB

Download
memory/3540-12-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/3540-13-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/3540-4-0x0000000007160000-0x0000000007161000-memory.dmp

Filesize
4KB

Download
memory/3540-9-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/3540-7-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/3540-11-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/3540-30-0x00007FFC28E50000-0x00007FFC28E60000-memory.dmp

Filesize
64KB

Download
memory/3540-14-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/3540-24-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/3720-51-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/3720-45-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/3720-48-0x00000207CD010000-0x00000207CD017000-memory.dmp

Filesize
28KB

Download
memory/4876-1-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/4876-38-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/4876-3-0x0000028CA45D0000-0x0000028CA45D7000-memory.dmp

Filesize
28KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads