dridex | 331b081d4f8a8c846b6f54ed1309c8b13802449ae5a412bacdd1beb40d032835

General

Target

88bf0cec0a0950513347f76e77b77f06_JaffaCakes118.dll
Size

1.2MB
MD5

88bf0cec0a0950513347f76e77b77f06
SHA1

5109dea79b1e2bb2086e1fda0cfb197ac78e90b5
SHA256

331b081d4f8a8c846b6f54ed1309c8b13802449ae5a412bacdd1beb40d032835
SHA512

0f4bd97642aa68d69154d8e5f42c00e2c0bb4c96877397dca25b6c7c473771e51e558df007812bc8e994614e3ce238309e5b9141cfa3def4d554acf9ef0659ce
SSDEEP

24576:FVHchfFcSTdS1ZikTqpaIJvzSqbY/0Z2ZlECMNXkTlzvmJL8:FV8hf6STw1ZlQauvzSq01ICe6zvm

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/1212-5-0x00000000029A0000-0x00000000029A1000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

RDVGHelper.exeslui.exetabcal.exe

pid process

572 RDVGHelper.exe
1540 slui.exe
2472 tabcal.exe
Loads dropped DLL 7 IoCs

Processes:

RDVGHelper.exeslui.exetabcal.exe

pid process

1212
572 RDVGHelper.exe
1212
1540 slui.exe
1212
2472 tabcal.exe
1212

pid	process
572	RDVGHelper.exe
1540	slui.exe
2472	tabcal.exe

pid	process
1212
572	RDVGHelper.exe
1212
1540	slui.exe
1212
2472	tabcal.exe
1212

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\Uxhwu = "C:\\Users\\Admin\\AppData\\Roaming\\Identities\\5n74hdJ\\slui.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

tabcal.exerundll32.exeRDVGHelper.exeslui.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	tabcal.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RDVGHelper.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	slui.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
2336	rundll32.exe
2336	rundll32.exe
2336	rundll32.exe
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

description pid process

Token: SeShutdownPrivilege 1212
Token: SeShutdownPrivilege 1212

description	pid	process
Token: SeShutdownPrivilege	1212
Token: SeShutdownPrivilege	1212

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

description	pid	target process
PID 1212 wrote to memory of 1984	1212	RDVGHelper.exe
PID 1212 wrote to memory of 1984	1212	RDVGHelper.exe
PID 1212 wrote to memory of 1984	1212	RDVGHelper.exe
PID 1212 wrote to memory of 572	1212	RDVGHelper.exe
PID 1212 wrote to memory of 572	1212	RDVGHelper.exe
PID 1212 wrote to memory of 572	1212	RDVGHelper.exe
PID 1212 wrote to memory of 2408	1212	slui.exe
PID 1212 wrote to memory of 2408	1212	slui.exe
PID 1212 wrote to memory of 2408	1212	slui.exe
PID 1212 wrote to memory of 1540	1212	slui.exe
PID 1212 wrote to memory of 1540	1212	slui.exe
PID 1212 wrote to memory of 1540	1212	slui.exe
PID 1212 wrote to memory of 2480	1212	tabcal.exe
PID 1212 wrote to memory of 2480	1212	tabcal.exe
PID 1212 wrote to memory of 2480	1212	tabcal.exe
PID 1212 wrote to memory of 2472	1212	tabcal.exe
PID 1212 wrote to memory of 2472	1212	tabcal.exe
PID 1212 wrote to memory of 2472	1212	tabcal.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\88bf0cec0a0950513347f76e77b77f06_JaffaCakes118.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:2336

C:\Windows\system32\RDVGHelper.exe
C:\Windows\system32\RDVGHelper.exe
1⤵
PID:1984

C:\Users\Admin\AppData\Local\ZDijXXZ\RDVGHelper.exe
C:\Users\Admin\AppData\Local\ZDijXXZ\RDVGHelper.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:572

C:\Windows\system32\slui.exe
C:\Windows\system32\slui.exe
1⤵
PID:2408

C:\Users\Admin\AppData\Local\K4hE\slui.exe
C:\Users\Admin\AppData\Local\K4hE\slui.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1540

C:\Windows\system32\tabcal.exe
C:\Windows\system32\tabcal.exe
1⤵
PID:2480

C:\Users\Admin\AppData\Local\jCS4qq0a\tabcal.exe
C:\Users\Admin\AppData\Local\jCS4qq0a\tabcal.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2472

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\K4hE\slc.dll
Filesize
1.2MB

MD5
22fd107cfad7c9c0078a4ece322b70f3

SHA1
14662bd85d0e9f78aeee83933c0e2337a8b78266

SHA256
2a2b6f0e887ae97b8991158804d0a76508fa7c5675276b7a9b292f584f93010d

SHA512
01fe99a338f37aa3895397ce9bf95dd8eb90ce5c4cd299c272648366b93584fcb2ad76e79c9ac9ee1b3a763e282d64be023586d303e4b460817bf0c44508a32a

Download Submit
C:\Users\Admin\AppData\Local\K4hE\slui.exe
Filesize
341KB

MD5
c5ce5ce799387e82b7698a0ee5544a6d

SHA1
ed37fdb169bb539271c117d3e8a5f14fd8df1c0d

SHA256
34aa7ca0ea833263a6883827e161a5c218576c5ad97e0ce386fad4250676b42c

SHA512
79453b45e1f38d164ee3dbc232f774ff121d4394c22783140f5c8c722f184a69f499f2fb9621bdb28f565065b791883526e1a1d4abef9df82289613c2ce97a5c

Download Submit
C:\Users\Admin\AppData\Local\ZDijXXZ\dwmapi.dll
Filesize
1.2MB

MD5
8d2fdb95aa09ca41cc5a0310d6e06a3d

SHA1
164127cfbdab4498690d15ab59ae87994ddc5bb5

SHA256
b9cd027075c4afa610b49d1c5526d5cd054779348a0bcad744ca0016559dd7c0

SHA512
381624a05ed0a3bcf2fea92b15be54081d437efcdeae42be2cc28f80260cb346633bf3dc28f7c1c05ff9704a1a9fa621c74dc3ddd38223ffafcfead20e18441a

Download Submit
C:\Users\Admin\AppData\Local\jCS4qq0a\tabcal.exe
Filesize
77KB

MD5
98e7911befe83f76777317ce6905666d

SHA1
2780088dffe1dd1356c5dd5112a9f04afee3ee8d

SHA256
3fe8b63367b4298e70d46e87ce04cc7af5f30dfdb86b79eae41d0731d9415ea1

SHA512
fc0226381d9a6984cccac8282697c78966524e1359f7f6044559b8223e773d3c108dda08a2dd283aa171dca3390801f2c92a5d1dbb978dd7f92a67bd8877b8b6

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Dgsmy.lnk
Filesize
1KB

MD5
77bae22bf69bd3abc4b59e9bd9df35fc

SHA1
303f4963656a3111c75d66e050b5c88035a01b12

SHA256
d164b630bbf15762a6bd007c9c9bdc8d8289fec8afc8d2cce5a203ee597b95e5

SHA512
88401df31e0a8c1efb650620f65d4f944ac3831e3e8b863f3a301157fb9c3dfc98d0cb176bd008bd9133a0cca37d9471a9e02e9c1dffe71e6acfeec37836e99a

Download Submit
\Users\Admin\AppData\Local\ZDijXXZ\RDVGHelper.exe
Filesize
93KB

MD5
53fda4af81e7c4895357a50e848b7cfe

SHA1
01fb2d0210f1c47aaf684e31a9fb78f89bba9c0f

SHA256
62ab8c2c5b5bd84fd07e96b6a3b87a4ea56946107ed9b7f8076580ae1fefd038

SHA512
dbbda90a57d27160c5a3a5e4e94cfc43b1663fcbfe424fdec851e52356f61492bdcf677c46be8aa4e8ccc8be7c389b6aa7bbbce8447e1fae32f03e5e409f4051

Download Submit
\Users\Admin\AppData\Local\jCS4qq0a\HID.DLL
Filesize
1.2MB

MD5
1be3d0bd3c4e1ea1ed8b46cbd1db19ce

SHA1
972b13443e4b90062fea3be1134773df7ad8d51a

SHA256
484fa9482382c948bb99df4cfca3933525682b5c421d87c20f3ce1ed6f2ea3ed

SHA512
fbddd3744a8041830415efdd00062ac8f8102ef177a04d7057088c9d796fb13ac2279d226bf6adb6e23dc50d6b2f39bef7751d6f5af5807c6837c893697e3e8e

Download Submit
memory/572-61-0x0000000140000000-0x0000000140145000-memory.dmp

Filesize
1.3MB

Download
memory/572-56-0x0000000140000000-0x0000000140145000-memory.dmp

Filesize
1.3MB

Download
memory/572-55-0x00000000000F0000-0x00000000000F7000-memory.dmp

Filesize
28KB

Download
memory/1212-15-0x0000000140000000-0x0000000140144000-memory.dmp

Filesize
1.3MB

Download
memory/1212-54-0x0000000077AE6000-0x0000000077AE7000-memory.dmp

Filesize
4KB

Download
memory/1212-11-0x0000000140000000-0x0000000140144000-memory.dmp

Filesize
1.3MB

Download
memory/1212-10-0x0000000140000000-0x0000000140144000-memory.dmp

Filesize
1.3MB

Download
memory/1212-9-0x0000000140000000-0x0000000140144000-memory.dmp

Filesize
1.3MB

Download
memory/1212-8-0x0000000140000000-0x0000000140144000-memory.dmp

Filesize
1.3MB

Download
memory/1212-27-0x0000000077CF1000-0x0000000077CF2000-memory.dmp

Filesize
4KB

Download
memory/1212-28-0x0000000077E80000-0x0000000077E82000-memory.dmp

Filesize
8KB

Download
memory/1212-38-0x0000000140000000-0x0000000140144000-memory.dmp

Filesize
1.3MB

Download
memory/1212-37-0x0000000140000000-0x0000000140144000-memory.dmp

Filesize
1.3MB

Download
memory/1212-4-0x0000000077AE6000-0x0000000077AE7000-memory.dmp

Filesize
4KB

Download
memory/1212-13-0x0000000140000000-0x0000000140144000-memory.dmp

Filesize
1.3MB

Download
memory/1212-14-0x0000000140000000-0x0000000140144000-memory.dmp

Filesize
1.3MB

Download
memory/1212-12-0x0000000140000000-0x0000000140144000-memory.dmp

Filesize
1.3MB

Download
memory/1212-5-0x00000000029A0000-0x00000000029A1000-memory.dmp

Filesize
4KB

Download
memory/1212-25-0x0000000001C60000-0x0000000001C67000-memory.dmp

Filesize
28KB

Download
memory/1212-26-0x0000000140000000-0x0000000140144000-memory.dmp

Filesize
1.3MB

Download
memory/1212-16-0x0000000140000000-0x0000000140144000-memory.dmp

Filesize
1.3MB

Download
memory/1212-7-0x0000000140000000-0x0000000140144000-memory.dmp

Filesize
1.3MB

Download
memory/1540-73-0x0000000000100000-0x0000000000107000-memory.dmp

Filesize
28KB

Download
memory/1540-79-0x0000000140000000-0x0000000140145000-memory.dmp

Filesize
1.3MB

Download
memory/2336-0-0x0000000140000000-0x0000000140144000-memory.dmp

Filesize
1.3MB

Download
memory/2336-44-0x0000000140000000-0x0000000140144000-memory.dmp

Filesize
1.3MB

Download
memory/2336-3-0x0000000000290000-0x0000000000297000-memory.dmp

Filesize
28KB

Download
memory/2472-96-0x0000000140000000-0x0000000140145000-memory.dmp

Filesize
1.3MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads