dridex | 23af8a04d56b123342384a11c863a934154029823ee3e5e744a9fbedbb4dac12

General

Target

890585cd2e7a7240f8717a699df466c6_JaffaCakes118.dll
Size

1.2MB
MD5

890585cd2e7a7240f8717a699df466c6
SHA1

905cc34008102e2497e9dbb3e11a1cd0a5b591ba
SHA256

23af8a04d56b123342384a11c863a934154029823ee3e5e744a9fbedbb4dac12
SHA512

3135756a9194a05256d9caf0ecf06ea3abe15c080e7c2b09b4419d8a95c4856a500cb5ab2e0afb0a1f2ade9c51877c56064b29148542dbc7da51e203dc1562d2
SSDEEP

24576:5uYfg4LhHr4NFXKJO1aUiDBvZ2+ITHmpclO9N:r9cKrUqZWLAcU

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral2/memory/3532-4-0x0000000002BE0000-0x0000000002BE1000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

Taskmgr.exesdclt.exerdpinit.exe

pid process

4232 Taskmgr.exe
1772 sdclt.exe
524 rdpinit.exe
Loads dropped DLL 4 IoCs

Processes:

Taskmgr.exesdclt.exerdpinit.exe

pid process

4232 Taskmgr.exe
4232 Taskmgr.exe
1772 sdclt.exe
524 rdpinit.exe

pid	process
4232	Taskmgr.exe
1772	sdclt.exe
524	rdpinit.exe

pid	process
4232	Taskmgr.exe
4232	Taskmgr.exe
1772	sdclt.exe
524	rdpinit.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Iphtcfjrejti = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\Windows\\STARTM~1\\Programs\\MAINTE~1\\npNJyS\\sdclt.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

sdclt.exerdpinit.exerundll32.exeTaskmgr.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sdclt.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rdpinit.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Taskmgr.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
1440	rundll32.exe
1440	rundll32.exe
1440	rundll32.exe
1440	rundll32.exe
1440	rundll32.exe
1440	rundll32.exe
3532
3532
3532
3532
3532
3532
3532
3532
3532
3532
3532
3532
3532
3532
3532
3532
3532
3532
3532
3532
3532
3532
3532
3532
3532
3532
3532
3532
3532
3532
3532
3532
3532
3532
3532
3532
3532
3532
3532
3532
3532
3532
3532
3532
3532
3532
3532
3532
3532
3532
3532
3532
3532
3532
3532
3532
3532
3532

Suspicious use of UnmapMainImage 1 IoCs

Processes:

pid process

3532

pid	process
3532

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

description	pid	target process
PID 3532 wrote to memory of 2680	3532	Taskmgr.exe
PID 3532 wrote to memory of 2680	3532	Taskmgr.exe
PID 3532 wrote to memory of 4232	3532	Taskmgr.exe
PID 3532 wrote to memory of 4232	3532	Taskmgr.exe
PID 3532 wrote to memory of 3348	3532	sdclt.exe
PID 3532 wrote to memory of 3348	3532	sdclt.exe
PID 3532 wrote to memory of 1772	3532	sdclt.exe
PID 3532 wrote to memory of 1772	3532	sdclt.exe
PID 3532 wrote to memory of 396	3532	rdpinit.exe
PID 3532 wrote to memory of 396	3532	rdpinit.exe
PID 3532 wrote to memory of 524	3532	rdpinit.exe
PID 3532 wrote to memory of 524	3532	rdpinit.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\890585cd2e7a7240f8717a699df466c6_JaffaCakes118.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:1440

C:\Windows\system32\Taskmgr.exe
C:\Windows\system32\Taskmgr.exe
1⤵
PID:2680

C:\Users\Admin\AppData\Local\PJmPH\Taskmgr.exe
C:\Users\Admin\AppData\Local\PJmPH\Taskmgr.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:4232

C:\Windows\system32\sdclt.exe
C:\Windows\system32\sdclt.exe
1⤵
PID:3348

C:\Users\Admin\AppData\Local\Fe9\sdclt.exe
C:\Users\Admin\AppData\Local\Fe9\sdclt.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1772

C:\Windows\system32\rdpinit.exe
C:\Windows\system32\rdpinit.exe
1⤵
PID:396

C:\Users\Admin\AppData\Local\Wygbs\rdpinit.exe
C:\Users\Admin\AppData\Local\Wygbs\rdpinit.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:524

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Query Registry

1

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Fe9\ReAgent.dll
Filesize
1.2MB

MD5
070d6d95c7c3968716023f2c845ae1b6

SHA1
7e55466e518cb25a456673b97fa44d4a1e8c280a

SHA256
9e05632f0aaf3fc5263ce7f59c9fe8aa5b985dfd0453d7dade2f8cd3dda03a90

SHA512
a45e6d8d0ca248202df17afc9ec31ad4b294bcee12cab6988e9ce49df30e962e6ba19a4f9c8c96c583d9d6b02d42c41a041d85d9bc96b9610355646ef93b9f8b

Download Submit
C:\Users\Admin\AppData\Local\Fe9\sdclt.exe
Filesize
1.2MB

MD5
e09d48f225e7abcab14ebd3b8a9668ec

SHA1
1c5b9322b51c09a407d182df481609f7cb8c425d

SHA256
efd238ea79b93d07852d39052f1411618c36e7597e8af0966c4a3223f0021dc3

SHA512
384d606b90c4803e5144b4de24edc537cb22dd59336a18a58d229500ed36aec92c8467cae6d3f326647bd044d8074931da553c7809727fb70227e99c257df0b4

Download Submit
C:\Users\Admin\AppData\Local\PJmPH\Taskmgr.exe
Filesize
1.2MB

MD5
58d5bc7895f7f32ee308e34f06f25dd5

SHA1
7a7f5e991ddeaf73e15a0fdcb5c999c0248a2fa4

SHA256
4e305198f15bafd5728b5fb8e7ff48d9f312399c744ecfea0ecac79d93c5e478

SHA512
872c84c92b0e4050ae4a4137330ec3cda30008fd15d6413bf7a913c03a021ad41b6131e5a7356b374ced98d37ae207147ebefd93893560dc15c3e9875f93f7a9

Download Submit
C:\Users\Admin\AppData\Local\PJmPH\dxgi.dll
Filesize
1.2MB

MD5
c334f5fb684539d70705c6afc329c49c

SHA1
1beab1fa20d687c5289f63cf2a970f8aab165537

SHA256
e8db3c81c65490e9a7d224cc52b28615758e9fe58d38e0145682010119b2f251

SHA512
2b656fe05e836d00dec96f646ba8a03708614151f9103b04e6d0567819aad2efb15895c18c4e7f66056a03cd40e7941f6a1f5e428b61d7b55a4f65304e8fe14a

Download Submit
C:\Users\Admin\AppData\Local\Wygbs\WTSAPI32.dll
Filesize
1.2MB

MD5
9894e78d57e07bb035cfb280b23ba090

SHA1
d17d98dea3b609f82ecc00de5d4e3983f48ba630

SHA256
cfba627bf1b4d7635311a139d5f30e377112e3cbac840750fe34210faa96deb8

SHA512
9b03915e0d031b1b0237ba268226ecc95954310ad3fc9b2096666fb432c14ef81fdc67bd669e73a834870c30e602f1b146f3aace5cedbf2e0de711a401b5a53a

Download Submit
C:\Users\Admin\AppData\Local\Wygbs\rdpinit.exe
Filesize
343KB

MD5
b0ecd76d99c5f5134aeb52460add6f80

SHA1
51462078092c9d6b7fa2b9544ffe0a49eb258106

SHA256
51251863097f7c80ef59606152ec59e7522881c8e3886c194c43f56bcab92e1b

SHA512
16855c7db48b26297c78d37d52ad03f6af0f5a58e333e17ad83b34f5e8b200c5517c6481043af0ecf1b962af2378f38600bd968592f4e1018b5a1b9400adb367

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Lyvwlrjkvg.lnk
Filesize
1KB

MD5
2b33241bcee3f1cf0bce05e3d1126505

SHA1
4e2b5ded1ce1a871d20d5df02207893d40aca644

SHA256
b60406b63a7f14ab12c228d334ecaf7f26403ced4a0df21af0488705dee503e8

SHA512
7736140643d1c875e67cf492223bd0eedb20c505674a0ca712cf6e811e707b1ec402b97eb60467e436bf49abdcabb217fab123da6f0d194a7393ea6db4d56936

Download Submit
memory/524-87-0x00007FFDB66D0000-0x00007FFDB6811000-memory.dmp

Filesize
1.3MB

Download
memory/1440-0-0x00007FFDC64D0000-0x00007FFDC6610000-memory.dmp

Filesize
1.2MB

Download
memory/1440-3-0x0000021E667E0000-0x0000021E667E7000-memory.dmp

Filesize
28KB

Download
memory/1440-40-0x00007FFDC64D0000-0x00007FFDC6610000-memory.dmp

Filesize
1.2MB

Download
memory/1772-68-0x000002691D7F0000-0x000002691D7F7000-memory.dmp

Filesize
28KB

Download
memory/1772-65-0x00007FFDB66D0000-0x00007FFDB6811000-memory.dmp

Filesize
1.3MB

Download
memory/1772-71-0x00007FFDB66D0000-0x00007FFDB6811000-memory.dmp

Filesize
1.3MB

Download
memory/3532-9-0x0000000140000000-0x0000000140140000-memory.dmp

Filesize
1.2MB

Download
memory/3532-26-0x0000000140000000-0x0000000140140000-memory.dmp

Filesize
1.2MB

Download
memory/3532-12-0x0000000140000000-0x0000000140140000-memory.dmp

Filesize
1.2MB

Download
memory/3532-8-0x0000000140000000-0x0000000140140000-memory.dmp

Filesize
1.2MB

Download
memory/3532-7-0x0000000140000000-0x0000000140140000-memory.dmp

Filesize
1.2MB

Download
memory/3532-37-0x0000000140000000-0x0000000140140000-memory.dmp

Filesize
1.2MB

Download
memory/3532-13-0x0000000140000000-0x0000000140140000-memory.dmp

Filesize
1.2MB

Download
memory/3532-14-0x0000000140000000-0x0000000140140000-memory.dmp

Filesize
1.2MB

Download
memory/3532-15-0x0000000140000000-0x0000000140140000-memory.dmp

Filesize
1.2MB

Download
memory/3532-6-0x00007FFDD3BAA000-0x00007FFDD3BAB000-memory.dmp

Filesize
4KB

Download
memory/3532-4-0x0000000002BE0000-0x0000000002BE1000-memory.dmp

Filesize
4KB

Download
memory/3532-11-0x0000000140000000-0x0000000140140000-memory.dmp

Filesize
1.2MB

Download
memory/3532-17-0x0000000140000000-0x0000000140140000-memory.dmp

Filesize
1.2MB

Download
memory/3532-18-0x0000000140000000-0x0000000140140000-memory.dmp

Filesize
1.2MB

Download
memory/3532-30-0x0000000001030000-0x0000000001037000-memory.dmp

Filesize
28KB

Download
memory/3532-31-0x00007FFDD5210000-0x00007FFDD5220000-memory.dmp

Filesize
64KB

Download
memory/3532-10-0x0000000140000000-0x0000000140140000-memory.dmp

Filesize
1.2MB

Download
memory/3532-16-0x0000000140000000-0x0000000140140000-memory.dmp

Filesize
1.2MB

Download
memory/4232-48-0x00007FFDB6480000-0x00007FFDB65C1000-memory.dmp

Filesize
1.3MB

Download
memory/4232-54-0x00007FFDB6480000-0x00007FFDB65C1000-memory.dmp

Filesize
1.3MB

Download
memory/4232-51-0x000001EB11D40000-0x000001EB11D47000-memory.dmp

Filesize
28KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads