dridex | 1e40b83aa9fd11b7a5f1ee17496c217882b5b0faab433efcd69cb2c6fb40f704

General

Target

909d13887bb69f31030b77aed5290a46_JaffaCakes118.dll
Size

986KB
MD5

909d13887bb69f31030b77aed5290a46
SHA1

7f31628f6675c319a6ddd6473cf87a2a2dc38f7f
SHA256

1e40b83aa9fd11b7a5f1ee17496c217882b5b0faab433efcd69cb2c6fb40f704
SHA512

cc549dec063c91a336136a5beac0e14d2077a43933a1aef3465e4f4543080120b6a8734bacff2a579a7bf80389c56539ded7cc364f3fe0dce82039d4764ca12e
SSDEEP

24576:0VHchfFcSTdS1ZikTqpaIJvzSqbY/0Z2ZlECMNXkTlzvmJL8:0V8hf6STw1ZlQauvzSq01ICe6zvm

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral2/memory/3520-4-0x0000000002AE0000-0x0000000002AE1000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

omadmclient.exeusocoreworker.exerdpclip.exe

pid process

1896 omadmclient.exe
2464 usocoreworker.exe
1016 rdpclip.exe
Loads dropped DLL 3 IoCs

Processes:

omadmclient.exeusocoreworker.exerdpclip.exe

pid process

1896 omadmclient.exe
2464 usocoreworker.exe
1016 rdpclip.exe

pid	process
1896	omadmclient.exe
2464	usocoreworker.exe
1016	rdpclip.exe

pid	process
1896	omadmclient.exe
2464	usocoreworker.exe
1016	rdpclip.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Bhelxfhv = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\Windows\\STARTM~1\\Programs\\ACCESS~1\\HPvO6Y\\USOCOR~1.EXE"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.exeomadmclient.exeusocoreworker.exerdpclip.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	omadmclient.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	usocoreworker.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rdpclip.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
212	rundll32.exe
212	rundll32.exe
212	rundll32.exe
212	rundll32.exe
3520
3520
3520
3520
3520
3520
3520
3520
3520
3520
3520
3520
3520
3520
3520
3520
3520
3520
3520
3520
3520
3520
3520
3520
3520
3520
3520
3520
3520
3520
3520
3520
3520
3520
3520
3520
3520
3520
3520
3520
3520
3520
3520
3520
3520
3520
3520
3520
3520
3520
3520
3520
3520
3520
3520
3520
3520
3520
3520
3520

Suspicious use of UnmapMainImage 1 IoCs

Processes:

pid process

3520

pid	process
3520

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

description	pid	target process
PID 3520 wrote to memory of 4892	3520	omadmclient.exe
PID 3520 wrote to memory of 4892	3520	omadmclient.exe
PID 3520 wrote to memory of 1896	3520	omadmclient.exe
PID 3520 wrote to memory of 1896	3520	omadmclient.exe
PID 3520 wrote to memory of 1668	3520	usocoreworker.exe
PID 3520 wrote to memory of 1668	3520	usocoreworker.exe
PID 3520 wrote to memory of 2464	3520	usocoreworker.exe
PID 3520 wrote to memory of 2464	3520	usocoreworker.exe
PID 3520 wrote to memory of 220	3520	rdpclip.exe
PID 3520 wrote to memory of 220	3520	rdpclip.exe
PID 3520 wrote to memory of 1016	3520	rdpclip.exe
PID 3520 wrote to memory of 1016	3520	rdpclip.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\909d13887bb69f31030b77aed5290a46_JaffaCakes118.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:212

C:\Windows\system32\omadmclient.exe
C:\Windows\system32\omadmclient.exe
1⤵
PID:4892

C:\Users\Admin\AppData\Local\xeUH\omadmclient.exe
C:\Users\Admin\AppData\Local\xeUH\omadmclient.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1896

C:\Windows\system32\usocoreworker.exe
C:\Windows\system32\usocoreworker.exe
1⤵
PID:1668

C:\Users\Admin\AppData\Local\60dcpInAM\usocoreworker.exe
C:\Users\Admin\AppData\Local\60dcpInAM\usocoreworker.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2464

C:\Windows\system32\rdpclip.exe
C:\Windows\system32\rdpclip.exe
1⤵
PID:220

C:\Users\Admin\AppData\Local\JKCKUdqR8\rdpclip.exe
C:\Users\Admin\AppData\Local\JKCKUdqR8\rdpclip.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1016

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\60dcpInAM\XmlLite.dll

Filesize
986KB

MD5
4c13d346d4632cfb37b4d3a4bcd26a3a

SHA1
2a375ce86b8cae414496c06409eb3774761cb4ab

SHA256
2e4f455d63c81d8692dd222cda5d418f3c0973f92afdce607f21f2ddc71af877

SHA512
029109ffbe3331dd6470a8f6bd53cc1ddc9ad7eb91d845d321b96238292e0138e4db82d20b20336909475f4b4ae8c0204086732a7869aa43fb420889e6c44c6f

Download Submit
C:\Users\Admin\AppData\Local\60dcpInAM\usocoreworker.exe

Filesize
1.3MB

MD5
2c5efb321aa64af37dedc6383ce3198e

SHA1
a06d7020dd43a57047a62bfb443091cd9de946ba

SHA256
0fb6688a32340036f3eaab4a09a82dee533bfb2ca266c36f6142083134de6f0e

SHA512
5448ea01b24af7444505bda80064849a2efcc459011d32879e021e836fd573c9b1b9d3b37291d3f53ff536c691ac13a545b12f318a16c8a367421986bbf002ed

Download Submit
C:\Users\Admin\AppData\Local\JKCKUdqR8\dwmapi.dll

Filesize
988KB

MD5
ed64db1a8ee0a69e3cd548018a55bb88

SHA1
a6162b04ea6d2749e38c0afa8091e56e2920fc76

SHA256
e84f7699f4a8ddf84f188e25f15096978060f57871a955a92d45b39f271849c3

SHA512
8e2b019015b91875c98ce2eda5d9257722890aecf51c057d0748d31450da3ed93af2c4852c78699b00d2ae0e0e7189587ff3c80c76ca14b6ca677ece2eb51da2

Download Submit
C:\Users\Admin\AppData\Local\JKCKUdqR8\rdpclip.exe

Filesize
446KB

MD5
a52402d6bd4e20a519a2eeec53332752

SHA1
129f2b6409395ef877b9ca39dd819a2703946a73

SHA256
9d5be181d9309dea98039d2ce619afe745fc8a9a1b1c05cf860b3620b5203308

SHA512
632dda67066cff2b940f27e3f409e164684994a02bda57d74e958c462b9a0963e922be4a487c06126cecc9ef34d34913ef8315524bf8422f83c0c135b8af924e

Download Submit
C:\Users\Admin\AppData\Local\xeUH\XmlLite.dll

Filesize
986KB

MD5
c7343d0eddd571598bb11cb31086e3f0

SHA1
f8eff32840b6bb3d7d426173f27ade0a810451bc

SHA256
a766e865886ee7c9666f4664f925f6f638bfb045b035aac93f0d9374df237f06

SHA512
765cdc75230b760eb2724e95062ab8d3939564bd4e42390c4b469946c8552bafafb4f72b59f2290746e1295a086c8892cbd0823d8bd96910be900b4918079b4c

Download Submit
C:\Users\Admin\AppData\Local\xeUH\omadmclient.exe

Filesize
425KB

MD5
8992b5b28a996eb83761dafb24959ab4

SHA1
697ecb33b8ff5b0e73ef29ce471153b368b1b729

SHA256
e0c6c1b082c5d61be95b7fad95155b7cb2e516d6dcd51b8e1554a176876699e7

SHA512
4ab0d71f6f9e5a5d0870d8e6eaa4b5db74ea6148de0a00603e3e56303d0fec4722172e0207b9678a5bd0136f2d43d43b9d34907183369ab3b9b9c1484034fe3d

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Oabtankaq.lnk

Filesize
1KB

MD5
04b069dc9349e361f680cbf316a625ea

SHA1
20ef97cdc3b2a94bd1c065b01f5b8b8752b090c4

SHA256
6e7584abe4a2abb81ed66c5192037a647cefd8af615792ca391a338302000de8

SHA512
b88a2856b1dfb7383a0c20f1a166f46924023d3c0eb1be21ff17ca633e8ac2c951661050a36b79a6b497c07a06fce5b44645d6352a9f5682fb07ee961b9fc864

Download Submit
memory/212-3-0x000001343BD20000-0x000001343BD27000-memory.dmp

Filesize
28KB

Download
memory/212-0-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/212-37-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/1016-84-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download
memory/1016-81-0x000001EE1BB00000-0x000001EE1BB07000-memory.dmp

Filesize
28KB

Download
memory/1896-50-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download
memory/1896-44-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download
memory/1896-47-0x0000020E15AC0000-0x0000020E15AC7000-memory.dmp

Filesize
28KB

Download
memory/2464-61-0x0000022A7ABB0000-0x0000022A7ABB7000-memory.dmp

Filesize
28KB

Download
memory/2464-67-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download
memory/3520-24-0x0000000000CB0000-0x0000000000CB7000-memory.dmp

Filesize
28KB

Download
memory/3520-34-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/3520-7-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/3520-8-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/3520-9-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/3520-10-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/3520-11-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/3520-13-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/3520-23-0x00007FFD163BA000-0x00007FFD163BB000-memory.dmp

Filesize
4KB

Download
memory/3520-25-0x00007FFD18210000-0x00007FFD18220000-memory.dmp

Filesize
64KB

Download
memory/3520-22-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/3520-12-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/3520-6-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/3520-4-0x0000000002AE0000-0x0000000002AE1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads