dridex | f098328e0bc6d2b258c50a3edc49a757403d9e081245aacc8eac924606d66103

General

Target

96b832274e61991a1b255bdab51a546d_JaffaCakes118.dll
Size

1.2MB
MD5

96b832274e61991a1b255bdab51a546d
SHA1

a4ed93751ec4b20393f42b3c4f6ce45e71bd77c0
SHA256

f098328e0bc6d2b258c50a3edc49a757403d9e081245aacc8eac924606d66103
SHA512

5c7f7291112d0a35a132d353286e0ae04ab3d2335bf958cedc5f438a959f7fae79a68b22b0870936db9da72e42b15555e0262ccf257c207fd240fd7667f93282
SSDEEP

24576:MyTonNVlKTt/Q5ECvVP7hpJMvjtKpvPf9+m6kLRqgSyI:MyWRKTt/QlPVp3h9

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/1216-5-0x00000000024B0000-0x00000000024B1000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

eudcedit.exeddodiag.exeEhStorAuthn.exe

pid process

2456 eudcedit.exe
1476 ddodiag.exe
820 EhStorAuthn.exe
Loads dropped DLL 7 IoCs

Processes:

eudcedit.exeddodiag.exeEhStorAuthn.exe

pid process

1216
2456 eudcedit.exe
1216
1476 ddodiag.exe
1216
820 EhStorAuthn.exe
1216

pid	process
2456	eudcedit.exe
1476	ddodiag.exe
820	EhStorAuthn.exe

pid	process
1216
2456	eudcedit.exe
1216
1476	ddodiag.exe
1216
820	EhStorAuthn.exe
1216

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\Ybhspkdtbke = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\INTERN~1\\QUICKL~1\\USERPI~1\\U8uabt\\ddodiag.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.exeeudcedit.exeddodiag.exeEhStorAuthn.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	eudcedit.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ddodiag.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	EhStorAuthn.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
3028	rundll32.exe
3028	rundll32.exe
3028	rundll32.exe
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

description	pid	target process
PID 1216 wrote to memory of 2436	1216	eudcedit.exe
PID 1216 wrote to memory of 2436	1216	eudcedit.exe
PID 1216 wrote to memory of 2436	1216	eudcedit.exe
PID 1216 wrote to memory of 2456	1216	eudcedit.exe
PID 1216 wrote to memory of 2456	1216	eudcedit.exe
PID 1216 wrote to memory of 2456	1216	eudcedit.exe
PID 1216 wrote to memory of 2272	1216	ddodiag.exe
PID 1216 wrote to memory of 2272	1216	ddodiag.exe
PID 1216 wrote to memory of 2272	1216	ddodiag.exe
PID 1216 wrote to memory of 1476	1216	ddodiag.exe
PID 1216 wrote to memory of 1476	1216	ddodiag.exe
PID 1216 wrote to memory of 1476	1216	ddodiag.exe
PID 1216 wrote to memory of 1900	1216	EhStorAuthn.exe
PID 1216 wrote to memory of 1900	1216	EhStorAuthn.exe
PID 1216 wrote to memory of 1900	1216	EhStorAuthn.exe
PID 1216 wrote to memory of 820	1216	EhStorAuthn.exe
PID 1216 wrote to memory of 820	1216	EhStorAuthn.exe
PID 1216 wrote to memory of 820	1216	EhStorAuthn.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\96b832274e61991a1b255bdab51a546d_JaffaCakes118.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:3028

C:\Windows\system32\eudcedit.exe
C:\Windows\system32\eudcedit.exe
1⤵
PID:2436

C:\Users\Admin\AppData\Local\GOoMI\eudcedit.exe
C:\Users\Admin\AppData\Local\GOoMI\eudcedit.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2456

C:\Windows\system32\ddodiag.exe
C:\Windows\system32\ddodiag.exe
1⤵
PID:2272

C:\Users\Admin\AppData\Local\F327jj1Rz\ddodiag.exe
C:\Users\Admin\AppData\Local\F327jj1Rz\ddodiag.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1476

C:\Windows\system32\EhStorAuthn.exe
C:\Windows\system32\EhStorAuthn.exe
1⤵
PID:1900

C:\Users\Admin\AppData\Local\GQSdqhkwE\EhStorAuthn.exe
C:\Users\Admin\AppData\Local\GQSdqhkwE\EhStorAuthn.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:820

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Query Registry

1

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\F327jj1Rz\XmlLite.dll
Filesize
1.2MB

MD5
76e378ead9d6ed9f663329645f795e28

SHA1
387519142d47f5d96b00dc227a46eab843e7f885

SHA256
7036377c0731ffacb97758ff0a8f74c0501704e01b3621adcf776d4181575d26

SHA512
c0a4f24a513929bc301dd894a57be8940dea2b4913fab900ee6d47393d3fa0a3e27afec83f25f871a8a01c12c88e3cebe3b04ef2572a7283364c577526f35b2b

Download Submit
C:\Users\Admin\AppData\Local\GOoMI\MFC42u.dll
Filesize
1.2MB

MD5
1747e4a8c929eccf70b773398ddc2f20

SHA1
19e4a932080879cd0bce2d2bd419079505f5ff9f

SHA256
5dec369563eedf7c3d7a70f46f27c645cf30910473f22658c1a579b18c430af7

SHA512
19017cb5153e5db02f792be5205f7525eceb894f4c825f4f1d87617676af14a4ac6bd72c7c4397347c9af18859994fd236528b773ad8733af828072243ed4570

Download Submit
C:\Users\Admin\AppData\Local\GOoMI\eudcedit.exe
Filesize
351KB

MD5
35e397d6ca8407b86d8a7972f0c90711

SHA1
6b39830003906ef82442522d22b80460c03f6082

SHA256
1f64118bdc3515e8e9fce6ad182f6d0c8a6528d638fedb4901a6152cde4c7cde

SHA512
71b0c4ac120e5841308b0c19718bdc28366b0d79c8177091328ef5421392b9ee5e4758816ffb8c0977f178e1b33ed064f64781eaf7d6952878dc8aea402f035e

Download Submit
C:\Users\Admin\AppData\Local\GQSdqhkwE\UxTheme.dll
Filesize
1.2MB

MD5
d48d5ba4c0fdebc2fe8a728a4e8504f9

SHA1
8c7dda4c6bf222d3cb58cd2bc1f87f448d6578e9

SHA256
59f1d26d295233c9aab5715cb291ef7df03a752c2011ef19cda63a7fff736a2c

SHA512
be6dc5b78981b64c58d24e408005dbe7980b3ed653254d55b91338075ca70c1fa0846e12b050da3c6ffbebd2854b575d95c15a9b63cb2d1d8e98fd7ee4c4cbd9

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Tkjddllshxzvy.lnk
Filesize
1KB

MD5
68a3fa5e8641fa6327f5cd90ff525bf8

SHA1
68377eb53e03e9575a470ba847e432edf81db9a7

SHA256
6d66ac718ccd60fd7e29c210d61a6213cecaaccebd5496777fe6dc8333f67298

SHA512
eb42fe58bf62f30f293c64e2d4c34e083f9b2c45b1cb64c78650736c6c45231971fda77a383227d103dd06abb69162bdc9c8194c5b30b41f9e02efdf61b28fc2

Download Submit
\Users\Admin\AppData\Local\F327jj1Rz\ddodiag.exe
Filesize
42KB

MD5
509f9513ca16ba2f2047f5227a05d1a8

SHA1
fe8d63259cb9afa17da7b7b8ede4e75081071b1a

SHA256
ddf48c333e45c56c9e3f16e492c023bf138629f4c093b8aaab8ea60310c8c96e

SHA512
ad3168767e5eba575ae766e1e2923b1db4571bbeb302d7c58e8023612e33913dcd9e5f4a4c1bc7b1556442a0807117066f17c62b38fe2ae0dfaa3817b7318862

Download Submit
\Users\Admin\AppData\Local\GQSdqhkwE\EhStorAuthn.exe
Filesize
137KB

MD5
3abe95d92c80dc79707d8e168d79a994

SHA1
64b10c17f602d3f21c84954541e7092bc55bb5ab

SHA256
2159d9d5c9355521de859d1c40907fcdfef19f8cf68eda7485b89e9aa119e3ad

SHA512
70fee5e87121229bba5c5e5aaa9f028ac0546dc9d38b7a00a81b882c8f8ce4abfdc364a598976b1463cca05e9400db715f8a4478ec61b03a693bbeee18c6ae5c

Download Submit
memory/820-96-0x0000000140000000-0x0000000140133000-memory.dmp

Filesize
1.2MB

Download
memory/1216-26-0x0000000002490000-0x0000000002497000-memory.dmp

Filesize
28KB

Download
memory/1216-13-0x0000000140000000-0x0000000140132000-memory.dmp

Filesize
1.2MB

Download
memory/1216-27-0x0000000077441000-0x0000000077442000-memory.dmp

Filesize
4KB

Download
memory/1216-25-0x0000000140000000-0x0000000140132000-memory.dmp

Filesize
1.2MB

Download
memory/1216-16-0x0000000140000000-0x0000000140132000-memory.dmp

Filesize
1.2MB

Download
memory/1216-14-0x0000000140000000-0x0000000140132000-memory.dmp

Filesize
1.2MB

Download
memory/1216-11-0x0000000140000000-0x0000000140132000-memory.dmp

Filesize
1.2MB

Download
memory/1216-10-0x0000000140000000-0x0000000140132000-memory.dmp

Filesize
1.2MB

Download
memory/1216-8-0x0000000140000000-0x0000000140132000-memory.dmp

Filesize
1.2MB

Download
memory/1216-28-0x00000000775D0000-0x00000000775D2000-memory.dmp

Filesize
8KB

Download
memory/1216-38-0x0000000140000000-0x0000000140132000-memory.dmp

Filesize
1.2MB

Download
memory/1216-37-0x0000000140000000-0x0000000140132000-memory.dmp

Filesize
1.2MB

Download
memory/1216-4-0x0000000077236000-0x0000000077237000-memory.dmp

Filesize
4KB

Download
memory/1216-5-0x00000000024B0000-0x00000000024B1000-memory.dmp

Filesize
4KB

Download
memory/1216-12-0x0000000140000000-0x0000000140132000-memory.dmp

Filesize
1.2MB

Download
memory/1216-7-0x0000000140000000-0x0000000140132000-memory.dmp

Filesize
1.2MB

Download
memory/1216-9-0x0000000140000000-0x0000000140132000-memory.dmp

Filesize
1.2MB

Download
memory/1216-15-0x0000000140000000-0x0000000140132000-memory.dmp

Filesize
1.2MB

Download
memory/1216-65-0x0000000077236000-0x0000000077237000-memory.dmp

Filesize
4KB

Download
memory/1476-73-0x0000000140000000-0x0000000140133000-memory.dmp

Filesize
1.2MB

Download
memory/1476-79-0x0000000000100000-0x0000000000107000-memory.dmp

Filesize
28KB

Download
memory/1476-78-0x0000000140000000-0x0000000140133000-memory.dmp

Filesize
1.2MB

Download
memory/2456-60-0x0000000140000000-0x0000000140139000-memory.dmp

Filesize
1.2MB

Download
memory/2456-54-0x0000000140000000-0x0000000140139000-memory.dmp

Filesize
1.2MB

Download
memory/2456-57-0x0000000000110000-0x0000000000117000-memory.dmp

Filesize
28KB

Download
memory/3028-0-0x0000000140000000-0x0000000140132000-memory.dmp

Filesize
1.2MB

Download
memory/3028-46-0x0000000140000000-0x0000000140132000-memory.dmp

Filesize
1.2MB

Download
memory/3028-3-0x0000000000120000-0x0000000000127000-memory.dmp

Filesize
28KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads