dridex | 6fb6d58a0d0e3b321319b4fed22048e320e7cdab695bd673c1162bb14e94a960

General

Target

a20a9ea0f069c29005b8e3b222b43f4a_JaffaCakes118.dll
Size

986KB
MD5

a20a9ea0f069c29005b8e3b222b43f4a
SHA1

94b161727a86e53b73b5886af2653912f4a65907
SHA256

6fb6d58a0d0e3b321319b4fed22048e320e7cdab695bd673c1162bb14e94a960
SHA512

7b9ab0b25f6dde226a950bf4e0ac38d18b7686283bf40dd0c175e29e91571f76cf937612988ff12ab28e75badd69f133bf3f8a1456d2a63c34c267f0b074b9d9
SSDEEP

24576:CVHchfFcSTdS1ZikTqpaIJvzSqbY/0Z2ZlECMNXkTlzvmJL8:CV8hf6STw1ZlQauvzSq01ICe6zvm

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral2/memory/3448-4-0x0000000002D40000-0x0000000002D41000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

rdpshell.exesdclt.exeunregmp2.exe

pid process

4552 rdpshell.exe
2720 sdclt.exe
2112 unregmp2.exe
Loads dropped DLL 3 IoCs

Processes:

rdpshell.exesdclt.exeunregmp2.exe

pid process

4552 rdpshell.exe
2720 sdclt.exe
2112 unregmp2.exe

pid	process
4552	rdpshell.exe
2720	sdclt.exe
2112	unregmp2.exe

pid	process
4552	rdpshell.exe
2720	sdclt.exe
2112	unregmp2.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Hkwligutpbxhkv = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\Windows\\STARTM~1\\Programs\\SKPNIT~1\\sdclt.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rdpshell.exesdclt.exeunregmp2.exerundll32.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rdpshell.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sdclt.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	unregmp2.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
3040	rundll32.exe
3040	rundll32.exe
3040	rundll32.exe
3040	rundll32.exe
3448
3448
3448
3448
3448
3448
3448
3448
3448
3448
3448
3448
3448
3448
3448
3448
3448
3448
3448
3448
3448
3448
3448
3448
3448
3448
3448
3448
3448
3448
3448
3448
3448
3448
3448
3448
3448
3448
3448
3448
3448
3448
3448
3448
3448
3448
3448
3448
3448
3448
3448
3448
3448
3448
3448
3448
3448
3448
3448
3448

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

pid process

3448
3448
3448
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

pid process

3448
3448
3448

pid	process
3448
3448
3448

pid	process
3448
3448
3448

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

description	pid	target process
PID 3448 wrote to memory of 3920	3448	rdpshell.exe
PID 3448 wrote to memory of 3920	3448	rdpshell.exe
PID 3448 wrote to memory of 4552	3448	rdpshell.exe
PID 3448 wrote to memory of 4552	3448	rdpshell.exe
PID 3448 wrote to memory of 4380	3448	sdclt.exe
PID 3448 wrote to memory of 4380	3448	sdclt.exe
PID 3448 wrote to memory of 2720	3448	sdclt.exe
PID 3448 wrote to memory of 2720	3448	sdclt.exe
PID 3448 wrote to memory of 4316	3448	unregmp2.exe
PID 3448 wrote to memory of 4316	3448	unregmp2.exe
PID 3448 wrote to memory of 2112	3448	unregmp2.exe
PID 3448 wrote to memory of 2112	3448	unregmp2.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\a20a9ea0f069c29005b8e3b222b43f4a_JaffaCakes118.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:3040

C:\Windows\system32\rdpshell.exe
C:\Windows\system32\rdpshell.exe
1⤵
PID:3920

C:\Users\Admin\AppData\Local\ruP\rdpshell.exe
C:\Users\Admin\AppData\Local\ruP\rdpshell.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:4552

C:\Windows\system32\sdclt.exe
C:\Windows\system32\sdclt.exe
1⤵
PID:4380

C:\Users\Admin\AppData\Local\pvtOR\sdclt.exe
C:\Users\Admin\AppData\Local\pvtOR\sdclt.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2720

C:\Windows\system32\unregmp2.exe
C:\Windows\system32\unregmp2.exe
1⤵
PID:4316

C:\Users\Admin\AppData\Local\DMOmb\unregmp2.exe
C:\Users\Admin\AppData\Local\DMOmb\unregmp2.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2112

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Query Registry

1

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\DMOmb\VERSION.dll
Filesize
987KB

MD5
472998285f98f076875ad69b21704e96

SHA1
9ded64516195e225f8ab46490ac799a1ec8a21c1

SHA256
cdf26a27855de2b273bd7bfafd55fc651d73246294c1bd5d31eba50d7e2168b4

SHA512
8150a5f338c958e6cf0fd1b1bb1f8c5fa9dde9cdaf6f63fec35aee4f0b9ee132831542175adf9b4277a2cbf0f9a4803653024dca7087615447171b7316764255

Download Submit
C:\Users\Admin\AppData\Local\DMOmb\unregmp2.exe
Filesize
259KB

MD5
a6fc8ce566dec7c5873cb9d02d7b874e

SHA1
a30040967f75df85a1e3927bdce159b102011a61

SHA256
21f41fea24dddc8a32f902af7b0387a53a745013429d8fd3f5fa6916eadc839d

SHA512
f83e17dd305eb1bc24cca1f197e2440f9b501eafb9c9d44ede7c88b1520030a87d059bdcb8eadeac1eaedabcbc4fe50206821965d73f0f6671e27edd55c01cbc

Download Submit
C:\Users\Admin\AppData\Local\pvtOR\UxTheme.dll
Filesize
989KB

MD5
a9e687e7ee44a8d63bc0f9d8a4abab47

SHA1
930e7fa7ae448b2628595a4f73971e7e8a44cb34

SHA256
1098c86fde61f088bbb096cb25860d2593d7dcc7efc44e3693dfd04d98a9c9b9

SHA512
ab4822036c8067cc91b148d3fd5cae431575da15eca9471cadfd1294745143c720cc926d2c7aa8e06359a0b3dac1a0e66c4e0ce147ec1ff836ec997d855ccdc8

Download Submit
C:\Users\Admin\AppData\Local\pvtOR\sdclt.exe
Filesize
1.2MB

MD5
e09d48f225e7abcab14ebd3b8a9668ec

SHA1
1c5b9322b51c09a407d182df481609f7cb8c425d

SHA256
efd238ea79b93d07852d39052f1411618c36e7597e8af0966c4a3223f0021dc3

SHA512
384d606b90c4803e5144b4de24edc537cb22dd59336a18a58d229500ed36aec92c8467cae6d3f326647bd044d8074931da553c7809727fb70227e99c257df0b4

Download Submit
C:\Users\Admin\AppData\Local\ruP\WTSAPI32.dll
Filesize
988KB

MD5
ffdf0bba86de2efbbcb49263b72fc5d5

SHA1
98362a211fc87a8c68c55acf234441e28e504da7

SHA256
d1d9cbd0118beac7bd86be527a4ac573a1b509f9494dbb2a32e68ae7ae38ce9d

SHA512
ace93ab068a48a86f1e013635fe954cebb1eb67b5a5e4c7e38ede98324320ab219db221942e52b556bcb64dae05349020a58d2bba37d545cd0cd1cc3046c23be

Download Submit
C:\Users\Admin\AppData\Local\ruP\rdpshell.exe
Filesize
468KB

MD5
428066713f225bb8431340fa670671d4

SHA1
47f6878ff33317c3fc09c494df729a463bda174c

SHA256
da6c395a2018d3439ad580a19e6a1ca5ff29ef9074411ee9f9f1b0a6365dfebd

SHA512
292aad2762ae4dc519c69411aa114a29894f60ffac103813db4946f2fac4f5a166f66523c421529d6847c0882d8ab467392ee8da1e3a4fca0d6d4e6ebda5b737

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Zgbuverbplpthj.lnk
Filesize
1KB

MD5
166638517d0d966b76ec64f49989bc13

SHA1
c689512880f615a87db6b3fcce4ea29ec70900b8

SHA256
88f1b1cb0f51f39c9720a7b875f8a3d0a4516f6d4e7d998331b7c21878a114ea

SHA512
fbda8ac7c1a346971458e4980cfeacb38af74c537450deb78f0118d823c7125a4437037670e92e19d084cc9702af06908c54de522bfe92f332369e3c633af850

Download Submit
memory/2112-84-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download
memory/2112-81-0x000002083E540000-0x000002083E547000-memory.dmp

Filesize
28KB

Download
memory/2720-67-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download
memory/2720-64-0x0000029C79BA0000-0x0000029C79BA7000-memory.dmp

Filesize
28KB

Download
memory/3040-3-0x00000255FFCD0000-0x00000255FFCD7000-memory.dmp

Filesize
28KB

Download
memory/3040-0-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/3040-37-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/3448-8-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/3448-13-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/3448-9-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/3448-10-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/3448-11-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/3448-4-0x0000000002D40000-0x0000000002D41000-memory.dmp

Filesize
4KB

Download
memory/3448-6-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/3448-12-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/3448-30-0x00007FF99D39A000-0x00007FF99D39B000-memory.dmp

Filesize
4KB

Download
memory/3448-31-0x0000000000C60000-0x0000000000C67000-memory.dmp

Filesize
28KB

Download
memory/3448-34-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/3448-22-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/3448-32-0x00007FF99EEF0000-0x00007FF99EF00000-memory.dmp

Filesize
64KB

Download
memory/3448-7-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/4552-50-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download
memory/4552-47-0x00000217F0110000-0x00000217F0117000-memory.dmp

Filesize
28KB

Download
memory/4552-44-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads