dridex | 64f22c7a2ed309028e20b2fbe5fe093112ee81893877c6308846342020c855b7

General

Target

aa742ad016ba5eda435c40d9f81a71b3_JaffaCakes118.dll
Size

987KB
MD5

aa742ad016ba5eda435c40d9f81a71b3
SHA1

65b0997bc86db191897e2a157be2534aa2edac28
SHA256

64f22c7a2ed309028e20b2fbe5fe093112ee81893877c6308846342020c855b7
SHA512

105cf6705de994afe6ad873f2a30641edf9e7795e9e4bb3cc5f35fff7a0d430b854d1689972fc60d1038972a408281b6d4e5dd429f87f0b5ab6ce07a9f1adcb2
SSDEEP

24576:YVHchfFcSTdS1ZikTqpaIJvzSqbY/0Z2ZlECMNXkTlzvmJL8W:YV8hf6STw1ZlQauvzSq01ICe6zvmN

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral2/memory/3384-4-0x0000000002CD0000-0x0000000002CD1000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

RdpSaUacHelper.exeBitLockerWizardElev.exerdpclip.exe

pid process

3596 RdpSaUacHelper.exe
1676 BitLockerWizardElev.exe
3076 rdpclip.exe
Loads dropped DLL 3 IoCs

Processes:

RdpSaUacHelper.exeBitLockerWizardElev.exerdpclip.exe

pid process

3596 RdpSaUacHelper.exe
1676 BitLockerWizardElev.exe
3076 rdpclip.exe

pid	process
3596	RdpSaUacHelper.exe
1676	BitLockerWizardElev.exe
3076	rdpclip.exe

pid	process
3596	RdpSaUacHelper.exe
1676	BitLockerWizardElev.exe
3076	rdpclip.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Pruztwesow = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Vault\\N4\\BitLockerWizardElev.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

BitLockerWizardElev.exerdpclip.exerundll32.exeRdpSaUacHelper.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	BitLockerWizardElev.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rdpclip.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RdpSaUacHelper.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
1348	rundll32.exe
1348	rundll32.exe
1348	rundll32.exe
1348	rundll32.exe
3384
3384
3384
3384
3384
3384
3384
3384
3384
3384
3384
3384
3384
3384
3384
3384
3384
3384
3384
3384
3384
3384
3384
3384
3384
3384
3384
3384
3384
3384
3384
3384
3384
3384
3384
3384
3384
3384
3384
3384
3384
3384
3384
3384
3384
3384
3384
3384
3384
3384
3384
3384
3384
3384
3384
3384
3384
3384
3384
3384

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

pid process

3384
3384
3384
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

pid process

3384
3384
3384

pid	process
3384
3384
3384

pid	process
3384
3384
3384

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

description	pid	target process
PID 3384 wrote to memory of 3024	3384	RdpSaUacHelper.exe
PID 3384 wrote to memory of 3024	3384	RdpSaUacHelper.exe
PID 3384 wrote to memory of 3596	3384	RdpSaUacHelper.exe
PID 3384 wrote to memory of 3596	3384	RdpSaUacHelper.exe
PID 3384 wrote to memory of 3096	3384	BitLockerWizardElev.exe
PID 3384 wrote to memory of 3096	3384	BitLockerWizardElev.exe
PID 3384 wrote to memory of 1676	3384	BitLockerWizardElev.exe
PID 3384 wrote to memory of 1676	3384	BitLockerWizardElev.exe
PID 3384 wrote to memory of 3088	3384	rdpclip.exe
PID 3384 wrote to memory of 3088	3384	rdpclip.exe
PID 3384 wrote to memory of 3076	3384	rdpclip.exe
PID 3384 wrote to memory of 3076	3384	rdpclip.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\aa742ad016ba5eda435c40d9f81a71b3_JaffaCakes118.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:1348

C:\Windows\system32\RdpSaUacHelper.exe
C:\Windows\system32\RdpSaUacHelper.exe
1⤵
PID:3024

C:\Users\Admin\AppData\Local\Lj8gt\RdpSaUacHelper.exe
C:\Users\Admin\AppData\Local\Lj8gt\RdpSaUacHelper.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:3596

C:\Windows\system32\BitLockerWizardElev.exe
C:\Windows\system32\BitLockerWizardElev.exe
1⤵
PID:3096

C:\Users\Admin\AppData\Local\RhEEin\BitLockerWizardElev.exe
C:\Users\Admin\AppData\Local\RhEEin\BitLockerWizardElev.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1676

C:\Windows\system32\rdpclip.exe
C:\Windows\system32\rdpclip.exe
1⤵
PID:3088

C:\Users\Admin\AppData\Local\zDn1Eb16v\rdpclip.exe
C:\Users\Admin\AppData\Local\zDn1Eb16v\rdpclip.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:3076

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Query Registry

1

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Lj8gt\RdpSaUacHelper.exe
Filesize
33KB

MD5
0d5b016ac7e7b6257c069e8bb40845de

SHA1
5282f30e90cbd1be8da95b73bc1b6a7d041e43c2

SHA256
6a6fdd834af9c79c5ffc5e6b51700030259aeae535f8626df84b07b7d2cee067

SHA512
cd44d8b70fc67c692e6966b4ad86a7de9c96df0bade1b3a80cb4767be159d64f3cc04dc5934f7d843b15101865089e43b8aecabddc370b22caf0c48b56b3430e

Download Submit
C:\Users\Admin\AppData\Local\Lj8gt\WINSTA.dll
Filesize
994KB

MD5
3317eca7f008498befdeeb4fa5112d72

SHA1
92d46a597edfbad35e14337e9e0f009b85176fd3

SHA256
ac6fed87285b984e7c170e5dd1b1d4b8e73426cb28cad49df5a52df25128ea8f

SHA512
a23460e82f724eedba6ce511fc6a65e0204f9b2a80efbce38630d57222122329238c809aad53bf43bfee87b36ebb54b10bb4429134ece722c38a2465af0ea6b5

Download Submit
C:\Users\Admin\AppData\Local\RhEEin\BitLockerWizardElev.exe
Filesize
100KB

MD5
8ac5a3a20cf18ae2308c64fd707eeb81

SHA1
31f2f0bdc2eb3e0d2a6cd626ea8ed71262865544

SHA256
803eb37617d450704766cb167dc9766e82102a94940a26a988ad26ab8be3f2f5

SHA512
85d0e28e4bffec709f26b2f0d20eb76373134af43bcaa70b97a03efa273b77dd4fbd4f6ee026774ce4029ab5a983aea057111efcd234ab1686a9bd0f7202748b

Download Submit
C:\Users\Admin\AppData\Local\RhEEin\FVEWIZ.dll
Filesize
990KB

MD5
bca622476c361ec71c5b3d4d0069ba89

SHA1
a61375c743c69a2772bada2d4ce6dcb0f8910c21

SHA256
5e7a3134cddfae1cfe891140fa2d2a91d8b61c1e2d9b8a665bdbb9535cfc7c25

SHA512
3ea760a9fa93d6b68de23cf6ca784c183686e3addd2dcab449b3cbfe4b3c76ff5ab914fb27f5c2cc6f8ae922716121235d952d4755893dae402cc4a2fd3336a8

Download Submit
C:\Users\Admin\AppData\Local\zDn1Eb16v\WINSTA.dll
Filesize
994KB

MD5
296bd9f99ba287cabe4ffac8fc434dd0

SHA1
ff8f6fda0d38d67ade42e77b6958e29bd1ea5428

SHA256
b94880f956742b64b3c1fa34974834d62ba6ff67858316347956ebd666fcbca1

SHA512
b9bc03711831b30f566269e2d99059646a42e3712de412e7047ac60af18016d96793bc0b7daa2e8d5210d979824cdb5de36cb92e8af76f9849dadc820382f35c

Download Submit
C:\Users\Admin\AppData\Local\zDn1Eb16v\rdpclip.exe
Filesize
446KB

MD5
a52402d6bd4e20a519a2eeec53332752

SHA1
129f2b6409395ef877b9ca39dd819a2703946a73

SHA256
9d5be181d9309dea98039d2ce619afe745fc8a9a1b1c05cf860b3620b5203308

SHA512
632dda67066cff2b940f27e3f409e164684994a02bda57d74e958c462b9a0963e922be4a487c06126cecc9ef34d34913ef8315524bf8422f83c0c135b8af924e

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Arcabpqqvo.lnk
Filesize
1KB

MD5
af9a73186793123a5ccc656ca208cfb8

SHA1
7ee5c4db149eaf5a4361058d64ab5a42f43fa080

SHA256
2c6e0975b6b6f30b7e82da04a06be0f7ede746437735a71cf6808fefd0abc0a6

SHA512
e89c94e2085843008104e7c9f9c1eb91d464b8d156db1883f5c674e316ee218b4a4a406e8bd019a9b885815debc1536a9ca8c22c30d053cbb4778b5e3115eb5b

Download Submit
memory/1348-37-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/1348-3-0x000001D29FEE0000-0x000001D29FEE7000-memory.dmp

Filesize
28KB

Download
memory/1348-0-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/1676-62-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download
memory/1676-61-0x00000264A3E30000-0x00000264A3E37000-memory.dmp

Filesize
28KB

Download
memory/1676-67-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download
memory/3076-84-0x0000000140000000-0x00000001400FE000-memory.dmp

Filesize
1016KB

Download
memory/3076-81-0x00000196EA3C0000-0x00000196EA3C7000-memory.dmp

Filesize
28KB

Download
memory/3384-11-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/3384-6-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/3384-13-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/3384-26-0x00007FFA208BA000-0x00007FFA208BB000-memory.dmp

Filesize
4KB

Download
memory/3384-4-0x0000000002CD0000-0x0000000002CD1000-memory.dmp

Filesize
4KB

Download
memory/3384-9-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/3384-8-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/3384-27-0x0000000002C80000-0x0000000002C87000-memory.dmp

Filesize
28KB

Download
memory/3384-28-0x00007FFA21790000-0x00007FFA217A0000-memory.dmp

Filesize
64KB

Download
memory/3384-22-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/3384-34-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/3384-7-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/3384-12-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/3384-10-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/3596-50-0x0000000140000000-0x00000001400FE000-memory.dmp

Filesize
1016KB

Download
memory/3596-44-0x0000028301250000-0x0000028301257000-memory.dmp

Filesize
28KB

Download
memory/3596-45-0x0000000140000000-0x00000001400FE000-memory.dmp

Filesize
1016KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads