dridex | 11a95688e0ad5924bea8664e03a8ed114d16fc06323819e26e8481cb19bbae95

General

Target

b701e2b9d6cd0a2dcc4bf110bdcd5e65_JaffaCakes118.dll
Size

990KB
MD5

b701e2b9d6cd0a2dcc4bf110bdcd5e65
SHA1

93d31fc474daf3963b0664e3fadb47432469177d
SHA256

11a95688e0ad5924bea8664e03a8ed114d16fc06323819e26e8481cb19bbae95
SHA512

ac33c85628afaea0cf2f62829b0fe007004398176c4c42b9a19fdf9cef3441f106f292f83243871d91bae9127ce803cf0730ce70f110fbdb63dbc6ba712ecf50
SSDEEP

24576:vVHchfFcSTdS1ZikTqpaIJvzSqbY/0Z2ZlECMNXkTlzvmJL8Lt:vV8hf6STw1ZlQauvzSq01ICe6zvm

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/1184-5-0x00000000024D0000-0x00000000024D1000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

mfpmp.exeBdeUISrv.exeTpmInit.exe

pid process

2636 mfpmp.exe
2180 BdeUISrv.exe
2552 TpmInit.exe
Loads dropped DLL 7 IoCs

Processes:

mfpmp.exeBdeUISrv.exeTpmInit.exe

pid process

1184
2636 mfpmp.exe
1184
2180 BdeUISrv.exe
1184
2552 TpmInit.exe
1184

pid	process
2636	mfpmp.exe
2180	BdeUISrv.exe
2552	TpmInit.exe

pid	process
1184
2636	mfpmp.exe
1184
2180	BdeUISrv.exe
1184
2552	TpmInit.exe
1184

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\Mqdbvnnwgmqj = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\Windows\\NETWOR~1\\PERJMX~1\\BdeUISrv.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.exemfpmp.exeBdeUISrv.exeTpmInit.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	mfpmp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	BdeUISrv.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	TpmInit.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
2548	rundll32.exe
2548	rundll32.exe
2548	rundll32.exe
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

description	pid	target process
PID 1184 wrote to memory of 2504	1184	mfpmp.exe
PID 1184 wrote to memory of 2504	1184	mfpmp.exe
PID 1184 wrote to memory of 2504	1184	mfpmp.exe
PID 1184 wrote to memory of 2636	1184	mfpmp.exe
PID 1184 wrote to memory of 2636	1184	mfpmp.exe
PID 1184 wrote to memory of 2636	1184	mfpmp.exe
PID 1184 wrote to memory of 1876	1184	BdeUISrv.exe
PID 1184 wrote to memory of 1876	1184	BdeUISrv.exe
PID 1184 wrote to memory of 1876	1184	BdeUISrv.exe
PID 1184 wrote to memory of 2180	1184	BdeUISrv.exe
PID 1184 wrote to memory of 2180	1184	BdeUISrv.exe
PID 1184 wrote to memory of 2180	1184	BdeUISrv.exe
PID 1184 wrote to memory of 2760	1184	TpmInit.exe
PID 1184 wrote to memory of 2760	1184	TpmInit.exe
PID 1184 wrote to memory of 2760	1184	TpmInit.exe
PID 1184 wrote to memory of 2552	1184	TpmInit.exe
PID 1184 wrote to memory of 2552	1184	TpmInit.exe
PID 1184 wrote to memory of 2552	1184	TpmInit.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\b701e2b9d6cd0a2dcc4bf110bdcd5e65_JaffaCakes118.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:2548

C:\Windows\system32\mfpmp.exe
C:\Windows\system32\mfpmp.exe
1⤵
PID:2504

C:\Users\Admin\AppData\Local\kdtsac\mfpmp.exe
C:\Users\Admin\AppData\Local\kdtsac\mfpmp.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2636

C:\Windows\system32\BdeUISrv.exe
C:\Windows\system32\BdeUISrv.exe
1⤵
PID:1876

C:\Users\Admin\AppData\Local\ur1YR\BdeUISrv.exe
C:\Users\Admin\AppData\Local\ur1YR\BdeUISrv.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2180

C:\Windows\system32\TpmInit.exe
C:\Windows\system32\TpmInit.exe
1⤵
PID:2760

C:\Users\Admin\AppData\Local\EjEPj\TpmInit.exe
C:\Users\Admin\AppData\Local\EjEPj\TpmInit.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2552

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\EjEPj\ACTIVEDS.dll

Filesize
991KB

MD5
adfc4b20cf88b0b7517320f306535860

SHA1
5983a05b39b4947dbfe60a794d01a398f2f201a0

SHA256
ffcd781012bdd21119e5f5c13a31de45df3dcdf05b2447467665381375d8bc66

SHA512
a1e11f423062fad81659ee317b64233b865add5bcccea831e416637b8729dbf9187dc2d5bb96a8d1af41d3737c55916d88a5c23b223cfc31f92a4750ef4c06d2

Download Submit
C:\Users\Admin\AppData\Local\kdtsac\MFPlat.DLL

Filesize
995KB

MD5
d63f8b4812634062428120f7f005a1c4

SHA1
ab42f3a24f36845ff67efb1420465f24550e732f

SHA256
9291df359fdf9651629c828dfb77c5bcdc0c46e44525ca467c88128eb11495ce

SHA512
d13dcac8e57e29f91ea49be48509d038ca1f87135df8d15183e17713e350bcd37a42b4c1d23f6ea2d5dce501d727a74719ac164488aa29879183f8b3eb986e7a

Download Submit
C:\Users\Admin\AppData\Local\ur1YR\WTSAPI32.dll

Filesize
992KB

MD5
b5f1f9c0d138fec5a4888365c23e165c

SHA1
1d9bb3c5cb4223097c27f6d5a0ad37e26e34c188

SHA256
37c308c52fb0ccd72ca46049ec974b863136dcd9f71045d2095d950001db1936

SHA512
ee2936dcc917d869cdd1a83d1a3c05bfad98036aa9e90878c3853990028801eea2f0e8560df758d52c6c787828f2268a4d6513efd934eca9fa15050017d318dd

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Gemerzbimpg.lnk

Filesize
1KB

MD5
457bf8432557f666af18fbadc02e707f

SHA1
bcfb8f5cd837fc0c1503f7ac2e048c864145f546

SHA256
eec5d0fa451741d380c38f4a65674bb979e8bf976c42cbdd79b3b76cf0121441

SHA512
a8039ecfdd47260f56cac1901a07df800ecc3513e363950435afb4dd225ed00903afceaf9dad5b188060bd574633d44035f866128c4d93c8a8765848951bff29

Download Submit
\Users\Admin\AppData\Local\EjEPj\TpmInit.exe

Filesize
112KB

MD5
8b5eb38e08a678afa129e23129ca1e6d

SHA1
a27d30bb04f9fabdb5c92d5150661a75c5c7bc42

SHA256
4befa614e1b434b2f58c9e7ce947a946b1cf1834b219caeff42b3e36f22fd97c

SHA512
a7245cde299c68db85370ae1bdf32a26208e2cda1311afd06b0efd410664f36cafb62bf4b7ce058e203dcc515c45ebdef01543779ead864f3154175b7b36647d

Download Submit
\Users\Admin\AppData\Local\kdtsac\mfpmp.exe

Filesize
24KB

MD5
2d8600b94de72a9d771cbb56b9f9c331

SHA1
a0e2ac409159546183aa45875497844c4adb5aac

SHA256
7d8d8918761b8b6c95758375a6e7cf7fb8e43abfdd3846476219883ef3f8c185

SHA512
3aaa6619f29434c294b9b197c3b86fdc5d88b0254c8f35f010c9b5f254fd47fbc3272412907e2a5a4f490bda2acfbbd7a90f968e25067abf921b934d2616eafc

Download Submit
\Users\Admin\AppData\Local\ur1YR\BdeUISrv.exe

Filesize
47KB

MD5
1da6b19be5d4949c868a264bc5e74206

SHA1
d5ee86ba03a03ef8c93d93accafe40461084c839

SHA256
00330a0e0eb1dbb6ee84997963f8e15c7c15c1df787f1c7f109609d7b31bd35c

SHA512
9cee858c55eb0852e5bad53a675a094ae591b46b07afe9fb4224cac32e0be577fe36c1ed3e9f6bda4d4eb0c924a773d00e3181cd97f07e24c6c68c70f2b002c6

Download Submit
memory/1184-26-0x0000000077B50000-0x0000000077B52000-memory.dmp

Filesize
8KB

Download
memory/1184-8-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/1184-25-0x00000000779C1000-0x00000000779C2000-memory.dmp

Filesize
4KB

Download
memory/1184-23-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/1184-13-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/1184-12-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/1184-11-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/1184-10-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/1184-24-0x00000000024B0000-0x00000000024B7000-memory.dmp

Filesize
28KB

Download
memory/1184-35-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/1184-36-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/1184-4-0x00000000778B6000-0x00000000778B7000-memory.dmp

Filesize
4KB

Download
memory/1184-14-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/1184-5-0x00000000024D0000-0x00000000024D1000-memory.dmp

Filesize
4KB

Download
memory/1184-70-0x00000000778B6000-0x00000000778B7000-memory.dmp

Filesize
4KB

Download
memory/1184-7-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/1184-9-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/2180-71-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download
memory/2180-76-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download
memory/2548-0-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/2548-44-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/2548-3-0x0000000000120000-0x0000000000127000-memory.dmp

Filesize
28KB

Download
memory/2552-91-0x00000000002B0000-0x00000000002B7000-memory.dmp

Filesize
28KB

Download
memory/2552-94-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download
memory/2636-55-0x0000000000110000-0x0000000000117000-memory.dmp

Filesize
28KB

Download
memory/2636-58-0x0000000140000000-0x00000001400FE000-memory.dmp

Filesize
1016KB

Download
memory/2636-52-0x0000000140000000-0x00000001400FE000-memory.dmp

Filesize
1016KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads