dridex | c2bcb7fc70fedc285ef4250a1244ece0a6455aca49bf76ee6bdd1e9add01ed28

General

Target

b7a2e00a6f0a560d3230fb624e59871b_JaffaCakes118.dll
Size

1.2MB
MD5

b7a2e00a6f0a560d3230fb624e59871b
SHA1

7377a79136e1d9787cd431f389419865cb2bc086
SHA256

c2bcb7fc70fedc285ef4250a1244ece0a6455aca49bf76ee6bdd1e9add01ed28
SHA512

bd3cda925d1a12d1694408992eaa7c2591837a9ccdc318bda2cf4ce742abb420bc1a02928099d7a1115651d54d153d6e202bb9e7a00217b64e187d572c4fba1c
SSDEEP

24576:AVHchfFcSTdS1ZikTqpaIJvzSqbY/0Z2ZlECMNXkTlzvmJL8I:AV8hf6STw1ZlQauvzSq01ICe6zvmt

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/1196-6-0x0000000002710000-0x0000000002711000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

javaws.exefveprompt.exerdpshell.exe

pid process

2652 javaws.exe
672 fveprompt.exe
1080 rdpshell.exe
Loads dropped DLL 7 IoCs

Processes:

javaws.exefveprompt.exerdpshell.exe

pid process

1196
2652 javaws.exe
1196
672 fveprompt.exe
1196
1080 rdpshell.exe
1196

pid	process
2652	javaws.exe
672	fveprompt.exe
1080	rdpshell.exe

pid	process
1196
2652	javaws.exe
1196
672	fveprompt.exe
1196
1080	rdpshell.exe
1196

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\Gqwtkfbnxxlbs = "C:\\Users\\Admin\\AppData\\Roaming\\Mozilla\\Extensions\\LGivlhm5\\fveprompt.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

fveprompt.exerdpshell.exerundll32.exejavaws.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	fveprompt.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rdpshell.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	javaws.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
2312	rundll32.exe
2312	rundll32.exe
2312	rundll32.exe
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

description	pid	target process
PID 1196 wrote to memory of 2196	1196	javaws.exe
PID 1196 wrote to memory of 2196	1196	javaws.exe
PID 1196 wrote to memory of 2196	1196	javaws.exe
PID 1196 wrote to memory of 2652	1196	javaws.exe
PID 1196 wrote to memory of 2652	1196	javaws.exe
PID 1196 wrote to memory of 2652	1196	javaws.exe
PID 1196 wrote to memory of 264	1196	fveprompt.exe
PID 1196 wrote to memory of 264	1196	fveprompt.exe
PID 1196 wrote to memory of 264	1196	fveprompt.exe
PID 1196 wrote to memory of 672	1196	fveprompt.exe
PID 1196 wrote to memory of 672	1196	fveprompt.exe
PID 1196 wrote to memory of 672	1196	fveprompt.exe
PID 1196 wrote to memory of 1724	1196	rdpshell.exe
PID 1196 wrote to memory of 1724	1196	rdpshell.exe
PID 1196 wrote to memory of 1724	1196	rdpshell.exe
PID 1196 wrote to memory of 1080	1196	rdpshell.exe
PID 1196 wrote to memory of 1080	1196	rdpshell.exe
PID 1196 wrote to memory of 1080	1196	rdpshell.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\b7a2e00a6f0a560d3230fb624e59871b_JaffaCakes118.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:2312

C:\Windows\system32\javaws.exe
C:\Windows\system32\javaws.exe
1⤵
PID:2196

C:\Users\Admin\AppData\Local\d5D7\javaws.exe
C:\Users\Admin\AppData\Local\d5D7\javaws.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2652

C:\Windows\system32\fveprompt.exe
C:\Windows\system32\fveprompt.exe
1⤵
PID:264

C:\Users\Admin\AppData\Local\lVA\fveprompt.exe
C:\Users\Admin\AppData\Local\lVA\fveprompt.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:672

C:\Windows\system32\rdpshell.exe
C:\Windows\system32\rdpshell.exe
1⤵
PID:1724

C:\Users\Admin\AppData\Local\GGt\rdpshell.exe
C:\Users\Admin\AppData\Local\GGt\rdpshell.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1080

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Query Registry

1

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\GGt\WTSAPI32.dll
Filesize
1.2MB

MD5
dcb19328843592ca81b64dad8833e7d4

SHA1
b4c40ba380449536fd54aa7c1ec779f7c16a9dd6

SHA256
9f7faf98026df732f716c286bfbb35b4e109706a3a669674c5d2ebfafb55c3ae

SHA512
c20f6df56ed9c205a122e47f00f111764da72d60e547c864391d3214279fdcfdbc80b7c60d0ff7c3da7c7271b71343b5e73fc1e0f260ad9c3d30c00fed6bb584

Download Submit
C:\Users\Admin\AppData\Local\d5D7\VERSION.dll
Filesize
1.2MB

MD5
cebb358d3207346e5eea8c7d8c2db521

SHA1
18f14a0d845ec709ce87fb7276419c623f965f74

SHA256
207725167293c9872bd300cabafe0236e4a1d26269df4ebbad4104fee2f9bed7

SHA512
b739b722031805be613a984999bdac7da2add488738c1733bc5e9caab508d8702f5ff5d365ad377665682232fca76cc227569cc12198dd5363b3a98c8de3e0cb

Download Submit
C:\Users\Admin\AppData\Local\lVA\fveprompt.exe
Filesize
104KB

MD5
dc2c44a23b2cd52bd53accf389ae14b2

SHA1
e36c7b6f328aa2ab2f52478169c52c1916f04b5f

SHA256
7f5b19f2c6a94833196ee1929d48094889b33b504d73d3af88dd857ceaf67921

SHA512
ff083f74777a9cfc940d4e0cb55886397e27c85f867de9a5dd9ea2c2751d2a77bf75fe0734e424d9678c83e927788d07d0b3072024f7e5a9848c7ff1aa4090dc

Download Submit
C:\Users\Admin\AppData\Local\lVA\slc.dll
Filesize
1.2MB

MD5
9fa14b61e0700f6aa9e70003e217dbd1

SHA1
6d08ee7d8a37a089406def3246796786f5426056

SHA256
dd9cad9395707ffcce9d89971141349056ddc177f79ebc59ab91f1a3ec7633f9

SHA512
2d1c2326ac6410a5d9d287635d274c7312ec2ac3df83c6f752125ad08451ab120a89ba1eb0ca4c12ca3bf84554bdaeccf24b4bd806d4b7bc438759fb831d16ee

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Egmip.lnk
Filesize
1KB

MD5
9358a26ddcdd1e5df4565db2eaeedb60

SHA1
204e0efc3a981bd830a06f1580fddcc882962722

SHA256
52992a6fcf0aa87c50631532182f304bd37a581b7691c277ba81fe021d490960

SHA512
16f4c79b3c289c801df665f9b63144e858d6451ce4bcf2b5ed569b4c5ca43e2834e39e39bb8dae48d781399c4e62ceb0afaa1c9ea78ee720e1b1ede729c1d198

Download Submit
\Users\Admin\AppData\Local\GGt\rdpshell.exe
Filesize
292KB

MD5
a62dfcea3a58ba8fcf32f831f018fe3f

SHA1
75f7690b19866f2c2b3dd3bfdff8a1c6fa8e958b

SHA256
f8346a44f12e5b1ca6beaae5fbdf5f7f494ba204379c21d1875b03ba6da6152e

SHA512
9a3df5be95017c23ab144302d2275654e86193e2cd94957d5f72bda3cb171ec2a6da14e6631a7fd4fd053b4529f4083aa287ada57484ad0ee01a8e5b2b54c603

Download Submit
\Users\Admin\AppData\Local\d5D7\javaws.exe
Filesize
312KB

MD5
f94bc1a70c942621c4279236df284e04

SHA1
8f46d89c7db415a7f48ccd638963028f63df4e4f

SHA256
be9f8986a6c86d9f77978105d48b59eebfec3b9732dbf19e0f3d48bf7f20120c

SHA512
60edf20ca3cae9802263446af266568d0b5e0692eddcfcfc3b2f9a39327b3184613ca994460b919d17a6edc5936b4da16d9033f5138bcfd9bc0f09d88c8dcd52

Download Submit
memory/672-77-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/672-71-0x00000000000F0000-0x00000000000F7000-memory.dmp

Filesize
28KB

Download
memory/1080-95-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/1080-89-0x0000000000170000-0x0000000000177000-memory.dmp

Filesize
28KB

Download
memory/1196-63-0x0000000077A36000-0x0000000077A37000-memory.dmp

Filesize
4KB

Download
memory/1196-28-0x0000000077CD0000-0x0000000077CD2000-memory.dmp

Filesize
8KB

Download
memory/1196-10-0x0000000140000000-0x000000014012F000-memory.dmp

Filesize
1.2MB

Download
memory/1196-9-0x0000000140000000-0x000000014012F000-memory.dmp

Filesize
1.2MB

Download
memory/1196-24-0x0000000140000000-0x000000014012F000-memory.dmp

Filesize
1.2MB

Download
memory/1196-4-0x0000000077A36000-0x0000000077A37000-memory.dmp

Filesize
4KB

Download
memory/1196-36-0x0000000140000000-0x000000014012F000-memory.dmp

Filesize
1.2MB

Download
memory/1196-35-0x0000000140000000-0x000000014012F000-memory.dmp

Filesize
1.2MB

Download
memory/1196-12-0x0000000140000000-0x000000014012F000-memory.dmp

Filesize
1.2MB

Download
memory/1196-13-0x0000000140000000-0x000000014012F000-memory.dmp

Filesize
1.2MB

Download
memory/1196-6-0x0000000002710000-0x0000000002711000-memory.dmp

Filesize
4KB

Download
memory/1196-7-0x0000000140000000-0x000000014012F000-memory.dmp

Filesize
1.2MB

Download
memory/1196-8-0x0000000140000000-0x000000014012F000-memory.dmp

Filesize
1.2MB

Download
memory/1196-14-0x0000000140000000-0x000000014012F000-memory.dmp

Filesize
1.2MB

Download
memory/1196-15-0x00000000026F0000-0x00000000026F7000-memory.dmp

Filesize
28KB

Download
memory/1196-27-0x0000000077B41000-0x0000000077B42000-memory.dmp

Filesize
4KB

Download
memory/1196-11-0x0000000140000000-0x000000014012F000-memory.dmp

Filesize
1.2MB

Download
memory/2312-1-0x0000000140000000-0x000000014012F000-memory.dmp

Filesize
1.2MB

Download
memory/2312-42-0x0000000140000000-0x000000014012F000-memory.dmp

Filesize
1.2MB

Download
memory/2312-0-0x0000000000520000-0x0000000000527000-memory.dmp

Filesize
28KB

Download
memory/2652-58-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/2652-53-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/2652-52-0x0000000000080000-0x0000000000087000-memory.dmp

Filesize
28KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads