dridex | 893c6b1a99692b33d87026ffbebdf704ef73ff6e57f7ce63f052c69e46c45be0

General

Target

74260b155b21a125401299cde0f919d9_JaffaCakes118.dll
Size

1.2MB
MD5

74260b155b21a125401299cde0f919d9
SHA1

e2b255836bae725973564e17ac81c1873ab4556c
SHA256

893c6b1a99692b33d87026ffbebdf704ef73ff6e57f7ce63f052c69e46c45be0
SHA512

946f010484020da26521fc3c82ff52c9602b6741cb3f112a9ba24411f15102a80393549bc05d2b1b553af41c104d1548a47e1204a377fde5eb84c101da950b83
SSDEEP

24576:juYfg4LhHr4NFXKJO1aUiDBvZ2+ITHmpclO9N:N9cKrUqZWLAcU

Score

10^/10

dridex botnet evasion payload trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

resource	yara_rule
behavioral1/memory/1204-5-0x0000000002ED0000-0x0000000002ED1000-memory.dmp	dridex_stager_shellcode

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
2704	rundll32.exe
2704	rundll32.exe
2704	rundll32.exe
1204	Process not Found
1204	Process not Found

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\74260b155b21a125401299cde0f919d9_JaffaCakes118.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:2704

C:\Windows\system32\eudcedit.exe
C:\Windows\system32\eudcedit.exe
1⤵
PID:556

C:\Users\Admin\AppData\Local\Qs03A\eudcedit.exe
C:\Users\Admin\AppData\Local\Qs03A\eudcedit.exe
1⤵
PID:984

C:\Windows\system32\msra.exe
C:\Windows\system32\msra.exe
1⤵
PID:1840

C:\Users\Admin\AppData\Local\7k2s1h\msra.exe
C:\Users\Admin\AppData\Local\7k2s1h\msra.exe
1⤵
PID:1452

C:\Windows\system32\rdpshell.exe
C:\Windows\system32\rdpshell.exe
1⤵
PID:380

C:\Users\Admin\AppData\Local\A0GOPu0Q\rdpshell.exe
C:\Users\Admin\AppData\Local\A0GOPu0Q\rdpshell.exe
1⤵
PID:2908

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\7k2s1h\UxTheme.dll

Filesize
1.2MB

MD5
59466363ec5e3249e71df8250f155ec6

SHA1
66acdfe2ccb43810bb22a3d1f3b402924be6f631

SHA256
583f35c76d1a3a4fcdf06c918f15ab126760f71e1ada7d2ac9877ca589a3378d

SHA512
464dcee4a4d650edc8c6e04b8b0e6a80ad4930bf7ea2501f9137600d5c767e9c15b58b29226f3e22d23162c369a6eec56583a170d5414881dc39bc6298d406c2

Download Submit
C:\Users\Admin\AppData\Local\7k2s1h\msra.exe

Filesize
636KB

MD5
e79df53bad587e24b3cf965a5746c7b6

SHA1
87a97ec159a3fc1db211f3c2c62e4d60810e7a70

SHA256
4e7c22648acf664ab13dfeb2dc062ae90af1e6c621186981f395fb279bbc9b9d

SHA512
9a329c39ce0bc5aede01e96c4190cc7ccd17729fbc3a2b6df73057be8efaa3fa92cfef6e26a25bde6f7f94f64f6d6d0e4c5459aef2aead367e43178dd275acfb

Download Submit
C:\Users\Admin\AppData\Local\A0GOPu0Q\rdpshell.exe

Filesize
292KB

MD5
a62dfcea3a58ba8fcf32f831f018fe3f

SHA1
75f7690b19866f2c2b3dd3bfdff8a1c6fa8e958b

SHA256
f8346a44f12e5b1ca6beaae5fbdf5f7f494ba204379c21d1875b03ba6da6152e

SHA512
9a3df5be95017c23ab144302d2275654e86193e2cd94957d5f72bda3cb171ec2a6da14e6631a7fd4fd053b4529f4083aa287ada57484ad0ee01a8e5b2b54c603

Download Submit
C:\Users\Admin\AppData\Local\Qs03A\eudcedit.exe

Filesize
351KB

MD5
35e397d6ca8407b86d8a7972f0c90711

SHA1
6b39830003906ef82442522d22b80460c03f6082

SHA256
1f64118bdc3515e8e9fce6ad182f6d0c8a6528d638fedb4901a6152cde4c7cde

SHA512
71b0c4ac120e5841308b0c19718bdc28366b0d79c8177091328ef5421392b9ee5e4758816ffb8c0977f178e1b33ed064f64781eaf7d6952878dc8aea402f035e

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Filabyuswgwl.lnk

Filesize
1KB

MD5
203f944025b1bd8f74c0f05ae719aed8

SHA1
3b94f4e050c8e161630d6ba7953a01d370800924

SHA256
22d97ffc9c448906542089a167d0c9c1d66048ddc01c08d4dbce01979d4d9dfb

SHA512
051533be01e3e10d79a164371b409e7880ef2b17158f6d3037ae1f4be0a3913b1d94c89553c31e2c4b1a5f704cccc8304fe95c78cd49e2e2a2dcc5896570b888

Download Submit
\Users\Admin\AppData\Local\A0GOPu0Q\WINSTA.dll

Filesize
1.2MB

MD5
c46b1c4a119f94c5e7548f039692f078

SHA1
31c72d21020541266be4b90afdbda58a2f45d4dd

SHA256
09885d252ba8cfed77121607d0e086c6229678ab7a009c62e4db7583acc71887

SHA512
a8c8ecdbd65d71ca9b544b7c0445df91068a5af6f3d8ce9d719191144ccaf5c25e187573dfb215d110434c74291b799eb9ad77684caf3873c23d14a8fe0f7a6e

Download Submit
\Users\Admin\AppData\Local\Qs03A\MFC42u.dll

Filesize
1.2MB

MD5
33e1ffed0e0f6f5d45bf955b1645b8c3

SHA1
88a6d8837cddecd0728fa8dfad0e38752fdb192a

SHA256
9503f245e1a4c72f91361b5f680638f5ae8825021405dcfad1f013ac0da6ee49

SHA512
e7d4361339b13bc0793fb56ecc941854a8d4ec8cc0dd3812f37534daae91d70eac7296b9d6c686f5d526dbde4c714e2022065662a69ba1b59576a8a5c432a666

Download Submit
memory/984-54-0x00000000000A0000-0x00000000000A7000-memory.dmp

Filesize
28KB

Download
memory/984-55-0x000007FEF7CD0000-0x000007FEF7E08000-memory.dmp

Filesize
1.2MB

Download
memory/984-59-0x000007FEF7CD0000-0x000007FEF7E08000-memory.dmp

Filesize
1.2MB

Download
memory/1204-9-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1204-8-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1204-16-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1204-15-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1204-13-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1204-12-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1204-11-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1204-10-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1204-4-0x00000000777E6000-0x00000000777E7000-memory.dmp

Filesize
4KB

Download
memory/1204-17-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1204-5-0x0000000002ED0000-0x0000000002ED1000-memory.dmp

Filesize
4KB

Download
memory/1204-7-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1204-19-0x0000000002EB0000-0x0000000002EB7000-memory.dmp

Filesize
28KB

Download
memory/1204-26-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1204-39-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1204-37-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1204-27-0x00000000778F1000-0x00000000778F2000-memory.dmp

Filesize
4KB

Download
memory/1204-69-0x00000000777E6000-0x00000000777E7000-memory.dmp

Filesize
4KB

Download
memory/1204-28-0x0000000077A80000-0x0000000077A82000-memory.dmp

Filesize
8KB

Download
memory/1204-14-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1452-77-0x000007FEF7BA0000-0x000007FEF7CD2000-memory.dmp

Filesize
1.2MB

Download
memory/1452-80-0x00000000001A0000-0x00000000001A7000-memory.dmp

Filesize
28KB

Download
memory/1452-82-0x000007FEF7BA0000-0x000007FEF7CD2000-memory.dmp

Filesize
1.2MB

Download
memory/2704-46-0x000007FEF7B90000-0x000007FEF7CC1000-memory.dmp

Filesize
1.2MB

Download
memory/2704-3-0x0000000000120000-0x0000000000127000-memory.dmp

Filesize
28KB

Download
memory/2704-0-0x000007FEF7B90000-0x000007FEF7CC1000-memory.dmp

Filesize
1.2MB

Download
memory/2908-121-0x000007FEF7BA0000-0x000007FEF7CD3000-memory.dmp

Filesize
1.2MB

Download
memory/2908-119-0x0000000000430000-0x0000000000437000-memory.dmp

Filesize
28KB

Download
memory/2908-116-0x000007FEF7BA0000-0x000007FEF7CD3000-memory.dmp

Filesize
1.2MB

Download

Analysis

Sharing