dridex | 9ba56ae49d371b3a11923736585155a6fbfb169691d7740b2962c7ed2c60e026

General

Target

d6b9fdcac2da2a9cb9fe03e8634b03d3_JaffaCakes118.dll
Size

1.2MB
MD5

d6b9fdcac2da2a9cb9fe03e8634b03d3
SHA1

30f5b61c52d0ee263890edad76b0c4419a489b26
SHA256

9ba56ae49d371b3a11923736585155a6fbfb169691d7740b2962c7ed2c60e026
SHA512

69d9e6dc9ed6217b1a3ced3660471dcb5549da9635ccd6ae5d4314b91bbe4c75cb1a1e2db0f5a4f5d5bd2380a1d45a44a1f88bd5a5637e3bfb4b6e08975950cf
SSDEEP

24576:7uYfg4LhHr4NFXKJO1aUiDBvZ2+ITHmpclO9N:l9cKrUqZWLAcU

Score

10^/10

dridex botnet evasion payload trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral2/memory/3516-4-0x0000000007BF0000-0x0000000007BF1000-memory.dmp	dridex_stager_shellcode

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

rundll32.exe

pid	Process
3148	rundll32.exe
3148	rundll32.exe
3148	rundll32.exe
3148	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\d6b9fdcac2da2a9cb9fe03e8634b03d3_JaffaCakes118.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:3148

C:\Windows\system32\raserver.exe
C:\Windows\system32\raserver.exe
1⤵
PID:1280

C:\Users\Admin\AppData\Local\oy9XXTg\raserver.exe
C:\Users\Admin\AppData\Local\oy9XXTg\raserver.exe
1⤵
PID:1968

C:\Windows\system32\rdpclip.exe
C:\Windows\system32\rdpclip.exe
1⤵
PID:676

C:\Users\Admin\AppData\Local\YnL\rdpclip.exe
C:\Users\Admin\AppData\Local\YnL\rdpclip.exe
1⤵
PID:2068

C:\Windows\system32\FXSCOVER.exe
C:\Windows\system32\FXSCOVER.exe
1⤵
PID:880

C:\Users\Admin\AppData\Local\e8dDgPK\FXSCOVER.exe
C:\Users\Admin\AppData\Local\e8dDgPK\FXSCOVER.exe
1⤵
PID:1436

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\YnL\WINSTA.dll

Filesize
1.2MB

MD5
30a49e4e3a6af779b13c1caa86d973d8

SHA1
6983586dad243a16d2a29f3d46a394b9caf3e9df

SHA256
2ff6fe36a19295f667a4e70c11681f34739b9b342f12952ea8f719811f6b71a2

SHA512
440847d526e540cd3b0130c3cacf2fa2aa19e4db70348b20333f185d9a4f85a6246f91cbb7fefca1aeab23ad98a846795c5c624a1df11d9c62bc7664225f0d2c

Download Submit
C:\Users\Admin\AppData\Local\YnL\rdpclip.exe

Filesize
446KB

MD5
a52402d6bd4e20a519a2eeec53332752

SHA1
129f2b6409395ef877b9ca39dd819a2703946a73

SHA256
9d5be181d9309dea98039d2ce619afe745fc8a9a1b1c05cf860b3620b5203308

SHA512
632dda67066cff2b940f27e3f409e164684994a02bda57d74e958c462b9a0963e922be4a487c06126cecc9ef34d34913ef8315524bf8422f83c0c135b8af924e

Download Submit
C:\Users\Admin\AppData\Local\e8dDgPK\FXSCOVER.exe

Filesize
242KB

MD5
5769f78d00f22f76a4193dc720d0b2bd

SHA1
d62b6cab057e88737cba43fe9b0c6d11a28b53e8

SHA256
40e8e6dabfa1485b11cdccf220eb86eeaa8256e99e344cf2b2098d4cdb788a31

SHA512
b4b3448a2635b21690c71254d964832e89bf947f7a0d32e79dcc84730f11d4afb4149a810a768878e52f88fc8baec45f1a2fec8e22c5301e9f39fe4fc6a57e3f

Download Submit
C:\Users\Admin\AppData\Local\e8dDgPK\MFC42u.dll

Filesize
1.2MB

MD5
d48df9ac27886cfd7fcd291f3e5f9a40

SHA1
ead66180967fd0bd99c9d280d2f27049d99760fa

SHA256
febb41bfdc21fa9304c09180555f1befcc83d383a699858fe67d582021aa4dca

SHA512
e2367793040107e722ebaf3332874eaf8163da2d9ce7c952a70c678df70f45b51516a79017aed38f56498410fcf75eb03f83f821fb3ee3a4d5e834499e0e970c

Download Submit
C:\Users\Admin\AppData\Local\oy9XXTg\WTSAPI32.dll

Filesize
1.2MB

MD5
03aa8cc5b8971c86efc23d1fe9824f5b

SHA1
897c9db6468b18737d03c4fa48c3687986d37ff5

SHA256
f53075ba3bab344259ed5e5d8ababd34514d7d602b9b7870a6cba216cd9aa120

SHA512
5667de733d8fdae352dc02258ef31cda03efe9889a17201b2299170ec7fa53194a87786429821349547adb353cff670b68055bd334f2b07187dc1ceade3a8f4f

Download Submit
C:\Users\Admin\AppData\Local\oy9XXTg\raserver.exe

Filesize
132KB

MD5
d1841c6ee4ea45794ced131d4b68b60e

SHA1
4be6d2116060d7c723ac2d0b5504efe23198ea01

SHA256
38732626242988cc5b8f97fe8d3b030d483046ef66ea90d7ea3607f1adc0600d

SHA512
d8bad215872c5956c6e8acac1cd3ad19b85f72b224b068fb71cfd1493705bc7d3390853ba923a1aa461140294f8793247df018484a378e4f026c2a12cb3fa5c9

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Nszgn.lnk

Filesize
998B

MD5
a36786a356b71464f9fe0598657e9df6

SHA1
14754a9e62de5dd139fe1923ff508c314650465e

SHA256
48ea5e415bf04ebe6b13632d08e60afdf85b146edd24638805fd1607780dcf44

SHA512
79a64b66013f2b33750f9a3f9028e006c43535de47ac9a91dda34146a2d3a32a1b4389b19ee49392974f21c093af83f078d738a8b2893881559261b2ca35afc1

Download Submit
memory/1436-85-0x00007FFE50150000-0x00007FFE50288000-memory.dmp

Filesize
1.2MB

Download
memory/1436-80-0x00007FFE50150000-0x00007FFE50288000-memory.dmp

Filesize
1.2MB

Download
memory/1436-79-0x0000022416120000-0x0000022416127000-memory.dmp

Filesize
28KB

Download
memory/1968-45-0x000001610CD90000-0x000001610CD97000-memory.dmp

Filesize
28KB

Download
memory/1968-51-0x00007FFE50150000-0x00007FFE50282000-memory.dmp

Filesize
1.2MB

Download
memory/1968-46-0x00007FFE50150000-0x00007FFE50282000-memory.dmp

Filesize
1.2MB

Download
memory/2068-68-0x00007FFE50150000-0x00007FFE50283000-memory.dmp

Filesize
1.2MB

Download
memory/2068-63-0x00007FFE50150000-0x00007FFE50283000-memory.dmp

Filesize
1.2MB

Download
memory/2068-62-0x000002626DCC0000-0x000002626DCC7000-memory.dmp

Filesize
28KB

Download
memory/3148-1-0x00007FFE5F860000-0x00007FFE5F991000-memory.dmp

Filesize
1.2MB

Download
memory/3148-0-0x0000028A7F550000-0x0000028A7F557000-memory.dmp

Filesize
28KB

Download
memory/3148-38-0x00007FFE5F860000-0x00007FFE5F991000-memory.dmp

Filesize
1.2MB

Download
memory/3516-15-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3516-4-0x0000000007BF0000-0x0000000007BF1000-memory.dmp

Filesize
4KB

Download
memory/3516-5-0x00007FFE6E66A000-0x00007FFE6E66B000-memory.dmp

Filesize
4KB

Download
memory/3516-7-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3516-8-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3516-9-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3516-10-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3516-13-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3516-12-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3516-11-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3516-16-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3516-24-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3516-36-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3516-27-0x0000000007250000-0x0000000007257000-memory.dmp

Filesize
28KB

Download
memory/3516-29-0x00007FFE6EB90000-0x00007FFE6EBA0000-memory.dmp

Filesize
64KB

Download
memory/3516-14-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads