dridex | 997d7cb2cc9b826d90e614f7f65398727a87682c4bdcde9dc34538db1bfdb334

General

Target

f7be1eab255e2a375ea6beedd7d8a764_JaffaCakes118.dll
Size

1.2MB
MD5

f7be1eab255e2a375ea6beedd7d8a764
SHA1

64eb172fc246f70cf745e0a25fd74276fa7faf33
SHA256

997d7cb2cc9b826d90e614f7f65398727a87682c4bdcde9dc34538db1bfdb334
SHA512

2ca17e868ab645f3619fe9a74165989f513e403a38d84e430caf43ef432595699d74149a010f7d6b5b17f6f275c7c26dd8743c92ba670859d5bd02e4c73ef3a8
SSDEEP

24576:LuYfg4LhHr4NFXKJO1aUiDBvZ2+ITHmpclO9N:V9cKrUqZWLAcU

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/1208-5-0x0000000002D80000-0x0000000002D81000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

rdpshell.exeiexpress.execmstp.exe

pid process

2928 rdpshell.exe
2684 iexpress.exe
1532 cmstp.exe
Loads dropped DLL 7 IoCs

Processes:

rdpshell.exeiexpress.execmstp.exe

pid process

1208
2928 rdpshell.exe
1208
2684 iexpress.exe
1208
1532 cmstp.exe
1208

pid	process
2928	rdpshell.exe
2684	iexpress.exe
1532	cmstp.exe

pid	process
1208
2928	rdpshell.exe
1208
2684	iexpress.exe
1208
1532	cmstp.exe
1208

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\Auwqk = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\Windows\\STARTM~1\\Programs\\ACCESS~1\\RYZKHO~1\\iexpress.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.exerdpshell.exeiexpress.execmstp.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rdpshell.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	iexpress.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmstp.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
2104	rundll32.exe
2104	rundll32.exe
2104	rundll32.exe
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

description	pid	target process
PID 1208 wrote to memory of 2996	1208	rdpshell.exe
PID 1208 wrote to memory of 2996	1208	rdpshell.exe
PID 1208 wrote to memory of 2996	1208	rdpshell.exe
PID 1208 wrote to memory of 2928	1208	rdpshell.exe
PID 1208 wrote to memory of 2928	1208	rdpshell.exe
PID 1208 wrote to memory of 2928	1208	rdpshell.exe
PID 1208 wrote to memory of 2636	1208	iexpress.exe
PID 1208 wrote to memory of 2636	1208	iexpress.exe
PID 1208 wrote to memory of 2636	1208	iexpress.exe
PID 1208 wrote to memory of 2684	1208	iexpress.exe
PID 1208 wrote to memory of 2684	1208	iexpress.exe
PID 1208 wrote to memory of 2684	1208	iexpress.exe
PID 1208 wrote to memory of 2436	1208	cmstp.exe
PID 1208 wrote to memory of 2436	1208	cmstp.exe
PID 1208 wrote to memory of 2436	1208	cmstp.exe
PID 1208 wrote to memory of 1532	1208	cmstp.exe
PID 1208 wrote to memory of 1532	1208	cmstp.exe
PID 1208 wrote to memory of 1532	1208	cmstp.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\f7be1eab255e2a375ea6beedd7d8a764_JaffaCakes118.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:2104

C:\Windows\system32\rdpshell.exe
C:\Windows\system32\rdpshell.exe
1⤵
PID:2996

C:\Users\Admin\AppData\Local\zqv\rdpshell.exe
C:\Users\Admin\AppData\Local\zqv\rdpshell.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2928

C:\Windows\system32\iexpress.exe
C:\Windows\system32\iexpress.exe
1⤵
PID:2636

C:\Users\Admin\AppData\Local\299DyTW\iexpress.exe
C:\Users\Admin\AppData\Local\299DyTW\iexpress.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2684

C:\Windows\system32\cmstp.exe
C:\Windows\system32\cmstp.exe
1⤵
PID:2436

C:\Users\Admin\AppData\Local\o9BJEyRa\cmstp.exe
C:\Users\Admin\AppData\Local\o9BJEyRa\cmstp.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1532

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\299DyTW\VERSION.dll

Filesize
1.2MB

MD5
22d816b40c264a3c7251ac112423c80c

SHA1
d3a70493360851e2ae482b1945d0468329f81486

SHA256
924384ba58586b581c1f7f9fd9f838c83f02b9943575b5e7550c36dcd37066a3

SHA512
907c0633cb697c12e16407c5613dcc5c2adccffb999c573a544fb01da18a88658a251c127308d1049c85fb42511d6401207f298469d27afa73379603cce4de41

Download Submit
C:\Users\Admin\AppData\Local\299DyTW\iexpress.exe

Filesize
163KB

MD5
46fd16f9b1924a2ea8cd5c6716cc654f

SHA1
99284bc91cf829e9602b4b95811c1d72977700b6

SHA256
9f993a1f6a133fa8375eab99bf1710471dd13ef177ef713acf8921fb4ff565a3

SHA512
52c91043f514f3f8ce07f8e60357786eb7236fcf6cdcccca0dd76000b9a23d6b138cebcdec53b01823cb2313ec850fc7bece326ec01d44ed33f4052b789b7629

Download Submit
C:\Users\Admin\AppData\Local\o9BJEyRa\VERSION.dll

Filesize
1.2MB

MD5
1d5e154fd833b00f478bd6a297829b64

SHA1
5788fb91ed75f0d73d5acb4849a79d5d5206d03c

SHA256
6296ed1c89ac090232a0c9542aa8f9c890ed5caf561641338344e582f9855d2c

SHA512
02a55cc9923fe36cf04496f325f71c45227dcb38e958957d1844daf8aaab29ee66531dfcf47ec65f2dd65903290bb372154c35cf379797de9a6005e8c9b4b2e9

Download Submit
C:\Users\Admin\AppData\Local\zqv\WTSAPI32.dll

Filesize
1.2MB

MD5
5948fd3f8c7fd4c282df907cc6d45299

SHA1
9ea8920b23c01b05e5893bd2f5bbcd08736a32aa

SHA256
dc0e5c9b47385b9981d8d9dbaca350c9bd30fc18a3f14f7c6573afb613998e46

SHA512
0f0ce2560543a2fee88d3c326f68f0b09a586a65131ff680e3b84a2d79024696ed0b0ce898eae7f24c00ec5a12e778ac8701084399d55fd88303e5f46b480a2e

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Ukatmrkmywz.lnk

Filesize
892B

MD5
3fde6309ed0bae2f96698e40729d67ca

SHA1
b97aeff6d6692b5fa6185416abc7cb52d032d554

SHA256
5d0167bfa3801acf25fe88b713bf4aa95ce1077cb9a317054e22c0377ebe08d8

SHA512
6cf233a9bd9cd652459dc7bf9254af8431f8c85b92060679c70fe7d8f6b791d6a83fdd409d46bcc8171bf78c80f5bf60a0f8a49a030763981aa0618a90598102

Download Submit
\Users\Admin\AppData\Local\o9BJEyRa\cmstp.exe

Filesize
90KB

MD5
74c6da5522f420c394ae34b2d3d677e3

SHA1
ba135738ef1fb2f4c2c6c610be2c4e855a526668

SHA256
51d298b1a8a2d00d5c608c52dba0655565d021e9798ee171d7fa92cc0de729a6

SHA512
bfd76b1c3e677292748f88bf595bfef0b536eb22f2583b028cbf08f6ae4eda1aa3787c4e892aad12b7681fc2363f99250430a0e7019a7498e24db391868e787a

Download Submit
\Users\Admin\AppData\Local\zqv\rdpshell.exe

Filesize
292KB

MD5
a62dfcea3a58ba8fcf32f831f018fe3f

SHA1
75f7690b19866f2c2b3dd3bfdff8a1c6fa8e958b

SHA256
f8346a44f12e5b1ca6beaae5fbdf5f7f494ba204379c21d1875b03ba6da6152e

SHA512
9a3df5be95017c23ab144302d2275654e86193e2cd94957d5f72bda3cb171ec2a6da14e6631a7fd4fd053b4529f4083aa287ada57484ad0ee01a8e5b2b54c603

Download Submit
memory/1208-27-0x0000000002CE0000-0x0000000002CE7000-memory.dmp

Filesize
28KB

Download
memory/1208-29-0x0000000077790000-0x0000000077792000-memory.dmp

Filesize
8KB

Download
memory/1208-4-0x00000000774F6000-0x00000000774F7000-memory.dmp

Filesize
4KB

Download
memory/1208-16-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/1208-15-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/1208-12-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/1208-10-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/1208-9-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/1208-14-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/1208-13-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/1208-7-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/1208-33-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/1208-32-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/1208-5-0x0000000002D80000-0x0000000002D81000-memory.dmp

Filesize
4KB

Download
memory/1208-42-0x00000000774F6000-0x00000000774F7000-memory.dmp

Filesize
4KB

Download
memory/1208-28-0x0000000077601000-0x0000000077602000-memory.dmp

Filesize
4KB

Download
memory/1208-24-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/1208-8-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/1208-11-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/1532-86-0x000007FEF6680000-0x000007FEF67B1000-memory.dmp

Filesize
1.2MB

Download
memory/1532-91-0x000007FEF6680000-0x000007FEF67B1000-memory.dmp

Filesize
1.2MB

Download
memory/2104-41-0x000007FEF6690000-0x000007FEF67C0000-memory.dmp

Filesize
1.2MB

Download
memory/2104-0-0x000007FEF6690000-0x000007FEF67C0000-memory.dmp

Filesize
1.2MB

Download
memory/2104-1-0x0000000000130000-0x0000000000137000-memory.dmp

Filesize
28KB

Download
memory/2684-68-0x0000000000110000-0x0000000000117000-memory.dmp

Filesize
28KB

Download
memory/2684-69-0x000007FEF61B0000-0x000007FEF62E1000-memory.dmp

Filesize
1.2MB

Download
memory/2684-74-0x000007FEF61B0000-0x000007FEF62E1000-memory.dmp

Filesize
1.2MB

Download
memory/2928-54-0x000007FEF6D10000-0x000007FEF6E41000-memory.dmp

Filesize
1.2MB

Download
memory/2928-51-0x000007FEF6D10000-0x000007FEF6E41000-memory.dmp

Filesize
1.2MB

Download
memory/2928-50-0x0000000000290000-0x0000000000297000-memory.dmp

Filesize
28KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads