dridex | fa1fffa330bfe6478d3a53ffa67b6e24acb51f3f99582a740dca8593c0afc5b7

General

Target

ff148ec8e1536ee937ede7b13205c52d_JaffaCakes118.dll
Size

1.7MB
MD5

ff148ec8e1536ee937ede7b13205c52d
SHA1

af858e0fd33f98e6116193851fa1091f8861513b
SHA256

fa1fffa330bfe6478d3a53ffa67b6e24acb51f3f99582a740dca8593c0afc5b7
SHA512

20cacc370c125880a2e21f50ee1f624575974a3e5148b108d63c1b43957b75c8c44b1fd505f815dfbccfc04ea00a5ef7795c8af876d2e415554754b7db894744
SSDEEP

12288:HVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1p:ufP7fWsK5z9A+WGAW+V5SB6Ct4bnbp

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/1220-5-0x0000000002E40000-0x0000000002E41000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

TpmInit.exeSoundRecorder.exemmc.exe

pid process

2448 TpmInit.exe
2796 SoundRecorder.exe
2440 mmc.exe
Loads dropped DLL 7 IoCs

Processes:

TpmInit.exeSoundRecorder.exemmc.exe

pid process

1220
2448 TpmInit.exe
1220
2796 SoundRecorder.exe
1220
2440 mmc.exe
1220

pid	process
2448	TpmInit.exe
2796	SoundRecorder.exe
2440	mmc.exe

pid	process
1220
2448	TpmInit.exe
1220
2796	SoundRecorder.exe
1220
2440	mmc.exe
1220

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\Ydmmtcuy = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\Windows\\STARTM~1\\6vSl\\SOUNDR~1.EXE"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.exeTpmInit.exeSoundRecorder.exemmc.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	TpmInit.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SoundRecorder.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	mmc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
1684	rundll32.exe
1684	rundll32.exe
1684	rundll32.exe
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

description	pid	target process
PID 1220 wrote to memory of 2404	1220	TpmInit.exe
PID 1220 wrote to memory of 2404	1220	TpmInit.exe
PID 1220 wrote to memory of 2404	1220	TpmInit.exe
PID 1220 wrote to memory of 2448	1220	TpmInit.exe
PID 1220 wrote to memory of 2448	1220	TpmInit.exe
PID 1220 wrote to memory of 2448	1220	TpmInit.exe
PID 1220 wrote to memory of 2580	1220	SoundRecorder.exe
PID 1220 wrote to memory of 2580	1220	SoundRecorder.exe
PID 1220 wrote to memory of 2580	1220	SoundRecorder.exe
PID 1220 wrote to memory of 2796	1220	SoundRecorder.exe
PID 1220 wrote to memory of 2796	1220	SoundRecorder.exe
PID 1220 wrote to memory of 2796	1220	SoundRecorder.exe
PID 1220 wrote to memory of 2736	1220	mmc.exe
PID 1220 wrote to memory of 2736	1220	mmc.exe
PID 1220 wrote to memory of 2736	1220	mmc.exe
PID 1220 wrote to memory of 2440	1220	mmc.exe
PID 1220 wrote to memory of 2440	1220	mmc.exe
PID 1220 wrote to memory of 2440	1220	mmc.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\ff148ec8e1536ee937ede7b13205c52d_JaffaCakes118.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:1684

C:\Windows\system32\TpmInit.exe
C:\Windows\system32\TpmInit.exe
1⤵
PID:2404

C:\Users\Admin\AppData\Local\7K3\TpmInit.exe
C:\Users\Admin\AppData\Local\7K3\TpmInit.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2448

C:\Windows\system32\SoundRecorder.exe
C:\Windows\system32\SoundRecorder.exe
1⤵
PID:2580

C:\Users\Admin\AppData\Local\cYLzTkx\SoundRecorder.exe
C:\Users\Admin\AppData\Local\cYLzTkx\SoundRecorder.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2796

C:\Windows\system32\mmc.exe
C:\Windows\system32\mmc.exe
1⤵
PID:2736

C:\Users\Admin\AppData\Local\vdg\mmc.exe
C:\Users\Admin\AppData\Local\vdg\mmc.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2440

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Query Registry

1

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\7K3\ACTIVEDS.dll
Filesize
1.7MB

MD5
cca0d518ebe8102d22aea8b34fcfd76e

SHA1
2a347ccb9dea9e0fa869a19dabfcbfd7e4be6f1e

SHA256
28cdabc7554f1b46c92df8956b22a36dee077cf2250c1b94b4b22d2044355112

SHA512
57897c93670dd2a9287ca51e067aa04fd28ccb3c8efad44811faedf52a0c4d6bc68c71bb524f39387d9367daf29bef90cfc30482ed2f5fb743dbfd1e1f30f8a7

Download Submit
C:\Users\Admin\AppData\Local\7K3\TpmInit.exe
Filesize
112KB

MD5
8b5eb38e08a678afa129e23129ca1e6d

SHA1
a27d30bb04f9fabdb5c92d5150661a75c5c7bc42

SHA256
4befa614e1b434b2f58c9e7ce947a946b1cf1834b219caeff42b3e36f22fd97c

SHA512
a7245cde299c68db85370ae1bdf32a26208e2cda1311afd06b0efd410664f36cafb62bf4b7ce058e203dcc515c45ebdef01543779ead864f3154175b7b36647d

Download Submit
C:\Users\Admin\AppData\Local\cYLzTkx\WINMM.dll
Filesize
1.7MB

MD5
da9864b142d888ce1bf631cc610ff824

SHA1
70fa6f070af44797d107632fe8d0150155992ead

SHA256
84268e718760d30c55937470e13d31897e52deafe1f24691ad2a389085973baf

SHA512
3624314ca49f3b3073b8379974f6e14c25fd40a98f96624e3e241baacf7a1a0ac0641a17c98995d0f20daff413f9591ca982c5d9f4036efa843beb4b4478b011

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Piadwmdtymfdd.lnk
Filesize
1KB

MD5
7928bc8a5966abfa74898c06522e9c29

SHA1
bcba413023ff3fb5ffa47576284759438c184963

SHA256
166c501dc819a19a0fe59ae827f9413a7afbe0994c578ccb478ec709ea7a44e9

SHA512
9891a60501084213df8d2b84a027660e5f7860e7666fbfa0910e0ab4b726eb45d110339f2920a8988d71654772344e0728bd72db5482461b68aa268c4be51224

Download Submit
\Users\Admin\AppData\Local\cYLzTkx\SoundRecorder.exe
Filesize
139KB

MD5
47f0f526ad4982806c54b845b3289de1

SHA1
8420ea488a2e187fe1b7fcfb53040d10d5497236

SHA256
e81b11fe30b16fa4e3f08810513c245248adce8566355a8f2a19c63b1143ff5b

SHA512
4c9a1aa5ed55087538c91a77d7420932263b69e59dc57b1db738e59624265b734bf29e2b6ed8d0adb2e0dec5763bfbf86876fd7d1139c21e829001c7868d515d

Download Submit
\Users\Admin\AppData\Local\vdg\MFC42u.dll
Filesize
1.8MB

MD5
a5a2847c438ad1fcf4427368cca7450c

SHA1
2f5fc0d74745f31cc7726648a62b95f6aec05ffe

SHA256
0e84ca4139dfbbcf10ed7c520a5b457a06e0312078133bb732cd03a8fe467261

SHA512
40eb71a2894fea6cd91ebc351ac537e0e0fb99b91e55a05e0ed70da8035398ea70330fa2ffa97fdf05f012841378d388e2e7902b3ad679f236308f30ce5affa3

Download Submit
\Users\Admin\AppData\Local\vdg\mmc.exe
Filesize
2.0MB

MD5
9fea051a9585f2a303d55745b4bf63aa

SHA1
f5dc12d658402900a2b01af2f018d113619b96b8

SHA256
b212e59e4c7fe77f6f189138d9d8b151e50eb83a35d6eadfb1e4bb0b4262c484

SHA512
beba79f0b6710929871fbdf378d3c0a41f230ac30cbfa87173f7b77c35e06425f48db42ed3b16d5d9bcb7ef0098dffcd0d2947da8fb7ec1136ea62205f1afc76

Download Submit
memory/1220-27-0x0000000140000000-0x00000001401BB000-memory.dmp

Filesize
1.7MB

Download
memory/1220-19-0x0000000140000000-0x00000001401BB000-memory.dmp

Filesize
1.7MB

Download
memory/1220-26-0x0000000140000000-0x00000001401BB000-memory.dmp

Filesize
1.7MB

Download
memory/1220-28-0x0000000140000000-0x00000001401BB000-memory.dmp

Filesize
1.7MB

Download
memory/1220-30-0x0000000140000000-0x00000001401BB000-memory.dmp

Filesize
1.7MB

Download
memory/1220-32-0x0000000140000000-0x00000001401BB000-memory.dmp

Filesize
1.7MB

Download
memory/1220-34-0x0000000140000000-0x00000001401BB000-memory.dmp

Filesize
1.7MB

Download
memory/1220-35-0x0000000140000000-0x00000001401BB000-memory.dmp

Filesize
1.7MB

Download
memory/1220-37-0x0000000140000000-0x00000001401BB000-memory.dmp

Filesize
1.7MB

Download
memory/1220-39-0x0000000140000000-0x00000001401BB000-memory.dmp

Filesize
1.7MB

Download
memory/1220-41-0x0000000140000000-0x00000001401BB000-memory.dmp

Filesize
1.7MB

Download
memory/1220-43-0x0000000140000000-0x00000001401BB000-memory.dmp

Filesize
1.7MB

Download
memory/1220-45-0x0000000002E20000-0x0000000002E27000-memory.dmp

Filesize
28KB

Download
memory/1220-42-0x0000000140000000-0x00000001401BB000-memory.dmp

Filesize
1.7MB

Download
memory/1220-51-0x0000000140000000-0x00000001401BB000-memory.dmp

Filesize
1.7MB

Download
memory/1220-52-0x0000000077BE1000-0x0000000077BE2000-memory.dmp

Filesize
4KB

Download
memory/1220-55-0x0000000077D40000-0x0000000077D42000-memory.dmp

Filesize
8KB

Download
memory/1220-40-0x0000000140000000-0x00000001401BB000-memory.dmp

Filesize
1.7MB

Download
memory/1220-38-0x0000000140000000-0x00000001401BB000-memory.dmp

Filesize
1.7MB

Download
memory/1220-36-0x0000000140000000-0x00000001401BB000-memory.dmp

Filesize
1.7MB

Download
memory/1220-33-0x0000000140000000-0x00000001401BB000-memory.dmp

Filesize
1.7MB

Download
memory/1220-31-0x0000000140000000-0x00000001401BB000-memory.dmp

Filesize
1.7MB

Download
memory/1220-29-0x0000000140000000-0x00000001401BB000-memory.dmp

Filesize
1.7MB

Download
memory/1220-4-0x0000000077AD6000-0x0000000077AD7000-memory.dmp

Filesize
4KB

Download
memory/1220-25-0x0000000140000000-0x00000001401BB000-memory.dmp

Filesize
1.7MB

Download
memory/1220-23-0x0000000140000000-0x00000001401BB000-memory.dmp

Filesize
1.7MB

Download
memory/1220-20-0x0000000140000000-0x00000001401BB000-memory.dmp

Filesize
1.7MB

Download
memory/1220-24-0x0000000140000000-0x00000001401BB000-memory.dmp

Filesize
1.7MB

Download
memory/1220-17-0x0000000140000000-0x00000001401BB000-memory.dmp

Filesize
1.7MB

Download
memory/1220-16-0x0000000140000000-0x00000001401BB000-memory.dmp

Filesize
1.7MB

Download
memory/1220-14-0x0000000140000000-0x00000001401BB000-memory.dmp

Filesize
1.7MB

Download
memory/1220-13-0x0000000140000000-0x00000001401BB000-memory.dmp

Filesize
1.7MB

Download
memory/1220-11-0x0000000140000000-0x00000001401BB000-memory.dmp

Filesize
1.7MB

Download
memory/1220-10-0x0000000140000000-0x00000001401BB000-memory.dmp

Filesize
1.7MB

Download
memory/1220-7-0x0000000140000000-0x00000001401BB000-memory.dmp

Filesize
1.7MB

Download
memory/1220-62-0x0000000140000000-0x00000001401BB000-memory.dmp

Filesize
1.7MB

Download
memory/1220-65-0x0000000140000000-0x00000001401BB000-memory.dmp

Filesize
1.7MB

Download
memory/1220-71-0x0000000140000000-0x00000001401BB000-memory.dmp

Filesize
1.7MB

Download
memory/1220-22-0x0000000140000000-0x00000001401BB000-memory.dmp

Filesize
1.7MB

Download
memory/1220-21-0x0000000140000000-0x00000001401BB000-memory.dmp

Filesize
1.7MB

Download
memory/1220-140-0x0000000077AD6000-0x0000000077AD7000-memory.dmp

Filesize
4KB

Download
memory/1220-5-0x0000000002E40000-0x0000000002E41000-memory.dmp

Filesize
4KB

Download
memory/1220-9-0x0000000140000000-0x00000001401BB000-memory.dmp

Filesize
1.7MB

Download
memory/1220-12-0x0000000140000000-0x00000001401BB000-memory.dmp

Filesize
1.7MB

Download
memory/1220-15-0x0000000140000000-0x00000001401BB000-memory.dmp

Filesize
1.7MB

Download
memory/1220-18-0x0000000140000000-0x00000001401BB000-memory.dmp

Filesize
1.7MB

Download
memory/1684-8-0x0000000140000000-0x00000001401BB000-memory.dmp

Filesize
1.7MB

Download
memory/1684-1-0x0000000000330000-0x0000000000337000-memory.dmp

Filesize
28KB

Download
memory/1684-0-0x0000000140000000-0x00000001401BB000-memory.dmp

Filesize
1.7MB

Download
memory/2440-119-0x0000000000180000-0x0000000000187000-memory.dmp

Filesize
28KB

Download
memory/2448-86-0x0000000140000000-0x00000001401BC000-memory.dmp

Filesize
1.7MB

Download
memory/2448-82-0x0000000000110000-0x0000000000117000-memory.dmp

Filesize
28KB

Download
memory/2448-80-0x0000000140000000-0x00000001401BC000-memory.dmp

Filesize
1.7MB

Download
memory/2796-98-0x0000000000100000-0x0000000000107000-memory.dmp

Filesize
28KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads