dridex | b6118f4e271962f340a7db112f550eacd9350522cf18c5cac9254b2529e87a76

General

Target

0cc4d29808e05957526c4893bffd6aeb_JaffaCakes118.dll
Size

1.2MB
MD5

0cc4d29808e05957526c4893bffd6aeb
SHA1

fa50605e089ba9fea19c9fd354ed10f502d67e9c
SHA256

b6118f4e271962f340a7db112f550eacd9350522cf18c5cac9254b2529e87a76
SHA512

8ec75b8724a5bd3eccdd825c671f0f401a80cef33d745741fdb2b4bced8507ae71b12cf7a7e2e422a540f7c79320a51d3357deb748fc4d9e8ab036732d58a4b1
SSDEEP

24576:iVHchfFcSTdS1ZikTqpaIJvzSqbY/0Z2ZlECMNXkTlzvmJL8:iV8hf6STw1ZlQauvzSq01ICe6zvm

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/1068-5-0x0000000002F00000-0x0000000002F01000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

SndVol.exeSystemPropertiesHardware.exeosk.exe

pid process

2392 SndVol.exe
1264 SystemPropertiesHardware.exe
1772 osk.exe
Loads dropped DLL 7 IoCs

Processes:

SndVol.exeSystemPropertiesHardware.exeosk.exe

pid process

1068
2392 SndVol.exe
1068
1264 SystemPropertiesHardware.exe
1068
1772 osk.exe
1068

pid	process
2392	SndVol.exe
1264	SystemPropertiesHardware.exe
1772	osk.exe

pid	process
1068
2392	SndVol.exe
1068
1264	SystemPropertiesHardware.exe
1068
1772	osk.exe
1068

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\Ydmmtcuy = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\PrivacIE\\Fy\\SystemPropertiesHardware.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.exeSndVol.exeSystemPropertiesHardware.exeosk.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SndVol.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SystemPropertiesHardware.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	osk.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
2196	rundll32.exe
2196	rundll32.exe
2196	rundll32.exe
1068
1068
1068
1068
1068
1068
1068
1068
1068
1068
1068
1068
1068
1068
1068
1068
1068
1068
1068
1068
1068
1068
1068
1068
1068
1068
1068
1068
1068
1068
1068
1068
1068
1068
1068
1068
1068
1068
1068
1068
1068
1068
1068
1068
1068
1068
1068
1068
1068
1068
1068
1068
1068
1068
1068
1068
1068
1068
1068
1068
1068

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

description	pid	target process
PID 1068 wrote to memory of 2444	1068	SndVol.exe
PID 1068 wrote to memory of 2444	1068	SndVol.exe
PID 1068 wrote to memory of 2444	1068	SndVol.exe
PID 1068 wrote to memory of 2392	1068	SndVol.exe
PID 1068 wrote to memory of 2392	1068	SndVol.exe
PID 1068 wrote to memory of 2392	1068	SndVol.exe
PID 1068 wrote to memory of 1244	1068	SystemPropertiesHardware.exe
PID 1068 wrote to memory of 1244	1068	SystemPropertiesHardware.exe
PID 1068 wrote to memory of 1244	1068	SystemPropertiesHardware.exe
PID 1068 wrote to memory of 1264	1068	SystemPropertiesHardware.exe
PID 1068 wrote to memory of 1264	1068	SystemPropertiesHardware.exe
PID 1068 wrote to memory of 1264	1068	SystemPropertiesHardware.exe
PID 1068 wrote to memory of 2640	1068	osk.exe
PID 1068 wrote to memory of 2640	1068	osk.exe
PID 1068 wrote to memory of 2640	1068	osk.exe
PID 1068 wrote to memory of 1772	1068	osk.exe
PID 1068 wrote to memory of 1772	1068	osk.exe
PID 1068 wrote to memory of 1772	1068	osk.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\0cc4d29808e05957526c4893bffd6aeb_JaffaCakes118.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:2196

C:\Windows\system32\SndVol.exe
C:\Windows\system32\SndVol.exe
1⤵
PID:2444

C:\Users\Admin\AppData\Local\JwV\SndVol.exe
C:\Users\Admin\AppData\Local\JwV\SndVol.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2392

C:\Windows\system32\SystemPropertiesHardware.exe
C:\Windows\system32\SystemPropertiesHardware.exe
1⤵
PID:1244

C:\Users\Admin\AppData\Local\jPqHim\SystemPropertiesHardware.exe
C:\Users\Admin\AppData\Local\jPqHim\SystemPropertiesHardware.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1264

C:\Windows\system32\osk.exe
C:\Windows\system32\osk.exe
1⤵
PID:2640

C:\Users\Admin\AppData\Local\CdDy1hi\osk.exe
C:\Users\Admin\AppData\Local\CdDy1hi\osk.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1772

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Query Registry

1

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\CdDy1hi\MSSWCH.dll
Filesize
1.2MB

MD5
3eb0ab6d23776e6621feac98ef818b2b

SHA1
00edc0251bf4a5a97cd819ffe8c8d8354e8aa046

SHA256
53988344fbdf8e4b0cb78ddcb29e3e48903912d73062f12723e9d7a2e4090b14

SHA512
dbff0027c2ecc808c838be5d731f64fb1a9f4ba7a2dc8632b58d8d359255cc4887897d21c786587a44c1e8329169627075ef1b0faac1f8333e12a1deaa1c843b

Download Submit
C:\Users\Admin\AppData\Local\JwV\dwmapi.dll
Filesize
1.2MB

MD5
b07052c919b76e4522aa7a713de87838

SHA1
022ce345a2ac0b8c89a6b1be04122e20ffca8532

SHA256
6a9f96c21f64bb68fedb7784223e098f013a88e0a6f506f65065d836aa5b88fb

SHA512
7ed6666a4169a64b06e39efed36601493bd1c83e08ec8eaefb80aad0944b81542c60d9cc04db797b1df14211fb7a68f598f26f441f1b1e951e91fda5e488a58c

Download Submit
C:\Users\Admin\AppData\Local\jPqHim\SYSDM.CPL
Filesize
1.2MB

MD5
3711ea565d6b0fb93046fc2bcdbb45bc

SHA1
c30adc6b35be3d809802e6e48890f34ed88cb262

SHA256
34e2853576ef96de5c38df19dca7923a4505b88eeee5de14e513a38464d8570a

SHA512
0604beccd7a47dcfaa2ad3e5b97a6129e7d2911edba7d70cd998dcee004f291cf7847c20c0154ece767a404b88854ca03f79d5e77fef0b59f16346d5e5d0d240

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Piadwmdtymfdd.lnk
Filesize
1KB

MD5
d3fa60a4d4875d8a6fe00d5c397635ff

SHA1
ec7c6ee32f8187bf842eb35d14c5cc4781ff9f08

SHA256
a2dda4fe4aa692d77373e4e3137729a404b264ed04ee35800f538dfcb43e8db8

SHA512
99d2b481295ffb772feb13a00e1f669a0e9211dd31c7d3ae991b423658a2e579a3cb79dff4d900f9ba3f900f13668f306fbc48fe775e424256119cbe939aa55c

Download Submit
\Users\Admin\AppData\Local\CdDy1hi\osk.exe
Filesize
676KB

MD5
b918311a8e59fb8ccf613a110024deba

SHA1
a9a64a53d2d1c023d058cfe23db4c9b4fbe59d1b

SHA256
e1f7612086c2d01f15f2e74f1c22bc6abeb56f18e6bda058edce8d780aebb353

SHA512
e3a2480e546bf31509d6e0ffb5ce9dc5da3eb93a1a06d8e89b68165f2dd9ad520edac52af4c485c93fe6028dffaf7fcaadaafb04e524954dd117551afff87cf1

Download Submit
\Users\Admin\AppData\Local\JwV\SndVol.exe
Filesize
267KB

MD5
c3489639ec8e181044f6c6bfd3d01ac9

SHA1
e057c90b675a6da19596b0ac458c25d7440b7869

SHA256
a632ef1a1490d31d76f13997ee56f4f75796bf9e366c76446857e9ae855f4103

SHA512
63b96c8afb8c3f5f969459531d3a543f6e8714d5ca1664c6bbb01edd9f5e850856931d7923f363c9dc7d8843deeaad69722d15993641d04e786e02184446c0c9

Download Submit
\Users\Admin\AppData\Local\jPqHim\SystemPropertiesHardware.exe
Filesize
80KB

MD5
c63d722641c417764247f683f9fb43be

SHA1
948ec61ebf241c4d80efca3efdfc33fe746e3b98

SHA256
4759296b421d60c80db0bb112a30425e04883900374602e13ed97f7c03a49df2

SHA512
7223d1c81a4785ed790ec2303d5d9d7ebcae9404d7bf173b3145e51202564de9977e94ac10ab80c6fe49b5f697af3ec70dfd922a891915e8951b5a1b5841c8be

Download Submit
memory/1068-9-0x0000000140000000-0x0000000140144000-memory.dmp

Filesize
1.3MB

Download
memory/1068-65-0x00000000774C6000-0x00000000774C7000-memory.dmp

Filesize
4KB

Download
memory/1068-26-0x0000000002EE0000-0x0000000002EE7000-memory.dmp

Filesize
28KB

Download
memory/1068-27-0x00000000776D1000-0x00000000776D2000-memory.dmp

Filesize
4KB

Download
memory/1068-14-0x0000000140000000-0x0000000140144000-memory.dmp

Filesize
1.3MB

Download
memory/1068-13-0x0000000140000000-0x0000000140144000-memory.dmp

Filesize
1.3MB

Download
memory/1068-12-0x0000000140000000-0x0000000140144000-memory.dmp

Filesize
1.3MB

Download
memory/1068-11-0x0000000140000000-0x0000000140144000-memory.dmp

Filesize
1.3MB

Download
memory/1068-10-0x0000000140000000-0x0000000140144000-memory.dmp

Filesize
1.3MB

Download
memory/1068-4-0x00000000774C6000-0x00000000774C7000-memory.dmp

Filesize
4KB

Download
memory/1068-31-0x0000000077860000-0x0000000077862000-memory.dmp

Filesize
8KB

Download
memory/1068-37-0x0000000140000000-0x0000000140144000-memory.dmp

Filesize
1.3MB

Download
memory/1068-38-0x0000000140000000-0x0000000140144000-memory.dmp

Filesize
1.3MB

Download
memory/1068-5-0x0000000002F00000-0x0000000002F01000-memory.dmp

Filesize
4KB

Download
memory/1068-25-0x0000000140000000-0x0000000140144000-memory.dmp

Filesize
1.3MB

Download
memory/1068-16-0x0000000140000000-0x0000000140144000-memory.dmp

Filesize
1.3MB

Download
memory/1068-8-0x0000000140000000-0x0000000140144000-memory.dmp

Filesize
1.3MB

Download
memory/1068-7-0x0000000140000000-0x0000000140144000-memory.dmp

Filesize
1.3MB

Download
memory/1068-15-0x0000000140000000-0x0000000140144000-memory.dmp

Filesize
1.3MB

Download
memory/1264-73-0x0000000000110000-0x0000000000117000-memory.dmp

Filesize
28KB

Download
memory/1264-79-0x0000000140000000-0x0000000140145000-memory.dmp

Filesize
1.3MB

Download
memory/1772-96-0x0000000140000000-0x0000000140145000-memory.dmp

Filesize
1.3MB

Download
memory/2196-46-0x0000000140000000-0x0000000140144000-memory.dmp

Filesize
1.3MB

Download
memory/2196-3-0x00000000005B0000-0x00000000005B7000-memory.dmp

Filesize
28KB

Download
memory/2196-0-0x0000000140000000-0x0000000140144000-memory.dmp

Filesize
1.3MB

Download
memory/2392-60-0x0000000140000000-0x0000000140145000-memory.dmp

Filesize
1.3MB

Download
memory/2392-57-0x0000000000500000-0x0000000000507000-memory.dmp

Filesize
28KB

Download
memory/2392-54-0x0000000140000000-0x0000000140145000-memory.dmp

Filesize
1.3MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads