dridex | d7f0e30e4f02bdda1c4bc20ab34b51529ca36fa239a19de5b608ba284c77945c

General

Target

12c053b6a3b757d92ee5f63164376485_JaffaCakes118.dll
Size

1.2MB
MD5

12c053b6a3b757d92ee5f63164376485
SHA1

1a8139740f376f7f328ca8f253a2e3febf637f5e
SHA256

d7f0e30e4f02bdda1c4bc20ab34b51529ca36fa239a19de5b608ba284c77945c
SHA512

bf4e5fb030353a18052d3873dcef9e5f204323669ef79c070892f6b2b7e5a5db03bd23910dc74b28e9fe6815e6c8403b28611e39e3882e4acdcb868c63e87b53
SSDEEP

24576:FVHchfFcSTdS1ZikTqpaIJvzSqbY/0Z2ZlECMNXkTlzvmJL8:FV8hf6STw1ZlQauvzSq01ICe6zvm

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/1376-5-0x0000000002970000-0x0000000002971000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 4 IoCs

Processes:

SystemPropertiesAdvanced.exeSndVol.exewermgr.exerdpinit.exe

pid process

2812 SystemPropertiesAdvanced.exe
2932 SndVol.exe
2692 wermgr.exe
2324 rdpinit.exe
Loads dropped DLL 8 IoCs

Processes:

SystemPropertiesAdvanced.exeSndVol.exerdpinit.exe

pid process

1376
2812 SystemPropertiesAdvanced.exe
1376
2932 SndVol.exe
1376
1376
2324 rdpinit.exe
1376

pid	process
2812	SystemPropertiesAdvanced.exe
2932	SndVol.exe
2692	wermgr.exe
2324	rdpinit.exe

pid	process
1376
2812	SystemPropertiesAdvanced.exe
1376
2932	SndVol.exe
1376
1376
2324	rdpinit.exe
1376

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\Groztcac = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Libraries\\82\\SndVol.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.exeSystemPropertiesAdvanced.exeSndVol.exerdpinit.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SystemPropertiesAdvanced.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SndVol.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rdpinit.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
2368	rundll32.exe
2368	rundll32.exe
2368	rundll32.exe
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

description	pid	target process
PID 1376 wrote to memory of 2484	1376	SystemPropertiesAdvanced.exe
PID 1376 wrote to memory of 2484	1376	SystemPropertiesAdvanced.exe
PID 1376 wrote to memory of 2484	1376	SystemPropertiesAdvanced.exe
PID 1376 wrote to memory of 2812	1376	SystemPropertiesAdvanced.exe
PID 1376 wrote to memory of 2812	1376	SystemPropertiesAdvanced.exe
PID 1376 wrote to memory of 2812	1376	SystemPropertiesAdvanced.exe
PID 1376 wrote to memory of 2796	1376	SndVol.exe
PID 1376 wrote to memory of 2796	1376	SndVol.exe
PID 1376 wrote to memory of 2796	1376	SndVol.exe
PID 1376 wrote to memory of 2932	1376	SndVol.exe
PID 1376 wrote to memory of 2932	1376	SndVol.exe
PID 1376 wrote to memory of 2932	1376	SndVol.exe
PID 1376 wrote to memory of 1952	1376	wermgr.exe
PID 1376 wrote to memory of 1952	1376	wermgr.exe
PID 1376 wrote to memory of 1952	1376	wermgr.exe
PID 1376 wrote to memory of 2692	1376	wermgr.exe
PID 1376 wrote to memory of 2692	1376	wermgr.exe
PID 1376 wrote to memory of 2692	1376	wermgr.exe
PID 1376 wrote to memory of 1588	1376	rdpinit.exe
PID 1376 wrote to memory of 1588	1376	rdpinit.exe
PID 1376 wrote to memory of 1588	1376	rdpinit.exe
PID 1376 wrote to memory of 2324	1376	rdpinit.exe
PID 1376 wrote to memory of 2324	1376	rdpinit.exe
PID 1376 wrote to memory of 2324	1376	rdpinit.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\12c053b6a3b757d92ee5f63164376485_JaffaCakes118.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:2368

C:\Windows\system32\SystemPropertiesAdvanced.exe
C:\Windows\system32\SystemPropertiesAdvanced.exe
1⤵
PID:2484

C:\Users\Admin\AppData\Local\tOiDpZm\SystemPropertiesAdvanced.exe
C:\Users\Admin\AppData\Local\tOiDpZm\SystemPropertiesAdvanced.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2812

C:\Windows\system32\SndVol.exe
C:\Windows\system32\SndVol.exe
1⤵
PID:2796

C:\Users\Admin\AppData\Local\fBEu\SndVol.exe
C:\Users\Admin\AppData\Local\fBEu\SndVol.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2932

C:\Windows\system32\wermgr.exe
C:\Windows\system32\wermgr.exe
1⤵
PID:1952

C:\Users\Admin\AppData\Local\zYl0muD\wermgr.exe
C:\Users\Admin\AppData\Local\zYl0muD\wermgr.exe
1⤵
- Executes dropped EXE
PID:2692

C:\Windows\system32\rdpinit.exe
C:\Windows\system32\rdpinit.exe
1⤵
PID:1588

C:\Users\Admin\AppData\Local\HwZLH\rdpinit.exe
C:\Users\Admin\AppData\Local\HwZLH\rdpinit.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2324

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Query Registry

1

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\HwZLH\WTSAPI32.dll
Filesize
1.2MB

MD5
b841d199d6ac3b640864dab3af2b3d4e

SHA1
ea1b7e1981ddc0bcf3c563a798368dfe153a77c4

SHA256
fe4745da86e113b23e601af076babbd24791fd421e496a314b8cc285f3af69de

SHA512
1204bf520f5d9ab959006f1c558bd6d71df45a968147926abb1d2bb205684eca8489383d1cd5e99589580989d9794a4d0e78aa9054e616d784ac17f7e9bdd8a4

Download Submit
C:\Users\Admin\AppData\Local\HwZLH\rdpinit.exe
Filesize
174KB

MD5
664e12e0ea009cc98c2b578ff4983c62

SHA1
27b302c0108851ac6cc37e56590dd9074b09c3c9

SHA256
00bd9c3c941a5a9b4fc8594d7b985f5f1ac48f0ba7495a728b8fa42b4b48a332

SHA512
f5eee4e924dcc3cf5e82eff36543e9d0e9c17dc2272b403cf30f8d2da42312821f5566249a98a952f5441b1f0d6d61a86b5c5198bc598d65ea9d4fb35822505d

Download Submit
C:\Users\Admin\AppData\Local\fBEu\SndVol.exe
Filesize
267KB

MD5
c3489639ec8e181044f6c6bfd3d01ac9

SHA1
e057c90b675a6da19596b0ac458c25d7440b7869

SHA256
a632ef1a1490d31d76f13997ee56f4f75796bf9e366c76446857e9ae855f4103

SHA512
63b96c8afb8c3f5f969459531d3a543f6e8714d5ca1664c6bbb01edd9f5e850856931d7923f363c9dc7d8843deeaad69722d15993641d04e786e02184446c0c9

Download Submit
C:\Users\Admin\AppData\Local\tOiDpZm\SYSDM.CPL
Filesize
1.2MB

MD5
0b331c7735010d5f7d0d0352ed56f5e5

SHA1
e7990e13655623757083c588c459ecfcc538af40

SHA256
6c6a1ab034851132b0f90395a09a21f282c09f7d8bfee06936034efa0e9700a6

SHA512
366a7f30e886bddc4c775eff25568881bf929a3788da4c1e8c432b756149ca203f905018d8d79e8925efc6bbf85013a324cc56a44ee33415bc79bf5a783c15de

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Aqrvnhd.lnk
Filesize
1KB

MD5
be737571fc62feb5e8b9a89d339c3ec0

SHA1
d1d7a9f2a929d154b49401d85f4b0af948ae1ae4

SHA256
03ee9fe0127b1537b3e0a83d357f824ad83eef209bd28e7bf6c3b3b6e3c97efe

SHA512
72c4aacd0700a3461b584d2907baa9eceb16b861916ea25c2042a4e00fe380e001c4a257fa30c61df488c152f4615c7bd0b368146766f1360de3b56399fbfab6

Download Submit
\Users\Admin\AppData\Local\fBEu\UxTheme.dll
Filesize
1.2MB

MD5
5dac40a5eb51e8a628ab404df0d85987

SHA1
35383357c8edba724f069869a7bbfc219599c7c5

SHA256
ba608b62dc30bd239b900b689520c16a09adbdaa718b3adcff473dfde25b0265

SHA512
ef09d7835683be14c96b61061be8a0fd9afda58107584ad0a32db09fda915c78251f53745239d2ed5b5628aea6349c1c5c8317766c3a711c5e4d6b9d565ef537

Download Submit
\Users\Admin\AppData\Local\tOiDpZm\SystemPropertiesAdvanced.exe
Filesize
80KB

MD5
25dc1e599591871c074a68708206e734

SHA1
27a9dffa92d979d39c07d889fada536c062dac77

SHA256
a13b2ba5892c11c731869410b1e3dd2f250d70ff9efd513a9f260ab506dd42ef

SHA512
f7da9ce4c3e8aea9095fcc977084c042f85df48fca0b58fb136dfd835ce69b5b1e68f3c11eeb14c617ffcec7011ffc7e5d5a948f49dde653a2348b28e10adb72

Download Submit
\Users\Admin\AppData\Local\zYl0muD\wermgr.exe
Filesize
49KB

MD5
41df7355a5a907e2c1d7804ec028965d

SHA1
453263d230c6317eb4a2eb3aceeec1bbcf5e153d

SHA256
207bfec939e7c017c4704ba76172ee2c954f485ba593bc1bc8c7666e78251861

SHA512
59c9d69d3942543af4f387137226516adec1a4304bd5696c6c1d338f9e5f40d136450907351cce018563df1358e06a792005167f5c08c689df32d809c4cebdcf

Download Submit
memory/1376-24-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/1376-25-0x0000000002950000-0x0000000002957000-memory.dmp

Filesize
28KB

Download
memory/1376-15-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/1376-13-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/1376-26-0x0000000077221000-0x0000000077222000-memory.dmp

Filesize
4KB

Download
memory/1376-11-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/1376-10-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/1376-9-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/1376-27-0x00000000773B0000-0x00000000773B2000-memory.dmp

Filesize
8KB

Download
memory/1376-38-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/1376-37-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/1376-4-0x0000000077016000-0x0000000077017000-memory.dmp

Filesize
4KB

Download
memory/1376-12-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/1376-5-0x0000000002970000-0x0000000002971000-memory.dmp

Filesize
4KB

Download
memory/1376-7-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/1376-8-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/1376-14-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/1376-64-0x0000000077016000-0x0000000077017000-memory.dmp

Filesize
4KB

Download
memory/2324-99-0x0000000000390000-0x0000000000397000-memory.dmp

Filesize
28KB

Download
memory/2324-105-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/2368-3-0x0000000000130000-0x0000000000137000-memory.dmp

Filesize
28KB

Download
memory/2368-45-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/2368-0-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/2812-54-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/2812-59-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/2812-53-0x0000000000290000-0x0000000000297000-memory.dmp

Filesize
28KB

Download
memory/2932-72-0x0000000000110000-0x0000000000117000-memory.dmp

Filesize
28KB

Download
memory/2932-78-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads