dridex | 682acb2e8fbae0a220ee3c38f5895a1e565242f9b79eb576f6d6ce530934bc34

General

Target

777ef6894e820bba6cd3f4d2f81282cb_JaffaCakes118.dll
Size

1.2MB
MD5

777ef6894e820bba6cd3f4d2f81282cb
SHA1

cd4893c41615b03101c95170687731f5f8ef87e1
SHA256

682acb2e8fbae0a220ee3c38f5895a1e565242f9b79eb576f6d6ce530934bc34
SHA512

ad0078555615ff2a55da4357167771ba3ace8905f865023e6634e28408e6636ef00c91a87cb37ca331f4ad6a1cf396b0530f3f6852fe8f9afafa2c5919ade9ff
SSDEEP

24576:JVHchfFcSTdS1ZikTqpaIJvzSqbY/0Z2ZlECMNXkTlzvmJL8:JV8hf6STw1ZlQauvzSq01ICe6zvm

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral2/memory/3316-4-0x0000000002990000-0x0000000002991000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

eudcedit.exeSndVol.exeSystemSettingsRemoveDevice.exe

pid process

3160 eudcedit.exe
3568 SndVol.exe
456 SystemSettingsRemoveDevice.exe
Loads dropped DLL 3 IoCs

Processes:

eudcedit.exeSndVol.exeSystemSettingsRemoveDevice.exe

pid process

3160 eudcedit.exe
3568 SndVol.exe
456 SystemSettingsRemoveDevice.exe

pid	process
3160	eudcedit.exe
3568	SndVol.exe
456	SystemSettingsRemoveDevice.exe

pid	process
3160	eudcedit.exe
3568	SndVol.exe
456	SystemSettingsRemoveDevice.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Xcdbzlxvqxxhz = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\AutomaticDestinations\\nng\\SndVol.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.exeeudcedit.exeSndVol.exeSystemSettingsRemoveDevice.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	eudcedit.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SndVol.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SystemSettingsRemoveDevice.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
1836	rundll32.exe
1836	rundll32.exe
1836	rundll32.exe
1836	rundll32.exe
3316
3316
3316
3316
3316
3316
3316
3316
3316
3316
3316
3316
3316
3316
3316
3316
3316
3316
3316
3316
3316
3316
3316
3316
3316
3316
3316
3316
3316
3316
3316
3316
3316
3316
3316
3316
3316
3316
3316
3316
3316
3316
3316
3316
3316
3316
3316
3316
3316
3316
3316
3316
3316
3316
3316
3316
3316
3316
3316
3316

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

description	pid	target process
PID 3316 wrote to memory of 1912	3316	eudcedit.exe
PID 3316 wrote to memory of 1912	3316	eudcedit.exe
PID 3316 wrote to memory of 3160	3316	eudcedit.exe
PID 3316 wrote to memory of 3160	3316	eudcedit.exe
PID 3316 wrote to memory of 2992	3316	SndVol.exe
PID 3316 wrote to memory of 2992	3316	SndVol.exe
PID 3316 wrote to memory of 3568	3316	SndVol.exe
PID 3316 wrote to memory of 3568	3316	SndVol.exe
PID 3316 wrote to memory of 4176	3316	SystemSettingsRemoveDevice.exe
PID 3316 wrote to memory of 4176	3316	SystemSettingsRemoveDevice.exe
PID 3316 wrote to memory of 456	3316	SystemSettingsRemoveDevice.exe
PID 3316 wrote to memory of 456	3316	SystemSettingsRemoveDevice.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\777ef6894e820bba6cd3f4d2f81282cb_JaffaCakes118.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:1836

C:\Windows\system32\eudcedit.exe
C:\Windows\system32\eudcedit.exe
1⤵
PID:1912

C:\Users\Admin\AppData\Local\4yPbCFi\eudcedit.exe
C:\Users\Admin\AppData\Local\4yPbCFi\eudcedit.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:3160

C:\Windows\system32\SndVol.exe
C:\Windows\system32\SndVol.exe
1⤵
PID:2992

C:\Users\Admin\AppData\Local\1znLZI\SndVol.exe
C:\Users\Admin\AppData\Local\1znLZI\SndVol.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:3568

C:\Windows\system32\SystemSettingsRemoveDevice.exe
C:\Windows\system32\SystemSettingsRemoveDevice.exe
1⤵
PID:4176

C:\Users\Admin\AppData\Local\455T3Q5\SystemSettingsRemoveDevice.exe
C:\Users\Admin\AppData\Local\455T3Q5\SystemSettingsRemoveDevice.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:456

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=776 --field-trial-handle=2244,i,11878111470816612087,2265290141962607370,262144 --variations-seed-version /prefetch:8
1⤵
PID:3260

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\1znLZI\SndVol.exe

Filesize
269KB

MD5
c5d939ac3f9d885c8355884199e36433

SHA1
b8f277549c23953e8683746e225e7af1c193ad70

SHA256
68b6ced01f5dfc2bc9556b005f4fff235a3d02449ad9f9e4de627c0e1424d605

SHA512
8488e7928e53085c00df096af2315490cd4b22ce2ce196b157dc0fbb820c5399a9dbd5dead40b24b99a4a32b6de66b4edc28339d7bacd9c1e7d5936604d1a4f0

Download Submit
C:\Users\Admin\AppData\Local\1znLZI\UxTheme.dll

Filesize
1.2MB

MD5
a05fb8ce23443f199010fc0ed538a304

SHA1
4ea1ef20f471851887c67c747517b876f8992dbc

SHA256
c0d2b3514f5166579a07eaab74833400bd2f777f0eb26313bb63cb611b783717

SHA512
aceaa859ae472968de7dcc98dffdcebdd50ea7143dfebf0eac70ce32ca1a279f8875ccd4c97193d0623e343eeeba5b5f55297db7875a68de917e8251a268e88a

Download Submit
C:\Users\Admin\AppData\Local\455T3Q5\DUI70.dll

Filesize
1.5MB

MD5
fc0b06c2be1f3562fbf46461d5bda30b

SHA1
8992aea15ef4d069fd707883e0730ef223c3c470

SHA256
f3f4b49433b0350c8d91c2cfd94c14d7b5775ff7fab1f6110c8248ad8cc2f800

SHA512
1c0f0da44de09306935f07b54c93bc0097f00f7476aff6767d330c778ae270ecacee2416f949be892e8a296c7d7a485096394698e05a514246ad2ffafde564dc

Download Submit
C:\Users\Admin\AppData\Local\455T3Q5\SystemSettingsRemoveDevice.exe

Filesize
39KB

MD5
7853f1c933690bb7c53c67151cbddeb0

SHA1
d47a1ad0ccba4c988c8ffc5cbf9636fd4f4fa6e6

SHA256
9500731b2a3442f11dfd08a8adfe027e7f32ef5834c628eed4b78be74168470d

SHA512
831993d610539d44422d769de6561a4622e1b9cb3d73253774b6cecabf57654a74cd88b4ebe20921585ea96d977225b9501f02a0f6a1fc7d2cad6824fd539304

Download Submit
C:\Users\Admin\AppData\Local\4yPbCFi\MFC42u.dll

Filesize
1.3MB

MD5
9910fa30dcdcdccfaf173ca7ed8d6bc5

SHA1
2a3adbc14ab54b9cd17b317e709341793b57fffb

SHA256
e9e786ecbd351f06fcd74e348882a4ea41e3ff037d61ea136d1176de7329f44f

SHA512
32f0022d86b9e04e60ce4be2e4add4ac42a699cba3036d7a8b1798601df59028a51b7e155ba6f6d376ea70710d78443a2209bd875e53122d4883c8b39f51701b

Download Submit
C:\Users\Admin\AppData\Local\4yPbCFi\eudcedit.exe

Filesize
365KB

MD5
a9de6557179d371938fbe52511b551ce

SHA1
def460b4028788ded82dc55c36cb0df28599fd5f

SHA256
83c8d1a7582b24b4bbc0d453c813487185c2b05c483bd1759ef647a7e7e92dfe

SHA512
5790cac8dae16a785b48f790e6645b137f211c1587fb64ea88e743b846ff3a886324afcfef4bebc61f869023b9a22ba925c461dfb2e12497b70f501e6b79153c

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Axoeay.lnk

Filesize
1KB

MD5
828489df3b6196e83b56a563be7293aa

SHA1
2d71d8d4b11d7a19736621decea57a96bf7280d0

SHA256
6423e8a62cb7a55b4504a1b10da4593bc65a8f5ba8b6f1cae62e05a8481fabae

SHA512
2ec85f53c7678c5d17a8b30ce721567b1b6d7d6c53250675d6050894f7b4c32c3740e07b8fa1080a13def1c536c8f27f0abd1a3dc5fb728c6ca4ccee1cb18ff0

Download Submit
memory/456-86-0x0000000140000000-0x0000000140189000-memory.dmp

Filesize
1.5MB

Download
memory/456-83-0x000001544A030000-0x000001544A037000-memory.dmp

Filesize
28KB

Download
memory/456-80-0x0000000140000000-0x0000000140189000-memory.dmp

Filesize
1.5MB

Download
memory/1836-0-0x000002711E8A0000-0x000002711E8A7000-memory.dmp

Filesize
28KB

Download
memory/1836-39-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/1836-1-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/3160-52-0x0000000140000000-0x000000014014A000-memory.dmp

Filesize
1.3MB

Download
memory/3160-47-0x0000000140000000-0x000000014014A000-memory.dmp

Filesize
1.3MB

Download
memory/3160-46-0x0000020F09050000-0x0000020F09057000-memory.dmp

Filesize
28KB

Download
memory/3316-24-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/3316-15-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/3316-8-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/3316-36-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/3316-9-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/3316-10-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/3316-11-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/3316-12-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/3316-13-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/3316-7-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/3316-4-0x0000000002990000-0x0000000002991000-memory.dmp

Filesize
4KB

Download
memory/3316-6-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/3316-14-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/3316-27-0x00007FFC4131A000-0x00007FFC4131B000-memory.dmp

Filesize
4KB

Download
memory/3316-28-0x0000000000970000-0x0000000000977000-memory.dmp

Filesize
28KB

Download
memory/3316-29-0x00007FFC422D0000-0x00007FFC422E0000-memory.dmp

Filesize
64KB

Download
memory/3568-69-0x0000000140000000-0x0000000140144000-memory.dmp

Filesize
1.3MB

Download
memory/3568-63-0x0000000140000000-0x0000000140144000-memory.dmp

Filesize
1.3MB

Download
memory/3568-66-0x0000023A16420000-0x0000023A16427000-memory.dmp

Filesize
28KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads