dridex | 19c4a9564a46442c3034f30e9175124a304eff0398e72c39e739f94ac8566e2c

General

Target

7d3637031005ca4e7d31d0035afba188_JaffaCakes118.dll
Size

1.2MB
MD5

7d3637031005ca4e7d31d0035afba188
SHA1

343c4fdf5714552ee078fd09c094425c3d8b048b
SHA256

19c4a9564a46442c3034f30e9175124a304eff0398e72c39e739f94ac8566e2c
SHA512

2251467cdaaa88c8c7a8d9b61a23a098f07341bc67700492238a5ab2ba030de8243dd9815e190110075ba8ef528427bc39afd5d344abd1fecf3050036ba52f53
SSDEEP

24576:vyTonNVlKTt/Q5ECvVP7hpJMvjtKpvPf9+m6kLRqgSyI0:vyWRKTt/QlPVp3h9d

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral2/memory/3452-4-0x0000000007EA0000-0x0000000007EA1000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

sppsvc.exeAtBroker.exeSndVol.exe

pid process

1728 sppsvc.exe
3684 AtBroker.exe
4088 SndVol.exe
Loads dropped DLL 3 IoCs

Processes:

sppsvc.exeAtBroker.exeSndVol.exe

pid process

1728 sppsvc.exe
3684 AtBroker.exe
4088 SndVol.exe

pid	process
1728	sppsvc.exe
3684	AtBroker.exe
4088	SndVol.exe

pid	process
1728	sppsvc.exe
3684	AtBroker.exe
4088	SndVol.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Iwctvdcrnln = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\Windows\\STARTM~1\\Programs\\MAINTE~1\\ov\\AtBroker.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

sppsvc.exeAtBroker.exeSndVol.exerundll32.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sppsvc.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	AtBroker.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SndVol.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe

Modifies registry class 1 IoCs

Processes:

description ioc process

Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
2972	rundll32.exe
2972	rundll32.exe
2972	rundll32.exe
2972	rundll32.exe
3452
3452
3452
3452
3452
3452
3452
3452
3452
3452
3452
3452
3452
3452
3452
3452
3452
3452
3452
3452
3452
3452
3452
3452
3452
3452
3452
3452
3452
3452
3452
3452
3452
3452
3452
3452
3452
3452
3452
3452
3452
3452
3452
3452
3452
3452
3452
3452
3452
3452
3452
3452
3452
3452
3452
3452
3452
3452
3452
3452

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

description	pid	process
Token: SeShutdownPrivilege	3452
Token: SeCreatePagefilePrivilege	3452
Token: SeShutdownPrivilege	3452
Token: SeCreatePagefilePrivilege	3452

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

pid process

3452
3452
Suspicious use of UnmapMainImage 1 IoCs

Processes:

pid process

3452

pid	process
3452
3452

pid	process
3452

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

description	pid	target process
PID 3452 wrote to memory of 1728	3452	sppsvc.exe
PID 3452 wrote to memory of 1728	3452	sppsvc.exe
PID 3452 wrote to memory of 3144	3452	AtBroker.exe
PID 3452 wrote to memory of 3144	3452	AtBroker.exe
PID 3452 wrote to memory of 3684	3452	AtBroker.exe
PID 3452 wrote to memory of 3684	3452	AtBroker.exe
PID 3452 wrote to memory of 4612	3452	SndVol.exe
PID 3452 wrote to memory of 4612	3452	SndVol.exe
PID 3452 wrote to memory of 4088	3452	SndVol.exe
PID 3452 wrote to memory of 4088	3452	SndVol.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\7d3637031005ca4e7d31d0035afba188_JaffaCakes118.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:2972

C:\Windows\system32\sppsvc.exe
C:\Windows\system32\sppsvc.exe
1⤵
PID:4976

C:\Users\Admin\AppData\Local\xbCk4\sppsvc.exe
C:\Users\Admin\AppData\Local\xbCk4\sppsvc.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1728

C:\Windows\system32\AtBroker.exe
C:\Windows\system32\AtBroker.exe
1⤵
PID:3144

C:\Users\Admin\AppData\Local\UK8GMK752\AtBroker.exe
C:\Users\Admin\AppData\Local\UK8GMK752\AtBroker.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:3684

C:\Windows\system32\SndVol.exe
C:\Windows\system32\SndVol.exe
1⤵
PID:4612

C:\Users\Admin\AppData\Local\RHr\SndVol.exe
C:\Users\Admin\AppData\Local\RHr\SndVol.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:4088

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Query Registry

1

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\RHr\SndVol.exe
Filesize
269KB

MD5
c5d939ac3f9d885c8355884199e36433

SHA1
b8f277549c23953e8683746e225e7af1c193ad70

SHA256
68b6ced01f5dfc2bc9556b005f4fff235a3d02449ad9f9e4de627c0e1424d605

SHA512
8488e7928e53085c00df096af2315490cd4b22ce2ce196b157dc0fbb820c5399a9dbd5dead40b24b99a4a32b6de66b4edc28339d7bacd9c1e7d5936604d1a4f0

Download Submit
C:\Users\Admin\AppData\Local\RHr\dwmapi.dll
Filesize
1.2MB

MD5
fb4aa7dc9a383c5ce223784c9192031c

SHA1
b827fd474a6db65b9c09a8837a39de67516ee43c

SHA256
51276e288096cc43dafff493d61592b6d8d94416af4a9885509caadde21805d9

SHA512
46016908a4809592d36c81ef1b2566b736811df74546726d0f3f38a8a263d17dd12f63de4a238f36a80ff102a759722ce893a43ae46b37f24e03c40dc70466e2

Download Submit
C:\Users\Admin\AppData\Local\UK8GMK752\AtBroker.exe
Filesize
90KB

MD5
30076e434a015bdf4c136e09351882cc

SHA1
584c958a35e23083a0861421357405afd26d9a0c

SHA256
ae7b1e298a6e38f0a3428151bfc5565ede50a8d98dafaa147b13cf89c61f2ddd

SHA512
675e310c2455acf9220735f34fa527afe87dac691e89cc0edc3c4659147e9fd223f96b7a3beea532047aa0ebc58880a7010343019a50aa73ce69a038e3592024

Download Submit
C:\Users\Admin\AppData\Local\UK8GMK752\UxTheme.dll
Filesize
1.2MB

MD5
80c3da49d113f3885c6d9dcd521799b5

SHA1
6f5b3d05490f0ae77182f364f88566bdaac5f189

SHA256
5197490b5f70f4fb67792d150c863a6c0cb2f045b1625d4b1feff60826123305

SHA512
7fc0725c627e0888f8377ca3916888a29f07a7967cf768284d75057b7b7ce10517ce649a747503ce8edcc04de4a2091a104fcee5fa699f124273071928a4c81c

Download Submit
C:\Users\Admin\AppData\Local\xbCk4\XmlLite.dll
Filesize
1.2MB

MD5
6f86cfe4b00b8ab5a29cec534653aac0

SHA1
61caeb54017662b837f189e6f9b4ad25b5757bdb

SHA256
7edecbc91cc5ad25b0e8d765bc41e372258e1f4ff722460d39829869dd8ecf72

SHA512
7b0b1a5cfad17794c1dc0e161abdf7ce50e7712e795eed856e8bbd8b4d1cc61b4f4f128401b1962d28e8378381d1f8baa323d1230cb1abcd890ef24c13ff10ee

Download Submit
C:\Users\Admin\AppData\Local\xbCk4\sppsvc.exe
Filesize
4.4MB

MD5
ec6cef0a81f167668e18fa32f1606fce

SHA1
6d56837a388ae5573a38a439cee16e6dde5b4de8

SHA256
82c59a2f606ebf1a8a0de16be150600ac63ad8351c6bf3952c27a70257cb70f8

SHA512
f40b37675329ca7875d958b4b0019082548a563ada217c7431c2ca5c7f93957b242f095f7f04bcdd6240b97ea99e89bfe3a003f97c43366d00a93768fef7b4c5

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Puokv.lnk
Filesize
1KB

MD5
cf7a194f357193b8d3db09e45a386c92

SHA1
b4427f55996ae410481febd7ab077dc5fb23675f

SHA256
3f66421e73d69630a07ae76d0cbace11d487358a59dbafef707c7595b415ba38

SHA512
143e54acc62fd54905d856952e1256c8314baa59ec7db9d391693c957e185c224f2bd866c3784759a1e638f8bd268607b6ffa76fe32c6bb767ed414196d461f1

Download Submit
memory/1728-52-0x0000000140000000-0x0000000140132000-memory.dmp

Filesize
1.2MB

Download
memory/1728-46-0x0000000140000000-0x0000000140132000-memory.dmp

Filesize
1.2MB

Download
memory/1728-49-0x000002361FAA0000-0x000002361FAA7000-memory.dmp

Filesize
28KB

Download
memory/2972-2-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/2972-39-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/2972-0-0x0000024F256B0000-0x0000024F256B7000-memory.dmp

Filesize
28KB

Download
memory/3452-36-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3452-35-0x00007FF85BEF0000-0x00007FF85BF00000-memory.dmp

Filesize
64KB

Download
memory/3452-11-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3452-8-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3452-7-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3452-13-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3452-15-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3452-33-0x00007FF85A62A000-0x00007FF85A62B000-memory.dmp

Filesize
4KB

Download
memory/3452-34-0x0000000007E80000-0x0000000007E87000-memory.dmp

Filesize
28KB

Download
memory/3452-12-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3452-24-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3452-14-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3452-6-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3452-4-0x0000000007EA0000-0x0000000007EA1000-memory.dmp

Filesize
4KB

Download
memory/3452-10-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3452-9-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3684-68-0x0000000140000000-0x0000000140132000-memory.dmp

Filesize
1.2MB

Download
memory/3684-66-0x000001E28BDD0000-0x000001E28BDD7000-memory.dmp

Filesize
28KB

Download
memory/4088-82-0x00000200BC850000-0x00000200BC857000-memory.dmp

Filesize
28KB

Download
memory/4088-85-0x0000000140000000-0x0000000140132000-memory.dmp

Filesize
1.2MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads