dridex | 0a28e7ee9defb1086bc03f8a1aff2ded0d1f088e7d6ce37dbadd8ff7d524d297

General

Target

bbeb2cd20a1ba49d25bc9a31ed2ab382_JaffaCakes118.dll
Size

986KB
MD5

bbeb2cd20a1ba49d25bc9a31ed2ab382
SHA1

0cf1a27e3a3223300a6b2c76823678430b9b2196
SHA256

0a28e7ee9defb1086bc03f8a1aff2ded0d1f088e7d6ce37dbadd8ff7d524d297
SHA512

2dea31f1ecc66c3af3a8ebc35355b26293ac772714ee099ae28650f71c2813d615e6c6c1d02c5c239373626322fd1b9811836f20e127f64436d104946185183a
SSDEEP

24576:dVHchfFcSTdS1ZikTqpaIJvzSqbY/0Z2ZlECMNXkTlzvmJL8:dV8hf6STw1ZlQauvzSq01ICe6zvm

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/1212-5-0x0000000002DF0000-0x0000000002DF1000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

SndVol.exeWFS.exemsdt.exe

pid process

2424 SndVol.exe
2776 WFS.exe
1456 msdt.exe
Loads dropped DLL 7 IoCs

Processes:

SndVol.exeWFS.exemsdt.exe

pid process

1212
2424 SndVol.exe
1212
2776 WFS.exe
1212
1456 msdt.exe
1212

pid	process
2424	SndVol.exe
2776	WFS.exe
1456	msdt.exe

pid	process
1212
2424	SndVol.exe
1212
2776	WFS.exe
1212
1456	msdt.exe
1212

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\Yyeybzteybdsbj = "C:\\Users\\Admin\\AppData\\Roaming\\MACROM~1\\FLASHP~1\\MACROM~1.COM\\support\\FLASHP~1\\sys\\Mxb\\WFS.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.exeSndVol.exeWFS.exemsdt.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SndVol.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	WFS.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	msdt.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
2328	rundll32.exe
2328	rundll32.exe
2328	rundll32.exe
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

description	pid	target process
PID 1212 wrote to memory of 2388	1212	SndVol.exe
PID 1212 wrote to memory of 2388	1212	SndVol.exe
PID 1212 wrote to memory of 2388	1212	SndVol.exe
PID 1212 wrote to memory of 2424	1212	SndVol.exe
PID 1212 wrote to memory of 2424	1212	SndVol.exe
PID 1212 wrote to memory of 2424	1212	SndVol.exe
PID 1212 wrote to memory of 2756	1212	WFS.exe
PID 1212 wrote to memory of 2756	1212	WFS.exe
PID 1212 wrote to memory of 2756	1212	WFS.exe
PID 1212 wrote to memory of 2776	1212	WFS.exe
PID 1212 wrote to memory of 2776	1212	WFS.exe
PID 1212 wrote to memory of 2776	1212	WFS.exe
PID 1212 wrote to memory of 2976	1212	msdt.exe
PID 1212 wrote to memory of 2976	1212	msdt.exe
PID 1212 wrote to memory of 2976	1212	msdt.exe
PID 1212 wrote to memory of 1456	1212	msdt.exe
PID 1212 wrote to memory of 1456	1212	msdt.exe
PID 1212 wrote to memory of 1456	1212	msdt.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\bbeb2cd20a1ba49d25bc9a31ed2ab382_JaffaCakes118.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:2328

C:\Windows\system32\SndVol.exe
C:\Windows\system32\SndVol.exe
1⤵
PID:2388

C:\Users\Admin\AppData\Local\TnNbCTuch\SndVol.exe
C:\Users\Admin\AppData\Local\TnNbCTuch\SndVol.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2424

C:\Windows\system32\WFS.exe
C:\Windows\system32\WFS.exe
1⤵
PID:2756

C:\Users\Admin\AppData\Local\uOQ\WFS.exe
C:\Users\Admin\AppData\Local\uOQ\WFS.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2776

C:\Windows\system32\msdt.exe
C:\Windows\system32\msdt.exe
1⤵
PID:2976

C:\Users\Admin\AppData\Local\cFbLEJH\msdt.exe
C:\Users\Admin\AppData\Local\cFbLEJH\msdt.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1456

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Query Registry

1

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\TnNbCTuch\SndVol.exe
Filesize
267KB

MD5
c3489639ec8e181044f6c6bfd3d01ac9

SHA1
e057c90b675a6da19596b0ac458c25d7440b7869

SHA256
a632ef1a1490d31d76f13997ee56f4f75796bf9e366c76446857e9ae855f4103

SHA512
63b96c8afb8c3f5f969459531d3a543f6e8714d5ca1664c6bbb01edd9f5e850856931d7923f363c9dc7d8843deeaad69722d15993641d04e786e02184446c0c9

Download Submit
C:\Users\Admin\AppData\Local\cFbLEJH\msdt.exe
Filesize
1.0MB

MD5
aecb7b09566b1f83f61d5a4b44ae9c7e

SHA1
3a4a2338c6b5ac833dc87497e04fe89c5481e289

SHA256
fbdbe7a2027cab237c4635ef71c1a93cf7afc4b79d56b63a119b7f8e3029ccf5

SHA512
6e14200262e0729ebcab2226c3eac729ab5af2a4c6f4f9c3e2950cc203387d9a0a447cf38665c724d4397353931fd10064dc067e043a3579538a6144e33e4746

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Omdqupblcei.lnk
Filesize
897B

MD5
4af05450575170673be3f604e2ea8fff

SHA1
aa5618e57cf6924e73977b0c44a971bd715e7452

SHA256
e95a10d11f6c84203b23d70fb39659538c5c0dd7a1f37ef4796e32e9e5c6b987

SHA512
205c8912c413b53ca0a0bd4572c108fe4fa1fb6b02ee5406a4e8638bd2fc5625b1de0fcfb41d5d2e412e3fa49a924db9237fe17fed04d290a24a7f8e370e8f70

Download Submit
\Users\Admin\AppData\Local\TnNbCTuch\UxTheme.dll
Filesize
988KB

MD5
820b66c554a9958cb5de322432280468

SHA1
d65ac1cc7b9d11b7095c8bc8e6945519c1bf79d3

SHA256
4a5154296856b79c219fa9ac2339632f4e835c544d817ce3ceb8773efa04c164

SHA512
6d1c8159e5051d9bb8b406c6f922d14e5ca63440ec39f50f35ae8c9b031a97a0eb3e56838138a566306b683db6746855bcd45588f82dceb5a115f97298cbeec4

Download Submit
\Users\Admin\AppData\Local\cFbLEJH\DUI70.dll
Filesize
1.2MB

MD5
c4ce97de6d88e6e885b2741ad79df1d5

SHA1
68d5c07935ba42eb09749b20fd6a4022bcef9002

SHA256
1907991f69b853c4295c138eb27d00afd076188ec219652c031368ecf3f1d5c9

SHA512
afc11573fd6582e1c8480f657da2d64bc874a000442b0736acb9b130babc8bf2f7f492433423d53266a24c9e9309fda9188c5ac5aa4b1f4c619acba3f916c6e0

Download Submit
\Users\Admin\AppData\Local\uOQ\UxTheme.dll
Filesize
988KB

MD5
ec775fc22fdd9fced65ba95b2b4d4f70

SHA1
c3de214774da0bc8bc9dbbb5edbcd408749d9f8a

SHA256
1f160409ae007f41146a3cc3b42f451dea3cc1e68105555807dba582357ed1a8

SHA512
dbf94f766a0c619d10674754df543fbbe79c7b472d8fe71b6039773a0487d783c691acaa164476fff4f12514706476f3a6f45d6a4b3c58a6769b4eef5888c7ec

Download Submit
\Users\Admin\AppData\Local\uOQ\WFS.exe
Filesize
951KB

MD5
a943d670747778c7597987a4b5b9a679

SHA1
c48b760ff9762205386563b93e8884352645ef40

SHA256
1a582ebe780abc1143baccaf4910714d3e9f4195edd86939499d03ed6e756610

SHA512
3d926ddead8afcb32b52b3eb3c416d197c15e5fff6ba9fa03a31a07522bdb9088b32500fc8b98d82af657071571d09cd336a65cf45c485ebcc145dea70b3a934

Download Submit
memory/1212-11-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/1212-73-0x0000000077206000-0x0000000077207000-memory.dmp

Filesize
4KB

Download
memory/1212-12-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/1212-24-0x0000000002DD0000-0x0000000002DD7000-memory.dmp

Filesize
28KB

Download
memory/1212-23-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/1212-14-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/1212-13-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/1212-36-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/1212-35-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/1212-28-0x00000000774A0000-0x00000000774A2000-memory.dmp

Filesize
8KB

Download
memory/1212-27-0x0000000077311000-0x0000000077312000-memory.dmp

Filesize
4KB

Download
memory/1212-4-0x0000000077206000-0x0000000077207000-memory.dmp

Filesize
4KB

Download
memory/1212-10-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/1212-5-0x0000000002DF0000-0x0000000002DF1000-memory.dmp

Filesize
4KB

Download
memory/1212-7-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/1212-9-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/1212-8-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/1456-89-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/1456-94-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/2328-0-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/2328-44-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/2328-3-0x00000000001A0000-0x00000000001A7000-memory.dmp

Filesize
28KB

Download
memory/2424-58-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download
memory/2424-55-0x0000000000110000-0x0000000000117000-memory.dmp

Filesize
28KB

Download
memory/2424-52-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download
memory/2776-74-0x0000000000140000-0x0000000000147000-memory.dmp

Filesize
28KB

Download
memory/2776-77-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads