dridex | acb6b390306be1fe78e2453843386ac52bf9599741957edd013e9c5ea276e467

General

Target

dc2d104b67fcae0ddd6dc0e18b8faaeb_JaffaCakes118.dll
Size

1.2MB
MD5

dc2d104b67fcae0ddd6dc0e18b8faaeb
SHA1

7e2e76bdcd59fa3a06550be0cf8765368cb1c3ad
SHA256

acb6b390306be1fe78e2453843386ac52bf9599741957edd013e9c5ea276e467
SHA512

d61af34102337e7e34f663471c0b8d97887fc275921ef23465cfc105ac1288087ef2e7908b2d3382b1a3564bdd1e0f37f542cc415824f6b5107999a2cfaf5cd8
SSDEEP

24576:0uYfg4LhHr4NFXKJO1aUiDBvZ2+ITHmpclO9N:s9cKrUqZWLAcU

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/1180-5-0x0000000002560000-0x0000000002561000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

rdpclip.exeSndVol.exerdpinit.exe

pid process

2688 rdpclip.exe
1816 SndVol.exe
2988 rdpinit.exe
Loads dropped DLL 7 IoCs

Processes:

rdpclip.exeSndVol.exerdpinit.exe

pid process

1180
2688 rdpclip.exe
1180
1816 SndVol.exe
1180
2988 rdpinit.exe
1180

pid	process
2688	rdpclip.exe
1816	SndVol.exe
2988	rdpinit.exe

pid	process
1180
2688	rdpclip.exe
1180
1816	SndVol.exe
1180
2988	rdpinit.exe
1180

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\Neewpjodwhuy = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\jEOkTeChVBK\\SndVol.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.exerdpclip.exeSndVol.exerdpinit.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rdpclip.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SndVol.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rdpinit.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
2948	rundll32.exe
2948	rundll32.exe
2948	rundll32.exe
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

description	pid	target process
PID 1180 wrote to memory of 2692	1180	rdpclip.exe
PID 1180 wrote to memory of 2692	1180	rdpclip.exe
PID 1180 wrote to memory of 2692	1180	rdpclip.exe
PID 1180 wrote to memory of 2688	1180	rdpclip.exe
PID 1180 wrote to memory of 2688	1180	rdpclip.exe
PID 1180 wrote to memory of 2688	1180	rdpclip.exe
PID 1180 wrote to memory of 2512	1180	SndVol.exe
PID 1180 wrote to memory of 2512	1180	SndVol.exe
PID 1180 wrote to memory of 2512	1180	SndVol.exe
PID 1180 wrote to memory of 1816	1180	SndVol.exe
PID 1180 wrote to memory of 1816	1180	SndVol.exe
PID 1180 wrote to memory of 1816	1180	SndVol.exe
PID 1180 wrote to memory of 2608	1180	rdpinit.exe
PID 1180 wrote to memory of 2608	1180	rdpinit.exe
PID 1180 wrote to memory of 2608	1180	rdpinit.exe
PID 1180 wrote to memory of 2988	1180	rdpinit.exe
PID 1180 wrote to memory of 2988	1180	rdpinit.exe
PID 1180 wrote to memory of 2988	1180	rdpinit.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\dc2d104b67fcae0ddd6dc0e18b8faaeb_JaffaCakes118.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:2948

C:\Windows\system32\rdpclip.exe
C:\Windows\system32\rdpclip.exe
1⤵
PID:2692

C:\Users\Admin\AppData\Local\xXbYtc\rdpclip.exe
C:\Users\Admin\AppData\Local\xXbYtc\rdpclip.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2688

C:\Windows\system32\SndVol.exe
C:\Windows\system32\SndVol.exe
1⤵
PID:2512

C:\Users\Admin\AppData\Local\cUnczG\SndVol.exe
C:\Users\Admin\AppData\Local\cUnczG\SndVol.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1816

C:\Windows\system32\rdpinit.exe
C:\Windows\system32\rdpinit.exe
1⤵
PID:2608

C:\Users\Admin\AppData\Local\4srAuIAK\rdpinit.exe
C:\Users\Admin\AppData\Local\4srAuIAK\rdpinit.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2988

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\4srAuIAK\rdpinit.exe

Filesize
174KB

MD5
664e12e0ea009cc98c2b578ff4983c62

SHA1
27b302c0108851ac6cc37e56590dd9074b09c3c9

SHA256
00bd9c3c941a5a9b4fc8594d7b985f5f1ac48f0ba7495a728b8fa42b4b48a332

SHA512
f5eee4e924dcc3cf5e82eff36543e9d0e9c17dc2272b403cf30f8d2da42312821f5566249a98a952f5441b1f0d6d61a86b5c5198bc598d65ea9d4fb35822505d

Download Submit
C:\Users\Admin\AppData\Local\4srAuIAK\slc.dll

Filesize
1.2MB

MD5
d0d051a06551b94f40baf47fa9b1933e

SHA1
4a4b778b26ba3295ceb4f76784a8aa78d74dff44

SHA256
8b0818ac279d310c68921e355124dbf662f8330ff9ff91885674cb53fb024b64

SHA512
54f3440f9452c1dc8076a01a3fe034dbf2b71bb849a5eedc6ab6a65dea0ae5345100a6e95046ef14ca16b8f6cfc156191935ebc3f1ebe170e1bd145abb3312f1

Download Submit
C:\Users\Admin\AppData\Local\cUnczG\SndVol.exe

Filesize
267KB

MD5
c3489639ec8e181044f6c6bfd3d01ac9

SHA1
e057c90b675a6da19596b0ac458c25d7440b7869

SHA256
a632ef1a1490d31d76f13997ee56f4f75796bf9e366c76446857e9ae855f4103

SHA512
63b96c8afb8c3f5f969459531d3a543f6e8714d5ca1664c6bbb01edd9f5e850856931d7923f363c9dc7d8843deeaad69722d15993641d04e786e02184446c0c9

Download Submit
C:\Users\Admin\AppData\Local\xXbYtc\WINSTA.dll

Filesize
1.2MB

MD5
d7161faf8e77125c8aa2152352175123

SHA1
56ec574725defde3eebe38c07eb06557d41558d4

SHA256
1ea307027c224a96ec963394c66a422b68d6f5a4fda6aec92179206008716788

SHA512
adfd1072c5d8d6eb5e7b56054afc22419e44dd9f7e881b331062ed63dcac83fcc728f091626520e2045d39b40400f63fcb7dc6d87fe0108d5882bcc85de36146

Download Submit
C:\Users\Admin\AppData\Local\xXbYtc\rdpclip.exe

Filesize
206KB

MD5
25d284eb2f12254c001afe9a82575a81

SHA1
cf131801fdd5ec92278f9e0ae62050e31c6670a5

SHA256
837e0d864c474956c0d9d4e7ae5f884007f19b7f420db9afcf0d266aefa6608b

SHA512
7b4f208fa1681a0a139577ebc974e7acfc85e3c906a674e111223783460585eb989cb6b38f215d79f89e747a0e9224d90e1aa43e091d2042edb8bac7b27b968b

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Ngqpewzrrtyksiv.lnk

Filesize
1KB

MD5
40b17779483f788726affb0f783f48ba

SHA1
c94581f3c59d2ffca7321b86f37f2bde7cd51e05

SHA256
5d79efc0cce94b02384bf9dd06f71703c1d457e617497a80be4c70b13dbe870b

SHA512
0771cf7e1c8c4b1c951e234514214816ad2916b63fdfa641507596a42ad217622dc9dd514fbf02ff88f9fcc9a7460146c9886bf8b0cc39b6e79c558671bc1045

Download Submit
\Users\Admin\AppData\Local\cUnczG\dwmapi.dll

Filesize
1.2MB

MD5
507a50852829cc2ed6d9f38ca6ec7198

SHA1
a29c477a4330689b939a5533839a3baa8da51969

SHA256
fe24664558d0acf8083d36a882eb3e64a806d99ae7c57373eed6aaa554ab4102

SHA512
e4ef4d3c083d25c1b2f3e30c1fa298734b37657215db31f574c69ff47f0dbdba60d73e1d6081b281714dc1bf4b204f15dea48f3bdd7333d85e6d2ef92ce7cc0a

Download Submit
memory/1180-8-0x0000000140000000-0x0000000140132000-memory.dmp

Filesize
1.2MB

Download
memory/1180-47-0x0000000076F46000-0x0000000076F47000-memory.dmp

Filesize
4KB

Download
memory/1180-17-0x0000000140000000-0x0000000140132000-memory.dmp

Filesize
1.2MB

Download
memory/1180-16-0x0000000140000000-0x0000000140132000-memory.dmp

Filesize
1.2MB

Download
memory/1180-14-0x0000000140000000-0x0000000140132000-memory.dmp

Filesize
1.2MB

Download
memory/1180-26-0x0000000002540000-0x0000000002547000-memory.dmp

Filesize
28KB

Download
memory/1180-12-0x0000000140000000-0x0000000140132000-memory.dmp

Filesize
1.2MB

Download
memory/1180-11-0x0000000140000000-0x0000000140132000-memory.dmp

Filesize
1.2MB

Download
memory/1180-10-0x0000000140000000-0x0000000140132000-memory.dmp

Filesize
1.2MB

Download
memory/1180-15-0x0000000140000000-0x0000000140132000-memory.dmp

Filesize
1.2MB

Download
memory/1180-9-0x0000000140000000-0x0000000140132000-memory.dmp

Filesize
1.2MB

Download
memory/1180-4-0x0000000076F46000-0x0000000076F47000-memory.dmp

Filesize
4KB

Download
memory/1180-38-0x0000000140000000-0x0000000140132000-memory.dmp

Filesize
1.2MB

Download
memory/1180-37-0x0000000140000000-0x0000000140132000-memory.dmp

Filesize
1.2MB

Download
memory/1180-7-0x0000000140000000-0x0000000140132000-memory.dmp

Filesize
1.2MB

Download
memory/1180-25-0x0000000140000000-0x0000000140132000-memory.dmp

Filesize
1.2MB

Download
memory/1180-27-0x0000000077151000-0x0000000077152000-memory.dmp

Filesize
4KB

Download
memory/1180-28-0x00000000772E0000-0x00000000772E2000-memory.dmp

Filesize
8KB

Download
memory/1180-5-0x0000000002560000-0x0000000002561000-memory.dmp

Filesize
4KB

Download
memory/1180-13-0x0000000140000000-0x0000000140132000-memory.dmp

Filesize
1.2MB

Download
memory/1816-74-0x000007FEF6010000-0x000007FEF6143000-memory.dmp

Filesize
1.2MB

Download
memory/1816-73-0x0000000000110000-0x0000000000117000-memory.dmp

Filesize
28KB

Download
memory/1816-79-0x000007FEF6010000-0x000007FEF6143000-memory.dmp

Filesize
1.2MB

Download
memory/2688-61-0x000007FEF65A0000-0x000007FEF66D4000-memory.dmp

Filesize
1.2MB

Download
memory/2688-55-0x0000000000190000-0x0000000000197000-memory.dmp

Filesize
28KB

Download
memory/2688-56-0x000007FEF65A0000-0x000007FEF66D4000-memory.dmp

Filesize
1.2MB

Download
memory/2948-46-0x000007FEF6010000-0x000007FEF6142000-memory.dmp

Filesize
1.2MB

Download
memory/2948-2-0x000007FEF6010000-0x000007FEF6142000-memory.dmp

Filesize
1.2MB

Download
memory/2948-0-0x0000000000120000-0x0000000000127000-memory.dmp

Filesize
28KB

Download
memory/2988-96-0x000007FEF6010000-0x000007FEF6143000-memory.dmp

Filesize
1.2MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads