dridex | 3631cc84e20f358d76f8a064c3abdd999e603e800a109e4251339d822cef7977

General

Target

e4902f86c9b70ba6a7a9d2b4a586e71a_JaffaCakes118.dll
Size

1.7MB
MD5

e4902f86c9b70ba6a7a9d2b4a586e71a
SHA1

d36c67f2596745f9882347df0db1dff5ad9829aa
SHA256

3631cc84e20f358d76f8a064c3abdd999e603e800a109e4251339d822cef7977
SHA512

fe037047831eae3dc4f7e2b6dec7e3e248733cb683299ad6923cfad19914deb021d73aa30d61c93002cfbf589682f1996bd019b70e568f74fc0b3bd0d902133c
SSDEEP

12288:dVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:EfP7fWsK5z9A+WGAW+V5SB6Ct4bnb

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral2/memory/3352-5-0x0000000007E00000-0x0000000007E01000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

Magnify.exeCloudNotifications.exeDWWIN.EXE

pid process

4760 Magnify.exe
1384 CloudNotifications.exe
1048 DWWIN.EXE
Loads dropped DLL 3 IoCs

Processes:

Magnify.exeCloudNotifications.exeDWWIN.EXE

pid process

4760 Magnify.exe
1384 CloudNotifications.exe
1048 DWWIN.EXE

pid	process
4760	Magnify.exe
1384	CloudNotifications.exe
1048	DWWIN.EXE

pid	process
4760	Magnify.exe
1384	CloudNotifications.exe
1048	DWWIN.EXE

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Ymojgrwdyxau = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\U9CgEpityP\\CloudNotifications.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

CloudNotifications.exeDWWIN.EXErundll32.exeMagnify.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	CloudNotifications.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	DWWIN.EXE
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Magnify.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
628	rundll32.exe
628	rundll32.exe
628	rundll32.exe
628	rundll32.exe
3352
3352
3352
3352
3352
3352
3352
3352
3352
3352
3352
3352
3352
3352
3352
3352
3352
3352
3352
3352
3352
3352
3352
3352
3352
3352
3352
3352
3352
3352
3352
3352
3352
3352
3352
3352
3352
3352
3352
3352
3352
3352
3352
3352
3352
3352
3352
3352
3352
3352
3352
3352
3352
3352
3352
3352
3352
3352
3352
3352

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

description	pid	process
Token: SeShutdownPrivilege	3352
Token: SeCreatePagefilePrivilege	3352
Token: SeShutdownPrivilege	3352
Token: SeCreatePagefilePrivilege	3352

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

pid process

3352
3352
Suspicious use of UnmapMainImage 1 IoCs

Processes:

pid process

3352

pid	process
3352
3352

pid	process
3352

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

description	pid	target process
PID 3352 wrote to memory of 4040	3352	Magnify.exe
PID 3352 wrote to memory of 4040	3352	Magnify.exe
PID 3352 wrote to memory of 4760	3352	Magnify.exe
PID 3352 wrote to memory of 4760	3352	Magnify.exe
PID 3352 wrote to memory of 1588	3352	CloudNotifications.exe
PID 3352 wrote to memory of 1588	3352	CloudNotifications.exe
PID 3352 wrote to memory of 1384	3352	CloudNotifications.exe
PID 3352 wrote to memory of 1384	3352	CloudNotifications.exe
PID 3352 wrote to memory of 4736	3352	DWWIN.EXE
PID 3352 wrote to memory of 4736	3352	DWWIN.EXE
PID 3352 wrote to memory of 1048	3352	DWWIN.EXE
PID 3352 wrote to memory of 1048	3352	DWWIN.EXE

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\e4902f86c9b70ba6a7a9d2b4a586e71a_JaffaCakes118.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:628

C:\Windows\system32\Magnify.exe
C:\Windows\system32\Magnify.exe
1⤵
PID:4040

C:\Users\Admin\AppData\Local\U9q\Magnify.exe
C:\Users\Admin\AppData\Local\U9q\Magnify.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:4760

C:\Windows\system32\CloudNotifications.exe
C:\Windows\system32\CloudNotifications.exe
1⤵
PID:1588

C:\Users\Admin\AppData\Local\02QG\CloudNotifications.exe
C:\Users\Admin\AppData\Local\02QG\CloudNotifications.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1384

C:\Windows\system32\DWWIN.EXE
C:\Windows\system32\DWWIN.EXE
1⤵
PID:4736

C:\Users\Admin\AppData\Local\LOHr\DWWIN.EXE
C:\Users\Admin\AppData\Local\LOHr\DWWIN.EXE
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1048

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Query Registry

1

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\02QG\CloudNotifications.exe
Filesize
59KB

MD5
b50dca49bc77046b6f480db6444c3d06

SHA1
cc9b38240b0335b1763badcceac37aa9ce547f9e

SHA256
96e7e1a3f0f4f6fc6bda3527ab8a739d6dfcab8e534aa7a02b023daebb3c0775

SHA512
2a0504ca336e86b92b2f5eff1c458ebd9df36c496331a7247ef0bb8b82eabd86ade7559ddb47ca4169e8365a97e80e5f1d3c1fc330364dea2450608bd692b1d3

Download Submit
C:\Users\Admin\AppData\Local\02QG\UxTheme.dll
Filesize
1.7MB

MD5
ac5fbb15cc2ca03558e2254bb1753bdf

SHA1
9432066a1002e2f9a53a5eb464b5146b35599b48

SHA256
8ee5df8ae95dbd5e92ffc31efb77d603cae335b894ad2eec3283fe7a7a1e0898

SHA512
78f9e3e36d9c1cc3f7ad7f539f851c016a6e6926d11bfe408eb3e71d9d60938eb3a510f40b8439243c1d870dc4b2ecbcde0e8171ab2d555231be30d40805429c

Download Submit
C:\Users\Admin\AppData\Local\LOHr\DWWIN.EXE
Filesize
229KB

MD5
444cc4d3422a0fdd45c1b78070026c60

SHA1
97162ff341fff1ec54b827ec02f8b86fd2d41a97

SHA256
4b3f620272e709ce3e01ae5b19ef0300bd476f2da6412637f703bbaded2821f0

SHA512
21742d330a6a5763ea41a8fed4d71b98e4a1b4c685675c4cfeb7253033c3a208c23902caf0efdf470a85e0770cb8fac8af0eb6d3a8511445b0570054b42d5553

Download Submit
C:\Users\Admin\AppData\Local\LOHr\wer.dll
Filesize
1.7MB

MD5
6937928319798b6eed9b712baac6558b

SHA1
70e67be28b637fce7b5e5a2e01aa59861861c991

SHA256
cff3d22bf832fd7d8f375c2bcf584b4189f0da77ef2181c85c682b78ffdf828e

SHA512
8531053330104dfec209adf587360fb0bfead3b3de36f4af3812c87ec5c159c8b56bdf534f885d1bd1cdef6c419dd1fbaf62629f98800d31b9fd2370532307e8

Download Submit
C:\Users\Admin\AppData\Local\U9q\MAGNIFICATION.dll
Filesize
1.7MB

MD5
7c8dac3424eb7b093a05359ea728413f

SHA1
5b4793b19dfff298dea49251290c6d9dc7054b04

SHA256
642b7a4e92d7fc2aa16374ce511913e7674634ffef66ea054283fe2b133ef199

SHA512
1ce1c1170079145b0aad7006cd1ea487dcd70a3d7849bf85caa02d988e6a744a4c2f7a6bbfcb9bcd2830ea46ca4ff018e4450f65a54282c56bf7b46b20d0676d

Download Submit
C:\Users\Admin\AppData\Local\U9q\Magnify.exe
Filesize
639KB

MD5
4029890c147e3b4c6f41dfb5f9834d42

SHA1
10d08b3f6dabe8171ca2dd52e5737e3402951c75

SHA256
57137f784594793dc0669042ccd3a71ddbfedeb77da6d97173d82613e08add4d

SHA512
dbdc60f8692f13c23dbed0b76e9c6758a5b413bd6aaf4e4d0ba74e69c0871eb759da95c3f85a31d972388b545dcf3bb8abbcbedd29a1e7e48c065130b98b893d

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Bgoltaavvu.lnk
Filesize
1KB

MD5
a5574f4e6e80e8ddd08408d871c70581

SHA1
19f6d24e6bfe852217cf3c19f5c9d2bb9d99a9b3

SHA256
7ab529e74561990d4e6f0d483fcb9ee371874910d97f665f614d742a62710e81

SHA512
e574b29f746b6df69da0ad5babd4674dbd1cab8c721735c146c5f8d6695fad1d84b9abde06f16f2236341d2c8a6fd78eea862649940a3a0e76ab73489fab9099

Download Submit
memory/628-1-0x0000000140000000-0x00000001401AD000-memory.dmp

Filesize
1.7MB

Download
memory/628-3-0x000001EFA3900000-0x000001EFA3907000-memory.dmp

Filesize
28KB

Download
memory/628-9-0x0000000140000000-0x00000001401AD000-memory.dmp

Filesize
1.7MB

Download
memory/628-0-0x0000000140000000-0x00000001401AD000-memory.dmp

Filesize
1.7MB

Download
memory/1048-111-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/1048-110-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/1048-113-0x000001751A980000-0x000001751A987000-memory.dmp

Filesize
28KB

Download
memory/1048-118-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/1384-94-0x0000020124600000-0x0000020124607000-memory.dmp

Filesize
28KB

Download
memory/1384-92-0x0000000140000000-0x00000001401AE000-memory.dmp

Filesize
1.7MB

Download
memory/1384-99-0x0000000140000000-0x00000001401AE000-memory.dmp

Filesize
1.7MB

Download
memory/3352-19-0x0000000140000000-0x00000001401AD000-memory.dmp

Filesize
1.7MB

Download
memory/3352-44-0x0000000140000000-0x00000001401AD000-memory.dmp

Filesize
1.7MB

Download
memory/3352-23-0x0000000140000000-0x00000001401AD000-memory.dmp

Filesize
1.7MB

Download
memory/3352-24-0x0000000140000000-0x00000001401AD000-memory.dmp

Filesize
1.7MB

Download
memory/3352-25-0x0000000140000000-0x00000001401AD000-memory.dmp

Filesize
1.7MB

Download
memory/3352-26-0x0000000140000000-0x00000001401AD000-memory.dmp

Filesize
1.7MB

Download
memory/3352-28-0x0000000140000000-0x00000001401AD000-memory.dmp

Filesize
1.7MB

Download
memory/3352-29-0x0000000140000000-0x00000001401AD000-memory.dmp

Filesize
1.7MB

Download
memory/3352-27-0x0000000140000000-0x00000001401AD000-memory.dmp

Filesize
1.7MB

Download
memory/3352-31-0x0000000140000000-0x00000001401AD000-memory.dmp

Filesize
1.7MB

Download
memory/3352-32-0x0000000140000000-0x00000001401AD000-memory.dmp

Filesize
1.7MB

Download
memory/3352-33-0x0000000140000000-0x00000001401AD000-memory.dmp

Filesize
1.7MB

Download
memory/3352-30-0x0000000140000000-0x00000001401AD000-memory.dmp

Filesize
1.7MB

Download
memory/3352-34-0x0000000140000000-0x00000001401AD000-memory.dmp

Filesize
1.7MB

Download
memory/3352-35-0x0000000140000000-0x00000001401AD000-memory.dmp

Filesize
1.7MB

Download
memory/3352-37-0x0000000140000000-0x00000001401AD000-memory.dmp

Filesize
1.7MB

Download
memory/3352-36-0x0000000140000000-0x00000001401AD000-memory.dmp

Filesize
1.7MB

Download
memory/3352-38-0x0000000140000000-0x00000001401AD000-memory.dmp

Filesize
1.7MB

Download
memory/3352-41-0x0000000140000000-0x00000001401AD000-memory.dmp

Filesize
1.7MB

Download
memory/3352-39-0x0000000140000000-0x00000001401AD000-memory.dmp

Filesize
1.7MB

Download
memory/3352-40-0x0000000140000000-0x00000001401AD000-memory.dmp

Filesize
1.7MB

Download
memory/3352-42-0x0000000140000000-0x00000001401AD000-memory.dmp

Filesize
1.7MB

Download
memory/3352-43-0x0000000140000000-0x00000001401AD000-memory.dmp

Filesize
1.7MB

Download
memory/3352-21-0x0000000140000000-0x00000001401AD000-memory.dmp

Filesize
1.7MB

Download
memory/3352-45-0x0000000140000000-0x00000001401AD000-memory.dmp

Filesize
1.7MB

Download
memory/3352-47-0x00000000027D0000-0x00000000027D7000-memory.dmp

Filesize
28KB

Download
memory/3352-53-0x0000000140000000-0x00000001401AD000-memory.dmp

Filesize
1.7MB

Download
memory/3352-57-0x00007FFB53BA0000-0x00007FFB53BB0000-memory.dmp

Filesize
64KB

Download
memory/3352-63-0x0000000140000000-0x00000001401AD000-memory.dmp

Filesize
1.7MB

Download
memory/3352-65-0x0000000140000000-0x00000001401AD000-memory.dmp

Filesize
1.7MB

Download
memory/3352-20-0x0000000140000000-0x00000001401AD000-memory.dmp

Filesize
1.7MB

Download
memory/3352-22-0x0000000140000000-0x00000001401AD000-memory.dmp

Filesize
1.7MB

Download
memory/3352-6-0x00007FFB51C5A000-0x00007FFB51C5B000-memory.dmp

Filesize
4KB

Download
memory/3352-5-0x0000000007E00000-0x0000000007E01000-memory.dmp

Filesize
4KB

Download
memory/3352-8-0x0000000140000000-0x00000001401AD000-memory.dmp

Filesize
1.7MB

Download
memory/3352-10-0x0000000140000000-0x00000001401AD000-memory.dmp

Filesize
1.7MB

Download
memory/3352-16-0x0000000140000000-0x00000001401AD000-memory.dmp

Filesize
1.7MB

Download
memory/3352-18-0x0000000140000000-0x00000001401AD000-memory.dmp

Filesize
1.7MB

Download
memory/3352-17-0x0000000140000000-0x00000001401AD000-memory.dmp

Filesize
1.7MB

Download
memory/3352-15-0x0000000140000000-0x00000001401AD000-memory.dmp

Filesize
1.7MB

Download
memory/3352-14-0x0000000140000000-0x00000001401AD000-memory.dmp

Filesize
1.7MB

Download
memory/3352-13-0x0000000140000000-0x00000001401AD000-memory.dmp

Filesize
1.7MB

Download
memory/3352-12-0x0000000140000000-0x00000001401AD000-memory.dmp

Filesize
1.7MB

Download
memory/3352-11-0x0000000140000000-0x00000001401AD000-memory.dmp

Filesize
1.7MB

Download
memory/4760-81-0x0000000140000000-0x00000001401AE000-memory.dmp

Filesize
1.7MB

Download
memory/4760-74-0x0000000140000000-0x00000001401AE000-memory.dmp

Filesize
1.7MB

Download
memory/4760-75-0x0000000140000000-0x00000001401AE000-memory.dmp

Filesize
1.7MB

Download
memory/4760-76-0x000002E58FAA0000-0x000002E58FAA7000-memory.dmp

Filesize
28KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads