dridex | fb7040dce4fffb1394723ad25f6c9d088db9340cd2aed96b972f476693788f9a

General

Target

0e60f420fdf85dd1b7fbaea84e647693_JaffaCakes118.dll
Size

1.2MB
MD5

0e60f420fdf85dd1b7fbaea84e647693
SHA1

e8aabce04be2e42aaf0235e7ab5f2b354ea727bb
SHA256

fb7040dce4fffb1394723ad25f6c9d088db9340cd2aed96b972f476693788f9a
SHA512

505fca3bcc20f0a9c16e566cccb6a8d1ab1949d7f5f4dd10bbf019e99b119d57947245b6a3dfe779c63636b4dfceaaf83a49efa40f832d57515097e6fca3cb4c
SSDEEP

24576:SuYfg4LhHr4NFXKJO1aUiDBvZ2+ITHmpclO9N:69cKrUqZWLAcU

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/1212-5-0x0000000002B00000-0x0000000002B01000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

SndVol.exeMagnify.exeBitLockerWizardElev.exe

pid process

1984 SndVol.exe
1884 Magnify.exe
1136 BitLockerWizardElev.exe
Loads dropped DLL 7 IoCs

Processes:

SndVol.exeMagnify.exeBitLockerWizardElev.exe

pid process

1212
1984 SndVol.exe
1212
1884 Magnify.exe
1212
1136 BitLockerWizardElev.exe
1212

pid	process
1984	SndVol.exe
1884	Magnify.exe
1136	BitLockerWizardElev.exe

pid	process
1212
1984	SndVol.exe
1212
1884	Magnify.exe
1212
1136	BitLockerWizardElev.exe
1212

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\Uxhwu = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\INTERN~1\\QUICKL~1\\USERPI~1\\IMPLIC~1\\EVQRBS~1\\Magnify.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.exeSndVol.exeMagnify.exeBitLockerWizardElev.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SndVol.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Magnify.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	BitLockerWizardElev.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
2220	rundll32.exe
2220	rundll32.exe
2220	rundll32.exe
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

description pid process

Token: SeShutdownPrivilege 1212
Token: SeShutdownPrivilege 1212

description	pid	process
Token: SeShutdownPrivilege	1212
Token: SeShutdownPrivilege	1212

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

description	pid	target process
PID 1212 wrote to memory of 2004	1212	SndVol.exe
PID 1212 wrote to memory of 2004	1212	SndVol.exe
PID 1212 wrote to memory of 2004	1212	SndVol.exe
PID 1212 wrote to memory of 1984	1212	SndVol.exe
PID 1212 wrote to memory of 1984	1212	SndVol.exe
PID 1212 wrote to memory of 1984	1212	SndVol.exe
PID 1212 wrote to memory of 840	1212	Magnify.exe
PID 1212 wrote to memory of 840	1212	Magnify.exe
PID 1212 wrote to memory of 840	1212	Magnify.exe
PID 1212 wrote to memory of 1884	1212	Magnify.exe
PID 1212 wrote to memory of 1884	1212	Magnify.exe
PID 1212 wrote to memory of 1884	1212	Magnify.exe
PID 1212 wrote to memory of 2476	1212	BitLockerWizardElev.exe
PID 1212 wrote to memory of 2476	1212	BitLockerWizardElev.exe
PID 1212 wrote to memory of 2476	1212	BitLockerWizardElev.exe
PID 1212 wrote to memory of 1136	1212	BitLockerWizardElev.exe
PID 1212 wrote to memory of 1136	1212	BitLockerWizardElev.exe
PID 1212 wrote to memory of 1136	1212	BitLockerWizardElev.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\0e60f420fdf85dd1b7fbaea84e647693_JaffaCakes118.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:2220

C:\Windows\system32\SndVol.exe
C:\Windows\system32\SndVol.exe
1⤵
PID:2004

C:\Users\Admin\AppData\Local\NtKONO\SndVol.exe
C:\Users\Admin\AppData\Local\NtKONO\SndVol.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1984

C:\Windows\system32\Magnify.exe
C:\Windows\system32\Magnify.exe
1⤵
PID:840

C:\Users\Admin\AppData\Local\qu8Z\Magnify.exe
C:\Users\Admin\AppData\Local\qu8Z\Magnify.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1884

C:\Windows\system32\BitLockerWizardElev.exe
C:\Windows\system32\BitLockerWizardElev.exe
1⤵
PID:2476

C:\Users\Admin\AppData\Local\9yqTuaMZ\BitLockerWizardElev.exe
C:\Users\Admin\AppData\Local\9yqTuaMZ\BitLockerWizardElev.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1136

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\9yqTuaMZ\FVEWIZ.dll

Filesize
1.2MB

MD5
6d7bc39139f3a7244f783520618b7c8c

SHA1
a2457114a0f2ba2a1426467b95c68636282b3ba1

SHA256
7956303c3c5a1531a6ca2feeaaa06744a2263e8343c07b22db2be00aba3e3956

SHA512
df20ceddb6287c3e08b4daf2ceb415ed56695ca8c05f2afeb7f3900601d2bc4f3423528940c8132cc021e7ca998770f0fc390d15b314d1b4f4b6ea314cef9aaa

Download Submit
C:\Users\Admin\AppData\Local\NtKONO\SndVol.exe

Filesize
267KB

MD5
c3489639ec8e181044f6c6bfd3d01ac9

SHA1
e057c90b675a6da19596b0ac458c25d7440b7869

SHA256
a632ef1a1490d31d76f13997ee56f4f75796bf9e366c76446857e9ae855f4103

SHA512
63b96c8afb8c3f5f969459531d3a543f6e8714d5ca1664c6bbb01edd9f5e850856931d7923f363c9dc7d8843deeaad69722d15993641d04e786e02184446c0c9

Download Submit
C:\Users\Admin\AppData\Local\qu8Z\Magnify.exe

Filesize
637KB

MD5
233b45ddf77bd45e53872881cff1839b

SHA1
d4b8cafce4664bb339859a90a9dd1506f831756d

SHA256
adfd109ec03cd57e44dbd5fd1c4d8c47f8f58f887f690ba3c92f744b670fd75a

SHA512
6fb5f730633bfb2d063e6bc8cf37a7624bdcde2bd1d0c92b6b9a557484e7acf5d3a2be354808cade751f7ac5c5fe936e765f6494ef54b4fdb2725179f0d0fe39

Download Submit
C:\Users\Admin\AppData\Local\qu8Z\OLEACC.dll

Filesize
1.2MB

MD5
25b6e94ce7cfd7226046675dd81e9359

SHA1
074ba199645d5579ee424ba9237174b3e5321ce9

SHA256
8d16862aa47df83e8fb3a1d0753e962bba1378e386af686a85bf7db3b4b2cac4

SHA512
072a1ddfb855adbb7b72a83f701f0853699095f2faf384aafa233ae0cd997e4aaa304f960bff1c4c0af644fad6c8f6a89a928ebee9056977dad7823d92d44ff4

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Dgsmy.lnk

Filesize
1KB

MD5
44c479a408952380c8e8f938ab25e445

SHA1
f3ca729df5bfd33fee059b5b2ee5d7b877ba3d93

SHA256
02088ccf1d80d555920edee84f8a84454845fd15f318c76c0ad4269993ffcf92

SHA512
5551816ac4f04fd4b8ffb30a3cb582fb4e749069c61a314ce54b1bcffc8e0b36305ca6860e049b55931b523661c594e8fcb240e75c0b32d66ea9c6840805b932

Download Submit
\Users\Admin\AppData\Local\9yqTuaMZ\BitLockerWizardElev.exe

Filesize
98KB

MD5
73f13d791e36d3486743244f16875239

SHA1
ed5ec55dbc6b3bda505f0a4c699c257c90c02020

SHA256
2483d2f0ad481005cca081a86a07be9060bc6d4769c4570f92ad96fa325be9b8

SHA512
911a7b532312d50cc5e7f6a046d46ab5b322aa17ce59a40477173ea50f000a95db45f169f4ea3574e3e00ae4234b9f8363ac79329d683c14ebee1d423e6e43af

Download Submit
\Users\Admin\AppData\Local\NtKONO\dwmapi.dll

Filesize
1.2MB

MD5
0c3266ccab4a975c301e3aa56f8cbc26

SHA1
cfdd61819ba489c261b53af4e98bf9ea04c70843

SHA256
05e3ed2bf8034e587ee45b2732b32e8cbf8e4c14a832a85e9a091d521aabeed7

SHA512
d158d5f7214f327c68fff007c44472fc42d153ee3acb8efa20f5215fa78ec855769d580ce0d854a2a6ee58378163e5891efc78384674f7b611bbad0fd2cec73c

Download Submit
memory/1136-92-0x000007FEF7400000-0x000007FEF7535000-memory.dmp

Filesize
1.2MB

Download
memory/1136-86-0x0000000000170000-0x0000000000177000-memory.dmp

Filesize
28KB

Download
memory/1212-19-0x0000000140000000-0x0000000140134000-memory.dmp

Filesize
1.2MB

Download
memory/1212-27-0x0000000140000000-0x0000000140134000-memory.dmp

Filesize
1.2MB

Download
memory/1212-18-0x0000000140000000-0x0000000140134000-memory.dmp

Filesize
1.2MB

Download
memory/1212-17-0x0000000140000000-0x0000000140134000-memory.dmp

Filesize
1.2MB

Download
memory/1212-16-0x0000000140000000-0x0000000140134000-memory.dmp

Filesize
1.2MB

Download
memory/1212-14-0x0000000140000000-0x0000000140134000-memory.dmp

Filesize
1.2MB

Download
memory/1212-13-0x0000000140000000-0x0000000140134000-memory.dmp

Filesize
1.2MB

Download
memory/1212-12-0x0000000140000000-0x0000000140134000-memory.dmp

Filesize
1.2MB

Download
memory/1212-11-0x0000000140000000-0x0000000140134000-memory.dmp

Filesize
1.2MB

Download
memory/1212-10-0x0000000140000000-0x0000000140134000-memory.dmp

Filesize
1.2MB

Download
memory/1212-9-0x0000000140000000-0x0000000140134000-memory.dmp

Filesize
1.2MB

Download
memory/1212-15-0x0000000140000000-0x0000000140134000-memory.dmp

Filesize
1.2MB

Download
memory/1212-4-0x0000000077AE6000-0x0000000077AE7000-memory.dmp

Filesize
4KB

Download
memory/1212-37-0x0000000140000000-0x0000000140134000-memory.dmp

Filesize
1.2MB

Download
memory/1212-36-0x0000000140000000-0x0000000140134000-memory.dmp

Filesize
1.2MB

Download
memory/1212-5-0x0000000002B00000-0x0000000002B01000-memory.dmp

Filesize
4KB

Download
memory/1212-7-0x0000000140000000-0x0000000140134000-memory.dmp

Filesize
1.2MB

Download
memory/1212-8-0x0000000140000000-0x0000000140134000-memory.dmp

Filesize
1.2MB

Download
memory/1212-30-0x0000000077E80000-0x0000000077E82000-memory.dmp

Filesize
8KB

Download
memory/1212-28-0x0000000001C60000-0x0000000001C67000-memory.dmp

Filesize
28KB

Download
memory/1212-63-0x0000000077AE6000-0x0000000077AE7000-memory.dmp

Filesize
4KB

Download
memory/1212-29-0x0000000077CF1000-0x0000000077CF2000-memory.dmp

Filesize
4KB

Download
memory/1884-72-0x000007FEF7400000-0x000007FEF7535000-memory.dmp

Filesize
1.2MB

Download
memory/1884-71-0x0000000000190000-0x0000000000197000-memory.dmp

Filesize
28KB

Download
memory/1884-76-0x000007FEF7400000-0x000007FEF7535000-memory.dmp

Filesize
1.2MB

Download
memory/1984-54-0x000007FEFB930000-0x000007FEFBA65000-memory.dmp

Filesize
1.2MB

Download
memory/1984-57-0x000007FEFB930000-0x000007FEFBA65000-memory.dmp

Filesize
1.2MB

Download
memory/1984-52-0x0000000000080000-0x0000000000087000-memory.dmp

Filesize
28KB

Download
memory/2220-1-0x000007FEF7400000-0x000007FEF7534000-memory.dmp

Filesize
1.2MB

Download
memory/2220-33-0x000007FEF7400000-0x000007FEF7534000-memory.dmp

Filesize
1.2MB

Download
memory/2220-3-0x0000000000110000-0x0000000000117000-memory.dmp

Filesize
28KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads