dridex | 745a55baf57dd1b7ce9c758087660f6d408b6cf9471df4c7e823f5f622097394

General

Target

fd57127a9d03362b266131627024567f_JaffaCakes118.dll
Size

1.7MB
MD5

fd57127a9d03362b266131627024567f
SHA1

8fd4756ed988115415e16ddd1813f1d6a7127efb
SHA256

745a55baf57dd1b7ce9c758087660f6d408b6cf9471df4c7e823f5f622097394
SHA512

7da2e4c387bb16ee026e20db9954b138090e501cf15247bb404b8b6cae781f0980cfcff817cbe0f8a059af05adf22d01cf0ad9557f7ccbbf0ada9b7a3af0447a
SSDEEP

12288:PVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:mfP7fWsK5z9A+WGAW+V5SB6Ct4bnb

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/1204-5-0x00000000024F0000-0x00000000024F1000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

PresentationSettings.exeNetplwiz.exeSystemPropertiesComputerName.exe

pid process

2128 PresentationSettings.exe
2580 Netplwiz.exe
1912 SystemPropertiesComputerName.exe
Loads dropped DLL 7 IoCs

Processes:

PresentationSettings.exeNetplwiz.exeSystemPropertiesComputerName.exe

pid process

1204
2128 PresentationSettings.exe
1204
2580 Netplwiz.exe
1204
1912 SystemPropertiesComputerName.exe
1204

pid	process
2128	PresentationSettings.exe
2580	Netplwiz.exe
1912	SystemPropertiesComputerName.exe

pid	process
1204
2128	PresentationSettings.exe
1204
2580	Netplwiz.exe
1204
1912	SystemPropertiesComputerName.exe
1204

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\Ybhspkdtbke = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\Acrobat\\9.0\\Collab\\ppK\\Netplwiz.exe"

Checks whether UAC is enabled 1 TTPs 3 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

SystemPropertiesComputerName.exePresentationSettings.exeNetplwiz.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SystemPropertiesComputerName.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	PresentationSettings.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Netplwiz.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

regsvr32.exe

pid	process
2240	regsvr32.exe
2240	regsvr32.exe
2240	regsvr32.exe
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

description	pid	target process
PID 1204 wrote to memory of 2436	1204	PresentationSettings.exe
PID 1204 wrote to memory of 2436	1204	PresentationSettings.exe
PID 1204 wrote to memory of 2436	1204	PresentationSettings.exe
PID 1204 wrote to memory of 2128	1204	PresentationSettings.exe
PID 1204 wrote to memory of 2128	1204	PresentationSettings.exe
PID 1204 wrote to memory of 2128	1204	PresentationSettings.exe
PID 1204 wrote to memory of 2548	1204	Netplwiz.exe
PID 1204 wrote to memory of 2548	1204	Netplwiz.exe
PID 1204 wrote to memory of 2548	1204	Netplwiz.exe
PID 1204 wrote to memory of 2580	1204	Netplwiz.exe
PID 1204 wrote to memory of 2580	1204	Netplwiz.exe
PID 1204 wrote to memory of 2580	1204	Netplwiz.exe
PID 1204 wrote to memory of 1456	1204	SystemPropertiesComputerName.exe
PID 1204 wrote to memory of 1456	1204	SystemPropertiesComputerName.exe
PID 1204 wrote to memory of 1456	1204	SystemPropertiesComputerName.exe
PID 1204 wrote to memory of 1912	1204	SystemPropertiesComputerName.exe
PID 1204 wrote to memory of 1912	1204	SystemPropertiesComputerName.exe
PID 1204 wrote to memory of 1912	1204	SystemPropertiesComputerName.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\fd57127a9d03362b266131627024567f_JaffaCakes118.dll
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:2240

C:\Windows\system32\PresentationSettings.exe
C:\Windows\system32\PresentationSettings.exe
1⤵
PID:2436

C:\Users\Admin\AppData\Local\0mO\PresentationSettings.exe
C:\Users\Admin\AppData\Local\0mO\PresentationSettings.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2128

C:\Windows\system32\Netplwiz.exe
C:\Windows\system32\Netplwiz.exe
1⤵
PID:2548

C:\Users\Admin\AppData\Local\vdEA\Netplwiz.exe
C:\Users\Admin\AppData\Local\vdEA\Netplwiz.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2580

C:\Windows\system32\SystemPropertiesComputerName.exe
C:\Windows\system32\SystemPropertiesComputerName.exe
1⤵
PID:1456

C:\Users\Admin\AppData\Local\DGk\SystemPropertiesComputerName.exe
C:\Users\Admin\AppData\Local\DGk\SystemPropertiesComputerName.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1912

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\0mO\PresentationSettings.exe
Filesize
172KB

MD5
a6f8d318f6041334889481b472000081

SHA1
b8cf08ec17b30c8811f2514246fcdff62731dd58

SHA256
208b94fd66a6ce266c3195f87029a41a0622fff47f2a5112552cb087adbb1258

SHA512
60f70fa8a19e6ea6f08f4907dd7fede3665ad3f2e013d49f6649442ea5871a967b9a53ec4d3328a06cb83b69be1b7af1bb14bf122b568bd1f8432ee1d0bfee69

Download Submit
C:\Users\Admin\AppData\Local\DGk\SYSDM.CPL
Filesize
1.7MB

MD5
4cd6c507f47dec1f10cb758ef0e751e2

SHA1
cd169bb05d872ea15087c48bd523d5bbe6428b4c

SHA256
52b573dc248416e57db0b54908fbbf81f14ee191913bc801f36119cd607dc73b

SHA512
8f54e72e83abd7535dc397ec2e43833ec9071ce0995fa98fd1f6faa3690ef9e55d5a8730edc5d7918aafd59095e636dea346e8b5591d1c2337dc99e37c2caa74

Download Submit
C:\Users\Admin\AppData\Local\vdEA\NETPLWIZ.dll
Filesize
1.7MB

MD5
86a5ea71e69dfbda03c4aafc14bf9497

SHA1
894898a321706b1e809819fb5db122b63559563b

SHA256
b3ef2d82d9dfaca0fa3ffbba1383eb551ad4c1cf5f448d3c32c641b167b5b296

SHA512
b505224fddd8be55e9189bb5cc9b87c550738348ab9a7353ab0443090868c370120e32a0c78d7991d4ac6b4cc60d7004df9ba4f64ade152d152335baba832d4e

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Tkjddllshxzvy.lnk
Filesize
1KB

MD5
9811f35b609d3f17952b455a06451ae5

SHA1
ae13dad2998728084671fd4248774a6e7efb6bda

SHA256
4a602c766e2ce41a8e60b738b87194a56f1ef2f2bf561082bb04352e3b324664

SHA512
3a4a2976e20b8aed6e94a874aab34babd57d95dbda743175111c2ffdbe47a86dcbb11a062402d8c5aa4227fdb36faee2c15a2d4b335837a87cf4c346dc51e7d1

Download Submit
\Users\Admin\AppData\Local\0mO\WINMM.dll
Filesize
1.7MB

MD5
475f3fe520fd3e91c42bc4532af32ea3

SHA1
c18bce7941054f6b511623c61dbec83d9b3745ef

SHA256
76947575fc215dcfd0e35672a6f7e7c9002f109d01fbccc5540ee55c045c973e

SHA512
0f40ed76602602837ce80df38fc47890ed1a2f73d504636c818acd98d4b669b20e2aa77b9608f675b2475587a9a88dc287eaace3e24c14fe69b25e4a2015f1d8

Download Submit
\Users\Admin\AppData\Local\DGk\SystemPropertiesComputerName.exe
Filesize
80KB

MD5
bd889683916aa93e84e1a75802918acf

SHA1
5ee66571359178613a4256a7470c2c3e6dd93cfa

SHA256
0e22894595891a9ff9706e03b3db31a751541c4a773f82420fce57237d6c47cf

SHA512
9d76de848b319f44657fb7fbe5a3b927774ae999362ff811a199002ffa77ad9e1638a65a271388e605ab5e5a7cb6ce5aa7fcabc3ed583ade00eaa4c265552026

Download Submit
\Users\Admin\AppData\Local\vdEA\Netplwiz.exe
Filesize
26KB

MD5
e43ec3c800d4c0716613392e81fba1d9

SHA1
37de6a235e978ecf3bb0fc2c864016c5b0134348

SHA256
636606415a85a16a7e6c5c8fcbdf35494991bce1c37dfc19c75ecb7ce12dc65c

SHA512
176c6d8b87bc5a9ca06698e2542ff34d474bcbbf21278390127981366eda89769bd9dd712f3b34f4dd8332a0b40ee0e609276400f16b51999471c8ff24522a08

Download Submit
memory/1204-25-0x0000000140000000-0x00000001401A9000-memory.dmp

Filesize
1.7MB

Download
memory/1204-31-0x0000000002500000-0x0000000002507000-memory.dmp

Filesize
28KB

Download
memory/1204-10-0x0000000140000000-0x00000001401A9000-memory.dmp

Filesize
1.7MB

Download
memory/1204-9-0x0000000140000000-0x00000001401A9000-memory.dmp

Filesize
1.7MB

Download
memory/1204-128-0x0000000077286000-0x0000000077287000-memory.dmp

Filesize
4KB

Download
memory/1204-7-0x0000000140000000-0x00000001401A9000-memory.dmp

Filesize
1.7MB

Download
memory/1204-18-0x0000000140000000-0x00000001401A9000-memory.dmp

Filesize
1.7MB

Download
memory/1204-17-0x0000000140000000-0x00000001401A9000-memory.dmp

Filesize
1.7MB

Download
memory/1204-16-0x0000000140000000-0x00000001401A9000-memory.dmp

Filesize
1.7MB

Download
memory/1204-21-0x0000000140000000-0x00000001401A9000-memory.dmp

Filesize
1.7MB

Download
memory/1204-20-0x0000000140000000-0x00000001401A9000-memory.dmp

Filesize
1.7MB

Download
memory/1204-19-0x0000000140000000-0x00000001401A9000-memory.dmp

Filesize
1.7MB

Download
memory/1204-23-0x0000000140000000-0x00000001401A9000-memory.dmp

Filesize
1.7MB

Download
memory/1204-22-0x0000000140000000-0x00000001401A9000-memory.dmp

Filesize
1.7MB

Download
memory/1204-28-0x0000000140000000-0x00000001401A9000-memory.dmp

Filesize
1.7MB

Download
memory/1204-27-0x0000000140000000-0x00000001401A9000-memory.dmp

Filesize
1.7MB

Download
memory/1204-26-0x0000000140000000-0x00000001401A9000-memory.dmp

Filesize
1.7MB

Download
memory/1204-4-0x0000000077286000-0x0000000077287000-memory.dmp

Filesize
4KB

Download
memory/1204-24-0x0000000140000000-0x00000001401A9000-memory.dmp

Filesize
1.7MB

Download
memory/1204-29-0x0000000140000000-0x00000001401A9000-memory.dmp

Filesize
1.7MB

Download
memory/1204-30-0x0000000140000000-0x00000001401A9000-memory.dmp

Filesize
1.7MB

Download
memory/1204-11-0x0000000140000000-0x00000001401A9000-memory.dmp

Filesize
1.7MB

Download
memory/1204-38-0x0000000140000000-0x00000001401A9000-memory.dmp

Filesize
1.7MB

Download
memory/1204-40-0x00000000774F0000-0x00000000774F2000-memory.dmp

Filesize
8KB

Download
memory/1204-39-0x0000000077391000-0x0000000077392000-memory.dmp

Filesize
4KB

Download
memory/1204-49-0x0000000140000000-0x00000001401A9000-memory.dmp

Filesize
1.7MB

Download
memory/1204-55-0x0000000140000000-0x00000001401A9000-memory.dmp

Filesize
1.7MB

Download
memory/1204-12-0x0000000140000000-0x00000001401A9000-memory.dmp

Filesize
1.7MB

Download
memory/1204-13-0x0000000140000000-0x00000001401A9000-memory.dmp

Filesize
1.7MB

Download
memory/1204-5-0x00000000024F0000-0x00000000024F1000-memory.dmp

Filesize
4KB

Download
memory/1204-15-0x0000000140000000-0x00000001401A9000-memory.dmp

Filesize
1.7MB

Download
memory/1204-14-0x0000000140000000-0x00000001401A9000-memory.dmp

Filesize
1.7MB

Download
memory/1912-104-0x0000000000420000-0x0000000000427000-memory.dmp

Filesize
28KB

Download
memory/1912-109-0x0000000140000000-0x00000001401AA000-memory.dmp

Filesize
1.7MB

Download
memory/2128-73-0x0000000140000000-0x00000001401AB000-memory.dmp

Filesize
1.7MB

Download
memory/2128-69-0x00000000001A0000-0x00000000001A7000-memory.dmp

Filesize
28KB

Download
memory/2128-67-0x0000000140000000-0x00000001401AB000-memory.dmp

Filesize
1.7MB

Download
memory/2240-1-0x0000000140000000-0x00000001401A9000-memory.dmp

Filesize
1.7MB

Download
memory/2240-0-0x0000000000140000-0x0000000000147000-memory.dmp

Filesize
28KB

Download
memory/2240-8-0x0000000140000000-0x00000001401A9000-memory.dmp

Filesize
1.7MB

Download
memory/2580-85-0x0000000140000000-0x00000001401AA000-memory.dmp

Filesize
1.7MB

Download
memory/2580-88-0x0000000000100000-0x0000000000107000-memory.dmp

Filesize
28KB

Download
memory/2580-91-0x0000000140000000-0x00000001401AA000-memory.dmp

Filesize
1.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads