j4r7zap

General
Target

j4r7zap.dll

Filesize

539KB

Completed

19-11-2020 13:37

Score
10 /10
MD5

19473a4823afb3ca1c966ffed1ee6003

SHA1

db853d8f738ee15172141315e96644bf6f265d6b

SHA256

7359fb03e09c8416c7a967f72df483a1b60066434c9e49e0deb4b18cb11e9192

Malware Config

Extracted

Family dridex
Botnet 10555
C2

162.241.44.26:9443

192.232.229.53:4443

77.220.64.34:443

193.90.12.121:3098
rc4.plain
rc4.plain
Signatures 6

Filter: none

Discovery
  • Dridex

    Description

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    Tags

  • Dridex Loader

    Description

    Detects Dridex both x86 and x64 loader in memory.

    Tags

    Reported IOCs

    resourceyara_rule
    behavioral1/memory/1632-1-0x0000000000430000-0x000000000046D000-memory.dmpdridex_ldr
  • Blocklisted process makes network request
    rundll32.exe

    Reported IOCs

    flowpidprocess
    31632rundll32.exe
    61632rundll32.exe
  • Checks installed software on the system

    Description

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    Tags

    TTPs

    Query Registry
  • Checks whether UAC is enabled
    rundll32.exe

    Tags

    TTPs

    System Information Discovery

    Reported IOCs

    descriptioniocprocess
    Key value queried\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUArundll32.exe
  • Suspicious use of WriteProcessMemory
    rundll32.exe

    Reported IOCs

    descriptionpidprocesstarget process
    PID 1068 wrote to memory of 16321068rundll32.exerundll32.exe
    PID 1068 wrote to memory of 16321068rundll32.exerundll32.exe
    PID 1068 wrote to memory of 16321068rundll32.exerundll32.exe
    PID 1068 wrote to memory of 16321068rundll32.exerundll32.exe
    PID 1068 wrote to memory of 16321068rundll32.exerundll32.exe
    PID 1068 wrote to memory of 16321068rundll32.exerundll32.exe
    PID 1068 wrote to memory of 16321068rundll32.exerundll32.exe
Processes 2
  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\j4r7zap.dll,#1
    Suspicious use of WriteProcessMemory
    PID:1068
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\j4r7zap.dll,#1
      Blocklisted process makes network request
      Checks whether UAC is enabled
      PID:1632
Network
MITRE ATT&CK Matrix
Collection
    Command and Control
      Credential Access
        Defense Evasion
          Discovery
          Execution
            Exfiltration
              Impact
                Initial Access
                  Lateral Movement
                    Persistence
                      Privilege Escalation
                        Replay Monitor
                        00:00 00:00
                        Downloads

                        • memory/1088-2-0x000007FEF7E60000-0x000007FEF80DA000-memory.dmp

                          Download

                        • memory/1632-0-0x0000000000000000-mapping.dmp

                          Download

                        • memory/1632-1-0x0000000000430000-0x000000000046D000-memory.dmp

                          Download