General

  • Target

    Jeqon Original.bat.zip

  • Size

    7KB

  • Sample

    201211-ymjx35b2kn

  • MD5

    27a38674463492be7f0bd6c5d0c9ae56

  • SHA1

    e7527c0b7ea8a939ab9daa39015c5dd957adb04c

  • SHA256

    39941719b8830c9f6f023a105c994b10bd2063c0df4504b01ced0a9d2050256b

  • SHA512

    9b46a24d35aa2e38298cce9f360d8868a195ca9880ff0003feabb112e573900e4c237710406894ae60c64f007319decf3a6a7a5a99c33aca59a7e5665d6e629a

Malware Config

  • Extracted

      • Language
        ps1

      • Deobfuscated

      • URLs (exe.dropper)
        https://findqualityparts.com/kr44dt.zip
        https://saelectronicstrading.com/dekkp2ciq.zip
        http://loftkultur.binkhalidinternational.com/hh7lww450.zip
        http://excursoesdeinhamais.resultaweb.com.br/edyk3dbr.zip
        http://vibeautospa.com/xm9d9i.zip
        https://greeninvestconsulting.com/c51qtl1uf.zip
        https://owl-squad.com/icg2mmdqx.zip

  • Extracted

      • Language
        ps1

      • Deobfuscated

      • URLs (exe.dropper)
        https://cutt.ly/phEd17l

  • Extracted

      • Language
        ps1

      • Deobfuscated

      • URLs (exe.dropper)
        http://185.189.58.222/bamm.exe

  • Extracted

      • Family
        dridex

      • Botnet
        10555

      • C2
        104.131.164.93:443
        46.101.90.205:4643
        27.254.174.84:4443
        92.94.251.127:3786

      • rc4.plain

      • rc4.plain

Targets

    • Target

      Jeqon Original.bat

    • Size

      22KB

    • MD5

      f57f31e108400b750a51bcf9558224b3

    • SHA1

      89c501e3682a9a67c0a4c10bd7bb3ab5c1bbe6c1

    • SHA256

      fb4eaf0f3a0829e333be1d7cff359ef895bf3926b835302e32827e2a7ef8d2ef

    • SHA512

      c442f8278a090cfe1271c84ae6d47d3beea4c3fdc84eac30bcb6ee8052f51e95afb8c715b0c6c255556f2c1a67e436adb50bfcb67ad52115affa5394203a3fd7

    • Dridex

      Dridex (also known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    • Modifies system executable filetype association

    • UAC bypass

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Dridex Loader

      Detects both the x86 and x64 Dridex loader in memory.

    • Modifies boot configuration data using bcdedit

    • Blocklisted process makes network request

    • Disables Task Manager via registry modification

    • Stops running service(s)

    • Loads dropped DLL

    • Modifies file permissions

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Use of msiexec (install) with remote resource

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Checks whether UAC is enabled

MITRE ATT&CK Matrix ATT&CK v6

  • Execution

      • Scheduled Task (1) T1053

  • Persistence

      • Change Default File Association (1) T1042

      • Modify Existing Service (1) T1031

      • Registry Run Keys / Startup Folder (1) T1060

      • Scheduled Task (1) T1053

  • Privilege Escalation

      • Bypass User Account Control (1) T1088

      • Scheduled Task (1) T1053

  • Defense Evasion

      • Modify Registry (5) T1112

      • Bypass User Account Control (1) T1088

      • Disabling Security Tools (2) T1089

      • File Deletion (2) T1107

      • File Permissions Modification (1) T1222

  • Credential Access

      • Credentials in Files (1) T1081

  • Discovery

      • Query Registry (1) T1012

      • System Information Discovery (1) T1082

  • Collection

      • Data from Local System (1) T1005

  • Impact

      • Inhibit System Recovery (3) T1490

      • Service Stop (1) T1489

Tasks