dridex | 7ba8fd7fe1279dd20b2b62168cdc5436acb2b61c6725f57dd79d583206b7751b

General

Target

cc3b7266c278d42cf82847332198b2ef_JaffaCakes118.vbs
Size

1.4MB
MD5

cc3b7266c278d42cf82847332198b2ef
SHA1

99fd697283f56cef6ace5f851f0c9b631ae13906
SHA256

7ba8fd7fe1279dd20b2b62168cdc5436acb2b61c6725f57dd79d583206b7751b
SHA512

c9dd0b22e95d982c7f36e398038cbcf732cc6d65b65d7210407e9f05a97758908f99693eeb19391613fe9c3869b35375764b747bd5ac9500a0b805c61396b75a
SSDEEP

24576:xQGaLTG43lNgtOtBjeDYtJqVIjtkbiNKydy7Ducn3YQdfzbgS8JtjdsJxQ7lxO6N:I

Score

10^/10

dridex botnet discovery loader

Malware Config

Extracted

Family

dridex

C2

176.126.243.82:443

167.114.122.37:691

66.34.201.20:8443

46.105.111.191:691

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2972	1980	rundll32.exe	30

Dridex Loader 3 IoCs

Detects Dridex both x86 and x64 loader in memory.

botnet loader

resource	yara_rule
behavioral1/memory/2084-29-0x0000000002120000-0x0000000002A83000-memory.dmp	dridex_ldr
behavioral1/memory/2084-27-0x0000000002120000-0x0000000002A83000-memory.dmp	dridex_ldr
behavioral1/memory/2084-30-0x0000000002120000-0x0000000002A83000-memory.dmp	dridex_ldr

Loads dropped DLL 1 IoCs

pid	Process
2084	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2896	WScript.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2972 wrote to memory of 2084	2972	rundll32.exe	32
PID 2972 wrote to memory of 2084	2972	rundll32.exe	32
PID 2972 wrote to memory of 2084	2972	rundll32.exe	32
PID 2972 wrote to memory of 2084	2972	rundll32.exe	32
PID 2972 wrote to memory of 2084	2972	rundll32.exe	32
PID 2972 wrote to memory of 2084	2972	rundll32.exe	32
PID 2972 wrote to memory of 2084	2972	rundll32.exe	32

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cc3b7266c278d42cf82847332198b2ef_JaffaCakes118.vbs"
1⤵
- Suspicious use of FindShellTrayWindow
PID:2896

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\xEGLTqDYlgDVu.txt, FontCache
1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:2972
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\xEGLTqDYlgDVu.txt, FontCache
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2084

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\WNFUFG~1.ZIP

Filesize
210KB

MD5
d9a5144cc0aec565c701c75e42c0d955

SHA1
31e1c56b716f8c1147cec7ae2e61cad5a132ed34

SHA256
0829e0a1e2afe2b4a9ed7c191ff47e5b75f84642271c3e084efb0c008ec09934

SHA512
e60aef097d2d997356905c41d31153d45390405ac9954521a2b4c467bc17018af55c3feb295df5465c7309102533b4b1806e8eac9fcdaa574b8a8aa6e313bded

Download Submit
C:\Users\Admin\AppData\Local\Temp\xEGLTqDYlgDVu.txt

Filesize
364KB

MD5
971599aea536c511a27cc5b34216cc47

SHA1
14fadefb9927148a490dbc4782f45471e4e80f78

SHA256
9964db67176dea39fae2922636a42d8b246d6f5f8b900ec8811589baec74ff04

SHA512
4430b3acb90b5e540930c18a799f46282f1f5dafbda7a0cb909bfd9aaa332cfd7e1609c00e22e3c080e762ce923de7beb54fd3433a49ae5fd2c289515571d719

Download Submit
memory/2084-25-0x0000000002120000-0x0000000002A83000-memory.dmp

Filesize
9.4MB

Download
memory/2084-26-0x0000000002120000-0x0000000002A83000-memory.dmp

Filesize
9.4MB

Download
memory/2084-29-0x0000000002120000-0x0000000002A83000-memory.dmp

Filesize
9.4MB

Download
memory/2084-27-0x0000000002120000-0x0000000002A83000-memory.dmp

Filesize
9.4MB

Download
memory/2084-30-0x0000000002120000-0x0000000002A83000-memory.dmp

Filesize
9.4MB

Download
memory/2896-9-0x0000000002710000-0x0000000002711000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing