Analysis
- max time kernel: 141s
- max time network: 125s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 30-03-2024 01:48

Static task: static1
Behavioral task: behavioral1
- Sample: 30c380426505d0cc6741782bb917671b_JaffaCakes118.dll
- Resource: win7-20240221-en
General
- Target: 30c380426505d0cc6741782bb917671b_JaffaCakes118.dll
- Size: 1.4MB
- MD5: 30c380426505d0cc6741782bb917671b
- SHA1: e3584ded8526f2d2559e3bb5bbc6cb1e307c5f3c
- SHA256: 97b3e4014ca0d298804be4f599b0601b934f88940137f74c91828c984de30969
- SHA512: 80b75e3fcb55a5d6f0437a80214107c3e40e5aaeba60a194acd836143ae726b396ce3cec0b787cb43a63861aa2dd91e006a43ee86628808ae43d3ad40c5d434f
- SSDEEP: 24576:VehqOUx1kdlsk5OPOND4mXHD4tTrSbg86YXFsfS4XVMKG:VQYIEUDVpqYXz4qT
Malware Config
Extracted
- Family: dridex
- 10222
- C2:
  - 174.128.245.202:443
  - 51.83.3.52:13786
  - 69.64.50.41:6602
Signatures
- Blocklisted process makes network request (2 IoCs)
  Processes:
    process        flow  pid
    rundll32.exe   3     2228
    rundll32.exe   5     2228
- Checks installed software on the system (1 TTPs)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  Processes:
    description        ioc                                                                                    process
    Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  rundll32.exe
- Suspicious use of WriteProcessMemory (7 IoCs)
  Processes:
    description                       pid   process       target process
    PID 1640 wrote to memory of 2228  1640  rundll32.exe  rundll32.exe
    PID 1640 wrote to memory of 2228  1640  rundll32.exe  rundll32.exe
    PID 1640 wrote to memory of 2228  1640  rundll32.exe  rundll32.exe
    PID 1640 wrote to memory of 2228  1640  rundll32.exe  rundll32.exe
    PID 1640 wrote to memory of 2228  1640  rundll32.exe  rundll32.exe
    PID 1640 wrote to memory of 2228  1640  rundll32.exe  rundll32.exe
    PID 1640 wrote to memory of 2228  1640  rundll32.exe  rundll32.exe
Processes
1. C:\Windows\system32\rundll32.exe
   Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\30c380426505d0cc6741782bb917671b_JaffaCakes118.dll,#1
   - Suspicious use of WriteProcessMemory
   PID: 1640
   2. C:\Windows\SysWOW64\rundll32.exe
      Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\30c380426505d0cc6741782bb917671b_JaffaCakes118.dll,#1
      - Blocklisted process makes network request
      - Checks whether UAC is enabled
      PID: 2228
Network
MITRE ATT&CK Enterprise v15
Downloads
- memory/2228-0-0x0000000001D90000-0x0000000001EF7000-memory.dmp (Filesize: 1.4MB)
- memory/2228-1-0x0000000000320000-0x0000000000362000-memory.dmp (Filesize: 264KB)
- memory/2228-2-0x0000000000790000-0x00000000007CD000-memory.dmp (Filesize: 244KB)
- memory/2228-3-0x0000000001D90000-0x0000000001EF7000-memory.dmp (Filesize: 1.4MB)
- memory/2228-5-0x0000000000790000-0x00000000007CD000-memory.dmp (Filesize: 244KB)