Analysis

- max time kernel: 92s
- max time network: 116s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 31-03-2024 01:36
Static task
- static1: 1 signatures

Behavioral task
- behavioral1
  - Sample: 49b0e4b2386c4c7f9b0d3f8748bd34e8_JaffaCakes118.dll
  - Resource: win7-20240221-en (windows7-x64)
  - 4 signatures
  - 150 seconds
General

- Target: 49b0e4b2386c4c7f9b0d3f8748bd34e8_JaffaCakes118.dll
- Size: 180KB
- MD5: 49b0e4b2386c4c7f9b0d3f8748bd34e8
- SHA1: 9450b46850cc52e1128e34e0639c57ed21034991
- SHA256: 28ce2c4d838a1de5a8bbbd10fc8b7db21c82e306338ed40933f7e107bf2a5b06
- SHA512: 501cc133f5c88f2fd450afd74f74c1d50d9da0ce9638e8c0894f7dc89057aacd41d4b3d0f8ebe798295d2cfad63ff5fea1499e4cdde0f523a82bf92e3a408b1e
- SSDEEP: 3072:JBoP6Q3jdsNavD2WgJK3MRwd70PyQzor/RIrlNo+mdEZ29WtHf91cfRLQfR:lQTdgaL2WKmoP5G/+rGdoVfmc
Malware Config

Extracted
- Family: dridex
- Botnet: 22201
- C2:
  - 155.138.203.91:443
  - 207.180.220.242:8116
  - 46.101.142.214:6891
- rc4.plain
- rc4.plain
Signatures

- YARA match
  Processes:
  resource | yara_rule
  behavioral2/memory/388-0-0x0000000075550000-0x000000007557F000-memory.dmp | dridex_ldr

- Program crash (1 IoCs)
  Processes:
  pid | pid_target | process | target process
  4800 | 388 | WerFault.exe | rundll32.exe

- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes:
  description | pid | process | target process
  PID 4116 wrote to memory of 388 | 4116 | rundll32.exe | rundll32.exe
  PID 4116 wrote to memory of 388 | 4116 | rundll32.exe | rundll32.exe
  PID 4116 wrote to memory of 388 | 4116 | rundll32.exe | rundll32.exe
Processes

(The trailing digit on each entry in the original listing is the nesting depth of the process tree; it is shown here as indentation. PIDs are taken from the signature tables above: 4116 is the first rundll32.exe, 388 the SysWOW64 rundll32.exe it spawned and wrote into.)

- C:\Windows\system32\rundll32.exe (PID 4116)
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\49b0e4b2386c4c7f9b0d3f8748bd34e8_JaffaCakes118.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (PID 388)
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\49b0e4b2386c4c7f9b0d3f8748bd34e8_JaffaCakes118.dll,#1
    - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 388 -s 620
      - Program crash
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 388 -ip 388
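The process tree above is the detectable part of this run: rundll32.exe loads a DLL dropped in %LOCALAPPDATA%\Temp by export ordinal (`,#1`), relaunches itself as the SysWOW64 rundll32.exe because the DLL is 32-bit (the x86 resource tag and the 0x7555xxxx dump address both point at a WoW64 process), writes into that child, and the child crashes. The following is an added example, not code from the sandbox or from this report, that scores exactly that chain over process events. The event schema, the `EVENTS` list, the function names and the parent PID 1000 of the first rundll32 are constructed for the example; the PIDs 4116, 388 and 4800 and the command lines come from the report. Note that a 64-bit rundll32 writing into its own 32-bit relaunch is ordinary rundll32 behaviour, so the DLL location and ordinal export are the primary criteria here and the cross-process write only adds weight.

```python
"""Added example (not part of the sandbox report): flag the rundll32 loader chain
shown in the report's process tree.

Pattern scored:
  1. rundll32.exe loading a DLL from %LOCALAPPDATA%\\Temp by export ordinal (",#1"),
  2. a child rundll32.exe (the SysWOW64 relaunch for a 32-bit DLL) with the same command line,
  3. the parent writing into the child's memory,
  4. optionally, WerFault.exe started for the child's PID (the crash seen in the report).

The event schema and the EVENTS list are constructed for this example; they are not
the sandbox's native format.
"""
import re
from collections import defaultdict

# Constructed sample events modelled on the report. PIDs 4116, 388 and 4800 and the
# command lines come from the report; the parent PID 1000 of the first rundll32 is an assumption.
DLL = r"C:\Users\Admin\AppData\Local\Temp\49b0e4b2386c4c7f9b0d3f8748bd34e8_JaffaCakes118.dll"
EVENTS = [
    {"type": "process_create", "pid": 4116, "ppid": 1000,
     "image": r"C:\Windows\system32\rundll32.exe",
     "cmdline": f"rundll32.exe {DLL},#1"},
    {"type": "process_create", "pid": 388, "ppid": 4116,
     "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "cmdline": f"rundll32.exe {DLL},#1"},
    {"type": "write_process_memory", "pid": 4116, "target_pid": 388},
    {"type": "write_process_memory", "pid": 4116, "target_pid": 388},
    {"type": "write_process_memory", "pid": 4116, "target_pid": 388},
    {"type": "process_create", "pid": 4800, "ppid": 388,
     "image": r"C:\Windows\SysWOW64\WerFault.exe",
     "cmdline": r"C:\Windows\SysWOW64\WerFault.exe -u -p 388 -s 620"},
]

# rundll32 <dll under \AppData\Local\Temp\>,#<ordinal>   (quotes around the path are optional)
ORDINAL_TEMP_DLL = re.compile(
    r'rundll32(?:\.exe)?\s+"?(?P<dll>[^"\s]*\\AppData\\Local\\Temp\\[^"\s,]+\.dll)"?,#(?P<ordinal>\d+)',
    re.IGNORECASE,
)
# WerFault.exe ... -p <pid> : the PID of the process that crashed
WERFAULT_TARGET = re.compile(r"werfault\.exe.*?\s-p\s+(?P<pid>\d+)", re.IGNORECASE)


def parse_rundll32(cmdline):
    """Return (dll_path, ordinal) when rundll32 loads a %TEMP% DLL by ordinal, else None."""
    m = ORDINAL_TEMP_DLL.search(cmdline)
    if m is None:
        return None
    return m.group("dll"), int(m.group("ordinal"))


def find_loader_chains(events):
    """Return one finding per rundll32 -> rundll32 chain that matches the pattern."""
    procs = {e["pid"]: e for e in events if e["type"] == "process_create"}

    # Count cross-process writes per (writer, target) pair.
    writes = defaultdict(int)
    for e in events:
        if e["type"] == "write_process_memory":
            writes[(e["pid"], e["target_pid"])] += 1

    # PIDs that WerFault was started for.
    crashed = set()
    for p in procs.values():
        m = WERFAULT_TARGET.search(p["cmdline"])
        if m:
            crashed.add(int(m.group("pid")))

    findings = []
    for child in procs.values():
        parent = procs.get(child["ppid"])
        if parent is None:
            continue
        if not (child["image"].lower().endswith("rundll32.exe")
                and parent["image"].lower().endswith("rundll32.exe")):
            continue
        loaded = parse_rundll32(child["cmdline"])
        # Both instances must load the same %TEMP% DLL by the same ordinal.
        if loaded is None or parse_rundll32(parent["cmdline"]) != loaded:
            continue
        n_writes = writes.get((parent["pid"], child["pid"]), 0)
        if n_writes == 0:
            continue
        findings.append({
            "parent_pid": parent["pid"],
            "child_pid": child["pid"],
            "dll": loaded[0],
            "ordinal": loaded[1],
            "memory_writes": n_writes,
            "child_crashed": child["pid"] in crashed,
        })
    return findings


if __name__ == "__main__":
    for finding in find_loader_chains(EVENTS):
        print(finding)
```

On the constructed events this yields a single finding for parent 4116 and child 388 with three memory writes and `child_crashed` set, which is the same chain the report's signature tables describe. When feeding real telemetry, map process-creation and cross-process-write events (for example Sysmon event IDs 1 and 8/10) into the same three-field shape; the crash flag is useful for triage because a loader that dies under WerFault has often failed an environment check rather than finished its work.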