Analysis
max time kernel: 143s
max time network: 155s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 02-04-2024 07:28
Static task: static1 (1 signatures)
Behavioral task: behavioral1
Sample: 8648fe8a722044918faa543988eea1b0_JaffaCakes118.dll
Resource: win7-20240221-en (windows7-x64), 4 signatures, 150 seconds
General
Target: 8648fe8a722044918faa543988eea1b0_JaffaCakes118.dll
Size: 180KB
MD5: 8648fe8a722044918faa543988eea1b0
SHA1: e99252450542b0c73d11fbbeb2069879ab8268f5
SHA256: ed5992735e4d63c6aef98f031156bc74bc10041e1dc19b3b404d9694b74f1e31
SHA512: e8e699a7836707d479cc9cabe2689ef854c0cc913fda0d19878a8fe8e78cc86bc647caf0e9b159662cfdc33940a2f6547227f49089f8e301c0abb7862d95b870
SSDEEP: 3072:hD2xFMJeSjU91NwhzvGQ5Fv6GKWiEAZxRzvUAtfRZF5EKWiQqmyFDuA:hD7JeSjoCB5xhCFzsAtZj5NBQoF
Malware Config (Extracted)
Family: dridex
Botnet: 22201
C2:
139.162.232.153:443
5.83.45.48:5412
209.239.112.82:8333
rc4.plain
rc4.plain
Signatures

Yara rule match
Processes (resource / yara_rule):
behavioral2/memory/4120-0-0x0000000075000000-0x000000007502F000-memory.dmp | dridex_ldr

Program crash (1 IoCs)
Processes (pid / pid_target / process / target process):
5008 | 4120 | WerFault.exe | rundll32.exe

Suspicious use of WriteProcessMemory (3 IoCs)
Processes (description / pid / process / target process):
PID 1772 wrote to memory of 4120 | 1772 | rundll32.exe | rundll32.exe
PID 1772 wrote to memory of 4120 | 1772 | rundll32.exe | rundll32.exe
PID 1772 wrote to memory of 4120 | 1772 | rundll32.exe | rundll32.exe
Processes
C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\8648fe8a722044918faa543988eea1b0_JaffaCakes118.dll,#1
  [Suspicious use of WriteProcessMemory]
  C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\8648fe8a722044918faa543988eea1b0_JaffaCakes118.dll,#1
    C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4120 -s 612
      [Program crash]
C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 4120 -ip 4120
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1408 --field-trial-handle=2280,i,4114443225282860369,4764091921472631035,262144 --variations-seed-version /prefetch:8