Analysis

- max time kernel: 142s
- max time network: 138s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 04-04-2024 00:34
- Static task: static1
- Behavioral task: behavioral1
- Sample: aaedac77190667ab62eba165fc1c158e_JaffaCakes118.dll
- Resource: win7-20240221-en
General

- Target: aaedac77190667ab62eba165fc1c158e_JaffaCakes118.dll
- Size: 608KB
- MD5: aaedac77190667ab62eba165fc1c158e
- SHA1: 164352b0bc2a2d54948d994a4b4e4d68ecd260e4
- SHA256: 79f9609b8eed0a77a76805747c4cef0af604d74656d354898f622428e52ceecc
- SHA512: c939c6a48cf59012707e6e6af0da7f9598b001420649a5353684f1950147e77d55c3091f5ce4ba53217371c68e49e1712ff6eb4b2cc30a51740a2bc182c0b0ab
- SSDEEP: 12288:nZGQdqOGn8JqydLqQSeCqsVK8kPRGO35N9mVQzXc6:nZ0kWjeCVVK8kP9N9os
Malware Config

Extracted
- Family: dridex
- Botnet: 10444
- C2:
  - 174.128.245.202:443
  - 51.83.3.52:13786
  - 69.64.50.41:6602
Signatures

- Blocklisted process makes network request (4 IoCs)
  Processes: rundll32.exe
    flow 3  pid 2100  rundll32.exe
    flow 5  pid 2100  rundll32.exe
    flow 6  pid 2100  rundll32.exe
    flow 7  pid 2100  rundll32.exe

- Checks whether UAC is enabled (1 TTPs)
  Queries the EnableLUA value under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System to learn whether User Account Control is on. (The report's original heading for this entry read "Checks installed software on the system / Looks up Uninstall key entries"; the IoC actually recorded is the EnableLUA query, which is the behaviour tagged on the SysWOW64 rundll32.exe in the process tree below, so the heading is corrected here.)
  Processes: rundll32.exe
    Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  (rundll32.exe)

- Suspicious use of WriteProcessMemory (7 IoCs)
  Processes: rundll32.exe
    PID 1964 (rundll32.exe) wrote to memory of PID 2100 (rundll32.exe)  (7 identical entries)
Processes

- C:\Windows\system32\rundll32.exe  (pid 1964, depth 1)
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\aaedac77190667ab62eba165fc1c158e_JaffaCakes118.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe  (pid 2100, depth 2)
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\aaedac77190667ab62eba165fc1c158e_JaffaCakes118.dll,#1
    - Blocklisted process makes network request
    - Checks whether UAC is enabled

The ",#1" argument calls the DLL's export with ordinal 1 rather than a named export. The 64-bit rundll32.exe under system32 relaunches the 32-bit copy under SysWOW64 with the same arguments, which is what 64-bit rundll32 does when handed a 32-bit DLL; all of the sample's own behaviour (the network flows and the EnableLUA query) is therefore recorded against the child, pid 2100.
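The three signatures and the process tree above describe behaviour that a detection engineer would want to reproduce outside the sandbox: a blocklisted LOLBin (rundll32.exe) making outbound connections, a query of EnableLUA, a cross-process memory write from the parent rundll32 into the child, and rundll32 loading a DLL out of the user's Temp directory. The block below is an added example, not code from the sandbox or from this report; it runs those rules over a constructed event trace modelled on the report. Assumptions: the event schema (type/pid/ppid/image/cmdline/key/value/dst/dport) is invented for the example, the blocklist beyond rundll32.exe is a conventional set rather than the sandbox's actual list, and the destinations of the four flows, which the report does not print, are set to the extracted C2s plus one DNS resolver so the C2 matcher has a negative case.

```python
"""Detection rules for the behaviours flagged in this report, run over a
constructed sandbox-style event trace (example code, not the sandbox's own)."""
from collections import Counter

# Values taken verbatim from the report's extracted Dridex config.
DRIDEX_BOTNET_ID = 10444
DRIDEX_C2 = {("174.128.245.202", 443), ("51.83.3.52", 13786), ("69.64.50.41", 6602)}

# Assumption: the sandbox's blocklist is not published; rundll32.exe is the one
# member the report shows, the others are conventional LOLBin network clients.
BLOCKLISTED = {"rundll32.exe", "regsvr32.exe", "mshta.exe", "msiexec.exe"}

DLL = r"C:\Users\Admin\AppData\Local\Temp\aaedac77190667ab62eba165fc1c158e_JaffaCakes118.dll"

# Constructed trace modelled on the process tree and IoCs above (schema is
# invented for this example). Flow destinations are assumed, see the lead-in.
EVENTS = [
    {"type": "process", "pid": 1964, "ppid": 1000,
     "image": r"C:\Windows\system32\rundll32.exe", "cmdline": f"rundll32.exe {DLL},#1"},
    {"type": "process", "pid": 2100, "ppid": 1964,
     "image": r"C:\Windows\SysWOW64\rundll32.exe", "cmdline": f"rundll32.exe {DLL},#1"},
    {"type": "writemem", "pid": 1964, "target_pid": 2100},
    {"type": "regquery", "pid": 2100,
     "key": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System",
     "value": "EnableLUA"},
    {"type": "netconn", "pid": 2100, "dst": "174.128.245.202", "dport": 443},
    {"type": "netconn", "pid": 2100, "dst": "51.83.3.52", "dport": 13786},
    {"type": "netconn", "pid": 2100, "dst": "69.64.50.41", "dport": 6602},
    {"type": "netconn", "pid": 2100, "dst": "8.8.8.8", "dport": 53},
    # Benign control: an ordinary browser connection that no rule should flag.
    {"type": "process", "pid": 3000, "ppid": 1000,
     "image": r"C:\Program Files\Mozilla Firefox\firefox.exe", "cmdline": "firefox.exe"},
    {"type": "netconn", "pid": 3000, "dst": "93.184.216.34", "dport": 443},
]


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def process_map(events):
    return {e["pid"]: e for e in events if e["type"] == "process"}


def ancestry(pmap, pid):
    """Image names from pid up to the first ancestor the trace has no record of."""
    chain = []
    while pid in pmap:
        chain.append(basename(pmap[pid]["image"]))
        pid = pmap[pid]["ppid"]
    return chain


def run_rules(events):
    """Return (rule, pid, detail) triples; rule names follow the report's signatures."""
    pmap = process_map(events)

    def img(pid):
        return basename(pmap[pid]["image"]) if pid in pmap else "?"

    hits = []
    for e in events:
        t, pid = e["type"], e["pid"]
        if t == "process" and img(pid) == "rundll32.exe" \
                and "\\appdata\\local\\temp\\" in e["cmdline"].lower():
            hits.append(("rundll32 loads DLL from user temp", pid, e["cmdline"]))
        elif t == "netconn" and img(pid) in BLOCKLISTED:
            c2 = (e["dst"], e["dport"]) in DRIDEX_C2
            hits.append(("Blocklisted process makes network request", pid,
                         f"{img(pid)} -> {e['dst']}:{e['dport']}" + (" [Dridex C2]" if c2 else "")))
        elif t == "regquery" and e["key"].lower().endswith("\\policies\\system") \
                and e["value"].lower() == "enablelua":
            hits.append(("Checks whether UAC is enabled", pid, f"{img(pid)} queried EnableLUA"))
        elif t == "writemem" and pid != e["target_pid"]:
            # Parent-to-child writes also occur during normal process start-up, so
            # this rule contributes weight to a verdict rather than alerting alone.
            hits.append(("Suspicious use of WriteProcessMemory", pid,
                         f"{img(pid)} wrote to {img(e['target_pid'])} (pid {e['target_pid']})"))
    return hits


def c2_contacts(events):
    """(pid, dst, port) for every connection to a configured Dridex C2 endpoint."""
    return [(e["pid"], e["dst"], e["dport"]) for e in events
            if e["type"] == "netconn" and (e["dst"], e["dport"]) in DRIDEX_C2]


def summarize(events):
    return Counter(rule for rule, _, _ in run_rules(events))


if __name__ == "__main__":
    pmap = process_map(EVENTS)
    for rule, pid, detail in run_rules(EVENTS):
        print(f"{rule:42s} pid {pid:<5d} {' <- '.join(ancestry(pmap, pid))}: {detail}")
    print(dict(summarize(EVENTS)))
```

On the constructed trace this reproduces the report's counts for the network and UAC signatures, attributes every C2 contact to pid 2100, and leaves the browser control untouched; the Temp-path rule fires on both rundll32 instances, which is the expected shape for a 32-bit DLL launched through the WoW64 handoff.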
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads

Memory dumps taken from pid 2100 (the SysWOW64 rundll32.exe); the 0x2090000-0x21C4000 region was captured five times over the run:

- memory/2100-0-0x0000000002090000-0x00000000021C4000-memory.dmp  1.2MB
- memory/2100-2-0x0000000002090000-0x00000000021C4000-memory.dmp  1.2MB
- memory/2100-4-0x0000000002090000-0x00000000021C4000-memory.dmp  1.2MB
- memory/2100-6-0x0000000000180000-0x0000000000181000-memory.dmp  4KB
- memory/2100-7-0x0000000002090000-0x00000000021C4000-memory.dmp  1.2MB
- memory/2100-8-0x0000000002090000-0x00000000021C4000-memory.dmp  1.2MB