Analysis

max time kernel: 142s
max time network: 118s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 06-04-2024 10:48

Static task: static1 (1 signature)

Behavioral task: behavioral1
  Sample: e25f213401d7bfde6bbb833a98b627d7_JaffaCakes118.dll
  Resource: win7-20240221-en (windows7-x64)
  4 signatures, 150 seconds
General

Target: e25f213401d7bfde6bbb833a98b627d7_JaffaCakes118.dll
Size: 188KB
MD5: e25f213401d7bfde6bbb833a98b627d7
SHA1: 7e45e77f407b5ae18c651674bedc4f00094b5b1e
SHA256: 8a93ac385002f1fb544169c31329471f00190e590b710e604235075a5a2f471f
SHA512: e0f623b8fad23729c8ed8e7096be34730dd2f28e5d78a82cdca4c33eecea3269c0a989c7b189e7b7af9b77f2ebf6a6440031750ab96e235495b2bcca1e9b75b3
SSDEEP: 3072:AA8JmK7ATVfQeVqNFZa/9KzMXJ6jTFDlAwqWut5KZMzfeAAAoRo:AzIqATVfQeV2FZalKq6jtGJWuTmd
Malware Config

Extracted
  Family: dridex
  Botnet: 22201
  C2:
    103.82.248.59:443
    54.39.98.141:6602
    103.109.247.8:10443
  rc4.plain
  rc4.plain
Signatures

Processes:
  resource                                                                              yara_rule
  behavioral1/memory/1988-0-0x0000000074C40000-0x0000000074C70000-memory.dmp           dridex_ldr

Program crash (1 IoC)
Processes:
  pid   pid_target   process        target process
  2116  1988         WerFault.exe   rundll32.exe

Suspicious use of WriteProcessMemory (11 IoCs)
Processes:
  description                          pid   process        target process
  PID 1968 wrote to memory of 1988     1968  rundll32.exe   rundll32.exe
  PID 1968 wrote to memory of 1988     1968  rundll32.exe   rundll32.exe
  PID 1968 wrote to memory of 1988     1968  rundll32.exe   rundll32.exe
  PID 1968 wrote to memory of 1988     1968  rundll32.exe   rundll32.exe
  PID 1968 wrote to memory of 1988     1968  rundll32.exe   rundll32.exe
  PID 1968 wrote to memory of 1988     1968  rundll32.exe   rundll32.exe
  PID 1968 wrote to memory of 1988     1968  rundll32.exe   rundll32.exe
  PID 1988 wrote to memory of 2116     1988  rundll32.exe   WerFault.exe
  PID 1988 wrote to memory of 2116     1988  rundll32.exe   WerFault.exe
  PID 1988 wrote to memory of 2116     1988  rundll32.exe   WerFault.exe
  PID 1988 wrote to memory of 2116     1988  rundll32.exe   WerFault.exe
Processes

1. C:\Windows\system32\rundll32.exe
   Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\e25f213401d7bfde6bbb833a98b627d7_JaffaCakes118.dll,#1
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\rundll32.exe
      Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\e25f213401d7bfde6bbb833a98b627d7_JaffaCakes118.dll,#1
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\WerFault.exe
         Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1988 -s 300
         - Program crash