Analysis

max time kernel: 142s
max time network: 121s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 06-04-2024 14:28

Static task: static1 (1 signatures)
Behavioral task: behavioral1
Sample: e2be33cb799cd823a2d88899971255d2_JaffaCakes118.dll
Resource: win7-20240221-en (windows7-x64)
4 signatures, 150 seconds
General

Target: e2be33cb799cd823a2d88899971255d2_JaffaCakes118.dll
Size: 188KB
MD5: e2be33cb799cd823a2d88899971255d2
SHA1: f471630d1fea193e46192f024148f1ece1e19118
SHA256: de649fc31edc3e66987cd104284039da1537919f9e009b882b96a875a31a7662
SHA512: a7abfc80ac157001227f789d4e87aee316d9ad135c38fd8040436958373f52a7685d9da294923ec590cfa250d45cd1c76cf76e17229cdc1f23f71f6f394b5af1
SSDEEP: 3072:MA8JmK7ATVfQeVqNFZa/9KzMXJ6jTFDlAwqWut5KZMzfeAAAomo:MzIqATVfQeV2FZalKq6jtGJWuTmd
Malware Config

Extracted
Family: dridex
Botnet: 22201
C2:
- 103.82.248.59:443
- 54.39.98.141:6602
- 103.109.247.8:10443
rc4.plain
rc4.plain
Signatures

-
Processes:
resource | yara_rule
behavioral1/memory/2024-0-0x0000000075200000-0x0000000075230000-memory.dmp | dridex_ldr
behavioral1/memory/2024-2-0x0000000075200000-0x0000000075230000-memory.dmp | dridex_ldr

- Program crash (1 IoCs)
Processes: WerFault.exe
pid | pid_target | process | target process
2612 | 2024 | WerFault.exe | rundll32.exe

- Suspicious use of WriteProcessMemory (11 IoCs)
Processes: rundll32.exe, rundll32.exe
description | pid | process | target process
PID 3012 wrote to memory of 2024 | 3012 | rundll32.exe | rundll32.exe
PID 3012 wrote to memory of 2024 | 3012 | rundll32.exe | rundll32.exe
PID 3012 wrote to memory of 2024 | 3012 | rundll32.exe | rundll32.exe
PID 3012 wrote to memory of 2024 | 3012 | rundll32.exe | rundll32.exe
PID 3012 wrote to memory of 2024 | 3012 | rundll32.exe | rundll32.exe
PID 3012 wrote to memory of 2024 | 3012 | rundll32.exe | rundll32.exe
PID 3012 wrote to memory of 2024 | 3012 | rundll32.exe | rundll32.exe
PID 2024 wrote to memory of 2612 | 2024 | rundll32.exe | WerFault.exe
PID 2024 wrote to memory of 2612 | 2024 | rundll32.exe | WerFault.exe
PID 2024 wrote to memory of 2612 | 2024 | rundll32.exe | WerFault.exe
PID 2024 wrote to memory of 2612 | 2024 | rundll32.exe | WerFault.exe
Processes

1. C:\Windows\system32\rundll32.exe
   rundll32.exe C:\Users\Admin\AppData\Local\Temp\e2be33cb799cd823a2d88899971255d2_JaffaCakes118.dll,#1
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\e2be33cb799cd823a2d88899971255d2_JaffaCakes118.dll,#1
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\WerFault.exe
         C:\Windows\SysWOW64\WerFault.exe -u -p 2024 -s 308
         - Program crash