Analysis
max time kernel: 148s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 07-04-2024 21:53
Static task: static1 (1 signatures)
Behavioral task: behavioral1
  Sample: e5f13c6bb1109d1197126921de074041_JaffaCakes118.dll
  Resource: win7-20240221-en (windows7-x64)
  3 signatures, 150 seconds
General
Target: e5f13c6bb1109d1197126921de074041_JaffaCakes118.dll
Size: 188KB
MD5: e5f13c6bb1109d1197126921de074041
SHA1: 6c21987c6231db7514ce3b4c93e2ca3df76c4902
SHA256: 25b16667b3194dd3d15525eb88f274a305786de7e39fd789ff3da514379f7dcb
SHA512: 203104e4a72ac6848e60c358896871ae66e35dc30dc14c7e9a399972749e062f9ebddb2c26d24a09b2e90f9a20808f49ea2cf1f6e91e7dc69e3c2de7c9a9b148
SSDEEP: 3072:gA8JmK7ATVfQeVqNFZa/9KzMXJ6jTFDlAwqWut5KZMzfeAAAolo:gzIqATVfQeV2FZalKq6jtGJWuTmd
Malware Config
Extracted
Family: dridex
Botnet: 22201
C2:
  103.82.248.59:443
  54.39.98.141:6602
  103.109.247.8:10443
rc4.plain
rc4.plain
Signatures

Processes:
  resource                                                                    yara_rule
  behavioral2/memory/4928-0-0x0000000074A00000-0x0000000074A30000-memory.dmp  dridex_ldr

Program crash 1 IoCs
Processes:
  pid   process       pid_target  target process
  4428  WerFault.exe  4928        rundll32.exe

Suspicious use of WriteProcessMemory 3 IoCs
Processes:
  description                       pid   process       target pid  target process
  PID 2376 wrote to memory of 4928  2376  rundll32.exe  4928        rundll32.exe
  PID 2376 wrote to memory of 4928  2376  rundll32.exe  4928        rundll32.exe
  PID 2376 wrote to memory of 4928  2376  rundll32.exe  4928        rundll32.exe
Processes
C:\Windows\system32\rundll32.exe (PID 2376)
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\e5f13c6bb1109d1197126921de074041_JaffaCakes118.dll,#1
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\rundll32.exe (PID 4928)
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\e5f13c6bb1109d1197126921de074041_JaffaCakes118.dll,#1
    C:\Windows\SysWOW64\WerFault.exe (PID 4428)
      C:\Windows\SysWOW64\WerFault.exe -u -p 4928 -s 692
      - Program crash
C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 364 -p 4928 -ip 4928
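Added hunting example (written for this page; it is not part of the sandbox report or of any Triage tooling). Two things in the report are worth turning into checks: the launch of a DLL from a per-user Temp directory by export ordinal (rundll32 ...,#1), and the extracted C2 list. The "Suspicious use of WriteProcessMemory" signature is lower value here: both PIDs (2376 and 4928) are rundll32, the system32 copy re-launching the SysWOW64 copy with the same arguments, which is what a 64-bit rundll32 does when handed a 32-bit DLL, so the writes are the parent/child handoff rather than injection into an unrelated process. The child then crashed (WerFault -p 4928), so this run most likely never produced C2 traffic, and the statically extracted config is the more reliable IoC source. The script applies those checks to constructed process-creation and connection records; the record shapes, the PIDs not present in the report (1000, 1234) and the benign DNS connection are assumptions.

```python
"""Hunt for the behaviours in the Dridex loader report over constructed telemetry.

Added example, not sandbox output.  Record shapes are assumed; PIDs 2376,
4928 and 4428 and the command lines are taken from the report.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# C2 endpoints taken from the extracted Dridex config in the report.
DRIDEX_C2 = {
    ("103.82.248.59", 443),
    ("54.39.98.141", 6602),
    ("103.109.247.8", 10443),
}

# rundll32 <dll>,#<ordinal>  (the sample was launched with export #1);
# tolerates a quoted path for DLLs staged under directories with spaces.
RUNDLL32_ORDINAL = re.compile(
    r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+?\.dll)"?,#(?P<ordinal>\d+)',
    re.IGNORECASE)
# DLL staged in a per-user temp directory, as in the report's command line.
USER_TEMP = re.compile(r"\\Users\\[^\\]+\\AppData\\Local\\Temp\\", re.IGNORECASE)


@dataclass
class ProcEvent:
    """Minimal process-creation record (Sysmon EID 1 style; field set is assumed)."""
    pid: int
    ppid: int
    image: str
    cmdline: str


def rundll32_temp_ordinal(ev: ProcEvent) -> Optional[Dict]:
    """Flag rundll32 loading a DLL from a user Temp directory by export ordinal."""
    m = RUNDLL32_ORDINAL.search(ev.cmdline)
    if not m or not USER_TEMP.search(m["dll"]):
        return None
    return {"pid": ev.pid, "dll": m["dll"], "ordinal": int(m["ordinal"])}


def is_wow64_relaunch(parent: ProcEvent, child: ProcEvent) -> bool:
    """True for the system32 -> SysWOW64 rundll32 pair carrying identical arguments.

    A 64-bit rundll32 given a 32-bit DLL re-launches its 32-bit twin; the
    WriteProcessMemory calls between those two PIDs (2376 -> 4928 in the
    report) belong to that handoff, not to injection into a third process.
    """
    def args(e: ProcEvent) -> str:
        parts = e.cmdline.split(None, 1)
        return parts[1].strip().lower() if len(parts) > 1 else ""

    return (child.ppid == parent.pid
            and parent.image.lower().endswith(r"\windows\system32\rundll32.exe")
            and child.image.lower().endswith(r"\windows\syswow64\rundll32.exe")
            and args(parent) == args(child))


def analyze(events: List[ProcEvent],
            conns: List[Tuple[int, str, int]]) -> List[Tuple[str, Dict]]:
    """Return (finding_name, details) pairs; conns are (pid, dst_ip, dst_port)."""
    by_pid = {e.pid: e for e in events}
    findings: List[Tuple[str, Dict]] = []
    for ev in events:
        hit = rundll32_temp_ordinal(ev)
        if hit is None:
            continue
        parent = by_pid.get(ev.ppid)
        # Mark the benign WoW64 relaunch so an analyst can discount the WPM noise.
        hit["wow64_relaunch"] = bool(parent and is_wow64_relaunch(parent, ev))
        findings.append(("rundll32_temp_dll_ordinal", hit))
    for pid, ip, port in conns:
        if (ip, port) in DRIDEX_C2:
            findings.append(("dridex_c2_contact", {"pid": pid, "dst": f"{ip}:{port}"}))
    return findings


# Constructed telemetry mirroring the report's process tree (PIDs from the report;
# the root parent PID 1000 is assumed).
SAMPLE_CMD = r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\e5f13c6bb1109d1197126921de074041_JaffaCakes118.dll,#1"
SAMPLE_EVENTS = [
    ProcEvent(2376, 1000, r"C:\Windows\system32\rundll32.exe", SAMPLE_CMD),
    ProcEvent(4928, 2376, r"C:\Windows\SysWOW64\rundll32.exe", SAMPLE_CMD),
    ProcEvent(4428, 4928, r"C:\Windows\SysWOW64\WerFault.exe",
              r"C:\Windows\SysWOW64\WerFault.exe -u -p 4928 -s 692"),
]
# Constructed connections: one benign DNS lookup (assumed) and two hits on the C2 list.
SAMPLE_CONNS = [(1234, "8.8.8.8", 53),
                (4928, "103.82.248.59", 443),
                (4928, "54.39.98.141", 6602)]

if __name__ == "__main__":
    for name, details in analyze(SAMPLE_EVENTS, SAMPLE_CONNS):
        print(name, details)
```

Both rundll32 processes trip the ordinal check, but only the SysWOW64 child is tagged as the WoW64 relaunch, which is the signal to treat the 2376 -> 4928 WriteProcessMemory events as expected rather than as cross-process injection. The C2 match is a plain set lookup on (ip, port); in a real pipeline the same set would be fed to the proxy and firewall log search, since a crashed loader in the sandbox tells you nothing about the traffic it would produce on a victim.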