Analysis
- max time kernel: 147s
- max time network: 154s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 08-04-2024 04:01

Static task: static1 (1 signature)

Behavioral task: behavioral1
- Sample: e6968e3367f7987f979146dafdfd6066_JaffaCakes118.dll
- Resource: win7-20240220-en
- 4 signatures
- 150 seconds
General
- Target: e6968e3367f7987f979146dafdfd6066_JaffaCakes118.dll
- Size: 188KB
- MD5: e6968e3367f7987f979146dafdfd6066
- SHA1: 627b30debfb3acb971e954504aa1a9dfa152452c
- SHA256: 990f26b25c9cfca6c9b8e1000bec0084fe27d0f0681e9234046715b1d477fde0
- SHA512: 8cc4ed1247ed5880c6263e6a14e0adee33f6bcf0714748621427c91d96b8398bf4eb61abbaeea7acbf43ae094b6fb0f1e6150ae58609f4a44b44c3963f1aed22
- SSDEEP: 3072:TA8JmK7ATVfQeVqNFZa/9KzMXJ6jTFDlAwqWut5KZMzfeAAAo2o:TzIqATVfQeV2FZalKq6jtGJWuTmd
Malware Config (Extracted)
- Family: dridex
- Botnet: 22201
- C2:
  - 103.82.248.59:443
  - 54.39.98.141:6602
  - 103.109.247.8:10443
- rc4.plain
- rc4.plain
Signatures
- YARA match
  - resource: behavioral2/memory/2980-1-0x0000000075500000-0x0000000075530000-memory.dmp
  - yara_rule: dridex_ldr
- Program crash (1 IoC)
  - process: WerFault.exe (pid 4536), target process: rundll32.exe (target pid 2980)
- Suspicious use of WriteProcessMemory (3 IoCs)
  - process: rundll32.exe (PID 2976) wrote to memory of PID 2980 (rundll32.exe); reported three times
Processes
- C:\Windows\system32\rundll32.exe
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\e6968e3367f7987f979146dafdfd6066_JaffaCakes118.dll,#1
  signature: Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\e6968e3367f7987f979146dafdfd6066_JaffaCakes118.dll,#1
    - C:\Windows\SysWOW64\WerFault.exe
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2980 -s 688
      signature: Program crash
- C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 2980 -ip 2980