Analysis
max time kernel: 147s
max time network: 156s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 10-04-2024 23:49

Static task: static1 (1 signature)
Behavioral task: behavioral1
  Sample: ec40302c6da1f3379ad2db586768b348_JaffaCakes118.dll
  Resource: win7-20240221-en (windows7-x64)
  4 signatures, 150 seconds
General
Target: ec40302c6da1f3379ad2db586768b348_JaffaCakes118.dll
Size: 180KB
MD5: ec40302c6da1f3379ad2db586768b348
SHA1: 92d1815b0a70b317ba2efd4d027500bc16e1fd38
SHA256: a63d5af0c6d5817dd92a3efad5233a75704268b37194f4a36765af2d753dbf6e
SHA512: dce2177af00538e9c4809d8f6fd44cd440b7c76edb854e006497c591ce0cfff19b6c37d63c768846f5b37e5dc3f4dde32fa42fe802cd9378b2e55d4cafaf3702
SSDEEP: 3072:bOE9O68ciPs9BrcOgPqT7nWLTkpv0W270f0muemESB4:iE9/QMcvPaSLTkp/5uJ
Malware Config (extracted)
Family: dridex
Botnet: 22203
C2:
  195.154.146.84:443
  45.56.121.87:8116
  157.245.222.44:5723
rc4.plain
rc4.plain
Signatures

Yara rule match
  resource                                                                  | yara_rule
  behavioral2/memory/4616-0-0x0000000075070000-0x000000007509F000-memory.dmp | dridex_ldr

Program crash (1 IoC)
  process      | pid  | pid_target | target process
  WerFault.exe | 1656 | 4616       | rundll32.exe

Suspicious use of WriteProcessMemory (3 IoCs)
  description                   | pid  | process      | target process
  PID 2224 wrote to memory of 4616 | 2224 | rundll32.exe | rundll32.exe
  PID 2224 wrote to memory of 4616 | 2224 | rundll32.exe | rundll32.exe
  PID 2224 wrote to memory of 4616 | 2224 | rundll32.exe | rundll32.exe
Processes

C:\Windows\system32\rundll32.exe (depth 1)
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\ec40302c6da1f3379ad2db586768b348_JaffaCakes118.dll,#1
  signature: Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\rundll32.exe (depth 2)
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\ec40302c6da1f3379ad2db586768b348_JaffaCakes118.dll,#1
    C:\Windows\SysWOW64\WerFault.exe (depth 3)
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4616 -s 620
      signature: Program crash

C:\Windows\SysWOW64\WerFault.exe (depth 1)
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4616 -ip 4616