Analysis
max time kernel: 172s
max time network: 139s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 11-04-2024 11:09

Static task: static1 (1 signature)
Behavioral task: behavioral1
  Sample: ed47f7d4c68d6ecd3021cca2ff44408a_JaffaCakes118.dll
  Resource: win7-20240221-en
  4 signatures, 150 seconds
General
Target: ed47f7d4c68d6ecd3021cca2ff44408a_JaffaCakes118.dll
Size: 188KB
MD5: ed47f7d4c68d6ecd3021cca2ff44408a
SHA1: 0e6c7c041a95a9fc7796915c39cefab49b5b7863
SHA256: 103028c7652fc7b99c2e1af9f55cc9712cfb8c4f8dd9426b9bf827a10f497512
SHA512: 581c83c350b2da8647a419cc93ad34518af04c7b8f2950410ca75fea5e861584dc16da9cdba8936c8d88aeca53f4cea383c5fe6b08fa1e9ee982d851217622e9
SSDEEP: 3072:hH0uyjZqEpAK+Gf78TBdrXkTM5vhRg9Esf0DwvtyMpVnpA+z6tX8sxKViWm7dU:hUua/Pv7YNhRIEZDeXVpAxtMsxK
Malware Config
Extracted
Family: dridex
Botnet: 22201
C2:
  103.82.248.59:443
  54.39.98.141:6602
  103.109.247.8:10443
rc4.plain
rc4.plain
(two RC4 key attributes are listed; the key material itself is not included in this report)
Signatures

YARA rule hits in memory dumps (dridex_ldr)  2 IoCs
  resource                                                                   yara_rule
  behavioral1/memory/2648-0-0x00000000745E0000-0x0000000074610000-memory.dmp  dridex_ldr
  behavioral1/memory/2648-2-0x00000000745E0000-0x0000000074610000-memory.dmp  dridex_ldr
Program crash  1 IoC
  pid   pid_target  process       target process
  2384  2648        WerFault.exe  rundll32.exe
Suspicious use of WriteProcessMemory  11 IoCs
  description                       pid   process       target process
  PID 2576 wrote to memory of 2648  2576  rundll32.exe  rundll32.exe
  PID 2576 wrote to memory of 2648  2576  rundll32.exe  rundll32.exe
  PID 2576 wrote to memory of 2648  2576  rundll32.exe  rundll32.exe
  PID 2576 wrote to memory of 2648  2576  rundll32.exe  rundll32.exe
  PID 2576 wrote to memory of 2648  2576  rundll32.exe  rundll32.exe
  PID 2576 wrote to memory of 2648  2576  rundll32.exe  rundll32.exe
  PID 2576 wrote to memory of 2648  2576  rundll32.exe  rundll32.exe
  PID 2648 wrote to memory of 2384  2648  rundll32.exe  WerFault.exe
  PID 2648 wrote to memory of 2384  2648  rundll32.exe  WerFault.exe
  PID 2648 wrote to memory of 2384  2648  rundll32.exe  WerFault.exe
  PID 2648 wrote to memory of 2384  2648  rundll32.exe  WerFault.exe
Processes
(PIDs are taken from the WriteProcessMemory table and the WerFault -p argument)

C:\Windows\system32\rundll32.exe  (PID 2576)
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\ed47f7d4c68d6ecd3021cca2ff44408a_JaffaCakes118.dll,#1
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\rundll32.exe  (PID 2648)
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\ed47f7d4c68d6ecd3021cca2ff44408a_JaffaCakes118.dll,#1
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\WerFault.exe  (PID 2384)
      C:\Windows\SysWOW64\WerFault.exe -u -p 2648 -s 308
      - Program crash

The chain is the standard 64-bit rundll32 behaviour when it is handed a 32-bit DLL: the system32 host relaunches the SysWOW64 rundll32, which actually loads the sample. The dridex_ldr YARA hits are in that 32-bit process (PID 2648, region 0x745E0000-0x74610000), and it is the process that crashes and spawns WerFault. The parent-to-child and crashed-process-to-WerFault memory writes are consistent with process creation rather than with injection into an unrelated process; the in-memory rule match is the evidence that matters here.