Analysis

Max time kernel: 140s
Max time network: 117s
Platform: windows7_x64
Resource: win7-20240215-en
Resource tags: arch:x64, arch:x86, image:win7-20240215-en, locale:en-us, os:windows7-x64, system
Submitted: 11-04-2024 11:25

Tasks

Static task: static1 (1 signature)
Behavioral task: behavioral1
  Sample: ed500489a2159f6f3a53c6366a2e6201_JaffaCakes118.dll
  Resource: win7-20240215-en (windows7-x64)
  4 signatures, 150 seconds
General

Target: ed500489a2159f6f3a53c6366a2e6201_JaffaCakes118.dll
Size: 188KB
MD5: ed500489a2159f6f3a53c6366a2e6201
SHA1: c8f123f4b43b536f9ae6eba963a6598ff241b933
SHA256: 92ee6861e2fd98bf5b4943cf7654b3df92337e3ed8906a8174c7aaa1cf4f4bfd
SHA512: be292dfd7369af9a4904a8183ed65dd25e08dafe9d0f51d4be011415b8536092bc932ca5e75f8762d54a16feaf102ab2637403ab7f2496da0b47ddf222c014d2
SSDEEP: 3072:WA8JmK7ATVfQeVqNFZa/9KzMXJ6jTFDlAwqWut5KZMzfeAAAo2o:WzIqATVfQeV2FZalKq6jtGJWuTmd
Malware Config (extracted)

Family: dridex
Botnet: 22201
C2:
  103.82.248.59:443
  54.39.98.141:6602
  103.109.247.8:10443
rc4.plain
rc4.plain
Signatures

YARA matches (resource -> yara_rule):
  behavioral1/memory/2336-0-0x0000000075000000-0x0000000075030000-memory.dmp -> dridex_ldr
  behavioral1/memory/2336-2-0x0000000075000000-0x0000000075030000-memory.dmp -> dridex_ldr

Program crash (1 IoC)
  Processes (pid, pid_target, process, target process):
  1984 -> 2336: WerFault.exe -> rundll32.exe

Suspicious use of WriteProcessMemory (11 IoCs)
  Processes (pid, process -> target pid, target process):
  PID 1512 rundll32.exe wrote to memory of 2336 rundll32.exe (7 events)
  PID 2336 rundll32.exe wrote to memory of 1984 WerFault.exe (4 events)
Processes

1. C:\Windows\system32\rundll32.exe (PID 1512)
   Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\ed500489a2159f6f3a53c6366a2e6201_JaffaCakes118.dll,#1
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\rundll32.exe (PID 2336)
      Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\ed500489a2159f6f3a53c6366a2e6201_JaffaCakes118.dll,#1
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\WerFault.exe (PID 1984)
         Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2336 -s 300
         - Program crash