dridex | 92ee6861e2fd98bf5b4943cf7654b3df92337e3ed8906a8174c7aaa1cf4f4bfd

Analysis

max time kernel
140s
max time network
117s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
11-04-2024 11:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ed500489a2159f6f3a53c6366a2e6201_JaffaCakes118.dll
Size

188KB
MD5

ed500489a2159f6f3a53c6366a2e6201
SHA1

c8f123f4b43b536f9ae6eba963a6598ff241b933
SHA256

92ee6861e2fd98bf5b4943cf7654b3df92337e3ed8906a8174c7aaa1cf4f4bfd
SHA512

be292dfd7369af9a4904a8183ed65dd25e08dafe9d0f51d4be011415b8536092bc932ca5e75f8762d54a16feaf102ab2637403ab7f2496da0b47ddf222c014d2
SSDEEP

3072:WA8JmK7ATVfQeVqNFZa/9KzMXJ6jTFDlAwqWut5KZMzfeAAAo2o:WzIqATVfQeV2FZalKq6jtGJWuTmd

Score

10^/10

dridex 22201 botnet loader

Malware Config

Extracted

Family

dridex

Botnet

22201

103.82.248.59:443

54.39.98.141:6602

103.109.247.8:10443

rc4.plain

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Loader 2 IoCs

Detects Dridex both x86 and x64 loader in memory.

botnet loader

Processes:

resource	yara_rule
behavioral1/memory/2336-0-0x0000000075000000-0x0000000075030000-memory.dmp	dridex_ldr
behavioral1/memory/2336-2-0x0000000075000000-0x0000000075030000-memory.dmp	dridex_ldr

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1984 2336 WerFault.exe rundll32.exe

pid	pid_target	process	target process
1984	2336	WerFault.exe	rundll32.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 1512 wrote to memory of 2336	1512	rundll32.exe	rundll32.exe
PID 1512 wrote to memory of 2336	1512	rundll32.exe	rundll32.exe
PID 1512 wrote to memory of 2336	1512	rundll32.exe	rundll32.exe
PID 1512 wrote to memory of 2336	1512	rundll32.exe	rundll32.exe
PID 1512 wrote to memory of 2336	1512	rundll32.exe	rundll32.exe
PID 1512 wrote to memory of 2336	1512	rundll32.exe	rundll32.exe
PID 1512 wrote to memory of 2336	1512	rundll32.exe	rundll32.exe
PID 2336 wrote to memory of 1984	2336	rundll32.exe	WerFault.exe
PID 2336 wrote to memory of 1984	2336	rundll32.exe	WerFault.exe
PID 2336 wrote to memory of 1984	2336	rundll32.exe	WerFault.exe
PID 2336 wrote to memory of 1984	2336	rundll32.exe	WerFault.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\ed500489a2159f6f3a53c6366a2e6201_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1512

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\ed500489a2159f6f3a53c6366a2e6201_JaffaCakes118.dll,#1
2⤵
- Suspicious use of WriteProcessMemory
PID:2336

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2336 -s 300
3⤵
- Program crash
PID:1984

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2336-0-0x0000000075000000-0x0000000075030000-memory.dmp

Filesize
192KB

Download
memory/2336-1-0x00000000000C0000-0x00000000000C6000-memory.dmp

Filesize
24KB

Download
memory/2336-2-0x0000000075000000-0x0000000075030000-memory.dmp

Filesize
192KB

Download