Analysis
- max time kernel: 92s
- max time network: 146s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 12-04-2024 06:01
Static task
- static1: 1 signature
Behavioral task
- behavioral1
  - Sample: ef48757774dbe22f7482600ef518e7e4_JaffaCakes118.dll
  - Resource: win7-20240215-en
  - 4 signatures
  - 150 seconds
General
- Target: ef48757774dbe22f7482600ef518e7e4_JaffaCakes118.dll
- Size: 188KB
- MD5: ef48757774dbe22f7482600ef518e7e4
- SHA1: ca2dce048157444b3c6139f3ee084bb485373ba8
- SHA256: aab0774e9e2ac03ea67cbdd327a14cabb7d2537eff129c37c4ded1a9ffc1b60f
- SHA512: f3cf5884e6a165923dbc14b81af34361282849c0ac167d1fc07700f1023c03b52784140e66e808d4443ee2315a1773eb6dc0ac815d2d1c77138e72133d2c4033
- SSDEEP: 3072:YA8JmK7ATVfQeVqNFZa/9KzMXJ6jTFDlAwqWut5KZMzfeAAAoro:YzIqATVfQeV2FZalKq6jtGJWuTmd
Malware Config
- Extracted
  - Family: dridex
  - Botnet: 22201
  - C2:
    - 103.82.248.59:443
    - 54.39.98.141:6602
    - 103.109.247.8:10443
  - rc4.plain
  - rc4.plain
Signatures
- YARA rule match
  - resource: behavioral2/memory/4824-0-0x00000000756B0000-0x00000000756E0000-memory.dmp
  - yara_rule: dridex_ldr
- Program crash (1 IoC)
  - process: WerFault.exe (pid 548)
  - target process: rundll32.exe (pid 4824)
- Suspicious use of WriteProcessMemory (3 IoCs)
  - description: PID 644 wrote to memory of 4824 (recorded three times)
  - process: rundll32.exe (pid 644)
  - target process: rundll32.exe (pid 4824)
Processes
- C:\Windows\system32\rundll32.exe (pid 644)
  - command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\ef48757774dbe22f7482600ef518e7e4_JaffaCakes118.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (pid 4824)
    - command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\ef48757774dbe22f7482600ef518e7e4_JaffaCakes118.dll,#1
    - C:\Windows\SysWOW64\WerFault.exe (pid 548)
      - command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4824 -s 692
      - Program crash
- C:\Windows\SysWOW64\WerFault.exe
  - command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4824 -ip 4824
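The signature records and the process tree above can be turned into a small triage check for the rundll32 loader pattern this sample shows: a DLL run from the user's Temp directory by ordinal export (`#1`), a 64-bit rundll32 spawning its 32-bit copy, memory writes into that child, and a WerFault crash of the same child. The following is an added example, not output of the sandbox or code from any project; the events are constructed from the report, the PIDs 644, 4824 and 548 are the ones the report lists, and PID 9999 for the second WerFault instance is an assumed placeholder because the page does not give it.

```python
import re
from collections import defaultdict

# Constructed from the report above (added example, not sandbox output): the process
# tree and the three "wrote to memory of" records, re-keyed by PID. PIDs 644, 4824 and
# 548 are the ones the report gives; the second WerFault instance has no PID on the
# page, so 9999 is an assumed placeholder.
DLL = r"C:\Users\Admin\AppData\Local\Temp\ef48757774dbe22f7482600ef518e7e4_JaffaCakes118.dll"
PROCESSES = [
    {"pid": 644,  "ppid": None, "image": r"C:\Windows\system32\rundll32.exe",
     "cmdline": f"rundll32.exe {DLL},#1"},
    {"pid": 4824, "ppid": 644,  "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "cmdline": f"rundll32.exe {DLL},#1"},
    {"pid": 548,  "ppid": 4824, "image": r"C:\Windows\SysWOW64\WerFault.exe",
     "cmdline": r"C:\Windows\SysWOW64\WerFault.exe -u -p 4824 -s 692"},
    {"pid": 9999, "ppid": None, "image": r"C:\Windows\SysWOW64\WerFault.exe",
     "cmdline": r"C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4824 -ip 4824"},
]
MEMORY_WRITES = [(644, 4824), (644, 4824), (644, 4824)]  # (source pid, target pid)

# rundll32 <dll>,<export>: the DLL may be quoted, the export may be a name or #ordinal.
RUNDLL32_RE = re.compile(
    r'^\s*(?:"[^"]*?rundll32(?:\.exe)?"|\S*rundll32(?:\.exe)?)\s+'
    r'(?:"(?P<qdll>[^"]+)"|(?P<dll>[^,\s]+))\s*,\s*(?P<export>#?\w+)',
    re.IGNORECASE,
)
USER_WRITABLE = re.compile(
    r"\\(appdata\\local\\temp|appdata\\roaming|downloads|public|programdata)\\", re.IGNORECASE)
WERFAULT_PID_RE = re.compile(r"(?:^|\s)-p\s+(\d+)")  # "-p <pid>" but not "-pss"


def parse_rundll32(cmdline):
    """Return (dll_path, export) for a rundll32 command line, or None if it is not one."""
    m = RUNDLL32_RE.match(cmdline)
    if not m:
        return None
    return (m.group("qdll") or m.group("dll"), m.group("export"))


def is_wow64_relaunch(parent, child):
    """64-bit rundll32 handing a 32-bit DLL to its SysWOW64 copy with the same command line.
    This is expected for an x86 DLL, so by itself it is not evidence of injection."""
    return (parent["image"].lower() == r"c:\windows\system32\rundll32.exe"
            and child["image"].lower() == r"c:\windows\syswow64\rundll32.exe"
            and parent["cmdline"] == child["cmdline"])


def analyze(processes, memory_writes):
    """Return (kind, pid, detail) findings over the process tree and memory-write events."""
    by_pid = {p["pid"]: p for p in processes}
    findings = []

    # 1. rundll32 loading a DLL from a user-writable directory and/or by ordinal export.
    for p in processes:
        if not p["image"].lower().endswith(r"\rundll32.exe"):
            continue
        parsed = parse_rundll32(p["cmdline"])
        if parsed is None:
            continue
        dll, export = parsed
        reasons = []
        if USER_WRITABLE.search(dll):
            reasons.append("DLL in user-writable path")
        if export.startswith("#"):
            reasons.append(f"export called by ordinal {export}")
        if reasons:
            findings.append(("rundll32_suspicious_load", p["pid"], "; ".join(reasons)))

    # 2. Cross-process memory writes, aggregated per (source, target) pair.
    counts = defaultdict(int)
    for src, dst in memory_writes:
        counts[(src, dst)] += 1
    for (src, dst), n in counts.items():
        detail = f"{n} write(s) into pid {dst} by pid {src}"
        if src in by_pid and dst in by_pid and is_wow64_relaunch(by_pid[src], by_pid[dst]):
            detail += " (weak on its own: 64-bit/32-bit rundll32 handoff; weight the Temp path, " \
                      "ordinal export and in-memory YARA hit instead)"
        findings.append(("cross_process_write", src, detail))

    # 3. WerFault handling a crash of a process that was also a write target (one per target).
    targets = {dst for _, dst in memory_writes}
    crashed = set()
    for p in processes:
        if not p["image"].lower().endswith(r"\werfault.exe"):
            continue
        m = WERFAULT_PID_RE.search(p["cmdline"])
        if m and int(m.group(1)) in targets and int(m.group(1)) not in crashed:
            crashed.add(int(m.group(1)))
            findings.append(("crash_of_write_target", p["pid"],
                             f"WerFault handling crash of pid {m.group(1)}"))
    return findings


if __name__ == "__main__":
    for kind, pid, detail in analyze(PROCESSES, MEMORY_WRITES):
        print(f"{kind:26} pid={pid:<5} {detail}")
```

The crash finding is worth keeping even though it is the loader failing in the sandbox: a WerFault for the same PID that received memory writes marks the exact process whose dump (the `4824-0-...memory.dmp` resource above) produced the `dridex_ldr` YARA hit, which is where to look first.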