dridex | aab0774e9e2ac03ea67cbdd327a14cabb7d2537eff129c37c4ded1a9ffc1b60f

Analysis

max time kernel
92s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
12-04-2024 06:01

Target

ef48757774dbe22f7482600ef518e7e4_JaffaCakes118.dll
Size

188KB
MD5

ef48757774dbe22f7482600ef518e7e4
SHA1

ca2dce048157444b3c6139f3ee084bb485373ba8
SHA256

aab0774e9e2ac03ea67cbdd327a14cabb7d2537eff129c37c4ded1a9ffc1b60f
SHA512

f3cf5884e6a165923dbc14b81af34361282849c0ac167d1fc07700f1023c03b52784140e66e808d4443ee2315a1773eb6dc0ac815d2d1c77138e72133d2c4033
SSDEEP

3072:YA8JmK7ATVfQeVqNFZa/9KzMXJ6jTFDlAwqWut5KZMzfeAAAoro:YzIqATVfQeV2FZalKq6jtGJWuTmd

Score

10^/10

Family

dridex

Botnet

22201

103.82.248.59:443

54.39.98.141:6602

103.109.247.8:10443

rc4.plain

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Loader 1 IoCs

Detects Dridex both x86 and x64 loader in memory.

Processes:

resource	yara_rule
behavioral2/memory/4824-0-0x00000000756B0000-0x00000000756E0000-memory.dmp	dridex_ldr

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

548 4824 WerFault.exe rundll32.exe

pid	pid_target	process	target process
548	4824	WerFault.exe	rundll32.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 644 wrote to memory of 4824	644	rundll32.exe	rundll32.exe
PID 644 wrote to memory of 4824	644	rundll32.exe	rundll32.exe
PID 644 wrote to memory of 4824	644	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\ef48757774dbe22f7482600ef518e7e4_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:644

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\ef48757774dbe22f7482600ef518e7e4_JaffaCakes118.dll,#1
2⤵
PID:4824

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4824 -s 692
3⤵
- Program crash
PID:548

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4824 -ip 4824
1⤵
PID:4568

memory/4824-0-0x00000000756B0000-0x00000000756E0000-memory.dmp

Filesize
192KB

Download
memory/4824-1-0x00000000009C0000-0x00000000009C6000-memory.dmp

Filesize
24KB

Download