dridex | a3481ff1e1edc41543998b5b82572160783af6e3b7a79cb261e0d939cbee71a8

Analysis

max time kernel
150s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
15-04-2024 09:59

Target

f0ca6a178c582bda1a580e5dfd54ca0d_JaffaCakes118.dll
Size

188KB
MD5

f0ca6a178c582bda1a580e5dfd54ca0d
SHA1

d6bac55fefceff6436220cd948eec8fb775dff86
SHA256

a3481ff1e1edc41543998b5b82572160783af6e3b7a79cb261e0d939cbee71a8
SHA512

e214245b4d6de57ca235beda5df78641d6792fdb49ffbaaf90a10cc501766f0778cb91b74f2c6765973e850e9f08e2a0984eb3a902d11d7db1bdc46042195343
SSDEEP

3072:SH0uyjZqEpAK+Gf78TBdrXkTM5vhRg9Esf0DwvtyMpVnpA+z6tX8sxKViWZ7dU:SUua/Pv7YNhRIEZDeXVpAxtMsxK

Score

10^/10

Family

dridex

Botnet

22201

103.82.248.59:443

54.39.98.141:6602

103.109.247.8:10443

rc4.plain

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Loader 1 IoCs

Detects Dridex both x86 and x64 loader in memory.

Processes:

resource	yara_rule
behavioral2/memory/2344-0-0x00000000758E0000-0x0000000075910000-memory.dmp	dridex_ldr

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4952 2344 WerFault.exe rundll32.exe

pid	pid_target	process	target process
4952	2344	WerFault.exe	rundll32.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 1912 wrote to memory of 2344	1912	rundll32.exe	rundll32.exe
PID 1912 wrote to memory of 2344	1912	rundll32.exe	rundll32.exe
PID 1912 wrote to memory of 2344	1912	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\f0ca6a178c582bda1a580e5dfd54ca0d_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1912

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\f0ca6a178c582bda1a580e5dfd54ca0d_JaffaCakes118.dll,#1
2⤵
PID:2344

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2344 -s 692
3⤵
- Program crash
PID:4952

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 2344 -ip 2344
1⤵
PID:364

memory/2344-0-0x00000000758E0000-0x0000000075910000-memory.dmp

Filesize
192KB

Download
memory/2344-1-0x0000000000B20000-0x0000000000B26000-memory.dmp

Filesize
24KB

Download