Analysis

max time kernel: 141s
max time network: 122s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 16-04-2024 07:06

Static task: static1 (1 signatures)
Behavioral task: behavioral1
  Sample: f2f492e429e493de3dc50d1d0e6f1c89_JaffaCakes118.dll
  Resource: win7-20240221-en
  4 signatures, 150 seconds
General

Target: f2f492e429e493de3dc50d1d0e6f1c89_JaffaCakes118.dll
Size: 188KB
MD5: f2f492e429e493de3dc50d1d0e6f1c89
SHA1: 29a3c18b3c08ddea1196db7024db088554d897f5
SHA256: 8a33e1d8569fc15804e88298a5eb85d2c6f452e43c55ea430e92b2db3ff700d4
SHA512: de45b20ffaf9dc33d9db0ab229be3c9ebada8237fa4fdb0e6eb6d00a693f89c614e3b70402077f1540cbff310928b4f4bdb21e096c80fdbc133ed5b88f475bf6
SSDEEP: 3072:6A8JmK7ATVfQeVqNFZa/9KzMXJ6jTFDlAwqWut5KZMzfeAAAo1o:6zIqATVfQeV2FZalKq6jtGJWuTmd
Malware Config

Extracted
  Family: dridex
  Botnet: 22201
  C2:
  - 103.82.248.59:443
  - 54.39.98.141:6602
  - 103.109.247.8:10443
  rc4.plain
  rc4.plain
Signatures

- YARA rule match
  Processes:
  resource                                                                  | yara_rule
  behavioral1/memory/1972-0-0x0000000074BC0000-0x0000000074BF0000-memory.dmp | dridex_ldr

- Program crash (1 IoCs)
  Processes:
  pid  | pid_target | process      | target process
  1140 | 1972       | WerFault.exe | rundll32.exe

- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes:
  description                       | pid  | process      | target process
  PID 2204 wrote to memory of 1972  | 2204 | rundll32.exe | rundll32.exe
  PID 2204 wrote to memory of 1972  | 2204 | rundll32.exe | rundll32.exe
  PID 2204 wrote to memory of 1972  | 2204 | rundll32.exe | rundll32.exe
  PID 2204 wrote to memory of 1972  | 2204 | rundll32.exe | rundll32.exe
  PID 2204 wrote to memory of 1972  | 2204 | rundll32.exe | rundll32.exe
  PID 2204 wrote to memory of 1972  | 2204 | rundll32.exe | rundll32.exe
  PID 2204 wrote to memory of 1972  | 2204 | rundll32.exe | rundll32.exe
  PID 1972 wrote to memory of 1140  | 1972 | rundll32.exe | WerFault.exe
  PID 1972 wrote to memory of 1140  | 1972 | rundll32.exe | WerFault.exe
  PID 1972 wrote to memory of 1140  | 1972 | rundll32.exe | WerFault.exe
  PID 1972 wrote to memory of 1140  | 1972 | rundll32.exe | WerFault.exe
Processes

- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\f2f492e429e493de3dc50d1d0e6f1c89_JaffaCakes118.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\f2f492e429e493de3dc50d1d0e6f1c89_JaffaCakes118.dll,#1
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1972 -s 308
      - Program crash