Analysis

max time kernel: 135s
max time network: 136s
platform: windows10-2004_x64
resource: win10v2004-20240412-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240412-en, locale:en-us, os:windows10-2004-x64, system
submitted: 16-04-2024 07:06

Static task: static1 (1 signature)

Behavioral task: behavioral1
Sample: f2f492e429e493de3dc50d1d0e6f1c89_JaffaCakes118.dll
Resource: win7-20240221-en (windows7-x64)
Signatures: 4
Run time: 150 seconds
General

Target: f2f492e429e493de3dc50d1d0e6f1c89_JaffaCakes118.dll
Size: 188KB
MD5: f2f492e429e493de3dc50d1d0e6f1c89
SHA1: 29a3c18b3c08ddea1196db7024db088554d897f5
SHA256: 8a33e1d8569fc15804e88298a5eb85d2c6f452e43c55ea430e92b2db3ff700d4
SHA512: de45b20ffaf9dc33d9db0ab229be3c9ebada8237fa4fdb0e6eb6d00a693f89c614e3b70402077f1540cbff310928b4f4bdb21e096c80fdbc133ed5b88f475bf6
SSDEEP: 3072:6A8JmK7ATVfQeVqNFZa/9KzMXJ6jTFDlAwqWut5KZMzfeAAAo1o:6zIqATVfQeV2FZalKq6jtGJWuTmd
Malware Config

Extracted
Family: dridex
Botnet: 22201
C2:
  103.82.248.59:443
  54.39.98.141:6602
  103.109.247.8:10443
rc4.plain
rc4.plain
(two rc4.plain entries are listed; their values are not reproduced on this page)
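The three C2 socket pairs above are the most directly actionable part of the report. The following Python is an added example, not code from the report or from any sandbox tooling: it validates the extracted entries, emits one Suricata rule per socket pair (the sid range is an assumption), and matches them against a few constructed flow records. The flow records are made up for illustration and are not observations from this analysis.

```python
import ipaddress
from dataclasses import dataclass

# C2 endpoints exactly as listed in the extracted Dridex config on this report.
C2_ENDPOINTS = [
    "103.82.248.59:443",
    "54.39.98.141:6602",
    "103.109.247.8:10443",
]


@dataclass(frozen=True)
class Endpoint:
    ip: ipaddress.IPv4Address
    port: int


def parse_c2(entries):
    """Turn 'ip:port' strings into validated Endpoint objects.

    Malformed entries raise rather than silently producing a rule that
    never fires or fires on everything.
    """
    endpoints = []
    for entry in entries:
        host, sep, port_text = entry.rpartition(":")
        if not sep or not port_text.isdigit():
            raise ValueError(f"malformed C2 entry: {entry!r}")
        port = int(port_text)
        if not 0 < port < 65536:
            raise ValueError(f"port out of range: {entry!r}")
        # IPv4Address() raises on hostnames and on anything that is not an IP.
        endpoints.append(Endpoint(ipaddress.IPv4Address(host), port))
    return endpoints


def suricata_rules(endpoints, botnet="22201", sid_base=9000001):
    """Emit one Suricata rule per C2 socket pair (sid_base is an assumption)."""
    return [
        f'alert tcp $HOME_NET any -> {ep.ip} {ep.port} '
        f'(msg:"Dridex botnet {botnet} C2 contact {ep.ip}:{ep.port}"; '
        f'flow:to_server; sid:{sid_base + i}; rev:1;)'
        for i, ep in enumerate(endpoints)
    ]


# Constructed connection records, not from the report: (src_ip, dst_ip, dst_port).
SAMPLE_FLOWS = [
    ("10.0.0.5", "103.82.248.59", 443),    # exact C2 socket pair
    ("10.0.0.5", "142.250.74.78", 443),    # ordinary HTTPS, must not match
    ("10.0.0.7", "54.39.98.141", 80),      # C2 host, unexpected port
]


def match_flows(flows, endpoints):
    """Return (dst_ip, dst_port, confidence) for flows touching C2 infrastructure.

    An exact ip:port pair is high confidence. A known C2 IP on another port is
    still worth a lower-confidence hit: the port in the config can change while
    the host stays; matching on port alone (443) would be pure noise.
    """
    pairs = {(str(ep.ip), ep.port) for ep in endpoints}
    hosts = {str(ep.ip) for ep in endpoints}
    hits = []
    for _src, dst, dport in flows:
        if (dst, dport) in pairs:
            hits.append((dst, dport, "high"))
        elif dst in hosts:
            hits.append((dst, dport, "medium"))
    return hits


if __name__ == "__main__":
    eps = parse_c2(C2_ENDPOINTS)
    print("\n".join(suricata_rules(eps)))
    print(match_flows(SAMPLE_FLOWS, eps))
```

Two of the three C2 ports (443 and 10443) look like TLS, so the IP is the only reliable selector; the rule keys on the destination address and port together rather than on any payload content.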
Signatures

YARA rule hit: dridex_ldr
  resource: behavioral2/memory/1948-0-0x00000000751D0000-0x0000000075200000-memory.dmp
  The hit is in a memory region of pid 1948 (the SysWOW64 rundll32.exe in the tree below). The region spans 0x30000 bytes (192 KB), consistent with the 188 KB sample mapped as a loaded image.

Program crash (1 IoC)
  WerFault.exe (pid 1528) reported a crash of rundll32.exe (pid 1948)

Suspicious use of WriteProcessMemory (3 IoCs)
  rundll32.exe (pid 1580) wrote to memory of rundll32.exe (pid 1948), recorded three times
  Caveat: pid 1580 is the 64-bit rundll32 and pid 1948 the SysWOW64 copy it launched. Parent-to-child memory writes during that handoff occur whenever rundll32 is pointed at a 32-bit DLL on x64, so this signature on its own is low-signal; the dridex_ldr match in the child's memory is the indicator that carries the verdict.
Processes

C:\Windows\system32\rundll32.exe (pid 1580)
  command: rundll32.exe C:\Users\Admin\AppData\Local\Temp\f2f492e429e493de3dc50d1d0e6f1c89_JaffaCakes118.dll,#1
  signatures: Suspicious use of WriteProcessMemory
  +-- C:\Windows\SysWOW64\rundll32.exe (pid 1948)
        command: rundll32.exe C:\Users\Admin\AppData\Local\Temp\f2f492e429e493de3dc50d1d0e6f1c89_JaffaCakes118.dll,#1
        +-- C:\Windows\SysWOW64\WerFault.exe (pid 1528)
              command: C:\Windows\SysWOW64\WerFault.exe -u -p 1948 -s 688
              signatures: Program crash

C:\Windows\SysWOW64\WerFault.exe
  command: C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 1948 -ip 1948

Reading the tree: the sample was invoked by export ordinal (#1) from the user's Temp directory; because the DLL is 32-bit, the x64 rundll32 re-launched it under the SysWOW64 rundll32, and that child process crashed during the run, which is what the two WerFault instances (both naming -p 1948) are reporting.
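The chain above (rundll32 loading a DLL by ordinal from Temp, the x64-to-SysWOW64 handoff, and a crash under WerFault) is a pattern a detection engineer can score from process-creation telemetry. The following Python is an added example, not part of the report: the event records are constructed to mirror the tree, the Sysmon-style field names (pid, ppid, image, cmdline) are an assumption, and the final event is a benign control that must not fire.

```python
import re
from collections import defaultdict

# Constructed process-creation events modelled on the tree in this report.
# Field names are an assumption (Sysmon-style); pids, images and command lines
# are taken from the report. The last event is a benign control.
EVENTS = [
    {"pid": 1580, "ppid": 0,
     "image": r"C:\Windows\system32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\f2f492e429e493de3dc50d1d0e6f1c89_JaffaCakes118.dll,#1"},
    {"pid": 1948, "ppid": 1580,
     "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\f2f492e429e493de3dc50d1d0e6f1c89_JaffaCakes118.dll,#1"},
    {"pid": 1528, "ppid": 1948,
     "image": r"C:\Windows\SysWOW64\WerFault.exe",
     "cmdline": r"C:\Windows\SysWOW64\WerFault.exe -u -p 1948 -s 688"},
    {"pid": 2000, "ppid": 1000,
     "image": r"C:\Windows\system32\rundll32.exe",
     "cmdline": r"rundll32.exe shell32.dll,Control_RunDLL"},
]

IS_RUNDLL32 = re.compile(r"\\rundll32\.exe$", re.IGNORECASE)
# A DLL under the user's Temp directory invoked by export ordinal ("#1").
TEMP_DLL_BY_ORDINAL = re.compile(
    r"\\AppData\\Local\\Temp\\[^\s,]+\.dll,#\d+", re.IGNORECASE)
# WerFault names the crashing process with "-p <pid>"; "-pss" and "-ip" must not match.
WERFAULT_TARGET = re.compile(r"WerFault\.exe.*\s-p\s+(\d+)", re.IGNORECASE)


def loader_findings(events):
    """Map pid -> list of reasons for rundll32 processes matching the loader
    pattern in this report. Each reason alone is weak; the combination is not."""
    by_pid = {e["pid"]: e for e in events}
    crashed = set()
    for e in events:
        m = WERFAULT_TARGET.search(e["cmdline"])
        if m:
            crashed.add(int(m.group(1)))

    findings = defaultdict(list)
    for e in events:
        if not IS_RUNDLL32.search(e["image"]):
            continue
        if TEMP_DLL_BY_ORDINAL.search(e["cmdline"]):
            findings[e["pid"]].append("loads a DLL from %LOCALAPPDATA%\\Temp by ordinal")
        parent = by_pid.get(e["ppid"])
        if (parent and IS_RUNDLL32.search(parent["image"])
                and "\\syswow64\\" in e["image"].lower()):
            # Expected WoW64 handoff for a 32-bit DLL; this is the step that
            # produces the parent-to-child WriteProcessMemory events in the report.
            findings[e["pid"]].append("32-bit rundll32 spawned by 64-bit rundll32 (WoW64 handoff)")
        if e["pid"] in crashed:
            findings[e["pid"]].append("crashed under WerFault after loading the DLL")
    return dict(findings)


if __name__ == "__main__":
    for pid, reasons in loader_findings(EVENTS).items():
        print(pid, reasons)
```

Run stand-alone it reports pid 1580 with one reason and pid 1948 with all three, and nothing for the shell32.dll control. In production the ordinal-from-Temp rule is the one to alert on; the WoW64 handoff and the crash are context that raises confidence, not detections in their own right.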