Analysis
- max time kernel: 140s
- max time network: 121s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 16-04-2024 09:27
- Static task: static1
- Behavioral task: behavioral1
  - Sample: f32fce36e7b8c879aa8018a7486507d4_JaffaCakes118.dll
  - Resource: win7-20240221-en
General
- Target: f32fce36e7b8c879aa8018a7486507d4_JaffaCakes118.dll
- Size: 664KB
- MD5: f32fce36e7b8c879aa8018a7486507d4
- SHA1: 7180c9fa8517b9b5b73cc31233e711181c57c6ae
- SHA256: afbc58cb91e5f23fa6981faf207426e612c8a2dd78e8bc79dbda502275d50a6f
- SHA512: d552e101bb3f5cdbe5b79b247f8bbc3baa8178025e5572f6349a00016f4f469094cc0bc1aae8576de64b2d4e25303b060ec765d1cadf2067ee37bd546d4e7b68
- SSDEEP: 12288:3/0Qzqf0eli48JM+6TFKywVt6PbEYU0eyJTT/Mu9oV01uVoaEPH:v0zhlqn6TFKywvCbEOxDMu9oyLaEPH
Malware Config
Extracted
- Family: dridex
- Botnet: 10222
- C2:
  - 174.128.245.202:443
  - 51.83.3.52:13786
  - 69.64.50.41:6602
Signatures
- Blocklisted process makes network request (2 IoCs)
  Processes:
  flow  pid   process
  3     2028  rundll32.exe
  5     2028  rundll32.exe
- Checks installed software on the system (1 TTPs)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Checks whether UAC is enabled (1 IoCs)
  Reads the EnableLUA policy value to determine whether UAC is active.
  Processes:
  description        ioc                                                                                    process
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  rundll32.exe
- Suspicious use of WriteProcessMemory (7 IoCs)
  Processes:
  description                        pid   process       target process
  PID 2080 wrote to memory of 2028   2080  rundll32.exe  rundll32.exe
  (the same parent-to-child write is recorded 7 times)
Processes
- C:\Windows\system32\rundll32.exe (PID 2080)
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\f32fce36e7b8c879aa8018a7486507d4_JaffaCakes118.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (PID 2028, child of 2080)
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\f32fce36e7b8c879aa8018a7486507d4_JaffaCakes118.dll,#1
    - Blocklisted process makes network request
    - Checks whether UAC is enabled
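The chain recorded above (an x64 rundll32.exe re-launching a WOW64 rundll32.exe on the same DLL and export, writing into the child, and the child then connecting out to the extracted C2 list) can be correlated from ordinary process telemetry. The script below is an added example, not part of the sandbox report or its tooling: the event records are constructed to mirror the report's PIDs, paths and C2 endpoints, the event field names are an assumption, and the "user-writable path" heuristic is a deliberately simple one. It also includes a benign x64-to-WOW64 re-launch of a vendor DLL to show that the re-launch and the parent's memory writes on their own are not enough to fire.

```python
"""Correlate process telemetry into the rundll32 -> rundll32 Dridex loader chain.

Added example; SAMPLE_EVENTS are constructed to mirror the report, not raw
sandbox output.  Event schema (type/pid/ppid/image/cmdline/target/dst_*) is
an assumption, not any particular EDR's format.
"""
import re
from collections import defaultdict

# C2 endpoints from the report's extracted Dridex config (botnet 10222).
DRIDEX_C2 = {
    ("174.128.245.202", 443),
    ("51.83.3.52", 13786),
    ("69.64.50.41", 6602),
}

SAMPLE_DLL = r"C:\Users\Admin\AppData\Local\Temp\f32fce36e7b8c879aa8018a7486507d4_JaffaCakes118.dll"

# rundll32 command line:  [path\]rundll32.exe <dll>,<export name or #ordinal>
RUNDLL32_RE = re.compile(
    r'^"?[^"\s]*rundll32\.exe"?\s+(?P<dll>"[^"]+"|\S+?),(?P<export>\S+)$',
    re.IGNORECASE,
)


def parse_rundll32(cmdline):
    """Return (dll_path, export) for a rundll32 command line, else None."""
    m = RUNDLL32_RE.match(cmdline.strip())
    if m is None:
        return None
    return m.group("dll").strip('"'), m.group("export")


def is_rundll32(image):
    return image.lower().endswith("\\rundll32.exe")


def in_user_writable_dir(path):
    # Heuristic (assumption): anything under a user profile is user-writable.
    return "\\users\\" in path.lower()


def detect_rundll32_injection_chain(events, c2=DRIDEX_C2, threshold=3):
    """One finding per parent/child rundll32 pair that loads the same DLL and
    shows at least `threshold` of the indicators seen in the report."""
    procs = {e["pid"]: e for e in events if e["type"] == "process_create"}
    writes = defaultdict(set)   # writer pid -> {target pid}
    conns = defaultdict(set)    # pid -> {(dst_ip, dst_port)}
    for e in events:
        if e["type"] == "write_process_memory":
            writes[e["pid"]].add(e["target"])
        elif e["type"] == "network_connect":
            conns[e["pid"]].add((e["dst_ip"], e["dst_port"]))

    findings = []
    for pid, child in procs.items():
        parent = procs.get(child["ppid"])
        if parent is None or not (is_rundll32(parent["image"]) and is_rundll32(child["image"])):
            continue
        loaded = parse_rundll32(child["cmdline"])
        if loaded is None or loaded != parse_rundll32(parent["cmdline"]):
            continue
        dll, export = loaded
        # The x64 -> WOW64 re-launch itself (and the parent's writes into the new
        # process during setup) also occur for legitimate 32-bit DLLs, so no
        # single indicator is decisive; only the combination is reported.
        reasons = []
        if in_user_writable_dir(dll):
            reasons.append("DLL loaded from a user-writable path")
        if export.startswith("#"):
            reasons.append("export called by ordinal")
        if pid in writes[parent["pid"]]:
            reasons.append("parent wrote into child memory")
        if conns[pid]:
            reasons.append("child made outbound connections")
        c2_hits = conns[pid] & c2
        if c2_hits:
            reasons.append("child contacted known Dridex C2")
        if len(reasons) >= threshold:
            findings.append({
                "parent_pid": parent["pid"], "child_pid": pid,
                "dll": dll, "export": export,
                "reasons": reasons, "c2_hits": sorted(c2_hits),
            })
    return findings


# Constructed events mirroring the report (PIDs 2080 -> 2028), plus a benign
# x64 -> WOW64 re-launch of a vendor DLL that must not be flagged.
SAMPLE_EVENTS = [
    {"type": "process_create", "pid": 2080, "ppid": 1, "image": r"C:\Windows\system32\rundll32.exe",
     "cmdline": f"rundll32.exe {SAMPLE_DLL},#1"},
    {"type": "process_create", "pid": 2028, "ppid": 2080, "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "cmdline": f"rundll32.exe {SAMPLE_DLL},#1"},
    {"type": "write_process_memory", "pid": 2080, "target": 2028},
    {"type": "network_connect", "pid": 2028, "dst_ip": "174.128.245.202", "dst_port": 443},
    {"type": "network_connect", "pid": 2028, "dst_ip": "51.83.3.52", "dst_port": 13786},
    {"type": "process_create", "pid": 3100, "ppid": 1, "image": r"C:\Windows\system32\rundll32.exe",
     "cmdline": r'rundll32.exe "C:\Program Files (x86)\Vendor\helper.dll",Init'},
    {"type": "process_create", "pid": 3104, "ppid": 3100, "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "cmdline": r'rundll32.exe "C:\Program Files (x86)\Vendor\helper.dll",Init'},
    {"type": "write_process_memory", "pid": 3100, "target": 3104},
]

if __name__ == "__main__":
    for f in detect_rundll32_injection_chain(SAMPLE_EVENTS):
        print(f"{f['parent_pid']} -> {f['child_pid']}: {f['dll']},{f['export']}")
        for r in f["reasons"]:
            print("   ", r)
        print("    C2:", f["c2_hits"])
```

Run stand-alone it reports only the 2080 -> 2028 pair, with all five indicators; the vendor pair (3100 -> 3104) scores a single indicator and stays quiet. Lowering `threshold` to 1 makes the benign re-launch fire too, which is the point of the caveat in the comments.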
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Downloads
- memory/2028-0-0x0000000002210000-0x000000000234C000-memory.dmp (Filesize: 1.2MB)
- memory/2028-2-0x0000000002210000-0x000000000234C000-memory.dmp (Filesize: 1.2MB)
- memory/2028-3-0x0000000002210000-0x000000000234C000-memory.dmp (Filesize: 1.2MB)
- memory/2028-6-0x0000000002210000-0x000000000234C000-memory.dmp (Filesize: 1.2MB)
- memory/2028-7-0x00000000000E0000-0x00000000000E1000-memory.dmp (Filesize: 4KB)
- memory/2028-8-0x0000000002210000-0x000000000234C000-memory.dmp (Filesize: 1.2MB)