Analysis

max time kernel: 141s
max time network: 123s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 16-04-2024 12:56

Static task: static1 (1 signature)
Behavioral task: behavioral1
  Sample: f3895703410910aa0ef2f7da6a12dd49_JaffaCakes118.dll
  Resource: win7-20240221-en
  4 signatures, 150 seconds
General

Target: f3895703410910aa0ef2f7da6a12dd49_JaffaCakes118.dll
Size: 175KB
MD5: f3895703410910aa0ef2f7da6a12dd49
SHA1: 18a05909877ba997e3acda5426d5a28a4159c089
SHA256: 688bc9341860e2f04f307f162f71a628896bc6ca9fa200be54eee05a4b69cb72
SHA512: 9e7fb076d894f8ab933ad00b2d1e4dfc9d92e2608ec1efe41d08346be287991a6cdc3528eb93935bf07c2525af1008e5e4199e976fbb1f25906ef563e88f2c2b
SSDEEP: 3072:cC1Oe6ths2hyT0DzJfN3ZKU3YkmN5Sw4Q2kUl59Pn9ObAAW0f3:cC1Oem/DzJhok45X4HPYb
Malware Config

Extracted
Family: dridex
Botnet: 22201
C2:
  46.55.222.10:443
  104.248.178.90:4664
  173.212.243.155:7002
rc4.plain (two entries are listed; the key values are not rendered on this page)
Signatures

(signature name not captured) - YARA rule matches on memory dumps of PID 2120
  resource                                                                    yara_rule
  behavioral1/memory/2120-0-0x0000000075160000-0x0000000075190000-memory.dmp  dridex_ldr
  behavioral1/memory/2120-2-0x0000000075160000-0x0000000075190000-memory.dmp  dridex_ldr

Program crash (1 IoC)
  pid   pid_target  process       target process
  2972  2120        WerFault.exe  rundll32.exe

Suspicious use of WriteProcessMemory (11 IoCs)
  description                       pid   process       target process  count
  PID 1756 wrote to memory of 2120  1756  rundll32.exe  rundll32.exe    7
  PID 2120 wrote to memory of 2972  2120  rundll32.exe  WerFault.exe    4
Processes

C:\Windows\system32\rundll32.exe (PID 1756)
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\f3895703410910aa0ef2f7da6a12dd49_JaffaCakes118.dll,#1
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\rundll32.exe (PID 2120)
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\f3895703410910aa0ef2f7da6a12dd49_JaffaCakes118.dll,#1
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\WerFault.exe (PID 2972)
      C:\Windows\SysWOW64\WerFault.exe -u -p 2120 -s 224
      - Program crash

The ",#1" argument tells rundll32 to call the DLL's export with ordinal 1; the PIDs are taken from the Program crash and WriteProcessMemory tables above.
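As an added example (not part of this sandbox report and not the sample's own code), the Python below turns the page's extracted config and process tree into something a detection engineer can check: it validates the C2 list into (ip, port) indicators, flags rundll32 loading a DLL out of a user's Temp directory by export entry (the launch shown above), and links the three-process chain the report shows: a system32 rundll32 spawning a SysWOW64 rundll32 with the same DLL argument, followed by WerFault reporting a crash of that child via "-p <pid>". The 64-bit to 32-bit rundll32 hop is consistent with the 64-bit rundll32 re-launching its WoW64 counterpart to load a 32-bit DLL, so the parent-to-child WriteProcessMemory calls by themselves are weak evidence; the Temp-path DLL, the ordinal export and the crash are the parts worth alerting on. The event dictionaries are constructed from the values on this page; their field names, the Temp-path heuristic and the regular expressions are assumptions of this example, not anything the report defines.

```python
import ipaddress
import re

# Constructed from the report's "Malware Config" block.
EXTRACTED_CONFIG = {
    "family": "dridex",
    "botnet": "22201",
    "c2": ["46.55.222.10:443", "104.248.178.90:4664", "173.212.243.155:7002"],
}

# Process-creation events constructed from the report's process tree and its
# WriteProcessMemory / Program crash tables. Field names are this example's own.
DLL = r"C:\Users\Admin\AppData\Local\Temp\f3895703410910aa0ef2f7da6a12dd49_JaffaCakes118.dll"
EVENTS = [
    {"pid": 1756, "ppid": 0, "image": r"C:\Windows\system32\rundll32.exe",
     "cmdline": f"rundll32.exe {DLL},#1"},
    {"pid": 2120, "ppid": 1756, "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "cmdline": f"rundll32.exe {DLL},#1"},
    {"pid": 2972, "ppid": 2120, "image": r"C:\Windows\SysWOW64\WerFault.exe",
     "cmdline": r"C:\Windows\SysWOW64\WerFault.exe -u -p 2120 -s 224"},
]


def parse_c2(entries):
    """Validate 'ip:port' C2 strings and return (ip, port) tuples.

    A malformed entry raises instead of being dropped, so a broken feed line
    cannot silently shrink the block list. Bracketed IPv6 ('[::1]:443') is
    accepted as well, which goes beyond the IPv4-only list on this page.
    """
    parsed = []
    for entry in entries:
        host, sep, port = entry.rpartition(":")
        if not sep:
            raise ValueError(f"no port in {entry!r}")
        ip = ipaddress.ip_address(host.strip("[]"))   # ValueError on hostnames/junk
        port = int(port)
        if not 0 < port < 65536:
            raise ValueError(f"bad port in {entry!r}")
        parsed.append((str(ip), port))
    return parsed


# [path\]rundll32[.exe] <dll>,<entry>   where <entry> is #ordinal or an export name
RUNDLL32_RE = re.compile(
    r"^(?:.*\\)?rundll32(?:\.exe)?\s+(?P<dll>.+?\.dll)\s*,\s*(?P<entry>#?\w+)\s*$",
    re.IGNORECASE,
)
# Assumed heuristic: DLLs loaded from a user's Temp directory are worth flagging.
USER_TEMP_RE = re.compile(r"^[A-Z]:\\Users\\[^\\]+\\AppData\\Local\\Temp\\", re.IGNORECASE)


def rundll32_from_user_temp(event):
    """Return {pid, dll, entry} when rundll32 loads a DLL out of %TEMP%, else None."""
    if not event["image"].lower().endswith("rundll32.exe"):
        return None
    m = RUNDLL32_RE.match(event["cmdline"])
    if not m or not USER_TEMP_RE.match(m["dll"]):
        return None
    return {"pid": event["pid"], "dll": m["dll"], "entry": m["entry"]}


def loader_chains(events):
    """Link the pattern the report shows: a flagged rundll32 whose parent is a
    flagged rundll32 with the same DLL argument (the x64 -> WoW64 hop), plus a
    WerFault child whose -p <pid> names that rundll32 (the loader crashed).
    Returns (parent_pid, child_pid, werfault_pid_or_None) per chain found."""
    hits = {}
    for e in events:
        h = rundll32_from_user_temp(e)
        if h:
            hits[e["pid"]] = h
    chains = []
    for child in events:
        hit, parent_hit = hits.get(child["pid"]), hits.get(child["ppid"])
        if not hit or not parent_hit:
            continue
        if hit["dll"].lower() != parent_hit["dll"].lower():
            continue
        crash = None
        for e in events:
            if e["ppid"] != child["pid"] or not e["image"].lower().endswith("werfault.exe"):
                continue
            m = re.search(r"-p\s+(\d+)", e["cmdline"])
            if m and int(m.group(1)) == child["pid"]:
                crash = e["pid"]
        chains.append((child["ppid"], child["pid"], crash))
    return chains


if __name__ == "__main__":
    print("C2:", parse_c2(EXTRACTED_CONFIG["c2"]))
    print("loader chains:", loader_chains(EVENTS))
```

Run stand-alone it prints the three validated C2 endpoints and the single chain (1756, 2120, 2972). The crash link is deliberately optional in the returned tuple: a loader that does not crash in the analyst's environment still yields the rundll32-to-rundll32 hop with a Temp-path DLL, which is the part to hunt on across endpoint telemetry.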