Analysis
Max time kernel: 131s
Max time network: 164s
Platform: windows10-2004_x64
Resource: win10v2004-20240412-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20240412-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 18-04-2024 15:07
Static task: static1 (1 signature)
Behavioral task: behavioral1
  Sample: f84345427edf55ddd3b5e9e1275729f2_JaffaCakes118.dll
  Resource: win7-20240221-en (windows7-x64)
  3 signatures, 150 seconds
General
Target: f84345427edf55ddd3b5e9e1275729f2_JaffaCakes118.dll
Size: 188KB
MD5: f84345427edf55ddd3b5e9e1275729f2
SHA1: 9e8a43139d1e0976abb06538517ae0886102dd56
SHA256: ecd5648aad315bab34608f662a21e87b60c63976143a6d49980484e2eca41640
SHA512: 0bed13be16a3ba6003d4d3c0695c3205eb3e2e75c936aef06125ada9f166e3787784d61f067e027195023c6ed56378a598a54eb56d8a59a73450e4ba351331d6
SSDEEP: 3072:QA8JmK7ATVfQeVqNFZa/9KzMXJ6jTFDlAwqWut5KZMzfeAAAoHo:QzIqATVfQeV2FZalKq6jtGJWuTmd
Malware Config
Extracted
Family: dridex
Botnet: 22201
C2:
  103.82.248.59:443
  54.39.98.141:6602
  103.109.247.8:10443
rc4.plain
rc4.plain
Signatures
YARA rule match (memory dump)
  Resource: behavioral2/memory/5112-0-0x0000000074EB0000-0x0000000074EE0000-memory.dmp
  Rule: dridex_ldr
Program crash (1 IoC)
  WerFault.exe (PID 4224) reported a crash of rundll32.exe (PID 5112)
Suspicious use of WriteProcessMemory (3 IoCs)
  rundll32.exe (PID 2436) wrote to the memory of rundll32.exe (PID 5112), three times
Processes
C:\Windows\system32\rundll32.exe (PID 2436)
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\f84345427edf55ddd3b5e9e1275729f2_JaffaCakes118.dll,#1
  Signature: Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\rundll32.exe (PID 5112)
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\f84345427edf55ddd3b5e9e1275729f2_JaffaCakes118.dll,#1
    C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 5112 -s 692
      Signature: Program crash
C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 5112 -ip 5112
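The process tree above is the behaviour a detection engineer would want to hunt for: a 64-bit rundll32.exe in system32 loading a DLL by export ordinal (#1) from the user's Temp folder, re-launching itself as the 32-bit SysWOW64 copy with the same DLL, writing into that child's memory, and the child then crashing under WerFault. The following is an added example, not part of the sandbox report, that encodes those checks plus the report's C2 endpoints as detection logic over constructed process and connection events. The event shape (pid, ppid, image, cmdline), the parent PID 1000, and the sample connections are assumptions; PIDs 2436, 5112 and 4224, the DLL path, the ordinal and the C2 list come from the report.

```python
"""Detection logic for the rundll32 -> SysWOW64 rundll32 loader pattern and the
report's Dridex C2 IoCs, run over constructed sample events (added example,
not sandbox output)."""
import re
from ipaddress import ip_address

# C2 endpoints from the report's extracted Dridex config (botnet 22201).
DRIDEX_C2 = {
    ("103.82.248.59", 443),
    ("54.39.98.141", 6602),
    ("103.109.247.8", 10443),
}

# rundll32 loading a DLL by export ordinal from a user-writable Temp path.
TEMP_DLL_ORDINAL = re.compile(
    r"rundll32(?:\.exe)?\s+"
    r"(?P<dll>[A-Za-z]:\\Users\\[^\\]+\\AppData\\Local\\Temp\\[^,\s]+\.dll),#(?P<ordinal>\d+)",
    re.IGNORECASE,
)


def is_rundll32(image: str) -> bool:
    return image.lower().endswith("\\rundll32.exe")


def is_wow64(image: str) -> bool:
    return "\\syswow64\\" in image.lower()


def detect_process_events(events):
    """events: iterable of dicts with pid, ppid, image, cmdline.
    Returns a sorted list of unique (rule_name, pid) findings."""
    by_pid = {e["pid"]: e for e in events}
    findings = set()
    for e in events:
        m = TEMP_DLL_ORDINAL.search(e["cmdline"])
        if is_rundll32(e["image"]) and m:
            findings.add(("rundll32_temp_dll_ordinal", e["pid"]))
            parent = by_pid.get(e["ppid"])
            # 64-bit rundll32 handing the same DLL to a 32-bit (SysWOW64) copy
            # of itself, the parent/child pair seen in the report's tree.
            if (parent and is_rundll32(parent["image"]) and is_wow64(e["image"])
                    and not is_wow64(parent["image"])
                    and m.group("dll").lower() in parent["cmdline"].lower()):
                findings.add(("rundll32_x64_to_wow64_handoff", e["pid"]))
        # WerFault reporting a crash (-p <pid>) of a rundll32 process we track.
        if e["image"].lower().endswith("\\werfault.exe"):
            pm = re.search(r"-p\s+(\d+)", e["cmdline"])
            if pm:
                target = int(pm.group(1))
                if target in by_pid and is_rundll32(by_pid[target]["image"]):
                    findings.add(("werfault_for_rundll32", target))
    return sorted(findings)


def match_c2(connections):
    """connections: iterable of (pid, dst_ip, dst_port). Returns the tuples
    whose destination is one of the report's Dridex C2 endpoints."""
    hits = []
    for pid, ip, port in connections:
        ip_address(ip)  # reject malformed addresses early
        if (ip, port) in DRIDEX_C2:
            hits.append((pid, ip, port))
    return hits


# Constructed events mirroring the report's tree. PIDs 2436/5112/4224 and the
# command lines are from the report; ppid 1000 and WerFault's parent are assumed.
DLL = r"C:\Users\Admin\AppData\Local\Temp\f84345427edf55ddd3b5e9e1275729f2_JaffaCakes118.dll"
SAMPLE_EVENTS = [
    {"pid": 2436, "ppid": 1000, "image": r"C:\Windows\system32\rundll32.exe",
     "cmdline": f"rundll32.exe {DLL},#1"},
    {"pid": 5112, "ppid": 2436, "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "cmdline": f"rundll32.exe {DLL},#1"},
    {"pid": 4224, "ppid": 5112, "image": r"C:\Windows\SysWOW64\WerFault.exe",
     "cmdline": r"C:\Windows\SysWOW64\WerFault.exe -u -p 5112 -s 692"},
    # Benign control: rundll32 loading a system DLL by export name.
    {"pid": 6000, "ppid": 1000, "image": r"C:\Windows\system32\rundll32.exe",
     "cmdline": r"rundll32.exe shell32.dll,Control_RunDLL"},
]
# Constructed connections; the report itself lists no observed C2 traffic.
SAMPLE_CONNECTIONS = [(5112, "103.82.248.59", 443), (5112, "8.8.8.8", 53)]

if __name__ == "__main__":
    for finding in detect_process_events(SAMPLE_EVENTS):
        print("process:", finding)
    for hit in match_c2(SAMPLE_CONNECTIONS):
        print("network:", hit)
```

The handoff rule deliberately requires the child to carry the same Temp-path DLL as its parent, so an ordinary 64-bit host launching an unrelated 32-bit rundll32 does not fire; the WerFault rule is only corroborating evidence, since the crash alone says nothing about intent.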