Analysis
- max time kernel: 140s
- max time network: 125s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 20-04-2024 23:08
Static task: static1
Behavioral task: behavioral1
- Sample: fddd5965364792568919cdf03a75f6e0_JaffaCakes118.dll
- Resource: win7-20240221-en
General
- Target: fddd5965364792568919cdf03a75f6e0_JaffaCakes118.dll
- Size: 604KB
- MD5: fddd5965364792568919cdf03a75f6e0
- SHA1: 682337c26641044580584720f3cc82cb8deae2c4
- SHA256: ccc3dbe6e59089f3f31ceca66125cf024ae13c583275474e50af07788eafd89d
- SHA512: 774c892db5c0794c985918e1e4e46ea6da779aeea5ad9858120b9e49355938781c84806ba45d76dbd05f3c2e24099c7ccc52e7537459ba17d6d17dad11a6e13e
- SSDEEP: 12288:kuIBuwwMtjp4CqwqyaXPLAfx38TW9DiWUT2tq017JGoLbVW/:72b4wqyaDA5sTWiXT2tq07G2s/
Malware Config
Extracted
- Family: dridex
- Botnet: 10444
- C2: 174.128.245.202:443
- C2: 51.83.3.52:13786
- C2: 69.64.50.41:6602
Signatures
- Blocklisted process makes network request (2 IoCs)
  Processes: rundll32.exe
  flow | pid | process
  3 | 2272 | rundll32.exe
  5 | 2272 | rundll32.exe
- Checks installed software on the system (1 TTPs)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Checks whether UAC is enabled
  Processes: rundll32.exe
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | rundll32.exe
- Suspicious use of WriteProcessMemory (7 IoCs)
  Processes: rundll32.exe
  description | pid | process | target process
  PID 1440 wrote to memory of 2272 | 1440 | rundll32.exe | rundll32.exe (this entry is reported 7 times)
Processes
- C:\Windows\system32\rundll32.exe (PID 1440)
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\fddd5965364792568919cdf03a75f6e0_JaffaCakes118.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (PID 2272)
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\fddd5965364792568919cdf03a75f6e0_JaffaCakes118.dll,#1
    - Blocklisted process makes network request
    - Checks whether UAC is enabled
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Downloads
- memory/2272-0-0x00000000007E0000-0x0000000000910000-memory.dmp (Filesize: 1.2MB)
- memory/2272-2-0x00000000007E0000-0x0000000000910000-memory.dmp (Filesize: 1.2MB)
- memory/2272-4-0x00000000007E0000-0x0000000000910000-memory.dmp (Filesize: 1.2MB)
- memory/2272-5-0x0000000000140000-0x0000000000141000-memory.dmp (Filesize: 4KB)
- memory/2272-3-0x00000000007E0000-0x0000000000910000-memory.dmp (Filesize: 1.2MB)
- memory/2272-7-0x00000000007E0000-0x0000000000910000-memory.dmp (Filesize: 1.2MB)
- memory/2272-8-0x00000000007E0000-0x0000000000910000-memory.dmp (Filesize: 1.2MB)
- memory/2272-9-0x0000000000140000-0x0000000000141000-memory.dmp (Filesize: 4KB)