Analysis

max time kernel: 150s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20240412-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240412-en, locale:en-us, os:windows10-2004-x64, system
submitted: 20-04-2024 06:14

Static task: static1 (1 signature)

Behavioral task: behavioral1
Sample: fc1c4a17cab235f20f9f6b7eebdb0e98_JaffaCakes118.dll
Resource: win7-20240220-en (windows7-x64)
4 signatures, 150 seconds
General

Target: fc1c4a17cab235f20f9f6b7eebdb0e98_JaffaCakes118.dll
Size: 188KB
MD5: fc1c4a17cab235f20f9f6b7eebdb0e98
SHA1: 3b008c85c429853be2cef0b012b7e76c149f0e37
SHA256: 77279372bee65e66ca70d296bb0c9f8e7e22d1f81649a51fce24548970bb93f7
SHA512: 817593d42ade70e8f8a57c100a010cef30f59ea90d46d59328d4c932f720ccf305fbc36cbacf51c607a2b1e780f6be9b6cecedcc9d6622917c6fb71d10ab8d09
SSDEEP: 3072:CA8JmK7ATVfQeVqNFZa/9KzMXJ6jTFDlAwqWut5KZMzfeAAAoOo:CzIqATVfQeV2FZalKq6jtGJWuTmd
Malware Config

Extracted
Family: dridex
Botnet: 22201
C2:
  103.82.248.59:443
  54.39.98.141:6602
  103.109.247.8:10443
rc4.plain
rc4.plain
Signatures

Processes:
  resource                                                                    yara_rule
  behavioral2/memory/4716-0-0x0000000074FB0000-0x0000000074FE0000-memory.dmp  dridex_ldr
  behavioral2/memory/4716-2-0x0000000074FB0000-0x0000000074FE0000-memory.dmp  dridex_ldr

Program crash 1 IoCs
Processes:
  pid  pid_target  process       target process
  756  4716        WerFault.exe  rundll32.exe

Suspicious use of WriteProcessMemory 3 IoCs
Processes:
  description                       pid   process       target process
  PID 1176 wrote to memory of 4716  1176  rundll32.exe  rundll32.exe
  PID 1176 wrote to memory of 4716  1176  rundll32.exe  rundll32.exe
  PID 1176 wrote to memory of 4716  1176  rundll32.exe  rundll32.exe
Processes

C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\fc1c4a17cab235f20f9f6b7eebdb0e98_JaffaCakes118.dll,#1
  - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\fc1c4a17cab235f20f9f6b7eebdb0e98_JaffaCakes118.dll,#1
        C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 4716 -s 664
          - Program crash
C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 4716 -ip 4716