Analysis

max time kernel: 141s
max time network: 122s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 20-04-2024 11:06

Static task: static1 (1 signatures)
Behavioral task: behavioral1
  Sample: fc9ef5bc1b1cea4f33d5334473ee9ae4_JaffaCakes118.dll
  Resource: win7-20240221-en (windows7-x64)
  4 signatures, 150 seconds
General

Target: fc9ef5bc1b1cea4f33d5334473ee9ae4_JaffaCakes118.dll
Size: 184KB
MD5: fc9ef5bc1b1cea4f33d5334473ee9ae4
SHA1: ad637da69695b68f54b84fe521d3933d0828f22c
SHA256: 3c45d8d07263ab9cd4333e165b9a34d590a8f808f0df0a09f9440ad123861833
SHA512: 9a90bb5208d3b5eb70120b5aa46a206233316275c865154c18f1721468a8e6c53af1376b34b53843098e25fee2ddc791b0fd4545856ced279c106a5105dcd8b9
SSDEEP: 3072:Uhd6lp2ffOeP3gv+i4W63iFfKfXM9mQltYwgO226+f33JFVQcY:U3fOeIv54W6SFKfc9me9v9/JFV
Malware Config

Extracted
Family: dridex
Botnet: 22201
C2:
  51.79.50.122:443
  222.124.142.67:10443
  138.201.222.158:4664
rc4.plain:
rc4.plain:
Signatures

YARA match (rule dridex_ldr) 1 IoCs
  resource: behavioral1/memory/2368-0-0x0000000074C60000-0x0000000074C90000-memory.dmp
  yara_rule: dridex_ldr

Program crash 1 IoCs
  pid 2420 (WerFault.exe) -> target pid 2368 (rundll32.exe)

Suspicious use of WriteProcessMemory 11 IoCs
  PID 2840 (rundll32.exe) wrote to memory of 2368 (rundll32.exe): 7 events
  PID 2368 (rundll32.exe) wrote to memory of 2420 (WerFault.exe): 4 events
Processes

C:\Windows\system32\rundll32.exe (PID 2840)
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\fc9ef5bc1b1cea4f33d5334473ee9ae4_JaffaCakes118.dll,#1
  - Suspicious use of WriteProcessMemory
  └ C:\Windows\SysWOW64\rundll32.exe (PID 2368)
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\fc9ef5bc1b1cea4f33d5334473ee9ae4_JaffaCakes118.dll,#1
      - Suspicious use of WriteProcessMemory
      └ C:\Windows\SysWOW64\WerFault.exe (PID 2420)
          C:\Windows\SysWOW64\WerFault.exe -u -p 2368 -s 280
          - Program crash
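The signature tables and the process tree above are the raw material an analyst turns into a verdict: the 64-bit rundll32.exe (PID 2840) re-spawned the SysWOW64 rundll32.exe (PID 2368) with the identical DLL argument, which is Windows' own redirection for an x86 DLL and accounts for the first seven WriteProcessMemory events; the 32-bit child is where the loader actually ran (the dridex_ldr YARA hit is on PID 2368's memory dump), and it is the PID that WerFault.exe (PID 2420) was raised for. The script below is an added example, not part of the sandbox report or of any Triage tooling: it re-derives those conclusions from the event lines and process list shown on this page (embedded here verbatim) and normalises the extracted C2 entries. Parent PIDs are taken from the tree nesting above; all function names are ours.

```python
"""Re-derive the behavioural verdict from the report's own event lines."""
import re
from collections import Counter

# The 11 'Suspicious use of WriteProcessMemory' IoC lines, copied from the report.
WRITE_EVENTS = (
    ["PID 2840 wrote to memory of 2368 2840 rundll32.exe rundll32.exe"] * 7
    + ["PID 2368 wrote to memory of 2420 2368 rundll32.exe WerFault.exe"] * 4
)

# Process tree from the report as (pid, parent pid, image, command line);
# parent links follow the tree nesting shown on the page.
PROCESSES = [
    (2840, None, r"C:\Windows\system32\rundll32.exe",
     r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\fc9ef5bc1b1cea4f33d5334473ee9ae4_JaffaCakes118.dll,#1"),
    (2368, 2840, r"C:\Windows\SysWOW64\rundll32.exe",
     r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\fc9ef5bc1b1cea4f33d5334473ee9ae4_JaffaCakes118.dll,#1"),
    (2420, 2368, r"C:\Windows\SysWOW64\WerFault.exe",
     r"C:\Windows\SysWOW64\WerFault.exe -u -p 2368 -s 280"),
]

# C2 entries from the extracted Dridex config (botnet 22201).
C2 = ["51.79.50.122:443", "222.124.142.67:10443", "138.201.222.158:4664"]

_WPM_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) \d+ (\S+) (\S+)$")
_WERFAULT_RE = re.compile(r"WerFault\.exe .*-p (\d+)", re.IGNORECASE)


def parse_write_events(lines):
    """Count writer -> target PID pairs: {(src_pid, dst_pid): events}."""
    pairs = Counter()
    for line in lines:
        m = _WPM_RE.match(line)
        if m:
            pairs[(int(m.group(1)), int(m.group(2)))] += 1
    return dict(pairs)


def _dll_arg(cmd):
    """The 'path,export' argument rundll32 was given, lower-cased."""
    parts = cmd.split(" ", 1)
    return parts[1].strip().lower() if len(parts) == 2 else ""


def find_rundll32_relaunch(processes):
    """(parent, child) pairs where system32\\rundll32 spawned SysWOW64\\rundll32
    with the same DLL argument, i.e. the payload is 32-bit and runs in the child."""
    by_pid = {p[0]: p for p in processes}
    hits = []
    for pid, ppid, image, cmd in processes:
        parent = by_pid.get(ppid)
        if parent is None:
            continue
        if (image.lower().endswith(r"\syswow64\rundll32.exe")
                and parent[2].lower().endswith(r"\system32\rundll32.exe")
                and _dll_arg(cmd) == _dll_arg(parent[3])):
            hits.append((ppid, pid))
    return hits


def find_crashes(processes):
    """(werfault_pid, crashed_pid) taken from each WerFault.exe '-p' argument."""
    crashes = []
    for pid, _ppid, image, cmd in processes:
        m = _WERFAULT_RE.search(cmd)
        if image.lower().endswith(r"\werfault.exe") and m:
            crashes.append((pid, int(m.group(1))))
    return crashes


def parse_c2(entries):
    """'host:port' strings -> (host, port) tuples, ready for a blocklist."""
    out = []
    for entry in entries:
        host, _, port = entry.rpartition(":")
        out.append((host, int(port)))
    return out


def summarize():
    """Verdict fields an analyst would lift out of this report."""
    writes = parse_write_events(WRITE_EVENTS)
    relaunch = find_rundll32_relaunch(PROCESSES)
    crashes = find_crashes(PROCESSES)
    payload_pids = {child for _parent, child in relaunch}
    return {
        "write_pairs": writes,
        "write_event_count": sum(writes.values()),
        "rundll32_relaunch": relaunch,
        "payload_pid": sorted(payload_pids),
        "crashes": crashes,
        # True when WerFault was raised for the PID the loader actually ran in.
        "payload_crashed": any(t in payload_pids for _w, t in crashes),
        "c2": parse_c2(C2),
    }


if __name__ == "__main__":
    for key, value in summarize().items():
        print(f"{key}: {value}")
```

The WriteProcessMemory signature fires on plain CreateProcess activity as well as on injection, so the useful output is not the count of 11 but the pairing: seven writes into the 32-bit rundll32 child that the YARA rule then matched in memory, and four into WerFault once that child crashed. A crash after the loader is mapped usually means the sample did not reach its C2 stage in this run, so the extracted config, not the network log, is the place to take indicators from.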