Analysis
- max time kernel: 140s
- max time network: 118s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 21-04-2024 10:37

Static task: static1 (1 signature)

Behavioral task: behavioral1
- Sample: ff164b0d6c2ac0563843704650d04633_JaffaCakes118.dll
- Resource: win7-20240221-en (windows7-x64)
- 4 signatures
- 150 seconds
General
- Target: ff164b0d6c2ac0563843704650d04633_JaffaCakes118.dll
- Size: 188KB
- MD5: ff164b0d6c2ac0563843704650d04633
- SHA1: 95a282900af1b1cb589410752750e1c046f3cff1
- SHA256: 47407fe9d9f324bd2137d6711e2ccc782094b7792d1cbc5e246198873e5fc593
- SHA512: b3e35944c27b33d3389c74fef38d782b5bcd9ce6d5f8153c6ccc6588b6de80b346643be1467a8891e8c372997b94e9b5f8d44ee531a211433f6074bd5b7cf775
- SSDEEP: 3072:GA8JmK7ATVfQeVqNFZa/9KzMXJ6jTFDlAwqWut5KZMzfeAAAoxo:GzIqATVfQeV2FZalKq6jtGJWuTmd
Malware Config
Extracted
- Family: dridex
- Botnet: 22201
- C2:
  - 103.82.248.59:443
  - 54.39.98.141:6602
  - 103.109.247.8:10443
- rc4.plain
- rc4.plain
Signatures
-
Processes:
resource | yara_rule
behavioral1/memory/2972-1-0x0000000074FF0000-0x0000000075020000-memory.dmp | dridex_ldr
behavioral1/memory/2972-2-0x0000000074FF0000-0x0000000075020000-memory.dmp | dridex_ldr
- Program crash (1 IoC)
Processes:
pid | pid_target | process | target process
2944 | 2972 | WerFault.exe | rundll32.exe
- Suspicious use of WriteProcessMemory (11 IoCs)
Processes:
description | pid | process | target process
PID 2784 wrote to memory of 2972 | 2784 | rundll32.exe | rundll32.exe
PID 2784 wrote to memory of 2972 | 2784 | rundll32.exe | rundll32.exe
PID 2784 wrote to memory of 2972 | 2784 | rundll32.exe | rundll32.exe
PID 2784 wrote to memory of 2972 | 2784 | rundll32.exe | rundll32.exe
PID 2784 wrote to memory of 2972 | 2784 | rundll32.exe | rundll32.exe
PID 2784 wrote to memory of 2972 | 2784 | rundll32.exe | rundll32.exe
PID 2784 wrote to memory of 2972 | 2784 | rundll32.exe | rundll32.exe
PID 2972 wrote to memory of 2944 | 2972 | rundll32.exe | WerFault.exe
PID 2972 wrote to memory of 2944 | 2972 | rundll32.exe | WerFault.exe
PID 2972 wrote to memory of 2944 | 2972 | rundll32.exe | WerFault.exe
PID 2972 wrote to memory of 2944 | 2972 | rundll32.exe | WerFault.exe
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\ff164b0d6c2ac0563843704650d04633_JaffaCakes118.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\ff164b0d6c2ac0563843704650d04633_JaffaCakes118.dll,#1
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2972 -s 300
      - Program crash
Network
MITRE ATT&CK Matrix
Downloads
- memory/2972-1-0x0000000074FF0000-0x0000000075020000-memory.dmp (Filesize: 192KB)
- memory/2972-0-0x0000000000120000-0x0000000000126000-memory.dmp (Filesize: 24KB)
- memory/2972-2-0x0000000074FF0000-0x0000000075020000-memory.dmp (Filesize: 192KB)
- memory/2972-5-0x0000000000120000-0x0000000000126000-memory.dmp (Filesize: 24KB)