Analysis
-
max time kernel
140s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
-
submitted
21-04-2024 10:37
General
-
Target
ff164b0d6c2ac0563843704650d04633_JaffaCakes118.dll
-
Size
188KB
-
MD5
ff164b0d6c2ac0563843704650d04633
-
SHA1
95a282900af1b1cb589410752750e1c046f3cff1
-
SHA256
47407fe9d9f324bd2137d6711e2ccc782094b7792d1cbc5e246198873e5fc593
-
SHA512
b3e35944c27b33d3389c74fef38d782b5bcd9ce6d5f8153c6ccc6588b6de80b346643be1467a8891e8c372997b94e9b5f8d44ee531a211433f6074bd5b7cf775
-
SSDEEP
3072:GA8JmK7ATVfQeVqNFZa/9KzMXJ6jTFDlAwqWut5KZMzfeAAAoxo:GzIqATVfQeV2FZalKq6jtGJWuTmd
Score
10/10
Malware Config
Extracted
Family
dridex
Botnet
22201
C2
103.82.248.59:443
54.39.98.141:6602
103.109.247.8:10443
rc4.plain
rc4.plain
Signatures
-
Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
-
Dridex Loader 2 IoCs
Detects Dridex both x86 and x64 loader in memory.
-
Program crash 1 IoCs
-
Suspicious use of WriteProcessMemory 11 IoCs
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\ff164b0d6c2ac0563843704650d04633_JaffaCakes118.dll,#11⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\ff164b0d6c2ac0563843704650d04633_JaffaCakes118.dll,#12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2972 -s 3003⤵
- Program crash
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/2972-1-0x0000000074FF0000-0x0000000075020000-memory.dmpFilesize
192KB
-
memory/2972-0-0x0000000000120000-0x0000000000126000-memory.dmpFilesize
24KB
-
memory/2972-2-0x0000000074FF0000-0x0000000075020000-memory.dmpFilesize
192KB
-
memory/2972-5-0x0000000000120000-0x0000000000126000-memory.dmpFilesize
24KB