Analysis
  max time kernel: 139s
  max time network: 140s
  platform: windows10-2004_x64
  resource: win10v2004-20240412-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20240412-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 21-04-2024 10:37
Static task
  static1
  1 signatures
Behavioral task
  behavioral1
  Sample: ff164b0d6c2ac0563843704650d04633_JaffaCakes118.dll
  Resource: win7-20240221-en
  Platform: windows7-x64
  4 signatures
  150 seconds
General
  Target: ff164b0d6c2ac0563843704650d04633_JaffaCakes118.dll
  Size: 188KB
  MD5: ff164b0d6c2ac0563843704650d04633
  SHA1: 95a282900af1b1cb589410752750e1c046f3cff1
  SHA256: 47407fe9d9f324bd2137d6711e2ccc782094b7792d1cbc5e246198873e5fc593
  SHA512: b3e35944c27b33d3389c74fef38d782b5bcd9ce6d5f8153c6ccc6588b6de80b346643be1467a8891e8c372997b94e9b5f8d44ee531a211433f6074bd5b7cf775
  SSDEEP: 3072:GA8JmK7ATVfQeVqNFZa/9KzMXJ6jTFDlAwqWut5KZMzfeAAAoxo:GzIqATVfQeV2FZalKq6jtGJWuTmd
Malware Config
  Extracted
    Family: dridex
    Botnet: 22201
    C2:
      103.82.248.59:443
      54.39.98.141:6602
      103.109.247.8:10443
    rc4.plain
    rc4.plain
Signatures
  Processes:
    resource                                                                    yara_rule
    behavioral2/memory/4196-0-0x0000000074EB0000-0x0000000074EE0000-memory.dmp  dridex_ldr
  Program crash (1 IoCs)
    Processes:
    process       pid  pid_target  target process
    WerFault.exe  752  4196        rundll32.exe
  Suspicious use of WriteProcessMemory (3 IoCs)
    Processes:
    description                        pid   process       target process
    PID 4560 wrote to memory of 4196   4560  rundll32.exe  rundll32.exe
    PID 4560 wrote to memory of 4196   4560  rundll32.exe  rundll32.exe
    PID 4560 wrote to memory of 4196   4560  rundll32.exe  rundll32.exe
Processes
  C:\Windows\system32\rundll32.exe
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\ff164b0d6c2ac0563843704650d04633_JaffaCakes118.dll,#1
    signatures: Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\rundll32.exe
      command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\ff164b0d6c2ac0563843704650d04633_JaffaCakes118.dll,#1
      C:\Windows\SysWOW64\WerFault.exe
        command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4196 -s 692
        signatures: Program crash
  C:\Windows\SysWOW64\WerFault.exe
    command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4196 -ip 4196