Analysis
max time kernel: 72s
max time network: 154s
platform: windows10-2004_x64
resource: win10v2004-20240412-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240412-en, locale:en-us, os:windows10-2004-x64, system
submitted: 21-04-2024 18:32
Static task: static1 (1 signatures)
Behavioral task: behavioral1
  Sample: ffe794a1692afa2dd9a3f32d8ba65422_JaffaCakes118.dll
  Resource: win7-20240221-en (windows7-x64)
  4 signatures
  150 seconds
General
Target: ffe794a1692afa2dd9a3f32d8ba65422_JaffaCakes118.dll
Size: 173KB
MD5: ffe794a1692afa2dd9a3f32d8ba65422
SHA1: 3fa1f9a65b3ed9a99cfb5392c0d9619dca7644a1
SHA256: 5f95a17232dec1d4d7de87b52c4914414ec0d70f3618ec47abbe8ae92a2462ad
SHA512: df975d22402a26eb94cf9dc9bdd4da5e79b85105de10f99b83a260cff645c010876876054cc5e314b2e41b4699f9260095758faf64dfd92d21324ab7d487649e
SSDEEP: 3072:qONLuxQI4JTJlYDFS6t2NAgEaakq7MCi6TM7EHNfFln:qO5PB3ot2ygEasni6TM7EHN
Malware Config
Extracted
Family: dridex
Botnet: 22202
C2:
  45.79.33.48:443
  139.162.202.74:5007
  68.183.216.174:7443
rc4.plain
rc4.plain
Signatures

Processes:
resource | yara_rule
behavioral2/memory/1544-0-0x00000000753C0000-0x00000000753F0000-memory.dmp | dridex_ldr
behavioral2/memory/1544-2-0x00000000753C0000-0x00000000753F0000-memory.dmp | dridex_ldr

Processes: rundll32.exe
description | ioc | process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | rundll32.exe

Suspicious use of WriteProcessMemory (3 IoCs)
Processes: rundll32.exe
description | pid | process | target process
PID 4356 wrote to memory of 1544 | 4356 | rundll32.exe | rundll32.exe
PID 4356 wrote to memory of 1544 | 4356 | rundll32.exe | rundll32.exe
PID 4356 wrote to memory of 1544 | 4356 | rundll32.exe | rundll32.exe
Processes
C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\ffe794a1692afa2dd9a3f32d8ba65422_JaffaCakes118.dll,#1
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\ffe794a1692afa2dd9a3f32d8ba65422_JaffaCakes118.dll,#1
    - Checks whether UAC is enabled