dridex | 8c8896ec10234612dd5063dfa4f84ca815ace19c4c2b0b3def9c29be0029f390

Analysis

max time kernel
120s
max time network
120s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
29-04-2024 06:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0704068b7be5426f38f2da38c965d04e_JaffaCakes118.dll
Size

280KB
MD5

0704068b7be5426f38f2da38c965d04e
SHA1

80ef0434d370a4b112cb632b1868aad93d53a9bd
SHA256

8c8896ec10234612dd5063dfa4f84ca815ace19c4c2b0b3def9c29be0029f390
SHA512

042f7eb2107965149f7cd249de9adcda4a5367d5a789fa4cc71450332f80c7c1d861653646c57faeebe173ca2371530585f0dd36b9164f46132f0652eaa98808
SSDEEP

6144:SqUtrd+yrmjlZI3vIVMPN6SG2H9X0A6NPXiGmJ5WMm:Sz+yoZIwVMPN6SG2x0dNfiGuI

Score

10^/10

dridex 10555 botnet loader

Malware Config

Extracted

Family

dridex

Botnet

10555

146.164.126.197:443

69.16.193.166:9443

193.90.12.122:3098

157.245.103.132:14043

rc4.plain

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Loader 'dmod' strings 1 IoCs

Detects 'dmod' strings in Dridex loader.

botnet loader

Processes:

resource	yara_rule
behavioral1/memory/2864-2-0x00000000002A0000-0x00000000002FC000-memory.dmp	dridex_ldr_dmod

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

regsvr32.exe

description	pid	process	target process
PID 2552 wrote to memory of 2864	2552	regsvr32.exe	regsvr32.exe
PID 2552 wrote to memory of 2864	2552	regsvr32.exe	regsvr32.exe
PID 2552 wrote to memory of 2864	2552	regsvr32.exe	regsvr32.exe
PID 2552 wrote to memory of 2864	2552	regsvr32.exe	regsvr32.exe
PID 2552 wrote to memory of 2864	2552	regsvr32.exe	regsvr32.exe
PID 2552 wrote to memory of 2864	2552	regsvr32.exe	regsvr32.exe
PID 2552 wrote to memory of 2864	2552	regsvr32.exe	regsvr32.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\0704068b7be5426f38f2da38c965d04e_JaffaCakes118.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:2552

C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\0704068b7be5426f38f2da38c965d04e_JaffaCakes118.dll
2⤵
PID:2864

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2864-1-0x00000000002A0000-0x00000000002FC000-memory.dmp

Filesize
368KB

Download
memory/2864-2-0x00000000002A0000-0x00000000002FC000-memory.dmp

Filesize
368KB

Download