dridex | de71238112f239dc2aadbad129db8beb45a64a5e3da042929a7b85480fdd11a1

Analysis

max time kernel
57s
max time network
122s
platform
windows7_x64
resource
win7-20240419-en
resource tags

arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
submitted
01-05-2024 20:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0cc7af63e6b7bb5786a883cc88d84c0f_JaffaCakes118.dll
Size

296KB
MD5

0cc7af63e6b7bb5786a883cc88d84c0f
SHA1

62081e06d03f6332db9d6fb69fc920c887d1fb45
SHA256

de71238112f239dc2aadbad129db8beb45a64a5e3da042929a7b85480fdd11a1
SHA512

f6add26b1ed9d6aebff04731153ae75cf408742dbf8a706f8b87b1ed6d8bc4f4bfdd8df83bc003548c7b6ebfafaa1cdf3233f9aeaf1e83fab4a11e66a71e98c5
SSDEEP

6144:gX0++0XgkCbjM69qzmyEuoUvcEfjQ026I8ZCovc5tffn:0P6JqOnScOjQ/ICovcb3n

Score

10^/10

dridex 10444 botnet loader

Malware Config

Extracted

Family

dridex

Botnet

10444

199.66.90.63:443

85.214.26.7:3389

51.68.224.245:4646

107.175.87.150:3889

rc4.plain

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Loader 'dmod' strings 2 IoCs

Detects 'dmod' strings in Dridex loader.

botnet loader

Processes:

resource	yara_rule
behavioral1/memory/1760-0-0x0000000075450000-0x000000007549B000-memory.dmp	dridex_ldr_dmod
behavioral1/memory/1760-3-0x0000000075450000-0x000000007549B000-memory.dmp	dridex_ldr_dmod

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 2440 wrote to memory of 1760	2440	rundll32.exe	rundll32.exe
PID 2440 wrote to memory of 1760	2440	rundll32.exe	rundll32.exe
PID 2440 wrote to memory of 1760	2440	rundll32.exe	rundll32.exe
PID 2440 wrote to memory of 1760	2440	rundll32.exe	rundll32.exe
PID 2440 wrote to memory of 1760	2440	rundll32.exe	rundll32.exe
PID 2440 wrote to memory of 1760	2440	rundll32.exe	rundll32.exe
PID 2440 wrote to memory of 1760	2440	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\0cc7af63e6b7bb5786a883cc88d84c0f_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2440

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\0cc7af63e6b7bb5786a883cc88d84c0f_JaffaCakes118.dll,#1
2⤵
PID:1760

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1760-2-0x0000000000100000-0x0000000000106000-memory.dmp

Filesize
24KB

Download
memory/1760-0-0x0000000075450000-0x000000007549B000-memory.dmp

Filesize
300KB

Download
memory/1760-3-0x0000000075450000-0x000000007549B000-memory.dmp

Filesize
300KB

Download