Analysis

  • max time kernel
    140s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags

    arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
  • submitted
    09-09-2024 20:09

General

  • Target

    d7044a93e62fc987856a17bd21b84245_JaffaCakes118.dll

  • Size

    376KB

  • MD5

    d7044a93e62fc987856a17bd21b84245

  • SHA1

    64eca0c5ff2564df922acef6b04613fd77a41d84

  • SHA256

    499ca0fe7ccf47d465bb6dc804b978cd2785e99e45dd257d15fcbf101b26bcab

  • SHA512

    2669f3d2ae37a36de1e8ee2714c6ffdd2cf29f2fff439000e588d87173850b446650b0316b95f6df746f390c40d7437bf719e42e7095ff9bfbada9b992a1c8f2

  • SSDEEP

    6144:1PRMLaqvB+YPrj0qfKNr3IBBX3k7UZpSN/wpgLhGew+GOeD6FAOCQx2Sl:1PRGLsYPrjbKluBHk7UZpowWDeD6FaSl

Malware Config

Extracted

Family

dridex

Botnet

10444

C2

146.164.126.197:443

69.16.193.166:9443

193.90.12.122:3098

157.245.103.132:14043

rc4.plain
rc4.plain

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

  • Dridex Loader 'dmod' strings 3 IoCs

    Detects 'dmod' strings in Dridex loader.

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Windows\system32\regsvr32.exe
    regsvr32 /s C:\Users\Admin\AppData\Local\Temp\d7044a93e62fc987856a17bd21b84245_JaffaCakes118.dll
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2188
    • C:\Windows\SysWOW64\regsvr32.exe
      /s C:\Users\Admin\AppData\Local\Temp\d7044a93e62fc987856a17bd21b84245_JaffaCakes118.dll
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2672

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/2672-0-0x0000000074C4D000-0x0000000074C51000-memory.dmp

    Filesize

    16KB

  • memory/2672-1-0x0000000074BF0000-0x0000000074C5F000-memory.dmp

    Filesize

    444KB

  • memory/2672-3-0x0000000074BF0000-0x0000000074C5F000-memory.dmp

    Filesize

    444KB

  • memory/2672-4-0x0000000074C4D000-0x0000000074C51000-memory.dmp

    Filesize

    16KB

  • memory/2672-8-0x0000000074BF0000-0x0000000074C5F000-memory.dmp

    Filesize

    444KB