Analysis
-
max time kernel
140s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20240729-en -
resource tags
arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system -
submitted
09-09-2024 20:09
Static task
static1
Behavioral task
behavioral1
Sample
d7044a93e62fc987856a17bd21b84245_JaffaCakes118.dll
Resource
win7-20240729-en
General
-
Target
d7044a93e62fc987856a17bd21b84245_JaffaCakes118.dll
-
Size
376KB
-
MD5
d7044a93e62fc987856a17bd21b84245
-
SHA1
64eca0c5ff2564df922acef6b04613fd77a41d84
-
SHA256
499ca0fe7ccf47d465bb6dc804b978cd2785e99e45dd257d15fcbf101b26bcab
-
SHA512
2669f3d2ae37a36de1e8ee2714c6ffdd2cf29f2fff439000e588d87173850b446650b0316b95f6df746f390c40d7437bf719e42e7095ff9bfbada9b992a1c8f2
-
SSDEEP
6144:1PRMLaqvB+YPrj0qfKNr3IBBX3k7UZpSN/wpgLhGew+GOeD6FAOCQx2Sl:1PRGLsYPrjbKluBHk7UZpowWDeD6FaSl
Malware Config
Extracted
dridex
10444
146.164.126.197:443
69.16.193.166:9443
193.90.12.122:3098
157.245.103.132:14043
Signatures
-
resource yara_rule behavioral1/memory/2672-1-0x0000000074BF0000-0x0000000074C5F000-memory.dmp dridex_ldr_dmod behavioral1/memory/2672-3-0x0000000074BF0000-0x0000000074C5F000-memory.dmp dridex_ldr_dmod behavioral1/memory/2672-8-0x0000000074BF0000-0x0000000074C5F000-memory.dmp dridex_ldr_dmod -
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language regsvr32.exe -
Suspicious use of WriteProcessMemory 7 IoCs
description pid Process procid_target PID 2188 wrote to memory of 2672 2188 regsvr32.exe 30 PID 2188 wrote to memory of 2672 2188 regsvr32.exe 30 PID 2188 wrote to memory of 2672 2188 regsvr32.exe 30 PID 2188 wrote to memory of 2672 2188 regsvr32.exe 30 PID 2188 wrote to memory of 2672 2188 regsvr32.exe 30 PID 2188 wrote to memory of 2672 2188 regsvr32.exe 30 PID 2188 wrote to memory of 2672 2188 regsvr32.exe 30
Processes
-
C:\Windows\system32\regsvr32.exeregsvr32 /s C:\Users\Admin\AppData\Local\Temp\d7044a93e62fc987856a17bd21b84245_JaffaCakes118.dll1⤵
- Suspicious use of WriteProcessMemory
PID:2188 -
C:\Windows\SysWOW64\regsvr32.exe/s C:\Users\Admin\AppData\Local\Temp\d7044a93e62fc987856a17bd21b84245_JaffaCakes118.dll2⤵
- System Location Discovery: System Language Discovery
PID:2672
-