Analysis

  • max time kernel
    121s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    21-12-2024 18:09

General

  • Target

    JaffaCakes118_1bae3063675a22d9bebb2dc4d321c0f805c87d93bd2684e74921906e883bfe83.dll

  • Size

    184KB

  • MD5

    540c12c7878ec043edc639d0ea868fa9

  • SHA1

    bf53a5f58b86b372e7f42ca11a79f911b0bb6d84

  • SHA256

    1bae3063675a22d9bebb2dc4d321c0f805c87d93bd2684e74921906e883bfe83

  • SHA512

    75daad5496449fa05c352283af049d58dda6b253073de4bc5d2a932f3537a7d74783edf36c692aed3c233e20ec3407ce00efcbc705ecbf040461fe5e52cc0727

  • SSDEEP

    3072:5iLVj+luuUXoPOK2z1WPRgg5YbW+d0Ojk1bSA5q/eaozlzoxss7:5iLVCIT4WK2z1W+CUHZj4Skq/eaopoC

Malware Config

Extracted

Family

dridex

Botnet

22202

C2

80.241.218.90:443

103.161.172.109:13786

87.98.128.76:5723

rc4.plain
1
XH2KyJtcJ7RSk5n0Ak2zUIsoefdhHZlKRYf
rc4.plain
1
4kmGii2PxD0nUmTK0vPB5SKEDW52nDGZTaRL4tBBLTmujo5lrSKFODpSSewAaVVxr3oshb5

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

  • Dridex family
  • Dridex Loader 1 IoCs

    Detects Dridex both x86 and x64 loader in memory.

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1bae3063675a22d9bebb2dc4d321c0f805c87d93bd2684e74921906e883bfe83.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2340
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1bae3063675a22d9bebb2dc4d321c0f805c87d93bd2684e74921906e883bfe83.dll,#1
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2368
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2368 -s 220
        3⤵
        • Program crash
        PID:2996

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/2368-0-0x0000000074E70000-0x0000000074E9F000-memory.dmp

    Filesize

    188KB

  • memory/2368-2-0x00000000001A0000-0x00000000001A6000-memory.dmp

    Filesize

    24KB

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.