Analysis

  • max time kernel
    118s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    22-12-2024 03:17

General

  • Target

    JaffaCakes118_c7bbb1753841af407e5271c23d0ef8e41570715429b04e5687d42169bb6e3abc.dll

  • Size

    163KB

  • MD5

    dc7d0e00c6ecf4936552523fa83747bc

  • SHA1

    2d7df608f5a41cad4a6cd263b4af7a283d44c487

  • SHA256

    c7bbb1753841af407e5271c23d0ef8e41570715429b04e5687d42169bb6e3abc

  • SHA512

    1339c50c4bc4c9ee52a46c85ccc10a7c30a77c094fd90ca0850b07e0ae448e702f8676ac83269b2bfbbbd5fdc58ac5c484b18dbc4f09121c38863d23348a2f0a

  • SSDEEP

    3072:2ar6Ys6p54kfdo+APr0aYSbeO6aal8jeytFQTOpp2J:ws4p+ADxnSO6D2cOp

Malware Config

Extracted

Family

dridex

Botnet

22202

C2

43.229.206.212:443

82.209.17.209:8172

162.241.209.225:4125

rc4.plain
1
16dkGStOzdHgjuCciXGdSX7UrHWfYSUG8wEUtKNgzHrWMfTGafJbC
rc4.plain
1
UlufoCqJDohDzGOdBY6ldd1IbFW5KV8BqCAnkqwdDzvq0CsZOOngL

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

  • Dridex family
  • Dridex Loader 1 IoCs

    Detects Dridex both x86 and x64 loader in memory.

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7bbb1753841af407e5271c23d0ef8e41570715429b04e5687d42169bb6e3abc.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1800
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7bbb1753841af407e5271c23d0ef8e41570715429b04e5687d42169bb6e3abc.dll,#1
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1860
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 1860 -s 236
        3⤵
        • Program crash
        PID:1788

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1860-0-0x0000000000220000-0x0000000000226000-memory.dmp

    Filesize

    24KB

  • memory/1860-1-0x0000000010000000-0x000000001002E000-memory.dmp

    Filesize

    184KB

  • memory/1860-4-0x0000000000220000-0x0000000000226000-memory.dmp

    Filesize

    24KB

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.