Analysis

  • max time kernel
    122s
  • max time network
    127s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
  • submitted
    22-12-2024 06:16

General

  • Target

    JaffaCakes118_6df30b8f6cc4675bb2656da2c743dd968f3293b6c7820d15310d15e4e673ad0f.dll

  • Size

    184KB

  • MD5

    2ea7fe8bc30e1f724afc46228f896398

  • SHA1

    93af97053818dfa7ffd618e243dcb79b6a59744d

  • SHA256

    6df30b8f6cc4675bb2656da2c743dd968f3293b6c7820d15310d15e4e673ad0f

  • SHA512

    5d04f1d2c508e756db5a7282f7c08f69d2cd4cd99ed7700f1775edd2a2f119e948ceb212bdb7dc391355ea549e537c1784a239b99a5f77fcd7239169405f9fe9

  • SSDEEP

    3072:piLVj+luuUXoPOK2z1WPRgg5YbW+d0Ojk1bSA5q/eaoolzoxss7:piLVCIT4WK2z1W+CUHZj4Skq/eao2oC

Malware Config

Extracted

Family

dridex

Botnet

22202

C2

80.241.218.90:443

103.161.172.109:13786

87.98.128.76:5723

rc4.plain
1
XH2KyJtcJ7RSk5n0Ak2zUIsoefdhHZlKRYf
rc4.plain
1
4kmGii2PxD0nUmTK0vPB5SKEDW52nDGZTaRL4tBBLTmujo5lrSKFODpSSewAaVVxr3oshb5

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

  • Dridex family
  • Dridex Loader 1 IoCs

    Detects Dridex both x86 and x64 loader in memory.

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6df30b8f6cc4675bb2656da2c743dd968f3293b6c7820d15310d15e4e673ad0f.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2864
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6df30b8f6cc4675bb2656da2c743dd968f3293b6c7820d15310d15e4e673ad0f.dll,#1
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2860
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2860 -s 224
        3⤵
        • Program crash
        PID:2816

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/2860-0-0x00000000001C0000-0x00000000001C6000-memory.dmp

    Filesize

    24KB

  • memory/2860-1-0x00000000753C0000-0x00000000753EF000-memory.dmp

    Filesize

    188KB

  • memory/2860-3-0x00000000001C0000-0x00000000001C6000-memory.dmp

    Filesize

    24KB

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.