Analysis

  • max time kernel
    117s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    22-12-2024 05:48

General

  • Target

    JaffaCakes118_400d7ae24e5c13b7ef373eea18c3e74c8eb649e31abdfd70160fad01cffce720.dll

  • Size

    184KB

  • MD5

    2a2c3e302de78af62b633429bc30ae20

  • SHA1

    ee018a5a58842a5c76b4686c4d804cca226eae08

  • SHA256

    400d7ae24e5c13b7ef373eea18c3e74c8eb649e31abdfd70160fad01cffce720

  • SHA512

    0ee451c00a96772474a02b206b78c07a8fbd2298e3dfca34bc412269229fbc46ebe4f08b960d00dfb5542d027d8c8f81547c35fc6e0b10bffe8cd17c5d29f20b

  • SSDEEP

    3072:fiLVj+luuUXoPOK2z1WPRgg5YbW+d0Ojk1bSA5q/eaollzoxss7:fiLVCIT4WK2z1W+CUHZj4Skq/eaoroC

Malware Config

Extracted

Family

dridex

Botnet

22202

C2

80.241.218.90:443

103.161.172.109:13786

87.98.128.76:5723

rc4.plain
1
XH2KyJtcJ7RSk5n0Ak2zUIsoefdhHZlKRYf
rc4.plain
1
4kmGii2PxD0nUmTK0vPB5SKEDW52nDGZTaRL4tBBLTmujo5lrSKFODpSSewAaVVxr3oshb5

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

  • Dridex family
  • Dridex Loader 1 IoCs

    Detects Dridex both x86 and x64 loader in memory.

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_400d7ae24e5c13b7ef373eea18c3e74c8eb649e31abdfd70160fad01cffce720.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2068
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_400d7ae24e5c13b7ef373eea18c3e74c8eb649e31abdfd70160fad01cffce720.dll,#1
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2528
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2528 -s 220
        3⤵
        • Program crash
        PID:2396

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/2528-2-0x0000000000120000-0x0000000000126000-memory.dmp

    Filesize

    24KB

  • memory/2528-0-0x0000000075160000-0x000000007518F000-memory.dmp

    Filesize

    188KB

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.