Analysis

max time kernel: 94s
max time network: 122s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 23/12/2024, 22:16

Static task: static1
Behavioral task: behavioral1
Sample: JaffaCakes118_2810cea49584bc59b564b39fe10eb48c4eb5209e0b023b3095209c094fd0fe57.dll
Resource: win7-20240903-en
General

Target: JaffaCakes118_2810cea49584bc59b564b39fe10eb48c4eb5209e0b023b3095209c094fd0fe57.dll
Size: 188KB
MD5: 80518dbb675a866bcfa94f7291aaa733
SHA1: bb3d94db8e147932bb278add1b5f59f7c5406128
SHA256: 2810cea49584bc59b564b39fe10eb48c4eb5209e0b023b3095209c094fd0fe57
SHA512: 40d527695324dff65cba2f7103c3cf48e22d7adef0057529441991a46b1f2806225b329025e57828b10c4cdf4eb8a4f210a2b8450b5e1b4fca811595b634fbf5
SSDEEP: 3072:0TA8JmK7ATVfQeVqNFZa/9KzMXJ6jTFDlAwqWut5KZMzfeAAAoNo:0TzIqATVfQeV2FZalKq6jtGJWuTmd
Malware Config

Extracted family: dridex
22201
C2:
  103.82.248.59:443
  54.39.98.141:6602
  103.109.247.8:10443
Signatures

Dridex family
  resource                                                                              yara_rule
  behavioral2/memory/2804-1-0x0000000074B00000-0x0000000074B30000-memory.dmp           dridex_ldr

Program crash (1 IoCs)
  pid    pid_target    Process         procid_target
  4180   2804          WerFault.exe    85
System Location Discovery: System Language Discovery (1 TTPs, 1 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description    ioc                                                            Process
  Key opened     \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language    rundll32.exe
Suspicious use of WriteProcessMemory (3 IoCs)
  description                               pid     Process         procid_target
  PID 2704 wrote to memory of 2804          2704    rundll32.exe    85
  PID 2704 wrote to memory of 2804          2704    rundll32.exe    85
  PID 2704 wrote to memory of 2804          2704    rundll32.exe    85
Processes

C:\Windows\system32\rundll32.exe
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2810cea49584bc59b564b39fe10eb48c4eb5209e0b023b3095209c094fd0fe57.dll,#1
  PID: 2704
  signatures: Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\rundll32.exe
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2810cea49584bc59b564b39fe10eb48c4eb5209e0b023b3095209c094fd0fe57.dll,#1
    PID: 2804
    signatures: System Location Discovery: System Language Discovery

    C:\Windows\SysWOW64\WerFault.exe
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2804 -s 688
      PID: 4180
      signatures: Program crash

C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 2804 -ip 2804
  PID: 2436