Analysis

  • max time kernel
    118s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    24/12/2024, 01:08 UTC

General

  • Target

    JaffaCakes118_4c5075d51e6da350bef3faaaf90cfb80f16d2f5d0964f47ffc872bab2c565504.dll

  • Size

    161KB

  • MD5

    e060e0366916991d9b1fbc8b33e0d743

  • SHA1

    36b5292f61bc40da1fae597f4dfdc09106fdb9df

  • SHA256

    4c5075d51e6da350bef3faaaf90cfb80f16d2f5d0964f47ffc872bab2c565504

  • SHA512

    d0b65077f38880ab104c138498460e5188e9ee723afa3dcb3f444c82daac995cd675b3621bc01166e502213359ac375cc84cbf36b7d37875b960194109634e56

  • SSDEEP

    3072:Mp45bscWrhftr4SOX63M5jY17lh9sDVj9a/KBz9YlYU:W4KcMhVkbK3hDq9E8i

Malware Config

Extracted

Family

dridex

Botnet

22201

C2

45.55.134.126:443

67.207.83.96:8172

193.160.214.95:4125

rc4.plain
1
HtN6NwtxXy1hPqziZkIqPpQJWCL3Kaq45TIC4YXDkud
rc4.plain
1
Sirp4DDadjnTLK9zfz7cEEESUoQtBSFyuOiHKWVQ32KIcubF46EGVIVZGXHxGRd

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

  • Dridex family
  • Dridex Loader 2 IoCs

    Detects Dridex both x86 and x64 loader in memory.

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4c5075d51e6da350bef3faaaf90cfb80f16d2f5d0964f47ffc872bab2c565504.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1684
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4c5075d51e6da350bef3faaaf90cfb80f16d2f5d0964f47ffc872bab2c565504.dll,#1
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2428
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2428 -s 256
        3⤵
        • Program crash
        PID:2932

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/2428-0-0x00000000001D0000-0x00000000001D6000-memory.dmp

    Filesize

    24KB

  • memory/2428-1-0x0000000010000000-0x000000001002E000-memory.dmp

    Filesize

    184KB

  • memory/2428-3-0x00000000001D0000-0x00000000001D6000-memory.dmp

    Filesize

    24KB

  • memory/2428-2-0x0000000010000000-0x000000001002E000-memory.dmp

    Filesize

    184KB

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.