Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

JaffaCakes...a0.dll

windows7-x64

10

JaffaCakes...a0.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    95s
  • max time network
    137s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    24/12/2024, 02:34 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    JaffaCakes118_a5d136d5375cd2402cac335a27a1126d700edd2d3b228ae3c2cc0f7df69074a0.dll

  • Size

    188KB

  • MD5

    ce8a99d75bd4e92885495c657bfcfa1c

  • SHA1

    88f47626fbb5d133fec1ff50eb44d01049ff66d4

  • SHA256

    a5d136d5375cd2402cac335a27a1126d700edd2d3b228ae3c2cc0f7df69074a0

  • SHA512

    71bc3d6284a55210550124460d62e40bab92bc2daf8f72322028e6c9ffd2d205b5b84d30342ac0814246d4d739141b7d527bb9b6b81247d132dd4e0320c88e7e

  • SSDEEP

    3072:JteMq7hp/YIzA6BZvlWnTDN2GL9L8NLXWruiuUCzTOwwc0cIzv9qM:Fq7fYIHBZkTB6DWruUCOwjt

Score
10/10
dridex22201botnetdiscoveryloader

Malware Config

Extracted

Family

dridex

Botnet

22201

C2

103.87.173.60:443

45.32.243.209:8116

207.180.208.54:4664
rc4.plain
1
O8gS34J9YSWjLHlls2UUrobOVwkv2gxcuQGDftg29
rc4.plain
1
uKMtcv1AqGZruPo9ospRTBws8THw75AMb8FgkX5O4e9TcekeUYyEZPcdBYFbpQD81

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex family
    dridex
  • Dridex Loader 1 IoCs

    Detects Dridex both x86 and x64 loader in memory.

    botnetloader
  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a5d136d5375cd2402cac335a27a1126d700edd2d3b228ae3c2cc0f7df69074a0.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:748
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a5d136d5375cd2402cac335a27a1126d700edd2d3b228ae3c2cc0f7df69074a0.dll,#1
      2⤵
      • System Location Discovery: System Language Discovery
      PID:1724
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 1724 -s 692
        3⤵
        • Program crash
        PID:2548
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 1724 -ip 1724
    1⤵
      PID:2868

    Network

    • flag-us
      DNS
      209.205.72.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      209.205.72.20.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      20.160.190.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      20.160.190.20.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      95.221.229.192.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      95.221.229.192.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      241.150.49.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      241.150.49.20.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      50.23.12.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      50.23.12.20.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      198.187.3.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      198.187.3.20.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      21.236.111.52.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      21.236.111.52.in-addr.arpa
      IN PTR
      Response
    No results found
    • 8.8.8.8:53
      209.205.72.20.in-addr.arpa
      dns
      72 B
       158 B
       1
      1

      DNS Request

      209.205.72.20.in-addr.arpa

    • 8.8.8.8:53
      20.160.190.20.in-addr.arpa
      dns
      72 B
       158 B
       1
      1

      DNS Request

      20.160.190.20.in-addr.arpa

    • 8.8.8.8:53
      95.221.229.192.in-addr.arpa
      dns
      73 B
       144 B
       1
      1

      DNS Request

      95.221.229.192.in-addr.arpa

    • 8.8.8.8:53
      241.150.49.20.in-addr.arpa
      dns
      72 B
       158 B
       1
      1

      DNS Request

      241.150.49.20.in-addr.arpa

    • 8.8.8.8:53
      50.23.12.20.in-addr.arpa
      dns
      70 B
       156 B
       1
      1

      DNS Request

      50.23.12.20.in-addr.arpa

    • 8.8.8.8:53
      198.187.3.20.in-addr.arpa
      dns
      71 B
       157 B
       1
      1

      DNS Request

      198.187.3.20.in-addr.arpa

    • 8.8.8.8:53
      21.236.111.52.in-addr.arpa
      dns
      72 B
       158 B
       1
      1

      DNS Request

      21.236.111.52.in-addr.arpa

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/1724-0-0x0000000000BD0000-0x0000000000BD6000-memory.dmp

      Filesize

      24KB

      Download

    • memory/1724-1-0x0000000075410000-0x0000000075440000-memory.dmp

      Filesize

      192KB

      Download

    • memory/1724-3-0x0000000000BD0000-0x0000000000BD6000-memory.dmp

      Filesize

      24KB

      Download

    We care about your privacy.

    This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.