Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

JaffaCakes...1c.dll

windows7-x64

10

JaffaCakes...1c.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    121s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags

    arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
  • submitted
    24/12/2024, 10:11 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    JaffaCakes118_3537d8c94177ba0334ed9088ddf30f30601277af7eb6c241286355cbaeb17f1c.dll

  • Size

    188KB

  • MD5

    7cf889c28e360480175e83b4c6ab1122

  • SHA1

    561e51abc3796f60ee06188ea1ad3e3ce23dce20

  • SHA256

    3537d8c94177ba0334ed9088ddf30f30601277af7eb6c241286355cbaeb17f1c

  • SHA512

    51c554fb7565dc9610597e77331b9ecdbf7f7694a42ae11192da08139ac68cd641bebc0b8b34da2618310274df767c981aa0f24d01b44133f1669efe150b1133

  • SSDEEP

    3072:lA8JmK7ATVfQeVqNFZa/9KzMXJ6jTFDlAwqWut5KZMzfeAAAobo:lzIqATVfQeV2FZalKq6jtGJWuTmd

Score
10/10
dridex22201botnetdiscoveryloader

Malware Config

Extracted

Family

dridex

Botnet

22201

C2

103.82.248.59:443

54.39.98.141:6602

103.109.247.8:10443
rc4.plain
1
KyrwRFvnPSJz1K6RG9FGBnfutYq4Kbv0AqNO1y41Jw
rc4.plain
1
aF35v54BafRSuy5kKzAyL5d7iE2gSrPPvsMOuf22FPl0HHQhMRlw8iMYOHxIDusi

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex family
    dridex
  • Dridex Loader 2 IoCs

    Detects Dridex both x86 and x64 loader in memory.

    botnetloader
  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3537d8c94177ba0334ed9088ddf30f30601277af7eb6c241286355cbaeb17f1c.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2172
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3537d8c94177ba0334ed9088ddf30f30601277af7eb6c241286355cbaeb17f1c.dll,#1
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1896
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 1896 -s 300
        3⤵
        • Program crash
        PID:2416

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1896-0-0x0000000000180000-0x0000000000186000-memory.dmp

    Filesize

    24KB

    Download

  • memory/1896-1-0x0000000074550000-0x0000000074580000-memory.dmp

    Filesize

    192KB

    Download

  • memory/1896-3-0x0000000000180000-0x0000000000186000-memory.dmp

    Filesize

    24KB

    Download

  • memory/1896-2-0x0000000074550000-0x0000000074580000-memory.dmp

    Filesize

    192KB

    Download

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.