Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

JaffaCakes...19.dll

windows7-x64

10

JaffaCakes...19.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    121s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    24/12/2024, 09:29 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    JaffaCakes118_8d19e2bcb03810cbf85be4f1ada87b9d3e9ca0e39942095b9b8b53969e43f419.dll

  • Size

    188KB

  • MD5

    17e88e4981d930ae40573b63681614c7

  • SHA1

    abc8f77f254c77ffc7bb64603268dbfe44e100f3

  • SHA256

    8d19e2bcb03810cbf85be4f1ada87b9d3e9ca0e39942095b9b8b53969e43f419

  • SHA512

    c4b215f2ea3c6936bf042a2faa0ffab3aa881bb080b01db435af761ef667425836547643d8925410a87d76479af364ce340feb7f08f034d767b761f7d35b728b

  • SSDEEP

    3072:xA8JmK7ATVfQeVqNFZa/9KzMXJ6jTFDlAwqWut5KZMzfeAAAoJo:xzIqATVfQeV2FZalKq6jtGJWuTmd

Score
10/10
dridex22201botnetdiscoveryloader

Malware Config

Extracted

Family

dridex

Botnet

22201

C2

103.82.248.59:443

54.39.98.141:6602

103.109.247.8:10443
rc4.plain
1
KyrwRFvnPSJz1K6RG9FGBnfutYq4Kbv0AqNO1y41Jw
rc4.plain
1
aF35v54BafRSuy5kKzAyL5d7iE2gSrPPvsMOuf22FPl0HHQhMRlw8iMYOHxIDusi

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex family
    dridex
  • Dridex Loader 2 IoCs

    Detects Dridex both x86 and x64 loader in memory.

    botnetloader
  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8d19e2bcb03810cbf85be4f1ada87b9d3e9ca0e39942095b9b8b53969e43f419.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2340
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8d19e2bcb03810cbf85be4f1ada87b9d3e9ca0e39942095b9b8b53969e43f419.dll,#1
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1964
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 1964 -s 300
        3⤵
        • Program crash
        PID:2416

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1964-0-0x00000000001C0000-0x00000000001C6000-memory.dmp

    Filesize

    24KB

    Download

  • memory/1964-1-0x0000000074AB0000-0x0000000074AE0000-memory.dmp

    Filesize

    192KB

    Download

  • memory/1964-3-0x00000000001C0000-0x00000000001C6000-memory.dmp

    Filesize

    24KB

    Download

  • memory/1964-2-0x0000000074AB0000-0x0000000074AE0000-memory.dmp

    Filesize

    192KB

    Download

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.