Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

JaffaCakes...3f.dll

windows7-x64

10

JaffaCakes...3f.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    94s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    28/12/2024, 23:18 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    JaffaCakes118_ff52d02f17ddfd2101618c5a1c060effb09d9a188443f118e8609fc9de50143f.dll

  • Size

    161KB

  • MD5

    3cc5c34ab181b989c3b27ad5f6d6a8fa

  • SHA1

    df4911d5027a1bdac1e2cb77bb28c836c5dc761f

  • SHA256

    ff52d02f17ddfd2101618c5a1c060effb09d9a188443f118e8609fc9de50143f

  • SHA512

    7ffb6f05afc00fe3cb8f3d4cb65b2881e3a8d55fd2d652f8f6c16e09e6d8410287cb59f2cbe62bcdc3b38193b4e1f905a3d73ee32edb168069b2e3fbccb90d3c

  • SSDEEP

    3072:/jSuywe6x1ACSZEuNtV+TkqDXkyzbMeJRL3CNa/U9fStrveyk8TZgEd28GkFY:bnS62Fl+pkeJl3CvRStrFl+EYN

Score
10/10
dridex22202botnetdiscoveryloader

Malware Config

Extracted

Family

dridex

Botnet

22202

C2

78.46.73.125:443

185.148.168.26:2303

66.113.160.126:8172
rc4.plain
1
pK5evvTkrtXl1PdUwzbpkX0O3ZxXgoysjCME
rc4.plain
1
ntqn1EkZmmUoYMQPCPRqlhuLwfUs1imUpn8s4TcDWSSsOcwAchuhvuHdgMGmOB84m4IVTx

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex family
    dridex
  • Dridex Loader 2 IoCs

    Detects Dridex both x86 and x64 loader in memory.

    botnetloader
  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_ff52d02f17ddfd2101618c5a1c060effb09d9a188443f118e8609fc9de50143f.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4608
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_ff52d02f17ddfd2101618c5a1c060effb09d9a188443f118e8609fc9de50143f.dll,#1
      2⤵
      • System Location Discovery: System Language Discovery
      PID:3640
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 3640 -s 712
        3⤵
        • Program crash
        PID:3632
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 3640 -ip 3640
    1⤵
      PID:3536

    Network

    • flag-us
      DNS
      8.8.8.8.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      8.8.8.8.in-addr.arpa
      IN PTR
      Response
      8.8.8.8.in-addr.arpa
      IN PTR
      dnsgoogle
    • flag-us
      DNS
      154.239.44.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      154.239.44.20.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      22.49.80.91.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      22.49.80.91.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      95.221.229.192.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      95.221.229.192.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      228.249.119.40.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      228.249.119.40.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      56.163.245.4.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      56.163.245.4.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      198.187.3.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      198.187.3.20.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      182.129.81.91.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      182.129.81.91.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      81.144.22.2.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      81.144.22.2.in-addr.arpa
      IN PTR
      Response
      81.144.22.2.in-addr.arpa
      IN PTR
      a2-22-144-81deploystaticakamaitechnologiescom
    • flag-us
      DNS
      172.210.232.199.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      172.210.232.199.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      31.243.111.52.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      31.243.111.52.in-addr.arpa
      IN PTR
      Response
    No results found
    • 8.8.8.8:53
      8.8.8.8.in-addr.arpa
      dns
      66 B
       90 B
       1
      1

      DNS Request

      8.8.8.8.in-addr.arpa

    • 8.8.8.8:53
      154.239.44.20.in-addr.arpa
      dns
      72 B
       158 B
       1
      1

      DNS Request

      154.239.44.20.in-addr.arpa

    • 8.8.8.8:53
      22.49.80.91.in-addr.arpa
      dns
      70 B
       145 B
       1
      1

      DNS Request

      22.49.80.91.in-addr.arpa

    • 8.8.8.8:53
      95.221.229.192.in-addr.arpa
      dns
      73 B
       144 B
       1
      1

      DNS Request

      95.221.229.192.in-addr.arpa

    • 8.8.8.8:53
      228.249.119.40.in-addr.arpa
      dns
      73 B
       159 B
       1
      1

      DNS Request

      228.249.119.40.in-addr.arpa

    • 8.8.8.8:53
      56.163.245.4.in-addr.arpa
      dns
      71 B
       157 B
       1
      1

      DNS Request

      56.163.245.4.in-addr.arpa

    • 8.8.8.8:53
      198.187.3.20.in-addr.arpa
      dns
      71 B
       157 B
       1
      1

      DNS Request

      198.187.3.20.in-addr.arpa

    • 8.8.8.8:53
      182.129.81.91.in-addr.arpa
      dns
      72 B
       147 B
       1
      1

      DNS Request

      182.129.81.91.in-addr.arpa

    • 8.8.8.8:53
      81.144.22.2.in-addr.arpa
      dns
      70 B
       133 B
       1
      1

      DNS Request

      81.144.22.2.in-addr.arpa

    • 8.8.8.8:53
      172.210.232.199.in-addr.arpa
      dns
      74 B
       128 B
       1
      1

      DNS Request

      172.210.232.199.in-addr.arpa

    • 8.8.8.8:53
      31.243.111.52.in-addr.arpa
      dns
      72 B
       158 B
       1
      1

      DNS Request

      31.243.111.52.in-addr.arpa

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/3640-0-0x0000000010000000-0x000000001002E000-memory.dmp

      Filesize

      184KB

      Download

    • memory/3640-2-0x0000000002820000-0x0000000002826000-memory.dmp

      Filesize

      24KB

      Download

    • memory/3640-3-0x0000000010000000-0x000000001002E000-memory.dmp

      Filesize

      184KB

      Download

    We care about your privacy.

    This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.