Analysis

  • max time kernel
    119s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    30-12-2024 22:08

General

  • Target

    JaffaCakes118_a17071f23c79edec3fb894b06957280ecc330a3b64e55beb69a10e0f896760ed.dll

  • Size

    188KB

  • MD5

    adcb1e42b988ca39454e5d33906aaab1

  • SHA1

    e2d84779a39d13e5639cb0cb3899294d123ccd53

  • SHA256

    a17071f23c79edec3fb894b06957280ecc330a3b64e55beb69a10e0f896760ed

  • SHA512

    2b1cb481a3abefe215cf39d50a9936e2482a5f9a148e1d27e366324c7c4c605153aaa7cd1bfa89ce7068255f3bb1fafb8b8d05f2c1bcf92239df06d38b544f7e

  • SSDEEP

    3072:tA8JmK7ATVfQeVqNFZa/9KzMXJ6jTFDlAwqWut5KZMzfeAAAogo:tzIqATVfQeV2FZalKq6jtGJWuTmd

Malware Config

Extracted

Family

dridex

Botnet

22201

C2

103.82.248.59:443

54.39.98.141:6602

103.109.247.8:10443

rc4.plain
1
KyrwRFvnPSJz1K6RG9FGBnfutYq4Kbv0AqNO1y41Jw
rc4.plain
1
aF35v54BafRSuy5kKzAyL5d7iE2gSrPPvsMOuf22FPl0HHQhMRlw8iMYOHxIDusi

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

  • Dridex family
  • Dridex Loader 1 IoCs

    Detects Dridex both x86 and x64 loader in memory.

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a17071f23c79edec3fb894b06957280ecc330a3b64e55beb69a10e0f896760ed.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2324
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a17071f23c79edec3fb894b06957280ecc330a3b64e55beb69a10e0f896760ed.dll,#1
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2332
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2332 -s 300
        3⤵
        • Program crash
        PID:1904

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/2332-0-0x0000000000170000-0x0000000000176000-memory.dmp

    Filesize

    24KB

  • memory/2332-1-0x0000000075400000-0x0000000075430000-memory.dmp

    Filesize

    192KB

  • memory/2332-3-0x0000000000170000-0x0000000000176000-memory.dmp

    Filesize

    24KB

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.