Analysis

  • max time kernel
    118s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    30-12-2024 21:59

General

  • Target

    JaffaCakes118_80b33c5e13764f695a3a8f35954ca1ba7a862aa541270a0f93b9bc05e970cf61.dll

  • Size

    184KB

  • MD5

    fed27c3328f4be7218d79fb6de2ecd2b

  • SHA1

    a22fae83b6c1c8ceabc70ca80073b70fedeb1ee5

  • SHA256

    80b33c5e13764f695a3a8f35954ca1ba7a862aa541270a0f93b9bc05e970cf61

  • SHA512

    1fc6ed921c9e3298aba888bed3b15755759662793c514e8cd2e788ab6f854ccfb8f8e8b0db79c43ed88f895ada9fac85caf40aea61d468af27e6d02744436ad6

  • SSDEEP

    3072:4JQ6H3ykY88YOSs+k1TwEuTcMIznNuOzlr1Xznku9Luk0eJww8J7a//2uFrSc:VfYOX+wTScR/Xzku9LVwAuG

Malware Config

Extracted

Family

dridex

Botnet

22201

C2

80.241.218.90:443

103.161.172.109:13786

87.98.128.76:5723

rc4.plain
1
XH2KyJtcJ7RSk5n0Ak2zUIsoefdhHZlKRYf
rc4.plain
1
cYEsjNtMnqhfNdGdtxJHObrdyxC7I2RsYqPuLirrwkWgKf0csGFj3Ow4lgY2bwEnd8mTqve

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

  • Dridex family
  • Dridex Loader 2 IoCs

    Detects Dridex both x86 and x64 loader in memory.

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_80b33c5e13764f695a3a8f35954ca1ba7a862aa541270a0f93b9bc05e970cf61.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2384
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_80b33c5e13764f695a3a8f35954ca1ba7a862aa541270a0f93b9bc05e970cf61.dll,#1
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2376
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2376 -s 220
        3⤵
        • Program crash
        PID:2012

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/2376-0-0x00000000001B0000-0x00000000001B6000-memory.dmp

    Filesize

    24KB

  • memory/2376-1-0x00000000752A0000-0x00000000752CF000-memory.dmp

    Filesize

    188KB

  • memory/2376-3-0x00000000001B0000-0x00000000001B6000-memory.dmp

    Filesize

    24KB

  • memory/2376-2-0x00000000752A0000-0x00000000752CF000-memory.dmp

    Filesize

    188KB

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.