Analysis

  • max time kernel
    119s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    30-12-2024 23:06

General

  • Target

    JaffaCakes118_88cd4039e89da6ecf913cf1599a81e211fa912a53371d4bf255b73eb5788111f.dll

  • Size

    177KB

  • MD5

    37f84e4f8bf37278e810552e27fecf45

  • SHA1

    34768f7d6fcf89800e8d72e1a1821064b22d3e37

  • SHA256

    88cd4039e89da6ecf913cf1599a81e211fa912a53371d4bf255b73eb5788111f

  • SHA512

    5e0fc16ccdc4ba73105c813785a05db0cb69f977e73bb2b29dacfe2bbfd35129af57fa0de2fcfb08752eda73361f48141af9d3cb95100133b82f6eb80b974a67

  • SSDEEP

    3072:cuCmyBVtWxZCOCA4Hpl1tv18FTETA8ocya/OyoSJPAacbnid8DOHPJ+HJ:QzWxkOP4p2EesvcDi6DOHPJ

Malware Config

Extracted

Family

dridex

Botnet

22201

C2

144.76.1.150:443

50.249.212.98:23399

104.168.154.79:5007

rc4.plain
1
YjbQeq5UMzLaqTuxGlME3hD5AZvvRe5dSrViGkA4D3iqQ
rc4.plain
1
5oO2mBtXHaMUXu5tCn6RiiaG0OpiGUDJgk3FMD9BEFejUNONblkzzEmo9zKtF

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

  • Dridex family
  • Dridex Loader 1 IoCs

    Detects Dridex both x86 and x64 loader in memory.

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_88cd4039e89da6ecf913cf1599a81e211fa912a53371d4bf255b73eb5788111f.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1708
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_88cd4039e89da6ecf913cf1599a81e211fa912a53371d4bf255b73eb5788111f.dll,#1
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2124
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2124 -s 220
        3⤵
        • Program crash
        PID:1188

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/2124-0-0x0000000000120000-0x0000000000126000-memory.dmp

    Filesize

    24KB

  • memory/2124-1-0x0000000074BA0000-0x0000000074BD1000-memory.dmp

    Filesize

    196KB

  • memory/2124-3-0x0000000000120000-0x0000000000126000-memory.dmp

    Filesize

    24KB

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.