Analysis

  • max time kernel
    118s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    30-12-2024 22:49

General

  • Target

    JaffaCakes118_8fb6961e7e63f91be6eaab0568855db1ca69fce0118c476c0e71d7f109b48e73.dll

  • Size

    172KB

  • MD5

    7ef1b9260e64fa5c9cdc1b10ca07983e

  • SHA1

    608a2ae1686463bdb10efbab8293f4e06982c0e5

  • SHA256

    8fb6961e7e63f91be6eaab0568855db1ca69fce0118c476c0e71d7f109b48e73

  • SHA512

    1d751a6cea567ff0d433a64cb344710b90d4b7978bf27f6ea2a9b2707c1f0200e51af187dab41554975b0fe324da27183898a99f0486704fb33a0d607314ed08

  • SSDEEP

    3072:AWpY/Syz2ita3Un6oaxewXvR2GNYHj8z+7/VczU9vh46WIOY4zmo3zAGW+r:AWpY/S8Z83VewfR2GyxVcA5hvjRCmikG

Malware Config

Extracted

Family

dridex

Botnet

40112

C2

210.65.244.187:443

162.241.41.92:2303

46.231.204.10:8172

185.183.159.100:4125

rc4.plain
rc4.plain

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

  • Dridex family
  • Dridex Loader 1 IoCs

    Detects Dridex both x86 and x64 loader in memory.

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8fb6961e7e63f91be6eaab0568855db1ca69fce0118c476c0e71d7f109b48e73.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2384
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8fb6961e7e63f91be6eaab0568855db1ca69fce0118c476c0e71d7f109b48e73.dll,#1
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2072
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2072 -s 256
        3⤵
        • Program crash
        PID:2124

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/2072-0-0x00000000001B0000-0x00000000001B6000-memory.dmp

    Filesize

    24KB

  • memory/2072-1-0x0000000074A10000-0x0000000074A40000-memory.dmp

    Filesize

    192KB

  • memory/2072-3-0x00000000001B0000-0x00000000001B6000-memory.dmp

    Filesize

    24KB