Analysis

  • max time kernel
    117s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20241023-en
  • resource tags

    arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
  • submitted
    30/12/2024, 19:12 UTC

General

  • Target

    JaffaCakes118_5bd10a3d6a1b9299f155e26c71cd15d270770a3f9f3bbccdbfb6904761735c96.dll

  • Size

    188KB

  • MD5

    892f07a459dfc32ec620bb28ed641d4e

  • SHA1

    a79b3ec0d5d83baaed2de854ad9693243065abd8

  • SHA256

    5bd10a3d6a1b9299f155e26c71cd15d270770a3f9f3bbccdbfb6904761735c96

  • SHA512

    9f23df92575e4eb8232e5af9ac2d01356e379782fef53199c8af2dd2c767d26a8eecfee851d33e930cadb1953fad6cdb0819e380a664e2045b43b51d48145116

  • SSDEEP

    3072:EteMq7hp/YIzA6BZvlWnTDN2GL9L8NLXWruiuUCzTOwwc0cIzH9qM:4q7fYIHBZkTB6DWruUCOwjt

Malware Config

Extracted

Family

dridex

Botnet

22201

C2

103.87.173.60:443

45.32.243.209:8116

207.180.208.54:4664

rc4.plain
1
O8gS34J9YSWjLHlls2UUrobOVwkv2gxcuQGDftg29
rc4.plain
1
uKMtcv1AqGZruPo9ospRTBws8THw75AMb8FgkX5O4e9TcekeUYyEZPcdBYFbpQD81

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

  • Dridex family
  • Dridex Loader 1 IoCs

    Detects Dridex both x86 and x64 loader in memory.

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5bd10a3d6a1b9299f155e26c71cd15d270770a3f9f3bbccdbfb6904761735c96.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2140
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5bd10a3d6a1b9299f155e26c71cd15d270770a3f9f3bbccdbfb6904761735c96.dll,#1
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1028
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 1028 -s 300
        3⤵
        • Program crash
        PID:1920

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1028-0-0x00000000002A0000-0x00000000002A6000-memory.dmp

    Filesize

    24KB

  • memory/1028-1-0x0000000074860000-0x0000000074890000-memory.dmp

    Filesize

    192KB

  • memory/1028-4-0x00000000002A0000-0x00000000002A6000-memory.dmp

    Filesize

    24KB

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.