Analysis

  • max time kernel
    92s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    30-12-2024 20:51

General

  • Target

    JaffaCakes118_933b2d52560753cbea3f583fbf6438afa8b8785e90eead6dd6cac7a667668f75.dll

  • Size

    161KB

  • MD5

    ab378f375032f9540622e1f06ee3a4d8

  • SHA1

    8ffc15c7c4099607c86a3a34384215fba8e6b698

  • SHA256

    933b2d52560753cbea3f583fbf6438afa8b8785e90eead6dd6cac7a667668f75

  • SHA512

    bc654a142d7bc188f84f1361b0b06e2e834a53177532b447f08d493cee7f64704780b1398aaa4d0bf50beffdf952346fe81aa4e0303cb878c754d6c6817b09cd

  • SSDEEP

    3072:8k2X+QFg3UutDvUvoU8pz6EJEEhu6Tzace9kuaGA81/YXKHML/Yp8AF:iG3rUvoU4JE/Wzan9T7B/CKsL/Yy

Malware Config

Extracted

Family

dridex

Botnet

40112

C2

193.200.130.181:443

95.138.161.226:2303

167.114.113.13:4125

rc4.plain
rc4.plain

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

  • Dridex family
  • Dridex Loader 1 IoCs

    Detects Dridex both x86 and x64 loader in memory.

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_933b2d52560753cbea3f583fbf6438afa8b8785e90eead6dd6cac7a667668f75.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2672
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_933b2d52560753cbea3f583fbf6438afa8b8785e90eead6dd6cac7a667668f75.dll,#1
      2⤵
      • System Location Discovery: System Language Discovery
      PID:4440
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 4440 -s 684
        3⤵
        • Program crash
        PID:1796
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 4440 -ip 4440
    1⤵
      PID:4000

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/4440-0-0x00000000006F0000-0x00000000006F6000-memory.dmp

      Filesize

      24KB

    • memory/4440-1-0x0000000010000000-0x000000001002E000-memory.dmp

      Filesize

      184KB

    • memory/4440-3-0x00000000006F0000-0x00000000006F6000-memory.dmp

      Filesize

      24KB