Resubmissions
16/04/2025, 14:22  250416-rpjwpsssbz  10
26/12/2023, 16:43  231226-t8dvxaebf6  8
11/10/2023, 19:28  231011-x6qcpsae37  8

Analysis
- max time kernel: 140s
- max time network: 135s
- platform: windows10-2004_x64
- resource: win10v2004-20250314-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20250314-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 16/04/2025, 14:22
Behavioral task behavioral1
  Sample: VCRUNTIME140.dll
  Resource: win10v2004-20250314-en
Behavioral task behavioral2
  Sample: VCRUNTIME140.dll
  Resource: win11-20250410-en
Behavioral task behavioral3
  Sample: opdrde.exe
  Resource: win10v2004-20250314-en
General
- Target: VCRUNTIME140.dll
- Size: 294KB
- MD5: c18edb805748b4bd5013ccb47f061c2a
- SHA1: 37df375be813d91e11795a75872479c1a656e951
- SHA256: 0c873439bc0af08fdf0c335c5a94752413fd096c0c2f1138f17e786bc5ce59c3
- SHA512: 98684779ddcd0b9f7357396d3a1c734f2991b3daea18d33059d36aba3ed6c6385776c733f0d77a24d9bff82b5959b2e6ebf546b0c3dfad8b777dc2a62de00f74
- SSDEEP: 6144:7Cqqq3sQGimpaZQ199tB9PUZZ7+TDrprQEfZd:eqqq3mimpMQ1VVJPd
Malware Config
Extracted family: janelarat
C2 hosts: (list of extracted C2 domains omitted)
Signatures
- Janelarat family
- System Location Discovery: System Language Discovery (1 TTPs, 1 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description: Key opened | ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process: rundll32.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid: 2660 | Process: rundll32.exe
  pid: 2660 | Process: rundll32.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  description: Token: SeDebugPrivilege | pid: 2660 | Process: rundll32.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  description: PID 3752 wrote to memory of 2660 | pid: 3752 | Process: rundll32.exe | procid_target: 85
  description: PID 3752 wrote to memory of 2660 | pid: 3752 | Process: rundll32.exe | procid_target: 85
  description: PID 3752 wrote to memory of 2660 | pid: 3752 | Process: rundll32.exe | procid_target: 85
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\VCRUNTIME140.dll,#1
  PID: 3752
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (child process)
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\VCRUNTIME140.dll,#1
    PID: 2660
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken