Resubmissions

16/04/2025, 14:22

250416-rpjwpsssbz 10

26/12/2023, 16:43

231226-t8dvxaebf6 8

11/10/2023, 19:28

231011-x6qcpsae37 8

Analysis

  • max time kernel
    140s
  • max time network
    104s
  • platform
    windows11-21h2_x64
  • resource
    win11-20250410-en
  • resource tags
    arch:x64
    arch:x86
    image:win11-20250410-en
    locale:en-us
    os:windows11-21h2-x64
    system
  • submitted
    16/04/2025, 14:22

General

  • Target

    VCRUNTIME140.dll

  • Size

    294KB

  • MD5

    c18edb805748b4bd5013ccb47f061c2a

  • SHA1

    37df375be813d91e11795a75872479c1a656e951

  • SHA256

    0c873439bc0af08fdf0c335c5a94752413fd096c0c2f1138f17e786bc5ce59c3

  • SHA512

    98684779ddcd0b9f7357396d3a1c734f2991b3daea18d33059d36aba3ed6c6385776c733f0d77a24d9bff82b5959b2e6ebf546b0c3dfad8b777dc2a62de00f74

  • SSDEEP

    6144:7Cqqq3sQGimpaZQ199tB9PUZZ7+TDrprQEfZd:eqqq3mimpMQ1VVJPd

Score
10/10

Malware Config

Extracted

Family

janelarat

C2

aigodmoney009.access.ly

freelascdmx979.couchpotatofries.org

439mdxmex.damnserver.com

897midasgold.ddns.me

disrupmoney979.ditchyourip.com

kakarotomx.dnsfor.me

skigoldmex.dvrcam.info

i89bydzi.dynns.com

infintymexbrock.geekgalaxy.com

brockmex57.golffan.us

j1d3c3mex.homesecuritypc.com

myfunbmdablo99.hosthampster.com

irocketxmtm.hopto.me

hotdiamond777.loginto.me

imrpc7987bm.mmafan.biz

dmrpc77bm.myactivedirectory.com

jxjmrpc797bm.mydissent.net

askmrpc747bm.mymediapc.net

myinfintyme09.geekgalaxy.com

infintymex747.geekgalaxy.com

Signatures

  • JanelaRAT

    JanelaRAT is a C# trojan targeting FinTech users in the LATAM region.

  • Janelarat family
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\VCRUNTIME140.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:5808
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\VCRUNTIME140.dll,#1
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:5852

Network

        MITRE ATT&CK Enterprise v16


        Downloads

        • memory/5852-0-0x0000000001180000-0x0000000001190000-memory.dmp

          Filesize

          64KB

        • memory/5852-1-0x00000000742FE000-0x00000000742FF000-memory.dmp

          Filesize

          4KB

        • memory/5852-2-0x0000000005220000-0x0000000005272000-memory.dmp

          Filesize

          328KB

        • memory/5852-3-0x0000000074C60000-0x0000000074CB2000-memory.dmp

          Filesize

          328KB

        • memory/5852-4-0x0000000005830000-0x0000000005DD6000-memory.dmp

          Filesize

          5.6MB

        • memory/5852-5-0x0000000005320000-0x00000000053B2000-memory.dmp

          Filesize

          584KB

        • memory/5852-6-0x0000000005DE0000-0x0000000005DEA000-memory.dmp

          Filesize

          40KB

        • memory/5852-7-0x0000000001180000-0x0000000001190000-memory.dmp

          Filesize

          64KB

        • memory/5852-8-0x0000000072DF0000-0x0000000072E05000-memory.dmp

          Filesize

          84KB

        • memory/5852-10-0x00000000742FE000-0x00000000742FF000-memory.dmp

          Filesize

          4KB