Analysis
max time kernel: 104s
max time network: 135s
platform: windows10-2004_x64
resource: win10v2004-20250314-en
resource tags: arch:x64, arch:x86, image:win10v2004-20250314-en, locale:en-us, os:windows10-2004-x64, system
submitted: 16/04/2025, 14:25
Behavioral task: behavioral1
Sample: VCRUNTIME140.dll
Resource: win10v2004-20250410-en

Behavioral task: behavioral2
Sample: VCRUNTIME140.dll
Resource: win11-20250410-en

Behavioral task: behavioral3
Sample: opdrde.exe
Resource: win10v2004-20250314-en
General
Target: opdrde.exe
Size: 416KB
MD5: 2c2f7c1fb5974e77933414cd30be5818
SHA1: ffb84f543d343bfbe6d2cd9eabb449e11fcc5831
SHA256: fc8473aba51ecaabc40e22cdae028c57e8497188c23901044af838fc7c2ee66b
SHA512: f4e16b0c2d9318d848c7140d7cb42c305da03bfb5768bd442760e22ede7d35f17cf266017c7aefa5eb8aaf135264ad2e5769e77a50f0dda37421231b3d134b6d
SSDEEP: 12288:w1cJxwt3tq5aDuumpb3kzEptIrZjgztwQbn:8t3gkDjmrtmZjgzGQz
Malware Config
Extracted: janelarat
Signatures
Janelarat family
System Location Discovery: System Language Discovery (1 TTPs, 1 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | opdrde.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid | Process
1492 | opdrde.exe
1492 | opdrde.exe

Suspicious use of AdjustPrivilegeToken (1 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 1492 | opdrde.exe