Analysis

max time kernel: 149s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240611-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
submitted: 24-06-2024 10:01
Static task: static1 (1 signature)

Behavioral task: behavioral1
  Sample: 07d7d77033a62a22394399083da2d67d_JaffaCakes118.dll
  Resource: win7-20240611-en (windows7-x64)
  4 signatures, 150 seconds
General

Target: 07d7d77033a62a22394399083da2d67d_JaffaCakes118.dll
Size: 184KB
MD5: 07d7d77033a62a22394399083da2d67d
SHA1: 9610fbf0c6a626382eb4c1c005590e282ee6cda4
SHA256: d063a25fa2ccda0c87178079726a800fc0b3d1abe304c3400621bad4e0482289
SHA512: 8d4a06951b83214e02597ebdf9811efcb38c2a7bb03774179630e9870d0ad70756d4c280f9a7a015a002e4427d1b529776e4efa2a73c2c90e57ec8322b1d33dd
SSDEEP: 3072:mA3kqXpPKnXkU64fT/O7fbpvcI2yuOssp5kSmrzWV4S5:mA3kjn0GL/O7lvcITYekSSiV
Malware Config

Extracted
Family: dridex
Botnet: 22201
C2:
  207.148.81.119:443
  185.157.82.209:8333
  5.39.99.208:5412
rc4.plain
rc4.plain
Signatures

YARA rule match (1 resource):
  rule: dridex_ldr
  resource: behavioral2/memory/2716-0-0x0000000075710000-0x0000000075740000-memory.dmp

Program crash (1 IoC):
  pid   process       target pid   target process
  460   WerFault.exe  2716         rundll32.exe

Suspicious use of WriteProcessMemory (3 IoCs):
  pid    process       target pid   target process   description
  3892   rundll32.exe  2716         rundll32.exe     PID 3892 wrote to memory of 2716
  3892   rundll32.exe  2716         rundll32.exe     PID 3892 wrote to memory of 2716
  3892   rundll32.exe  2716         rundll32.exe     PID 3892 wrote to memory of 2716
Processes

1. C:\Windows\system32\rundll32.exe (PID 3892)
   rundll32.exe C:\Users\Admin\AppData\Local\Temp\07d7d77033a62a22394399083da2d67d_JaffaCakes118.dll,#1
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\rundll32.exe (PID 2716)
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\07d7d77033a62a22394399083da2d67d_JaffaCakes118.dll,#1
      3. C:\Windows\SysWOW64\WerFault.exe (PID 460)
         C:\Windows\SysWOW64\WerFault.exe -u -p 2716 -s 612
         - Program crash

1. C:\Windows\SysWOW64\WerFault.exe
   C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2716 -ip 2716
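The process tree and the WriteProcessMemory / Program crash signatures above describe one pattern: a 64-bit rundll32.exe loads the DLL's export #1, spawns a SysWOW64 rundll32.exe with the identical command line, writes into that child, and the child then dies under WerFault. The following is an added hunting example, not part of the sandbox report or any vendor's detection logic. The event records are constructed from the PIDs, image paths and command lines shown in this report, and the flat event schema (event, pid, ppid, image, cmdline, target_pid) is an assumed normalisation, not the output format of any specific sandbox or EDR. The C2 parser is included so the extracted dridex endpoints can be turned into typed (address, port) pairs for blocklists without trusting the raw strings.

```python
"""Hunt for the rundll32 -> rundll32 injection-and-crash pattern from the report above.

Added example. EVENTS below are constructed from the report's PIDs, paths and
command lines (not captured telemetry); the field names are an assumed schema.
"""
from collections import defaultdict
from dataclasses import dataclass
import ipaddress
import re

DLL = r"C:\Users\Admin\AppData\Local\Temp\07d7d77033a62a22394399083da2d67d_JaffaCakes118.dll"

# Constructed from the report: PID 3892 (system32 rundll32) wrote to PID 2716
# (SysWOW64 rundll32) three times; WerFault (PID 460) then handled 2716's crash.
EVENTS = [
    {"event": "process_create", "pid": 3892, "ppid": 0,
     "image": r"C:\Windows\system32\rundll32.exe",
     "cmdline": f"rundll32.exe {DLL},#1"},
    {"event": "process_create", "pid": 2716, "ppid": 3892,
     "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "cmdline": f"rundll32.exe {DLL},#1"},
    {"event": "write_process_memory", "pid": 3892, "target_pid": 2716},
    {"event": "write_process_memory", "pid": 3892, "target_pid": 2716},
    {"event": "write_process_memory", "pid": 3892, "target_pid": 2716},
    {"event": "process_create", "pid": 460, "ppid": 2716,
     "image": r"C:\Windows\SysWOW64\WerFault.exe",
     "cmdline": r"C:\Windows\SysWOW64\WerFault.exe -u -p 2716 -s 612"},
]

# The three C2 endpoints listed under Malware Config.
C2_LINES = ["207.148.81.119:443", "185.157.82.209:8333", "5.39.99.208:5412"]

RUNDLL32 = re.compile(r"\\rundll32\.exe$", re.IGNORECASE)
# WerFault's "-p <pid>" names the crashed process; "-pss" must not match.
WERFAULT_PID = re.compile(r"\bWerFault\.exe\b.*?\s-p\s+(\d+)", re.IGNORECASE)


@dataclass
class Finding:
    parent_pid: int
    child_pid: int
    write_count: int
    cross_arch: bool    # system32 parent -> SysWOW64 child (64-bit hosting a 32-bit DLL)
    same_export: bool   # both rundll32 command lines load the same "<dll>,<export>"
    crashed: bool       # a WerFault instance later reported on the child


def _dll_and_export(cmdline: str) -> str:
    # For rundll32 the argument after the first space is "<dll>,<export>".
    return cmdline.split(" ", 1)[1].strip().lower() if " " in cmdline else ""


def find_rundll32_injection(events):
    """Return one Finding per rundll32 parent that wrote into a rundll32 child it spawned."""
    procs = {e["pid"]: e for e in events if e["event"] == "process_create"}
    writes = defaultdict(int)
    for e in events:
        if e["event"] == "write_process_memory":
            writes[(e["pid"], e["target_pid"])] += 1
    crashed = set()
    for e in procs.values():
        m = WERFAULT_PID.search(e["cmdline"])
        if m:
            crashed.add(int(m.group(1)))
    findings = []
    for (src, dst), n in writes.items():
        p, c = procs.get(src), procs.get(dst)
        if not (p and c) or c["ppid"] != src:
            continue
        if not (RUNDLL32.search(p["image"]) and RUNDLL32.search(c["image"])):
            continue
        findings.append(Finding(
            parent_pid=src, child_pid=dst, write_count=n,
            cross_arch="\\system32\\" in p["image"].lower()
                       and "\\syswow64\\" in c["image"].lower(),
            same_export=_dll_and_export(p["cmdline"]) == _dll_and_export(c["cmdline"]),
            crashed=dst in crashed,
        ))
    return findings


def parse_c2(lines):
    """Turn 'ip:port' strings into (IPv4Address, port) tuples; malformed entries are dropped."""
    out = []
    for line in lines:
        host, _, port = line.strip().rpartition(":")
        try:
            addr, port_n = ipaddress.IPv4Address(host), int(port)
        except (ipaddress.AddressValueError, ValueError):
            continue
        if 1 <= port_n <= 65535:
            out.append((addr, port_n))
    return out


if __name__ == "__main__":
    for f in find_rundll32_injection(EVENTS):
        print(f)
    print(parse_c2(C2_LINES))
```

Treat the parent-to-child rundll32 finding as corroboration, not as an alert on its own: a 64-bit rundll32.exe that is handed a 32-bit DLL re-launches itself from SysWOW64 with the same command line, and the memory writes during that launch produce exactly this WriteProcessMemory pattern on benign DLLs too. What makes this tree actionable is the dridex_ldr YARA match on PID 2716's memory region and the extracted C2 list; the crash under WerFault is consistent with the loader failing in the sandbox rather than evidence by itself.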