Analysis

max time kernel: 150s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20250502-en
resource tags: arch:x64, arch:x86, image:win10v2004-20250502-en, locale:en-us, os:windows10-2004-x64, system
submitted: 15/05/2025, 04:26

Static task: static1
Behavioral task: behavioral1
Sample: JaffaCakes118_04463233364b1cc3f51e1f51e42a37c8.dll
Resource: win10v2004-20250502-en
General

Target: JaffaCakes118_04463233364b1cc3f51e1f51e42a37c8.dll
Size: 1.9MB
MD5: 04463233364b1cc3f51e1f51e42a37c8
SHA1: daee90d3e230444d0711d2d2c4ca97bd40a53b35
SHA256: 68d435607aa9bbc1fb27b084a7851140e77afe279443c65f027d4277e888752f
SHA512: 7aad8a1d5c80e7360a0632dc4fbe553e77e39eb22b79d780dbfd4dd999b4e267658c74b68a50e160a810c6156c0d62814650675ef3fab830480b3a6210236486
SSDEEP: 12288:hVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:QfP7fWsK5z9A+WGAW+V5SB6Ct4bnb
Malware Config
Signatures
-
Dridex family

resource: behavioral1/memory/3556-4-0x0000000002860000-0x0000000002861000-memory.dmp
yara_rule: dridex_stager_shellcode

The matching memory dump was taken from PID 3556, which the sandbox lists as "Process not Found" throughout this report because it could not resolve the image name. The same PID is the source of every WriteProcessMemory event recorded below, so this is the process in which the stager ran.
Executes dropped EXE 4 IoCs

pid  Process
2868 Utilman.exe
1564 SystemPropertiesProtection.exe
4688 Dxpserver.exe
2924 SystemPropertiesProtection.exe

Loads dropped DLL 4 IoCs

pid  Process
2868 Utilman.exe
1564 SystemPropertiesProtection.exe
4688 Dxpserver.exe
2924 SystemPropertiesProtection.exe

All four carry the file name of a Windows system binary but run from randomly named directories under the user's AppData (see the process tree below), and each one is also flagged for loading a dropped DLL. The host executable is the decoy; the payload is the DLL it picks up.
Adds Run key to start application 2 TTPs 1 IoCs

description: Set value (str)
ioc: \REGISTRY\USER\S-1-5-21-3623617754-4043701611-775564599-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Kidykkjkirnxz = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\TEMPLA~1\\LIVECO~1\\16\\User\\DOCUME~1\\1033\\MVy0P2Xe\\SYSTEM~1.EXE"
Process: Process not Found

The value data is written entirely in 8.3 short names (MICROS~1, TEMPLA~1, SYSTEM~1.EXE). The cmd.exe entry in the process tree shows that SYSTEM~1.EXE in that directory resolves to the dropped SystemPropertiesProtection.exe copy; a rule that matches only on the long file name will not fire on this value.
Checks whether UAC is enabled 1 TTPs 4 IoCs

description: Key value queried
ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
Process: rundll32.exe, Utilman.exe, SystemPropertiesProtection.exe, SystemPropertiesProtection.exe

Every stage reads EnableLUA: the initial rundll32.exe loader and then the dropped copies. Reading this value is not suspicious on its own (plenty of legitimate installers do it); the signal is that the readers are system-binary names running out of AppData.
Event Triggered Execution: Accessibility Features 1 TTPs
Windows contains accessibility features that may be used by adversaries to establish persistence and/or elevate privileges. The accessibility binary here is Utilman.exe, seen both as the genuine System32 copy (PID 4680) and as the dropped copy under AppData\Local\bGHf2Mj2 (PID 2868).
-
Suspicious behavior: EnumeratesProcesses 64 IoCs

pid  Process            entries
808  rundll32.exe       4
3556 Process not Found  60
Suspicious use of AdjustPrivilegeToken 8 IoCs

description                      pid  Process            entries
Token: SeShutdownPrivilege       3556 Process not Found  4
Token: SeCreatePagefilePrivilege 3556 Process not Found  4
Suspicious use of WriteProcessMemory 16 IoCs

The raw list records each write twice; the eight distinct writes, with the target resolved from the process tree, are:

pid  Process            wrote to  target                                        procid_target
3556 Process not Found  4680      Utilman.exe (System32)                        92
3556 Process not Found  2868      Utilman.exe (dropped copy)                    93
3556 Process not Found  4432      SystemPropertiesProtection.exe (System32)     97
3556 Process not Found  1564      SystemPropertiesProtection.exe (dropped copy) 98
3556 Process not Found  888       cmd.exe                                       100
3556 Process not Found  632       Dxpserver.exe (System32)                      102
3556 Process not Found  4688      Dxpserver.exe (dropped copy)                  103
888  cmd.exe            2924      SystemPropertiesProtection.exe (dropped copy) 104

PID 3556 writes into each genuine system binary first and then into its dropped twin, and into the cmd.exe that launches the Run-key target. The rundll32.exe loader (PID 808) never appears as a writer, so the hand-off from the loader into PID 3556 is not captured by this signature.
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

rundll32.exe (PID 808)
  Image: C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04463233364b1cc3f51e1f51e42a37c8.dll,#1
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses

Utilman.exe (PID 4680)
  Image: C:\Windows\system32\Utilman.exe
  Command line: C:\Windows\system32\Utilman.exe

Utilman.exe (PID 2868, dropped copy)
  Image: C:\Users\Admin\AppData\Local\bGHf2Mj2\Utilman.exe
  Command line: C:\Users\Admin\AppData\Local\bGHf2Mj2\Utilman.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled

SystemPropertiesProtection.exe (PID 4432)
  Image: C:\Windows\system32\SystemPropertiesProtection.exe
  Command line: C:\Windows\system32\SystemPropertiesProtection.exe

SystemPropertiesProtection.exe (PID 1564, dropped copy)
  Image: C:\Users\Admin\AppData\Local\2oKxvID\SystemPropertiesProtection.exe
  Command line: C:\Users\Admin\AppData\Local\2oKxvID\SystemPropertiesProtection.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled

cmd.exe (PID 888)
  Image: C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\MICROS~1\TEMPLA~1\LIVECO~1\16\User\DOCUME~1\1033\MVy0P2Xe\SYSTEM~1.EXE
  - Suspicious use of WriteProcessMemory
  └ SystemPropertiesProtection.exe (PID 2924, dropped copy, child of cmd.exe)
      Image: C:\Users\Admin\AppData\Roaming\MICROS~1\TEMPLA~1\LIVECO~1\16\User\DOCUME~1\1033\MVy0P2Xe\SystemPropertiesProtection.exe
      Command line: C:\Users\Admin\AppData\Roaming\MICROS~1\TEMPLA~1\LIVECO~1\16\User\DOCUME~1\1033\MVy0P2Xe\SYSTEM~1.EXE
      - Executes dropped EXE
      - Loads dropped DLL
      - Checks whether UAC is enabled

Dxpserver.exe (PID 632)
  Image: C:\Windows\system32\Dxpserver.exe
  Command line: C:\Windows\system32\Dxpserver.exe

Dxpserver.exe (PID 4688, dropped copy)
  Image: C:\Users\Admin\AppData\Local\3R7hJ2\Dxpserver.exe
  Command line: C:\Users\Admin\AppData\Local\3R7hJ2\Dxpserver.exe
  - Executes dropped EXE
  - Loads dropped DLL

Every top-level process other than the rundll32.exe loader has a parent the sandbox could not render; the WriteProcessMemory list attributes all of them to PID 3556. The pattern repeats three times: the genuine System32 binary is started, then a same-named copy from a fresh AppData directory, which is the one that loads the dropped DLL. The cmd.exe /c launch of SYSTEM~1.EXE is the Run-key target being exercised once during the run.
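Triage of the three IoC lists above (the process tree, the Run-key value and the WriteProcessMemory edges), added here as an example and not part of the sandbox's output. It flags any process whose file name is a Windows system binary but whose image lives outside the Windows directory, applies the same check to the Run-key target, and pairs each flagged copy with its genuine twin and with the PID that wrote into it. The SYSTEM_BINARIES watchlist is an assumption limited to the three names this report shows; the PID/path table and the two IoC strings are copied from the report, with the sandbox's duplicate WriteProcessMemory entries dropped.

```python
"""Added triage of the IoC lists above: flags Windows-system-binary names running
outside the Windows directory, a Run-key target with the same traits, and the pid
that wrote into each flagged process. Sample data is copied from the report."""
import re
from collections import defaultdict

# Assumed watchlist: only the three side-load hosts this report shows. In practice
# seed it from an inventory of System32 file names.
SYSTEM_BINARIES = {"utilman.exe", "systempropertiesprotection.exe", "dxpserver.exe"}
WINDOWS_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
SHORT_NAME = re.compile(r"~\d+")      # 8.3 component such as MICROS~1 or SYSTEM~1.EXE
RUN_VALUE = re.compile(r'Set value \(str\) (\S+) = "(.*)"')
WPM_EDGE = re.compile(r"PID (\d+) wrote to memory of (\d+)")

# (pid, image path) for every process in the tree above.
PROCESSES = [
    (808, r"C:\Windows\system32\rundll32.exe"),
    (4680, r"C:\Windows\system32\Utilman.exe"),
    (2868, r"C:\Users\Admin\AppData\Local\bGHf2Mj2\Utilman.exe"),
    (4432, r"C:\Windows\system32\SystemPropertiesProtection.exe"),
    (1564, r"C:\Users\Admin\AppData\Local\2oKxvID\SystemPropertiesProtection.exe"),
    (888, r"C:\Windows\system32\cmd.exe"),
    (2924, r"C:\Users\Admin\AppData\Roaming\MICROS~1\TEMPLA~1\LIVECO~1\16\User"
           r"\DOCUME~1\1033\MVy0P2Xe\SystemPropertiesProtection.exe"),
    (632, r"C:\Windows\system32\Dxpserver.exe"),
    (4688, r"C:\Users\Admin\AppData\Local\3R7hJ2\Dxpserver.exe"),
]
# The Run-key IoC as printed (backslashes doubled) and the WriteProcessMemory
# edges with the sandbox's duplicate entries dropped.
RUN_IOC = (r'Set value (str) \REGISTRY\USER\S-1-5-21-3623617754-4043701611-775564599-1000'
           r'\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Kidykkjkirnxz = '
           r'"C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\TEMPLA~1\\LIVECO~1\\16\\User'
           r'\\DOCUME~1\\1033\\MVy0P2Xe\\SYSTEM~1.EXE"')
WPM_IOC = ("PID 3556 wrote to memory of 4680 PID 3556 wrote to memory of 2868 "
           "PID 3556 wrote to memory of 4432 PID 3556 wrote to memory of 1564 "
           "PID 3556 wrote to memory of 888 PID 3556 wrote to memory of 632 "
           "PID 3556 wrote to memory of 4688 PID 888 wrote to memory of 2924")


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def in_windows_dir(path: str) -> bool:
    return path.lower().startswith(WINDOWS_DIRS)


def check_image(path: str) -> list[str]:
    """Findings for one image path; an empty list means nothing suspicious."""
    findings = []
    if basename(path) in SYSTEM_BINARIES and not in_windows_dir(path):
        findings.append("system binary name outside the Windows directory")
    if SHORT_NAME.search(path):
        # A short name such as SYSTEM~1.EXE also hides the real file name from
        # the check above, so a short-name hit alone deserves a follow-up.
        findings.append("8.3 short-name path")
    if "\\appdata\\" in path.lower():
        findings.append("runs from the user profile")
    return findings


def check_run_key(ioc: str) -> dict:
    """Parse a 'Set value (str) <key> = "<data>"' IoC and check its target path."""
    m = RUN_VALUE.search(ioc)
    if m is None:
        raise ValueError("not a Set value IoC")
    key, data = m.group(1), m.group(2).replace("\\\\", "\\")
    return {
        "value": key.rsplit("\\", 1)[-1],
        "is_run_key": "\\currentversion\\run\\" in key.lower(),
        "target": data,
        "findings": check_image(data),
    }


def injection_edges(ioc: str) -> dict[int, set[int]]:
    """Map writer pid -> pids it wrote into, from 'PID a wrote to memory of b' IoCs."""
    edges: dict[int, set[int]] = defaultdict(set)
    for src, dst in WPM_EDGE.findall(ioc):
        edges[int(src)].add(int(dst))
    return dict(edges)


def triage(processes, wpm_ioc):
    """Flagged processes with their legitimate same-named twin and their writer(s)."""
    edges = injection_edges(wpm_ioc)
    legit = {basename(p): pid for pid, p in processes if in_windows_dir(p)}
    report = {}
    for pid, path in processes:
        findings = check_image(path)
        if findings:
            report[pid] = {
                "path": path,
                "findings": findings,
                "legit_twin": legit.get(basename(path)),
                "written_by": sorted(s for s, targets in edges.items() if pid in targets),
            }
    return report
```

Running `triage(PROCESSES, WPM_IOC)` flags exactly the four dropped copies (2868, 1564, 2924, 4688), pairs each with the System32 process of the same name that was started just before it, and shows PID 3556 as the writer for three of them and cmd.exe (888) for the Run-key target. `check_run_key(RUN_IOC)` shows the limit of name matching: because the value ends in SYSTEM~1.EXE, the system-binary check cannot fire and only the short-name and AppData findings remain, which is why the Run value has to be correlated with the process tree rather than judged alone.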
Network
MITRE ATT&CK Enterprise v16

Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Event Triggered Execution (1): Accessibility Features (1)
Downloads

The sandbox captured seven files. None of their hashes matches the submitted sample (MD5 04463233364b1cc3f51e1f51e42a37c8), so the three 1.9MB files, although the same size as the input DLL, are not byte-identical copies of it.

Filesize: 1.9MB
MD5: 7bdcc619a8d30180f7e918b3572c937a
SHA1: 4bb24aa95165112a1507906acefa11f07498b725
SHA256: f1043d967d46fff7357dc112dcf9c56150268bd79ea019e7cf2d5d9886788475
SHA512: 729a041b54f93b2424c9d11b5aedd586e68ed07cc1fd582fc8f81baa46c39fa92cc67638ca83e931f940b9189e30b02362f43d1d44d7ca22e27cf1910cdd75b9

Filesize: 82KB
MD5: 26640d2d4fa912fc9a354ef6cfe500ff
SHA1: a343fd82659ce2d8de3beb587088867cf2ab8857
SHA256: a8ddf1b17b0cbc96a7eaedb0003aa7b1631da09ebfe85b387f8f630222511b37
SHA512: 26162a3d9d4a8e3290dbcf6fe387b5c48ab1d9552aa02a38954649d877f408cb282e57580f81e15128e3a41da0eb58328d1d6253e1b57232f9a8cecdd99991dc

Filesize: 310KB
MD5: 6344f1a7d50da5732c960e243c672165
SHA1: b6d0236f79d4f988640a8445a5647aff5b5410f7
SHA256: b1081651ac33610824e2088ff64d1655993dd3d6073af1e5ffe0b4a0027f502f
SHA512: 73f6fa01b880e6619fafa065c171bd0a2b7b2d908762b5aca15f2b8d856b5501b3884e3566ef9b8032c8cbf9bb15116e60c22fded4656c8857c974cda4213d65

Filesize: 1.9MB
MD5: 8c953fe0dedac9226c456f61788e75f8
SHA1: 59a49da87d321fc7ebc51bc92c311dc77ae2213d
SHA256: 7efc810e22154f9fb659fa109dd05d584eba68fb1169887eecb2fa405a484edd
SHA512: 0388eb1cb3ab219a31f4b7161f84c846e9a6bd73c29d94f4975ab9829c5022709bdbb96ec9aa05ca1ab50372e7f477544efa86db79146cb0576c56e1d0dafa88

Filesize: 1.9MB
MD5: b9edc40a26b469b2488fbaaa477dbf84
SHA1: 3521efe7ef870c2bf31eaf081b10dd3854a21b27
SHA256: 720f66cc4d1d2f0c58ed33601c9e092eb4421eec29c87d67c9e00edc3f856b4c
SHA512: b082f9354b7274e2fc06a6af49b16e4bb2012dfcd40918f7a4ecbd54dd3e63b9514b3cf7c8919c28d8d60f1c619e876de870b1c44620bb4acff5c4da06570637

Filesize: 123KB
MD5: a117edc0e74ab4770acf7f7e86e573f7
SHA1: 5ceffb1a5e05e52aafcbc2d44e1e8445440706f3
SHA256: b5bc4fce58403ea554691db678e6c8c448310fe59990990f0e37cd4357567d37
SHA512: 72883f794ff585fe7e86e818d4d8c54fa9781cab6c3fac6f6956f58a016a91f676e70d14691cbe054ae7b7469c6b4783152fbb694e92b940d9e3595fe3f41d97

Filesize: 1KB
MD5: 976b3930779480d7aab29232bdf1bccc
SHA1: e4710c51754a125c8a4ec63129e6dd1275a51289
SHA256: 5c8fb1459dce1d1a42007b97420a802b07bab7b77d1a8edef39fa6c6c5595e08
SHA512: a490ee99c4e0ff060b1f541f1c57ce0d0d18fac3641fd2241afa323835151c312b99727296cd2ea2d00e196d3a55805b3255c96c3573277a5e7d48383dccc10d