Analysis

  • max time kernel
    150s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250502-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20250502-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    16/05/2025, 04:26

General

  • Target

    JaffaCakes118_0541b42d9e97b0f7bc762f924f49ca8e.dll

  • Size

    2.2MB

  • MD5

    0541b42d9e97b0f7bc762f924f49ca8e

  • SHA1

    861f752b3c8e4427c442f89dc586f2eb38d79084

  • SHA256

    a50b69d11bcdf868ddab7695ee3cbb4e1847ab3104f5befa0b7ce55933835d59

  • SHA512

    23f4e2a6aa4ca22565a5c59991f526b21f78ce1c69d48858ab32bb72ead479b3eebefe02a840c10a92de7f3aa4140bd4fb7971a01f0fcb5340c820d4991b1150

  • SSDEEP

    12288:NVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:UfP7fWsK5z9A+WGAW+V5SB6Ct4bnb

Malware Config

Signatures

  • Dridex

    Dridex (known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

  • Dridex family
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 4 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks whether UAC is enabled 1 TTPs 5 IoCs
  • Modifies registry class 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 48 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0541b42d9e97b0f7bc762f924f49ca8e.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:2276
  • C:\Windows\system32\sdclt.exe
    C:\Windows\system32\sdclt.exe
    1⤵
      PID:4296
    • C:\Users\Admin\AppData\Local\bOl\sdclt.exe
      C:\Users\Admin\AppData\Local\bOl\sdclt.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:372
    • C:\Windows\system32\bdechangepin.exe
      C:\Windows\system32\bdechangepin.exe
      1⤵
        PID:3356
      • C:\Users\Admin\AppData\Local\d5yDvwp4M\bdechangepin.exe
        C:\Users\Admin\AppData\Local\d5yDvwp4M\bdechangepin.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:1296
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\MICROS~1\INTERN~1\QUICKL~1\USERPI~1\TaskBar\RT8ROQ~1\BDECHA~1.EXE
        1⤵
        • Suspicious use of WriteProcessMemory
        PID:2524
        • C:\Users\Admin\AppData\Roaming\MICROS~1\INTERN~1\QUICKL~1\USERPI~1\TaskBar\RT8ROQ~1\bdechangepin.exe
          C:\Users\Admin\AppData\Roaming\MICROS~1\INTERN~1\QUICKL~1\USERPI~1\TaskBar\RT8ROQ~1\BDECHA~1.EXE
          2⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:3200
      • C:\Windows\system32\SystemSettingsRemoveDevice.exe
        C:\Windows\system32\SystemSettingsRemoveDevice.exe
        1⤵
          PID:3696
        • C:\Users\Admin\AppData\Local\FFnv6\SystemSettingsRemoveDevice.exe
          C:\Users\Admin\AppData\Local\FFnv6\SystemSettingsRemoveDevice.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:4584

        Network

              MITRE ATT&CK Enterprise v16

              Downloads

              • C:\Users\Admin\AppData\Local\FFnv6\DUI70.dll

                Filesize

                2.5MB

                MD5

                e4d3fea4f3bb60656e4a25629339d5b8

                SHA1

                d807ce374503f49ebb7e700d1924246a96b8a724

                SHA256

                13cda88814fa5b674696d1d83daceb793c442c1b22aa2adab941be01fdd6c0a9

                SHA512

                0ef63b942010865d9bdac7e7879bc63e02ef8ce3391511f1c7b47fef44c5425e26d054826beb1cd7d5897677c43ef0ef39d6760370cadfeb8572adc5f37ad64d

              • C:\Users\Admin\AppData\Local\FFnv6\SystemSettingsRemoveDevice.exe

                Filesize

                39KB

                MD5

                7853f1c933690bb7c53c67151cbddeb0

                SHA1

                d47a1ad0ccba4c988c8ffc5cbf9636fd4f4fa6e6

                SHA256

                9500731b2a3442f11dfd08a8adfe027e7f32ef5834c628eed4b78be74168470d

                SHA512

                831993d610539d44422d769de6561a4622e1b9cb3d73253774b6cecabf57654a74cd88b4ebe20921585ea96d977225b9501f02a0f6a1fc7d2cad6824fd539304

              • C:\Users\Admin\AppData\Local\bOl\ReAgent.dll

                Filesize

                2.2MB

                MD5

                dbd2c80741849adf96e7209d2d3df73e

                SHA1

                34e6504516055e2c8d9730e87d5b253cd31e296b

                SHA256

                817aa3d294cdf02ca01d7b1f92c7cc3ee4b757749b1120a344dab89a4793ee13

                SHA512

                2d6b8401a47686513a963ba58218fa8c77c7cc9418759e5fe6d65e4f162841fdb2c6c07ed572064ae0145d4186747209bbc81310bc13552a03620b852704d8ca

              • C:\Users\Admin\AppData\Local\bOl\sdclt.exe

                Filesize

                1.2MB

                MD5

                e09d48f225e7abcab14ebd3b8a9668ec

                SHA1

                1c5b9322b51c09a407d182df481609f7cb8c425d

                SHA256

                efd238ea79b93d07852d39052f1411618c36e7597e8af0966c4a3223f0021dc3

                SHA512

                384d606b90c4803e5144b4de24edc537cb22dd59336a18a58d229500ed36aec92c8467cae6d3f326647bd044d8074931da553c7809727fb70227e99c257df0b4

              • C:\Users\Admin\AppData\Local\d5yDvwp4M\DUI70.dll

                Filesize

                2.5MB

                MD5

                fb6ee7cd18e5b8ad3e5ad86874c07bc3

                SHA1

                40251441b2383929d7b4314d4325b936c0bb1dd5

                SHA256

                fe41ca501440f2b8f177eb584528a3080723076368e87ba0acc56a134fd8b5d7

                SHA512

                aa0f097be1f4d4b90771dc1292ddaf6c1b44cd3267df874bb6669c316b314c3fa3c2b88768358ad6047b9dda0b4703c65f2791fd9ee1395a1fdd21cc7b2e1c0e

              • C:\Users\Admin\AppData\Local\d5yDvwp4M\bdechangepin.exe

                Filesize

                373KB

                MD5

                601a28eb2d845d729ddd7330cbae6fd6

                SHA1

                5cf9f6f9135c903d42a7756c638333db8621e642

                SHA256

                4d43f37576a0ebbaf97024cd5597d968ffe59c871b483554aea302dccb7253f6

                SHA512

                1687044612ceb705f79c806b176f885fd01449251b0097c2df70280b7d10a2b830ee30ac0f645a7e8d8067892f6562d933624de694295e22318863260222859d

              • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Dxsnejruwmwjo.lnk

                Filesize

                1KB

                MD5

                60acbe85f7365ae18f55de8c67f33cfa

                SHA1

                08a7df9ff8ae4b7c36e9c95318a8ee69aec9ad4e

                SHA256

                20321534c87a82d08afa280a8bb103dc92aff8f5bca984016e8b519690864560

                SHA512

                22928c87f8a5d5488d284a2d098a3b5a657aa365bcb337ca9d07d0b02aa0debc0c8136fd0f9486ad2b28b065322f03637630b9ad539329d7ecf9e11e865a08d3

              • memory/372-98-0x000001F78AAC0000-0x000001F78AAC7000-memory.dmp

                Filesize

                28KB

              • memory/1296-113-0x0000020E5C790000-0x0000020E5C797000-memory.dmp

                Filesize

                28KB

              • memory/2276-3-0x000001ACDBDF0000-0x000001ACDBDF7000-memory.dmp

                Filesize

                28KB

              • memory/2276-0-0x0000000140000000-0x000000014022F000-memory.dmp

                Filesize

                2.2MB

              • memory/2276-7-0x0000000140000000-0x000000014022F000-memory.dmp

                Filesize

                2.2MB

              • memory/3432-32-0x0000000140000000-0x000000014022F000-memory.dmp

                Filesize

                2.2MB

              • memory/3432-25-0x0000000140000000-0x000000014022F000-memory.dmp

                Filesize

                2.2MB

              • memory/3432-61-0x0000000140000000-0x000000014022F000-memory.dmp

                Filesize

                2.2MB

              • memory/3432-60-0x0000000140000000-0x000000014022F000-memory.dmp

                Filesize

                2.2MB

              • memory/3432-59-0x0000000140000000-0x000000014022F000-memory.dmp

                Filesize

                2.2MB

              • memory/3432-58-0x0000000140000000-0x000000014022F000-memory.dmp

                Filesize

                2.2MB

              • memory/3432-56-0x0000000140000000-0x000000014022F000-memory.dmp

                Filesize

                2.2MB

              • memory/3432-55-0x0000000140000000-0x000000014022F000-memory.dmp

                Filesize

                2.2MB

              • memory/3432-52-0x0000000140000000-0x000000014022F000-memory.dmp

                Filesize

                2.2MB

              • memory/3432-51-0x0000000140000000-0x000000014022F000-memory.dmp

                Filesize

                2.2MB

              • memory/3432-49-0x0000000140000000-0x000000014022F000-memory.dmp

                Filesize

                2.2MB

              • memory/3432-48-0x0000000140000000-0x000000014022F000-memory.dmp

                Filesize

                2.2MB

              • memory/3432-47-0x0000000140000000-0x000000014022F000-memory.dmp

                Filesize

                2.2MB

              • memory/3432-46-0x0000000140000000-0x000000014022F000-memory.dmp

                Filesize

                2.2MB

              • memory/3432-45-0x0000000140000000-0x000000014022F000-memory.dmp

                Filesize

                2.2MB

              • memory/3432-44-0x0000000140000000-0x000000014022F000-memory.dmp

                Filesize

                2.2MB

              • memory/3432-43-0x0000000140000000-0x000000014022F000-memory.dmp

                Filesize

                2.2MB

              • memory/3432-42-0x0000000140000000-0x000000014022F000-memory.dmp

                Filesize

                2.2MB

              • memory/3432-41-0x0000000140000000-0x000000014022F000-memory.dmp

                Filesize

                2.2MB

              • memory/3432-40-0x0000000140000000-0x000000014022F000-memory.dmp

                Filesize

                2.2MB

              • memory/3432-38-0x0000000140000000-0x000000014022F000-memory.dmp

                Filesize

                2.2MB

              • memory/3432-36-0x0000000140000000-0x000000014022F000-memory.dmp

                Filesize

                2.2MB

              • memory/3432-33-0x0000000140000000-0x000000014022F000-memory.dmp

                Filesize

                2.2MB

              • memory/3432-34-0x0000000140000000-0x000000014022F000-memory.dmp

                Filesize

                2.2MB

              • memory/3432-89-0x00007FF82B280000-0x00007FF82B290000-memory.dmp

                Filesize

                64KB

              • memory/3432-31-0x0000000140000000-0x000000014022F000-memory.dmp

                Filesize

                2.2MB

              • memory/3432-30-0x0000000140000000-0x000000014022F000-memory.dmp

                Filesize

                2.2MB

              • memory/3432-29-0x0000000140000000-0x000000014022F000-memory.dmp

                Filesize

                2.2MB

              • memory/3432-28-0x0000000140000000-0x000000014022F000-memory.dmp

                Filesize

                2.2MB

              • memory/3432-26-0x0000000140000000-0x000000014022F000-memory.dmp

                Filesize

                2.2MB

              • memory/3432-27-0x0000000140000000-0x000000014022F000-memory.dmp

                Filesize

                2.2MB

              • memory/3432-88-0x0000000000B10000-0x0000000000B17000-memory.dmp

                Filesize

                28KB

              • memory/3432-20-0x0000000140000000-0x000000014022F000-memory.dmp

                Filesize

                2.2MB

              • memory/3432-23-0x0000000140000000-0x000000014022F000-memory.dmp

                Filesize

                2.2MB

              • memory/3432-22-0x0000000140000000-0x000000014022F000-memory.dmp

                Filesize

                2.2MB

              • memory/3432-64-0x0000000140000000-0x000000014022F000-memory.dmp

                Filesize

                2.2MB

              • memory/3432-63-0x0000000140000000-0x000000014022F000-memory.dmp

                Filesize

                2.2MB

              • memory/3432-19-0x0000000140000000-0x000000014022F000-memory.dmp

                Filesize

                2.2MB

              • memory/3432-18-0x0000000140000000-0x000000014022F000-memory.dmp

                Filesize

                2.2MB

              • memory/3432-17-0x0000000140000000-0x000000014022F000-memory.dmp

                Filesize

                2.2MB

              • memory/3432-57-0x0000000140000000-0x000000014022F000-memory.dmp

                Filesize

                2.2MB

              • memory/3432-16-0x0000000140000000-0x000000014022F000-memory.dmp

                Filesize

                2.2MB

              • memory/3432-54-0x0000000140000000-0x000000014022F000-memory.dmp

                Filesize

                2.2MB

              • memory/3432-15-0x0000000140000000-0x000000014022F000-memory.dmp

                Filesize

                2.2MB

              • memory/3432-53-0x0000000140000000-0x000000014022F000-memory.dmp

                Filesize

                2.2MB

              • memory/3432-14-0x0000000140000000-0x000000014022F000-memory.dmp

                Filesize

                2.2MB

              • memory/3432-50-0x0000000140000000-0x000000014022F000-memory.dmp

                Filesize

                2.2MB

              • memory/3432-13-0x0000000140000000-0x000000014022F000-memory.dmp

                Filesize

                2.2MB

              • memory/3432-12-0x0000000140000000-0x000000014022F000-memory.dmp

                Filesize

                2.2MB

              • memory/3432-11-0x0000000140000000-0x000000014022F000-memory.dmp

                Filesize

                2.2MB

              • memory/3432-10-0x0000000140000000-0x000000014022F000-memory.dmp

                Filesize

                2.2MB

              • memory/3432-39-0x0000000140000000-0x000000014022F000-memory.dmp

                Filesize

                2.2MB

              • memory/3432-37-0x0000000140000000-0x000000014022F000-memory.dmp

                Filesize

                2.2MB

              • memory/3432-8-0x0000000140000000-0x000000014022F000-memory.dmp

                Filesize

                2.2MB

              • memory/3432-62-0x0000000140000000-0x000000014022F000-memory.dmp

                Filesize

                2.2MB

              • memory/3432-35-0x0000000140000000-0x000000014022F000-memory.dmp

                Filesize

                2.2MB

              • memory/3432-9-0x0000000140000000-0x000000014022F000-memory.dmp

                Filesize

                2.2MB

              • memory/3432-4-0x0000000002A40000-0x0000000002A41000-memory.dmp

                Filesize

                4KB

              • memory/3432-6-0x00007FF82A0CA000-0x00007FF82A0CB000-memory.dmp

                Filesize

                4KB

              • memory/3432-24-0x0000000140000000-0x000000014022F000-memory.dmp

                Filesize

                2.2MB

              • memory/3432-21-0x0000000140000000-0x000000014022F000-memory.dmp

                Filesize

                2.2MB