Analysis
-
max time kernel
150s
-
max time network
148s
-
platform
windows10-2004_x64
-
resource
win10v2004-20250502-en
-
resource tags
arch:x64, arch:x86, image:win10v2004-20250502-en, locale:en-us, os:windows10-2004-x64, system
-
submitted
16/05/2025, 04:26
Static task
static1
Behavioral task
behavioral1
Sample
JaffaCakes118_0541b42d9e97b0f7bc762f924f49ca8e.dll
Resource
win10v2004-20250502-en
General
-
Target
JaffaCakes118_0541b42d9e97b0f7bc762f924f49ca8e.dll
-
Size
2.2MB
-
MD5
0541b42d9e97b0f7bc762f924f49ca8e
-
SHA1
861f752b3c8e4427c442f89dc586f2eb38d79084
-
SHA256
a50b69d11bcdf868ddab7695ee3cbb4e1847ab3104f5befa0b7ce55933835d59
-
SHA512
23f4e2a6aa4ca22565a5c59991f526b21f78ce1c69d48858ab32bb72ead479b3eebefe02a840c10a92de7f3aa4140bd4fb7971a01f0fcb5340c820d4991b1150
-
SSDEEP
12288:NVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:UfP7fWsK5z9A+WGAW+V5SB6Ct4bnb
Malware Config
Signatures
-
Dridex family
-
resource | yara_rule
behavioral1/memory/3432-4-0x0000000002A40000-0x0000000002A41000-memory.dmp | dridex_stager_shellcode
-
Executes dropped EXE 4 IoCs
pid | Process
372 | sdclt.exe
1296 | bdechangepin.exe
3200 | bdechangepin.exe
4584 | SystemSettingsRemoveDevice.exe
-
Loads dropped DLL 4 IoCs
pid | Process
372 | sdclt.exe
1296 | bdechangepin.exe
3200 | bdechangepin.exe
4584 | SystemSettingsRemoveDevice.exe
-
Adds Run key to start application 2 TTPs 1 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-3623617754-4043701611-775564599-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Kidykkjkirnxz = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\INTERN~1\\QUICKL~1\\USERPI~1\\TaskBar\\RT8ROQ~1\\BDECHA~1.EXE" | Process not Found
-
Checks whether UAC is enabled 1 TTPs 5 IoCs
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | rundll32.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | sdclt.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | bdechangepin.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | bdechangepin.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | SystemSettingsRemoveDevice.exe
-
Modifies registry class 2 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ | Process not Found
Key created | \REGISTRY\USER\S-1-5-21-3623617754-4043701611-775564599-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ | Process not Found
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process | occurrences
2276 | rundll32.exe | 4
3432 | Process not Found | 60
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid | Process
3432 | Process not Found
-
Suspicious use of AdjustPrivilegeToken 48 IoCs
description | pid | Process | occurrences
Token: SeShutdownPrivilege | 3432 | Process not Found | 24
Token: SeCreatePagefilePrivilege | 3432 | Process not Found | 24
-
Suspicious use of UnmapMainImage 1 IoCs
pid | Process
3432 | Process not Found
-
Suspicious use of WriteProcessMemory 16 IoCs
description | pid | Process | procid_target
PID 3432 wrote to memory of 4296 | 3432 | Process not Found | 90
PID 3432 wrote to memory of 372 | 3432 | Process not Found | 91
PID 3432 wrote to memory of 3356 | 3432 | Process not Found | 94
PID 3432 wrote to memory of 1296 | 3432 | Process not Found | 95
PID 3432 wrote to memory of 2524 | 3432 | Process not Found | 96
PID 3432 wrote to memory of 3696 | 3432 | Process not Found | 98
PID 2524 wrote to memory of 3200 | 2524 | cmd.exe | 99
PID 3432 wrote to memory of 4584 | 3432 | Process not Found | 100
(each entry is recorded twice in the report, giving 16 IoCs)
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\system32\rundll32.exe
Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0541b42d9e97b0f7bc762f924f49ca8e.dll,#1
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:2276
-
C:\Windows\system32\sdclt.exe
Command line: C:\Windows\system32\sdclt.exe
PID:4296
-
C:\Users\Admin\AppData\Local\bOl\sdclt.exe
Command line: C:\Users\Admin\AppData\Local\bOl\sdclt.exe
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:372
-
C:\Windows\system32\bdechangepin.exe
Command line: C:\Windows\system32\bdechangepin.exe
PID:3356
-
C:\Users\Admin\AppData\Local\d5yDvwp4M\bdechangepin.exe
Command line: C:\Users\Admin\AppData\Local\d5yDvwp4M\bdechangepin.exe
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1296
-
C:\Windows\system32\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\MICROS~1\INTERN~1\QUICKL~1\USERPI~1\TaskBar\RT8ROQ~1\BDECHA~1.EXE
- Suspicious use of WriteProcessMemory
PID:2524
  -
  (child of cmd.exe, PID 2524)
  C:\Users\Admin\AppData\Roaming\MICROS~1\INTERN~1\QUICKL~1\USERPI~1\TaskBar\RT8ROQ~1\bdechangepin.exe
  Command line: C:\Users\Admin\AppData\Roaming\MICROS~1\INTERN~1\QUICKL~1\USERPI~1\TaskBar\RT8ROQ~1\BDECHA~1.EXE
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID:3200
-
C:\Windows\system32\SystemSettingsRemoveDevice.exe
Command line: C:\Windows\system32\SystemSettingsRemoveDevice.exe
PID:3696
-
C:\Users\Admin\AppData\Local\FFnv6\SystemSettingsRemoveDevice.exe
Command line: C:\Users\Admin\AppData\Local\FFnv6\SystemSettingsRemoveDevice.exe
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:4584
Network
MITRE ATT&CK Enterprise v16
Downloads