Malware Analysis Report

2025-05-28 17:25

Sample ID 250516-e2p72agq3s
Target JaffaCakes118_0541b42d9e97b0f7bc762f924f49ca8e
SHA256 a50b69d11bcdf868ddab7695ee3cbb4e1847ab3104f5befa0b7ce55933835d59
Tags
dridex botnet defense_evasion payload persistence trojan
score
10/10

Analysis Overview

score
10/10

SHA256

a50b69d11bcdf868ddab7695ee3cbb4e1847ab3104f5befa0b7ce55933835d59

Threat Level: Known bad

The file JaffaCakes118_0541b42d9e97b0f7bc762f924f49ca8e was found to be: Known bad.

Malicious Activity Summary

dridex botnet defense_evasion payload persistence trojan

Dridex family

Dridex

Dridex Shellcode

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Checks whether UAC is enabled

Unsigned PE

Suspicious use of WriteProcessMemory

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Suspicious use of UnmapMainImage

Uses Task Scheduler COM API

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-05-16 04:26

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-05-16 04:26

Reported

2025-05-16 04:28

Platform

win10v2004-20250502-en

Max time kernel

150s

Max time network

148s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0541b42d9e97b0f7bc762f924f49ca8e.dll,#1

Signatures

Dridex

botnet dridex

Dridex family

dridex

Dridex Shellcode

botnet payload
Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3623617754-4043701611-775564599-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Kidykkjkirnxz = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\INTERN~1\\QUICKL~1\\USERPI~1\\TaskBar\\RT8ROQ~1\\BDECHA~1.EXE" N/A N/A

Checks whether UAC is enabled

defense_evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\system32\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\bOl\sdclt.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\d5yDvwp4M\bdechangepin.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Roaming\MICROS~1\INTERN~1\QUICKL~1\USERPI~1\TaskBar\RT8ROQ~1\bdechangepin.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\FFnv6\SystemSettingsRemoveDevice.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ N/A N/A
Key created \REGISTRY\USER\S-1-5-21-3623617754-4043701611-775564599-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ N/A N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A

Suspicious use of UnmapMainImage

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3432 wrote to memory of 4296 N/A N/A C:\Windows\system32\sdclt.exe
PID 3432 wrote to memory of 372 N/A N/A C:\Users\Admin\AppData\Local\bOl\sdclt.exe
PID 3432 wrote to memory of 3356 N/A N/A C:\Windows\system32\bdechangepin.exe
PID 3432 wrote to memory of 1296 N/A N/A C:\Users\Admin\AppData\Local\d5yDvwp4M\bdechangepin.exe
PID 3432 wrote to memory of 2524 N/A N/A C:\Windows\system32\cmd.exe
PID 3432 wrote to memory of 3696 N/A N/A C:\Windows\system32\SystemSettingsRemoveDevice.exe
PID 2524 wrote to memory of 3200 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\MICROS~1\INTERN~1\QUICKL~1\USERPI~1\TaskBar\RT8ROQ~1\bdechangepin.exe
PID 3432 wrote to memory of 4584 N/A N/A C:\Users\Admin\AppData\Local\FFnv6\SystemSettingsRemoveDevice.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0541b42d9e97b0f7bc762f924f49ca8e.dll,#1

C:\Windows\system32\sdclt.exe

C:\Windows\system32\sdclt.exe

C:\Users\Admin\AppData\Local\bOl\sdclt.exe

C:\Users\Admin\AppData\Local\bOl\sdclt.exe

C:\Windows\system32\bdechangepin.exe

C:\Windows\system32\bdechangepin.exe

C:\Users\Admin\AppData\Local\d5yDvwp4M\bdechangepin.exe

C:\Users\Admin\AppData\Local\d5yDvwp4M\bdechangepin.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\MICROS~1\INTERN~1\QUICKL~1\USERPI~1\TaskBar\RT8ROQ~1\BDECHA~1.EXE

C:\Windows\system32\SystemSettingsRemoveDevice.exe

C:\Windows\system32\SystemSettingsRemoveDevice.exe

C:\Users\Admin\AppData\Roaming\MICROS~1\INTERN~1\QUICKL~1\USERPI~1\TaskBar\RT8ROQ~1\bdechangepin.exe

C:\Users\Admin\AppData\Roaming\MICROS~1\INTERN~1\QUICKL~1\USERPI~1\TaskBar\RT8ROQ~1\BDECHA~1.EXE

C:\Users\Admin\AppData\Local\FFnv6\SystemSettingsRemoveDevice.exe

C:\Users\Admin\AppData\Local\FFnv6\SystemSettingsRemoveDevice.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 150.171.27.10:443 g.bing.com tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 c.pki.goog udp
FR 142.251.37.35:80 c.pki.goog tcp

Files

C:\Users\Admin\AppData\Local\bOl\ReAgent.dll

MD5 dbd2c80741849adf96e7209d2d3df73e
SHA1 34e6504516055e2c8d9730e87d5b253cd31e296b
SHA256 817aa3d294cdf02ca01d7b1f92c7cc3ee4b757749b1120a344dab89a4793ee13
SHA512 2d6b8401a47686513a963ba58218fa8c77c7cc9418759e5fe6d65e4f162841fdb2c6c07ed572064ae0145d4186747209bbc81310bc13552a03620b852704d8ca

C:\Users\Admin\AppData\Local\bOl\sdclt.exe

MD5 e09d48f225e7abcab14ebd3b8a9668ec
SHA1 1c5b9322b51c09a407d182df481609f7cb8c425d
SHA256 efd238ea79b93d07852d39052f1411618c36e7597e8af0966c4a3223f0021dc3
SHA512 384d606b90c4803e5144b4de24edc537cb22dd59336a18a58d229500ed36aec92c8467cae6d3f326647bd044d8074931da553c7809727fb70227e99c257df0b4

C:\Users\Admin\AppData\Local\d5yDvwp4M\bdechangepin.exe

MD5 601a28eb2d845d729ddd7330cbae6fd6
SHA1 5cf9f6f9135c903d42a7756c638333db8621e642
SHA256 4d43f37576a0ebbaf97024cd5597d968ffe59c871b483554aea302dccb7253f6
SHA512 1687044612ceb705f79c806b176f885fd01449251b0097c2df70280b7d10a2b830ee30ac0f645a7e8d8067892f6562d933624de694295e22318863260222859d

C:\Users\Admin\AppData\Local\d5yDvwp4M\DUI70.dll

MD5 fb6ee7cd18e5b8ad3e5ad86874c07bc3
SHA1 40251441b2383929d7b4314d4325b936c0bb1dd5
SHA256 fe41ca501440f2b8f177eb584528a3080723076368e87ba0acc56a134fd8b5d7
SHA512 aa0f097be1f4d4b90771dc1292ddaf6c1b44cd3267df874bb6669c316b314c3fa3c2b88768358ad6047b9dda0b4703c65f2791fd9ee1395a1fdd21cc7b2e1c0e

C:\Users\Admin\AppData\Local\FFnv6\SystemSettingsRemoveDevice.exe

MD5 7853f1c933690bb7c53c67151cbddeb0
SHA1 d47a1ad0ccba4c988c8ffc5cbf9636fd4f4fa6e6
SHA256 9500731b2a3442f11dfd08a8adfe027e7f32ef5834c628eed4b78be74168470d
SHA512 831993d610539d44422d769de6561a4622e1b9cb3d73253774b6cecabf57654a74cd88b4ebe20921585ea96d977225b9501f02a0f6a1fc7d2cad6824fd539304

C:\Users\Admin\AppData\Local\FFnv6\DUI70.dll

MD5 e4d3fea4f3bb60656e4a25629339d5b8
SHA1 d807ce374503f49ebb7e700d1924246a96b8a724
SHA256 13cda88814fa5b674696d1d83daceb793c442c1b22aa2adab941be01fdd6c0a9
SHA512 0ef63b942010865d9bdac7e7879bc63e02ef8ce3391511f1c7b47fef44c5425e26d054826beb1cd7d5897677c43ef0ef39d6760370cadfeb8572adc5f37ad64d

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Dxsnejruwmwjo.lnk

MD5 60acbe85f7365ae18f55de8c67f33cfa
SHA1 08a7df9ff8ae4b7c36e9c95318a8ee69aec9ad4e
SHA256 20321534c87a82d08afa280a8bb103dc92aff8f5bca984016e8b519690864560
SHA512 22928c87f8a5d5488d284a2d098a3b5a657aa365bcb337ca9d07d0b02aa0debc0c8136fd0f9486ad2b28b065322f03637630b9ad539329d7ecf9e11e865a08d3