Analysis
- max time kernel: 140s
- max time network: 144s
- platform: windows10-2004_x64
- resource: win10v2004-20250502-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20250502-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 16/05/2025, 10:28
Static task: static1
Behavioral task: behavioral1
  Sample: JaffaCakes118_05895a9a51666b349018181c47a225dd.dll
  Resource: win10v2004-20250502-en
Behavioral task: behavioral2
  Sample: JaffaCakes118_05895a9a51666b349018181c47a225dd.dll
  Resource: win11-20250502-en
General
- Target: JaffaCakes118_05895a9a51666b349018181c47a225dd.dll
- Size: 1.8MB
- MD5: 05895a9a51666b349018181c47a225dd
- SHA1: b668dcf35e678feb89d80132bd2caed305b00c4d
- SHA256: 7686f055f8b252f4896523a8991be23fdd27da4cd1c71e012c6f9643c3ba587a
- SHA512: 1fedf71e9ea9a6257bf1c8098e38b2043d9f52f21d06861166eeb626302833c4c58509c720b65d50a27a9db838cd0ffea05b81d5546f5ca787b81fc240a6f73a
- SSDEEP: 12288:oVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1icN:9fP7fWsK5z9A+WGAW+V5SB6Ct4bnbb
Malware Config
Signatures
- Dridex family
  resource | yara_rule
  behavioral1/memory/3580-4-0x00000000009B0000-0x00000000009B1000-memory.dmp | dridex_stager_shellcode
- Executes dropped EXE (4 IoCs)
  pid | Process
  5556 | phoneactivate.exe
  4992 | mfpmp.exe
  4840 | quickassist.exe
  2932 | mfpmp.exe
- Loads dropped DLL (4 IoCs)
  pid | Process
  5556 | phoneactivate.exe
  4992 | mfpmp.exe
  4840 | quickassist.exe
  2932 | mfpmp.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-3299287909-2279959458-198972791-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Rqmyye = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\Windows\\STARTM~1\\Programs\\ACCESS~2\\aJ\\mfpmp.exe" | Process not Found
- Checks whether UAC is enabled (1 TTP, 4 IoCs)
  description | ioc | Process
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | phoneactivate.exe
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | mfpmp.exe
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | quickassist.exe
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | mfpmp.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid | Process
  1460 | regsvr32.exe (6 entries)
  3580 | Process not Found (58 entries)
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid | Process
  3580 | Process not Found
- Suspicious use of AdjustPrivilegeToken (8 IoCs)
  description | pid | Process
  Token: SeShutdownPrivilege | 3580 | Process not Found (4 entries)
  Token: SeCreatePagefilePrivilege | 3580 | Process not Found (4 entries)
- Suspicious use of UnmapMainImage (1 IoC)
  pid | Process
  3580 | Process not Found
- Suspicious use of WriteProcessMemory (16 IoCs; each row is recorded twice)
  description | pid | Process | procid_target
  PID 3580 wrote to memory of 5020 | 3580 | Process not Found | 95
  PID 3580 wrote to memory of 5556 | 3580 | Process not Found | 96
  PID 3580 wrote to memory of 4324 | 3580 | Process not Found | 98
  PID 3580 wrote to memory of 4992 | 3580 | Process not Found | 99
  PID 3580 wrote to memory of 3404 | 3580 | Process not Found | 100
  PID 3580 wrote to memory of 1556 | 3580 | Process not Found | 102
  PID 3580 wrote to memory of 4840 | 3580 | Process not Found | 103
  PID 3404 wrote to memory of 2932 | 3404 | cmd.exe | 104
- Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Windows\system32\regsvr32.exe
  Command line: regsvr32 /s C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_05895a9a51666b349018181c47a225dd.dll
  - Suspicious behavior: EnumeratesProcesses
  PID: 1460
- C:\Windows\system32\phoneactivate.exe
  Command line: C:\Windows\system32\phoneactivate.exe
  PID: 5020
- C:\Users\Admin\AppData\Local\W7Nor\phoneactivate.exe
  Command line: C:\Users\Admin\AppData\Local\W7Nor\phoneactivate.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID: 5556
- C:\Windows\system32\mfpmp.exe
  Command line: C:\Windows\system32\mfpmp.exe
  PID: 4324
- C:\Users\Admin\AppData\Local\ktWtT\mfpmp.exe
  Command line: C:\Users\Admin\AppData\Local\ktWtT\mfpmp.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID: 4992
- C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\ACCESS~2\aJ\mfpmp.exe
  - Suspicious use of WriteProcessMemory
  PID: 3404
  - (child of PID 3404) C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\ACCESS~2\aJ\mfpmp.exe
    Command line: C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\ACCESS~2\aJ\mfpmp.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks whether UAC is enabled
    PID: 2932
- C:\Windows\system32\quickassist.exe
  Command line: C:\Windows\system32\quickassist.exe
  PID: 1556
- C:\Users\Admin\AppData\Local\ypjmI4Lx\quickassist.exe
  Command line: C:\Users\Admin\AppData\Local\ypjmI4Lx\quickassist.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID: 4840
Network
MITRE ATT&CK Enterprise v16
Downloads
- Filesize: 1.8MB
  MD5: 0d4d78dfacafb264d82ae485dd56b20c
  SHA1: b3b28d2e791c4fa8af3ac08674be84785ff112ef
  SHA256: 66b93b38822ea2f28bbe8556c3aabdc93973726a0e9cddbe56f464353b240cc9
  SHA512: d7aff5e9a95e6ce09fded4b97d475a3f0be909330d94b06fe4cbe773041e6244b52594d96da02903a3c1bef0032cbabf1366e0b2a55a9fa5f70b11718ffef213
- Filesize: 107KB
  MD5: 32c31f06e0b68f349f68afdd08e45f3d
  SHA1: e4b642f887e2c1d76b6b4777ade91e3cb3b9e27c
  SHA256: cea83eb34233fed5ebeef8745c7c581a8adbefbcfc0e30e2d30a81000c821017
  SHA512: fe61764b471465b164c9c2202ed349605117d57ceb0eca75acf8bda44e8744c115767ee0caed0b7feb70ba37b477d00805b3fdf0d0fa879dd4c8e3c1dc1c0d26
- Filesize: 1.8MB
  MD5: d655a5e31aeaccada4d7a6a880d83ea7
  SHA1: ffcbfc13b868b5407ff528c02e6744465b34376a
  SHA256: 0b6179fe70e2bc3f68f053ea55b73bebdd80b540574318e7ed68d283773b0da6
  SHA512: 18c08be2c0a371dbfdb458c5eae9bbc02db08983406b83c22391ab4fe963f47ee675d150c4a549c1c80d21e4343eeebf6eb4dab07685a7804a664866b24401dc
- Filesize: 46KB
  MD5: 8f8fd1988973bac0c5244431473b96a5
  SHA1: ce81ea37260d7cafe27612606cf044921ad1304c
  SHA256: 27287ac874cef86be03aee7b6d34fdc3bd208070ed20e44621a305865fb7579e
  SHA512: a91179e1561168b3b58f5ca893bce425d35f4a02aec20ac3d6fb944f5eb3c06b0a1b9d9f3fb9ea87869d65671d2b89b4ae19acf794372bdbd27f5e9756c5a8ab
- Filesize: 1.8MB
  MD5: b0dcced8ccd7b7d0cbbf295ac8397e84
  SHA1: dde1ca34bc74005b69903062671d81df7f2ba445
  SHA256: a23f6fedb648a5e503545932233ff6afa0190751805e11df01970a502b9f6522
  SHA512: 9e054a2e313ea8d17d0c812847c0196e840715929d331ae01db9033f89c1ccaaf40be6124592768de89e9452c4b9d00b673340eeb5e803888ce53607dd350b43
- Filesize: 665KB
  MD5: d1216f9b9a64fd943539cc2b0ddfa439
  SHA1: 6fad9aeb7780bdfd88a9a5a73b35b3e843605e6c
  SHA256: c1e8fda00da574e8759ba262d76b6edc1d5f4a80620730ef0be7527e0d803db2
  SHA512: c5fd7d81d1d478056fcbed0ba887ce551832f0104e7c31753c3c8760b4d63f38324f74e996684042acc8f9682fce8a8c85172741a868257e87d5e0f988c4e567
- Filesize: 1KB
  MD5: d4dda46d1ee76c8d8a4b883bdeb42621
  SHA1: a7c394025d060fa428c708fe0e9b1256ed92cd73
  SHA256: 68b5a9956205a5826e8caead6de7ae4d1422a03364ae7c90c9e9f08ae5da678b
  SHA512: 5b3eae5e6645412da0173a35bb2c19b04f44006447a3a6be76fb5b42e18b7523fa5ed3fdaae78fffe839c6a06fd7b4ccc9304462ec44bb22d05138a564cd7f5a