Analysis

  • max time kernel
    145s
  • max time network
    103s
  • platform
    windows11-21h2_x64
  • resource
    win11-20250502-en
  • resource tags
    arch:x64, arch:x86, image:win11-20250502-en, locale:en-us, os:windows11-21h2-x64, system
  • submitted
    16/05/2025, 10:28

General

  • Target

    JaffaCakes118_05895a9a51666b349018181c47a225dd.dll

  • Size

    1.8MB

  • MD5

    05895a9a51666b349018181c47a225dd

  • SHA1

    b668dcf35e678feb89d80132bd2caed305b00c4d

  • SHA256

    7686f055f8b252f4896523a8991be23fdd27da4cd1c71e012c6f9643c3ba587a

  • SHA512

    1fedf71e9ea9a6257bf1c8098e38b2043d9f52f21d06861166eeb626302833c4c58509c720b65d50a27a9db838cd0ffea05b81d5546f5ca787b81fc240a6f73a

  • SSDEEP

    12288:oVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1icN:9fP7fWsK5z9A+WGAW+V5SB6Ct4bnbb

Malware Config

Signatures

  • Dridex

    Dridex (also known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

  • Dridex family
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks whether UAC is enabled 1 TTPs 3 IoCs
  • Modifies registry class 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Windows\system32\regsvr32.exe
    regsvr32 /s C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_05895a9a51666b349018181c47a225dd.dll
    PID:408
    • Suspicious behavior: EnumeratesProcesses
  • C:\Windows\system32\wusa.exe
    C:\Windows\system32\wusa.exe
    PID:4476
  • C:\Users\Admin\AppData\Local\qpz6Cm\wusa.exe
    C:\Users\Admin\AppData\Local\qpz6Cm\wusa.exe
    PID:456
    • Executes dropped EXE
    • Loads dropped DLL
    • Checks whether UAC is enabled
  • C:\Windows\system32\msra.exe
    C:\Windows\system32\msra.exe
    PID:3720
  • C:\Users\Admin\AppData\Local\TuB5\msra.exe
    C:\Users\Admin\AppData\Local\TuB5\msra.exe
    PID:3768
    • Executes dropped EXE
    • Loads dropped DLL
    • Checks whether UAC is enabled
  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\pK2hnxVf\msra.exe
    PID:4768
    • Suspicious use of WriteProcessMemory
    • C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\pK2hnxVf\msra.exe
      C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\pK2hnxVf\msra.exe
      PID:4920
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
  • C:\Windows\system32\MusNotificationUx.exe
    C:\Windows\system32\MusNotificationUx.exe
    PID:3440
  • C:\Users\Admin\AppData\Local\3v5zp\MusNotificationUx.exe
    C:\Users\Admin\AppData\Local\3v5zp\MusNotificationUx.exe
    PID:4856
    • Executes dropped EXE

Network

MITRE ATT&CK Enterprise v16

Downloads

  • C:\Users\Admin\AppData\Local\3v5zp\MusNotificationUx.exe
    Filesize: 552KB
    MD5: 3a7a37e56522dd8c1fba1e29c2e07310
    SHA1: 7f20d25cc7e75cf7f2eaaebe4c325a9f6f356a5a
    SHA256: 8bf9d26a4bdc399ea5430d4e09f1bd4c5a1c3f2fe2672c510de6611554809b34
    SHA512: 65340cf36a072a56c43a6da8a1aa560f89fc907a3b18b4f8c13b84beb9c1bff53247ace2aa3f7d9fc640c086119741d573ee6a3f6805e334ae26021627132de7
  • C:\Users\Admin\AppData\Local\3v5zp\XmlLite.dll
    Filesize: 1.8MB
    MD5: 466a2b040952a64fa99b57d9c564c9bf
    SHA1: 5ec5436d6937315d0216b71924af1b0a8205c976
    SHA256: 5e541795221359fcc7c94d0ee9c6316e45ec50604691e42227055802492542a1
    SHA512: b79db31c906c8f91e0e3f8103e4e7730a2adf269ea965b9ac563bda8130050beac62ff3705f2dc167f66ff15f2dfd3f05126d6d21c0930eae367e247f0d00b21
  • C:\Users\Admin\AppData\Local\TuB5\UxTheme.dll
    Filesize: 1.8MB
    MD5: ad5159299c26d1b247a381c168506623
    SHA1: 8c3dcab3228068259eba6f77677d71c70f0d4985
    SHA256: 7319df49fe6bda1fdb251dc86e86fc8282efbf34dd51507b45571a0c5ad16904
    SHA512: d787bb21c35a82f51a60cfac42b814e1cad2c36d9c05f3a3bc658c01c03458ae7dd14f52021e48f98b341de1546f3f993bff4334b74f20e350e65874d2a761aa
  • C:\Users\Admin\AppData\Local\qpz6Cm\WTSAPI32.dll
    Filesize: 1.8MB
    MD5: 9e432185c3554d8c9bb2ad5cf6e7f369
    SHA1: c8bad84edbaced02a312fc681e9b24d566c01156
    SHA256: 1df0350169a64c9e93263f9aea3d55527ce9148bdc6778f4780d02b49be2256f
    SHA512: b72ca31b68a135ce9e24213bd750d1b5acea04c1ec82da1b874beae18833005b44b87fdbc08388e89c22f16d641c9abd58ca57464578eb33dd1dbf07e7547f05
  • C:\Users\Admin\AppData\Local\qpz6Cm\wusa.exe
    Filesize: 184KB
    MD5: 297ce1cb7c6ce8ef6f5655ec78e4c667
    SHA1: 986422155a1509a0ee0dfe8098623f1158ad69c5
    SHA256: 50af95b82a9fc4f25b5443b2582bc76ef8fdd64792bb8da9b64ec7312da37452
    SHA512: 2e436801f2f64e816b0f4b80dbe60d350c1d48956d059e55a25c8d1d66311cbd6b59ed1deeec2524c6dedb7efc97ceca5e061f70be06fa7e4872cfa8079519cb
  • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Bmwfmsvcld.lnk
    Filesize: 1KB
    MD5: 2955cb4725d774954c60faf6d042c3d5
    SHA1: dd3bd2949f6b8b20558db2a3a5135bb99041a9c5
    SHA256: a5bfebabd4f2a071d3623b508ad8d88fe80d8756c4150521222792812180bfe5
    SHA512: a70a16a487a160eb33ad8324c95eacb82c3d9109eb8019c5885444f402bbc5dd19d7124d3daef19db3a713f6bda6a6c0004ba1a8d5d0a9e87267fed5a98b92b7
  • C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\pK2hnxVf\msra.exe
    Filesize: 624KB
    MD5: e401bb7f426a3a20c992dd8912ed0e62
    SHA1: 64ec59c88afe708b20e9df4349dee59ca217ee78
    SHA256: 5ad43163063b6caa94102c480f3738848565e72898c021968ec29d53ae133df6
    SHA512: 1cb68867ba3572341d72cc15c0bff2ddd561f16b5e92b90d6ee6459341f87bda357fa7c997f48fad9ef29e88c1eb3ccd5d7f9796155ff802236f3bde0c3b1793
