Analysis
max time kernel: 145s
max time network: 103s
platform: windows11-21h2_x64
resource: win11-20250502-en
resource tags: arch:x64, arch:x86, image:win11-20250502-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 16/05/2025, 10:28
Static task: static1
Behavioral task: behavioral1
  Sample: JaffaCakes118_05895a9a51666b349018181c47a225dd.dll
  Resource: win10v2004-20250502-en
Behavioral task: behavioral2
  Sample: JaffaCakes118_05895a9a51666b349018181c47a225dd.dll
  Resource: win11-20250502-en
General
Target: JaffaCakes118_05895a9a51666b349018181c47a225dd.dll
Size: 1.8MB
MD5: 05895a9a51666b349018181c47a225dd
SHA1: b668dcf35e678feb89d80132bd2caed305b00c4d
SHA256: 7686f055f8b252f4896523a8991be23fdd27da4cd1c71e012c6f9643c3ba587a
SHA512: 1fedf71e9ea9a6257bf1c8098e38b2043d9f52f21d06861166eeb626302833c4c58509c720b65d50a27a9db838cd0ffea05b81d5546f5ca787b81fc240a6f73a
SSDEEP: 12288:oVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1icN:9fP7fWsK5z9A+WGAW+V5SB6Ct4bnbb
Malware Config
Signatures
- Dridex family
  resource: behavioral2/memory/3176-4-0x0000000003220000-0x0000000003221000-memory.dmp
  yara_rule: dridex_stager_shellcode
- Executes dropped EXE (4 IoCs)
  pid 456 wusa.exe; pid 3768 msra.exe; pid 4920 msra.exe; pid 4856 MusNotificationUx.exe
- Loads dropped DLL (3 IoCs)
  pid 456 wusa.exe; pid 3768 msra.exe; pid 4920 msra.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str) \REGISTRY\USER\S-1-5-21-3518521428-3897247806-4080064211-1000\Software\Microsoft\Windows\CurrentVersion\Run\Hmgiyc = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Crypto\\pK2hnxVf\\msra.exe" (process: Process not Found)
- Checks whether UAC is enabled (1 TTP, 3 IoCs)
  Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (process: wusa.exe)
  Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (process: msra.exe)
  Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (process: msra.exe)
- Modifies registry class (2 IoCs)
  Key created \REGISTRY\USER\S-1-5-21-3518521428-3897247806-4080064211-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ (process: Process not Found)
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ (process: Process not Found)
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid 408 regsvr32.exe (4 entries); pid 3176 Process not Found (remaining 60 entries)
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid 3176 Process not Found
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Token: SeShutdownPrivilege and Token: SeCreatePagefilePrivilege, alternating, all for pid 3176 Process not Found (64 entries)
- Suspicious use of UnmapMainImage (1 IoC)
  pid 3176 Process not Found
- Suspicious use of WriteProcessMemory (16 IoCs; each pair below is listed twice in the report)
  PID 3176 (Process not Found) wrote to memory of 4476 (procid_target 83)
  PID 3176 (Process not Found) wrote to memory of 456 (procid_target 84)
  PID 3176 (Process not Found) wrote to memory of 3720 (procid_target 85)
  PID 3176 (Process not Found) wrote to memory of 3768 (procid_target 86)
  PID 3176 (Process not Found) wrote to memory of 4768 (procid_target 87)
  PID 3176 (Process not Found) wrote to memory of 3440 (procid_target 89)
  PID 4768 (cmd.exe) wrote to memory of 4920 (procid_target 90)
  PID 3176 (Process not Found) wrote to memory of 4856 (procid_target 91)
- Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Windows\system32\regsvr32.exe
  Command line: regsvr32 /s C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_05895a9a51666b349018181c47a225dd.dll
  Suspicious behavior: EnumeratesProcesses
  PID: 408
- C:\Windows\system32\wusa.exe
  Command line: C:\Windows\system32\wusa.exe
  PID: 4476
- C:\Users\Admin\AppData\Local\qpz6Cm\wusa.exe
  Command line: C:\Users\Admin\AppData\Local\qpz6Cm\wusa.exe
  Executes dropped EXE; Loads dropped DLL; Checks whether UAC is enabled
  PID: 456
- C:\Windows\system32\msra.exe
  Command line: C:\Windows\system32\msra.exe
  PID: 3720
- C:\Users\Admin\AppData\Local\TuB5\msra.exe
  Command line: C:\Users\Admin\AppData\Local\TuB5\msra.exe
  Executes dropped EXE; Loads dropped DLL; Checks whether UAC is enabled
  PID: 3768
- C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\pK2hnxVf\msra.exe
  Suspicious use of WriteProcessMemory
  PID: 4768
  - C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\pK2hnxVf\msra.exe (child of cmd.exe, PID 4768)
    Command line: C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\pK2hnxVf\msra.exe
    Executes dropped EXE; Loads dropped DLL; Checks whether UAC is enabled
    PID: 4920
- C:\Windows\system32\MusNotificationUx.exe
  Command line: C:\Windows\system32\MusNotificationUx.exe
  PID: 3440
- C:\Users\Admin\AppData\Local\3v5zp\MusNotificationUx.exe
  Command line: C:\Users\Admin\AppData\Local\3v5zp\MusNotificationUx.exe
  Executes dropped EXE
  PID: 4856
Network
MITRE ATT&CK Enterprise v16
Downloads