Analysis
max time kernel: 149s
max time network: 145s
platform: windows10-2004_x64
resource: win10v2004-20250502-en
resource tags: arch:x64, arch:x86, image:win10v2004-20250502-en, locale:en-us, os:windows10-2004-x64, system
submitted: 18/05/2025, 06:14
Static task: static1
Behavioral task: behavioral1
  Sample: JaffaCakes118_06832430a245282f26c426e18fe8adf3.dll
  Resource: win10v2004-20250502-en
General
Target: JaffaCakes118_06832430a245282f26c426e18fe8adf3.dll
Size: 2.1MB
MD5: 06832430a245282f26c426e18fe8adf3
SHA1: 17a79d26577384d3c2471c71b76ba40e99b0acb0
SHA256: 5a815cafd7eee857ea1d7c83212730bb1a98bdfbac3d7e841beaa58445d80fdf
SHA512: 8f25d974949ff54f3af823ee33fdc3f50772569edf4b95ac285d8dee3b714b2c5435fcc22cc8b3a9721f83d04ee610a9063f2797fac17831fce82f736ac158ef
SSDEEP: 12288:gVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1g1:FfP7fWsK5z9A+WGAW+V5SB6Ct4bnbg1
Malware Config
Signatures

Dridex family
  resource: behavioral1/memory/3464-4-0x0000000002F60000-0x0000000002F61000-memory.dmp
  yara_rule: dridex_stager_shellcode
  The stager shellcode is found in the memory of PID 3464, which the sandbox reports throughout as "Process not Found" (a process it did not track as part of the sample's tree). The same PID is the one that writes to every dropped process below, so the injected process, not rundll32.exe itself, drives the rest of the chain.

Executes dropped EXE (4 IoCs)
  pid   Process
  3060  sessionmsg.exe
  5056  RdpSa.exe
  4600  dxgiadaptercache.exe
  2420  RdpSa.exe

Loads dropped DLL (4 IoCs)
  pid   Process
  3060  sessionmsg.exe
  5056  RdpSa.exe
  4600  dxgiadaptercache.exe
  2420  RdpSa.exe
  Each dropped EXE carries the name of a binary that also runs from C:\Windows\system32 in the process tree, sits in a freshly created directory under the user's profile, and loads a dropped DLL. That combination is consistent with DLL side-loading: a legitimate Windows executable copied next to a malicious DLL that it resolves by name.

Adds Run key to start application (2 TTPs, 1 IoC)
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-3920234085-916416549-2700794571-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Qbiudqgjxnqjgk = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\HEnaUBtToVC\\RdpSa.exe"
  Process: Process not Found
  The Run value points at the RdpSa.exe copy under the user's Recent folder, the same file that cmd.exe (PID 4116) launches in the process tree.

Checks whether UAC is enabled (1 TTP, 5 IoCs)
  description         ioc                                                                              Process
  Key value queried   \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA   RdpSa.exe
  Key value queried   \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA   rundll32.exe
  Key value queried   \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA   sessionmsg.exe
  Key value queried   \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA   RdpSa.exe
  Key value queried   \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA   dxgiadaptercache.exe

Modifies registry class (2 IoCs)
  description   ioc                                                                                                    Process
  Key created   \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\                 Process not Found
  Key created   \REGISTRY\USER\S-1-5-21-3920234085-916416549-2700794571-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\   Process not Found

Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid   Process            entries
  3500  rundll32.exe       4
  3464  Process not Found  60

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid   Process
  3464  Process not Found

Suspicious use of AdjustPrivilegeToken (8 IoCs)
  Token                      pid   Process            entries
  SeShutdownPrivilege        3464  Process not Found  4
  SeCreatePagefilePrivilege  3464  Process not Found  4

Suspicious use of FindShellTrayWindow (2 IoCs)
  pid   Process
  3464  Process not Found
  3464  Process not Found

Suspicious use of UnmapMainImage (1 IoC)
  pid   Process
  3464  Process not Found

Suspicious use of WriteProcessMemory (16 IoCs)
  description                         pid   Process            procid_target
  PID 3464 wrote to memory of 1220    3464  Process not Found  91   (x2)
  PID 3464 wrote to memory of 3060    3464  Process not Found  92   (x2)
  PID 3464 wrote to memory of 4344    3464  Process not Found  95   (x2)
  PID 3464 wrote to memory of 5056    3464  Process not Found  96   (x2)
  PID 3464 wrote to memory of 4116    3464  Process not Found  97   (x2)
  PID 3464 wrote to memory of 1156    3464  Process not Found  99   (x2)
  PID 3464 wrote to memory of 4600    3464  Process not Found  100  (x2)
  PID 4116 wrote to memory of 2420    4116  cmd.exe            101  (x2)
  Every process in the tree other than rundll32.exe (3500) is written to by PID 3464; cmd.exe (4116) in turn writes to the RdpSa.exe copy (2420) it starts.

Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times. No task name or action is recorded in this report, so the Run key above is the only persistence artifact with a concrete value.
Processes

All depth-1 processes except rundll32.exe are written to by PID 3464 (see "Suspicious use of WriteProcessMemory"); they appear at the top level only because PID 3464 itself is not part of the tracked tree.

C:\Windows\system32\rundll32.exe
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06832430a245282f26c426e18fe8adf3.dll,#1
  PID: 3500
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses

C:\Windows\system32\sessionmsg.exe
  command line: C:\Windows\system32\sessionmsg.exe
  PID: 1220

C:\Users\Admin\AppData\Local\5Bw8YrpmE\sessionmsg.exe
  command line: C:\Users\Admin\AppData\Local\5Bw8YrpmE\sessionmsg.exe
  PID: 3060
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled

C:\Windows\system32\RdpSa.exe
  command line: C:\Windows\system32\RdpSa.exe
  PID: 4344

C:\Users\Admin\AppData\Local\8VguxgNS6\RdpSa.exe
  command line: C:\Users\Admin\AppData\Local\8VguxgNS6\RdpSa.exe
  PID: 5056
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled

C:\Windows\system32\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\HEnaUBtToVC\RdpSa.exe
  PID: 4116
  - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\HEnaUBtToVC\RdpSa.exe   (child of PID 4116)
      command line: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\HEnaUBtToVC\RdpSa.exe
      PID: 2420
      - Executes dropped EXE
      - Loads dropped DLL
      - Checks whether UAC is enabled

C:\Windows\system32\dxgiadaptercache.exe
  command line: C:\Windows\system32\dxgiadaptercache.exe
  PID: 1156

C:\Users\Admin\AppData\Local\6C6dPJI\dxgiadaptercache.exe
  command line: C:\Users\Admin\AppData\Local\6C6dPJI\dxgiadaptercache.exe
  PID: 4600
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
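The tree above shows a repeatable pattern: each of sessionmsg.exe, RdpSa.exe and dxgiadaptercache.exe runs once from C:\Windows\system32 and again from a new directory under the user's profile, where "Loads dropped DLL" fires, and the Run key points at one of those copies, which cmd.exe then launches. The following Python turns that pattern into detection logic over process-creation and registry telemetry. It is an added example, not part of the sandbox report or of any tool it references; the events are constructed inline from the PIDs and paths in this report, and the list of user-writable roots and the heuristic that a same-named image under system32 is the legitimate original are this example's own assumptions.

```python
"""Detection logic for the side-loading and Run-key persistence pattern in this report.

The telemetry below is constructed from the report's process tree and registry IoCs.
The user-writable roots and the 'same name as a system32 binary' heuristic are
assumptions made for this example, not signatures of the sandbox itself.
"""
import re
from dataclasses import dataclass

SYSTEM32 = "c:\\windows\\system32\\"
# Roots a standard user can write to (assumed list; extend for your environment).
USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\programdata\\")
RUN_KEY_RE = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run(once)?\\", re.I)


@dataclass(frozen=True)
class ProcessEvent:
    pid: int
    image: str         # full path of the executable that started
    cmdline: str = ""  # command line; empty when identical to the image path


@dataclass(frozen=True)
class RegistryEvent:
    key: str   # full path including the value name
    data: str  # REG_SZ data as the sandbox prints it (quotes and doubled backslashes)


# Constructed sample telemetry: PIDs and paths are copied from the process tree above.
PROCESS_EVENTS = [
    ProcessEvent(3500, r"C:\Windows\system32\rundll32.exe",
                 r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06832430a245282f26c426e18fe8adf3.dll,#1"),
    ProcessEvent(1220, r"C:\Windows\system32\sessionmsg.exe"),
    ProcessEvent(3060, r"C:\Users\Admin\AppData\Local\5Bw8YrpmE\sessionmsg.exe"),
    ProcessEvent(4344, r"C:\Windows\system32\RdpSa.exe"),
    ProcessEvent(5056, r"C:\Users\Admin\AppData\Local\8VguxgNS6\RdpSa.exe"),
    ProcessEvent(4116, r"C:\Windows\system32\cmd.exe",
                 r"C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\HEnaUBtToVC\RdpSa.exe"),
    ProcessEvent(2420, r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\HEnaUBtToVC\RdpSa.exe"),
    ProcessEvent(1156, r"C:\Windows\system32\dxgiadaptercache.exe"),
    ProcessEvent(4600, r"C:\Users\Admin\AppData\Local\6C6dPJI\dxgiadaptercache.exe"),
]
# The Run-key IoC from the "Adds Run key to start application" signature.
REGISTRY_EVENTS = [
    RegistryEvent(r"\REGISTRY\USER\S-1-5-21-3920234085-916416549-2700794571-1000"
                  r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Qbiudqgjxnqjgk",
                  r'"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\HEnaUBtToVC\\RdpSa.exe"'),
]


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def normalize_reg_string(data: str) -> str:
    """Strip the quotes and doubled backslashes the sandbox uses when printing REG_SZ data."""
    return data.strip('"').replace("\\\\", "\\")


def in_user_writable_dir(path: str) -> bool:
    return path.lower().startswith(USER_WRITABLE_PREFIXES)


def find_system_binary_copies(events):
    """Processes whose image name matches a binary that also ran from system32 but whose
    image lives in a user-writable directory. Returns (pid, image, pid of the system32 original)."""
    originals = {basename(e.image): e.pid for e in events if e.image.lower().startswith(SYSTEM32)}
    return [(e.pid, e.image, originals[basename(e.image)])
            for e in events
            if basename(e.image) in originals and in_user_writable_dir(e.image)]


def find_run_key_to_user_path(events):
    """Run/RunOnce values whose target lives in a user-writable directory: (value name, target)."""
    hits = []
    for e in events:
        target = normalize_reg_string(e.data)
        if RUN_KEY_RE.search(e.key) and in_user_writable_dir(target):
            hits.append((e.key.rsplit("\\", 1)[-1], target))
    return hits


def find_cmd_launches(events, targets):
    """cmd.exe /c <target>: how the report shows the persisted RdpSa.exe being started (4116 -> 2420)."""
    return [(e.pid, t) for e in events if basename(e.image) == "cmd.exe"
            for t in targets if t.lower() in e.cmdline.lower()]


def triage(proc_events=PROCESS_EVENTS, reg_events=REGISTRY_EVENTS) -> dict:
    copies = find_system_binary_copies(proc_events)
    run_keys = find_run_key_to_user_path(reg_events)
    launches = find_cmd_launches(proc_events, [t for _, t in run_keys])
    return {"sideload_candidates": copies, "run_key_persistence": run_keys, "cmd_launches": launches}


if __name__ == "__main__":
    for section, rows in triage().items():
        print(section)
        for row in rows:
            print("  ", row)
```

On this report's telemetry the side-loading check flags PIDs 3060, 5056, 2420 and 4600, the Run-key check returns the Qbiudqgjxnqjgk value with its RdpSa.exe target, and the cmd.exe check ties that target to PID 4116. Against real endpoint data, replace the "seen under system32 in the same telemetry" heuristic with a maintained list of system32 binary names, since the legitimate original will usually not have run in the same window.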
Network
MITRE ATT&CK Enterprise v16
Downloads
Files recorded during the run; the report lists sizes and hashes only. Three of them are 2.1MB, the size of the submitted DLL.

File 1
  Filesize: 2.1MB
  MD5: 82c69dba4addd292be17e717f6b01a4c
  SHA1: 452ce70fce271ac7dc12bd1ae6cb8f24a518aa8d
  SHA256: 7a89577d859e82fa3e9b7749668f0cfb8e37a9c5abe84c2ecd50e73681ace96f
  SHA512: eb45f1e4c9c4449cad6375f348be186f5fc634cd256799900b73cbd94ddff7116082830b5f69561cd07b3056021f780327bce223b1a6366734403346e19daf4c

File 2
  Filesize: 85KB
  MD5: 480f710806b68dfe478ca1ec7d7e79cc
  SHA1: b4fc97fed2dbff9c4874cb65ede7b50699db37cd
  SHA256: 2416cd4aa577dbb2f8790a61e36fbab2b30bff81a4e1f67a5151c2fec29585bc
  SHA512: 29d3d234ebc45049a533b6a91b246ac043a56b9af67276aaf493b014ae34d73000f99a6b0c0b85d2dfb7fba54811cf8bbdfd167a9eed01a8617b7f05bf2971db

File 3
  Filesize: 2.1MB
  MD5: 93e5746a312d3946a13caf4433d4d552
  SHA1: 5e008fab0d5d422d1f60a6c600b63492d5076677
  SHA256: bea3becafb607750a22da157604921fde2db5d563dc12650eaad1277a89ea368
  SHA512: b04857f5381a68e72aaae662a9404da36855a9af8bc63a7532b28abb8d24028a8ba8f2b55df8e5f79b05ac642113a3545a19c0deaced725fec5a7173c0fbef22

File 4
  Filesize: 230KB
  MD5: e62f89130b7253f7780a862ed9aff294
  SHA1: b031e64a36e93f95f2061be5b0383069efac2070
  SHA256: 4bea9f741fe4ca9d6262477849896b9fa6377326d11af044561c31bde2d994b5
  SHA512: 05649d38a0b5d825bb8442549427b0ff77b139c9dd297b04d6c0fb1415504c95ed750cd79efea2ff514abfc5d1003e6251a3cd871d352dcea06be0cdeb0304f7

File 5
  Filesize: 56KB
  MD5: 5992f5b5d0b296b83877da15b54dd1b4
  SHA1: 0d87be8d4b7aeada4b55d1d05c0539df892f8f82
  SHA256: 32f60eabe54c4d0cd0f0ec29f48f55ca1ad097bf35097247b186fd70426f847c
  SHA512: 4f6da913af530301da1d0638aa2635ada446ebee6e27b5059db5c2b7fe439162ac3b1a595ecf4163a093890df9ac94d9085a53d8c991e48703f9d2691326e7e6

File 6
  Filesize: 2.1MB
  MD5: d25ca7e4707a0269513ee3111771e9e0
  SHA1: dcb4bd0117fac421ae1a9f98bd42b538da694f2f
  SHA256: 53413edab211302dad06cc323b85e0d6192f9ac61efef136ff9510639233aa42
  SHA512: 8341621bfed053a1775b9ab780a9ab885c004bd20782daf04661ebdfed44945e30c160f1cbee79c915653010fdb11ba15af238a8745f78a2b7a00c30a4a19aca

File 7
  Filesize: 1KB
  MD5: 2bb6bd3e310b1bc39cf313266c8cfe76
  SHA1: db936983df668bf0286987e40c477cf0cb715323
  SHA256: 21de56ae32451ba796ba108c4d11b143da88076f59067c5e614c8be50b00057a
  SHA512: 889cdf32c55d07f372cafe9bec5b81adba60595f04f3b32d5967bf396c9342a85c5dcf92ff4000de2b0a2dd1fc441c4435bfc30ab95d38b75ce69e71e7258ef5