Malware Analysis Report

2025-05-28 17:25

Sample ID 250518-gzaqnsep3s
Target JaffaCakes118_06832430a245282f26c426e18fe8adf3
SHA256 5a815cafd7eee857ea1d7c83212730bb1a98bdfbac3d7e841beaa58445d80fdf
Tags
dridex botnet defense_evasion payload persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V16

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

5a815cafd7eee857ea1d7c83212730bb1a98bdfbac3d7e841beaa58445d80fdf

Threat Level: Known bad

The file JaffaCakes118_06832430a245282f26c426e18fe8adf3 was found to be: Known bad.

Malicious Activity Summary

dridex botnet defense_evasion payload persistence trojan

Dridex

Dridex family

Dridex Shellcode

Executes dropped EXE

Loads dropped DLL

Checks whether UAC is enabled

Adds Run key to start application

Unsigned PE

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Modifies registry class

Suspicious use of UnmapMainImage

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-05-18 06:14

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-05-18 06:14

Reported

2025-05-18 06:16

Platform

win10v2004-20250502-en

Max time kernel

149s

Max time network

145s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06832430a245282f26c426e18fe8adf3.dll,#1

Signatures

Dridex

botnet dridex

Dridex family

dridex

Dridex Shellcode

botnet payload

Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence

Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3920234085-916416549-2700794571-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Qbiudqgjxnqjgk = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\HEnaUBtToVC\\RdpSa.exe" N/A N/A

Checks whether UAC is enabled

defense_evasion trojan

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\HEnaUBtToVC\RdpSa.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\system32\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\5Bw8YrpmE\sessionmsg.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\8VguxgNS6\RdpSa.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\6C6dPJI\dxgiadaptercache.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ N/A N/A
Key created \REGISTRY\USER\S-1-5-21-3920234085-916416549-2700794571-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ N/A N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of UnmapMainImage

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3464 wrote to memory of 1220 N/A N/A C:\Windows\system32\sessionmsg.exe
PID 3464 wrote to memory of 1220 N/A N/A C:\Windows\system32\sessionmsg.exe
PID 3464 wrote to memory of 3060 N/A N/A C:\Users\Admin\AppData\Local\5Bw8YrpmE\sessionmsg.exe
PID 3464 wrote to memory of 3060 N/A N/A C:\Users\Admin\AppData\Local\5Bw8YrpmE\sessionmsg.exe
PID 3464 wrote to memory of 4344 N/A N/A C:\Windows\system32\RdpSa.exe
PID 3464 wrote to memory of 4344 N/A N/A C:\Windows\system32\RdpSa.exe
PID 3464 wrote to memory of 5056 N/A N/A C:\Users\Admin\AppData\Local\8VguxgNS6\RdpSa.exe
PID 3464 wrote to memory of 5056 N/A N/A C:\Users\Admin\AppData\Local\8VguxgNS6\RdpSa.exe
PID 3464 wrote to memory of 4116 N/A N/A C:\Windows\system32\cmd.exe
PID 3464 wrote to memory of 4116 N/A N/A C:\Windows\system32\cmd.exe
PID 3464 wrote to memory of 1156 N/A N/A C:\Windows\system32\dxgiadaptercache.exe
PID 3464 wrote to memory of 1156 N/A N/A C:\Windows\system32\dxgiadaptercache.exe
PID 3464 wrote to memory of 4600 N/A N/A C:\Users\Admin\AppData\Local\6C6dPJI\dxgiadaptercache.exe
PID 3464 wrote to memory of 4600 N/A N/A C:\Users\Admin\AppData\Local\6C6dPJI\dxgiadaptercache.exe
PID 4116 wrote to memory of 2420 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\HEnaUBtToVC\RdpSa.exe
PID 4116 wrote to memory of 2420 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\HEnaUBtToVC\RdpSa.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06832430a245282f26c426e18fe8adf3.dll,#1

C:\Windows\system32\sessionmsg.exe

C:\Windows\system32\sessionmsg.exe

C:\Users\Admin\AppData\Local\5Bw8YrpmE\sessionmsg.exe

C:\Users\Admin\AppData\Local\5Bw8YrpmE\sessionmsg.exe

C:\Windows\system32\RdpSa.exe

C:\Windows\system32\RdpSa.exe

C:\Users\Admin\AppData\Local\8VguxgNS6\RdpSa.exe

C:\Users\Admin\AppData\Local\8VguxgNS6\RdpSa.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\HEnaUBtToVC\RdpSa.exe

C:\Windows\system32\dxgiadaptercache.exe

C:\Windows\system32\dxgiadaptercache.exe

C:\Users\Admin\AppData\Local\6C6dPJI\dxgiadaptercache.exe

C:\Users\Admin\AppData\Local\6C6dPJI\dxgiadaptercache.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\HEnaUBtToVC\RdpSa.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\HEnaUBtToVC\RdpSa.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 150.171.27.10:443 g.bing.com tcp
GB 2.18.27.82:443 www.bing.com tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.178.3:80 c.pki.goog tcp

Files

C:\Users\Admin\AppData\Local\5Bw8YrpmE\DUser.dll

MD5 82c69dba4addd292be17e717f6b01a4c
SHA1 452ce70fce271ac7dc12bd1ae6cb8f24a518aa8d
SHA256 7a89577d859e82fa3e9b7749668f0cfb8e37a9c5abe84c2ecd50e73681ace96f
SHA512 eb45f1e4c9c4449cad6375f348be186f5fc634cd256799900b73cbd94ddff7116082830b5f69561cd07b3056021f780327bce223b1a6366734403346e19daf4c

C:\Users\Admin\AppData\Local\5Bw8YrpmE\sessionmsg.exe

MD5 480f710806b68dfe478ca1ec7d7e79cc
SHA1 b4fc97fed2dbff9c4874cb65ede7b50699db37cd
SHA256 2416cd4aa577dbb2f8790a61e36fbab2b30bff81a4e1f67a5151c2fec29585bc
SHA512 29d3d234ebc45049a533b6a91b246ac043a56b9af67276aaf493b014ae34d73000f99a6b0c0b85d2dfb7fba54811cf8bbdfd167a9eed01a8617b7f05bf2971db

C:\Users\Admin\AppData\Local\8VguxgNS6\RdpSa.exe

MD5 5992f5b5d0b296b83877da15b54dd1b4
SHA1 0d87be8d4b7aeada4b55d1d05c0539df892f8f82
SHA256 32f60eabe54c4d0cd0f0ec29f48f55ca1ad097bf35097247b186fd70426f847c
SHA512 4f6da913af530301da1d0638aa2635ada446ebee6e27b5059db5c2b7fe439162ac3b1a595ecf4163a093890df9ac94d9085a53d8c991e48703f9d2691326e7e6

C:\Users\Admin\AppData\Local\8VguxgNS6\WINSTA.dll

MD5 d25ca7e4707a0269513ee3111771e9e0
SHA1 dcb4bd0117fac421ae1a9f98bd42b538da694f2f
SHA256 53413edab211302dad06cc323b85e0d6192f9ac61efef136ff9510639233aa42
SHA512 8341621bfed053a1775b9ab780a9ab885c004bd20782daf04661ebdfed44945e30c160f1cbee79c915653010fdb11ba15af238a8745f78a2b7a00c30a4a19aca

C:\Users\Admin\AppData\Local\6C6dPJI\dxgiadaptercache.exe

MD5 e62f89130b7253f7780a862ed9aff294
SHA1 b031e64a36e93f95f2061be5b0383069efac2070
SHA256 4bea9f741fe4ca9d6262477849896b9fa6377326d11af044561c31bde2d994b5
SHA512 05649d38a0b5d825bb8442549427b0ff77b139c9dd297b04d6c0fb1415504c95ed750cd79efea2ff514abfc5d1003e6251a3cd871d352dcea06be0cdeb0304f7

C:\Users\Admin\AppData\Local\6C6dPJI\dxgi.dll

MD5 93e5746a312d3946a13caf4433d4d552
SHA1 5e008fab0d5d422d1f60a6c600b63492d5076677
SHA256 bea3becafb607750a22da157604921fde2db5d563dc12650eaad1277a89ea368
SHA512 b04857f5381a68e72aaae662a9404da36855a9af8bc63a7532b28abb8d24028a8ba8f2b55df8e5f79b05ac642113a3545a19c0deaced725fec5a7173c0fbef22

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Blvbmxtedwvmqje.lnk

MD5 2bb6bd3e310b1bc39cf313266c8cfe76
SHA1 db936983df668bf0286987e40c477cf0cb715323
SHA256 21de56ae32451ba796ba108c4d11b143da88076f59067c5e614c8be50b00057a
SHA512 889cdf32c55d07f372cafe9bec5b81adba60595f04f3b32d5967bf396c9342a85c5dcf92ff4000de2b0a2dd1fc441c4435bfc30ab95d38b75ce69e71e7258ef5