Analysis
Max time kernel: 150s
Max time network: 140s
Platform: windows10-2004_x64
Resource: win10v2004-20250502-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20250502-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 19/05/2025, 07:52
Static task: static1
Behavioral task: behavioral1
  Sample: JaffaCakes118_06effa778a2a805203c4af335d725d2b.dll
  Resource: win10v2004-20250502-en
Behavioral task: behavioral2
  Sample: JaffaCakes118_06effa778a2a805203c4af335d725d2b.dll
  Resource: win11-20250502-en
General
Target: JaffaCakes118_06effa778a2a805203c4af335d725d2b.dll
Size: 1.9MB
MD5: 06effa778a2a805203c4af335d725d2b
SHA1: 4e41f99864618fb2b8b3342b67cbfd448dbf6b9e
SHA256: b26b58a0fd0811e31a1f53e914784db5736478e1272929ed075f71bc4b48dae9
SHA512: 8c8a3a5b53c506af885bddb827f06712383c062b71b9acb99845a3113488ffd7749a7681ae72ea19785940b40ce9610e0b48c2de16b9085121c12fee0167203f
SSDEEP: 12288:OVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:TfP7fWsK5z9A+WGAW+V5SB6Ct4bnb
Malware Config
Signatures

Dridex family
  resource | yara_rule
  behavioral1/memory/3548-4-0x0000000000790000-0x0000000000791000-memory.dmp | dridex_stager_shellcode

Executes dropped EXE (4 IoCs)
  pid | Process
  5060 | msdt.exe
  5812 | bdeunlock.exe
  2060 | bdeunlock.exe
  1852 | osk.exe

Loads dropped DLL (4 IoCs)
  pid | Process
  5060 | msdt.exe
  5812 | bdeunlock.exe
  2060 | bdeunlock.exe
  1852 | osk.exe

Adds Run key to start application (2 TTPs, 1 IoC)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Oumwobogo = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\INTERN~1\\QUICKL~1\\USERPI~1\\IMPLIC~1\\nOLIeNfb\\BDEUNL~1.EXE" | Process not Found

Checks whether UAC is enabled (1 TTP, 5 IoCs)
  description | ioc | Process
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | bdeunlock.exe
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | bdeunlock.exe
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | osk.exe
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | rundll32.exe
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | msdt.exe

Event Triggered Execution: Accessibility Features (1 TTP)
  Windows contains accessibility features that may be used by adversaries to establish persistence and/or elevate privileges.

Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid | Process
  5564 | rundll32.exe
  5564 | rundll32.exe
  5564 | rundll32.exe
  5564 | rundll32.exe
  3548 | Process not Found (this row is repeated for every remaining entry)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid | Process
  3548 | Process not Found

Suspicious use of AdjustPrivilegeToken (8 IoCs)
  description | pid | Process
  Token: SeShutdownPrivilege | 3548 | Process not Found
  Token: SeCreatePagefilePrivilege | 3548 | Process not Found
  Token: SeShutdownPrivilege | 3548 | Process not Found
  Token: SeCreatePagefilePrivilege | 3548 | Process not Found
  Token: SeShutdownPrivilege | 3548 | Process not Found
  Token: SeCreatePagefilePrivilege | 3548 | Process not Found
  Token: SeShutdownPrivilege | 3548 | Process not Found
  Token: SeCreatePagefilePrivilege | 3548 | Process not Found

Suspicious use of UnmapMainImage (1 IoC)
  pid | Process
  3548 | Process not Found

Suspicious use of WriteProcessMemory (16 IoCs; each row below appears twice in the report)
  description | pid | Process | procid_target
  PID 3548 wrote to memory of 5044 | 3548 | Process not Found | 93
  PID 3548 wrote to memory of 5060 | 3548 | Process not Found | 94
  PID 3548 wrote to memory of 5248 | 3548 | Process not Found | 96
  PID 3548 wrote to memory of 5812 | 3548 | Process not Found | 98
  PID 3548 wrote to memory of 1060 | 3548 | Process not Found | 99
  PID 3548 wrote to memory of 2808 | 3548 | Process not Found | 101
  PID 1060 wrote to memory of 2060 | 1060 | cmd.exe | 102
  PID 3548 wrote to memory of 1852 | 3548 | Process not Found | 103

Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06effa778a2a805203c4af335d725d2b.dll,#1
  PID: 5564
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses

C:\Windows\system32\msdt.exe
  Command line: C:\Windows\system32\msdt.exe
  PID: 5044

C:\Users\Admin\AppData\Local\F46M28j\msdt.exe
  Command line: C:\Users\Admin\AppData\Local\F46M28j\msdt.exe
  PID: 5060
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled

C:\Windows\system32\bdeunlock.exe
  Command line: C:\Windows\system32\bdeunlock.exe
  PID: 5248

C:\Users\Admin\AppData\Local\44HQw\bdeunlock.exe
  Command line: C:\Users\Admin\AppData\Local\44HQw\bdeunlock.exe
  PID: 5812
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled

C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\MICROS~1\INTERN~1\QUICKL~1\USERPI~1\IMPLIC~1\nOLIeNfb\BDEUNL~1.EXE
  PID: 1060
  - Suspicious use of WriteProcessMemory
    Child: C:\Users\Admin\AppData\Roaming\MICROS~1\INTERN~1\QUICKL~1\USERPI~1\IMPLIC~1\nOLIeNfb\bdeunlock.exe
      Command line: C:\Users\Admin\AppData\Roaming\MICROS~1\INTERN~1\QUICKL~1\USERPI~1\IMPLIC~1\nOLIeNfb\BDEUNL~1.EXE
      PID: 2060
      - Executes dropped EXE
      - Loads dropped DLL
      - Checks whether UAC is enabled

C:\Windows\system32\osk.exe
  Command line: C:\Windows\system32\osk.exe
  PID: 2808

C:\Users\Admin\AppData\Local\d5V\osk.exe
  Command line: C:\Users\Admin\AppData\Local\d5V\osk.exe
  PID: 1852
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
Network
MITRE ATT&CK Enterprise v16
Persistence
  Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
  Event Triggered Execution (1): Accessibility Features (1)