Analysis
- max time kernel: 150s
- max time network: 104s
- platform: windows11-21h2_x64
- resource: win11-20250502-en
- resource tags: arch:x64, arch:x86, image:win11-20250502-en, locale:en-us, os:windows11-21h2-x64, system
- submitted: 19/05/2025, 07:52
- Static task: static1
- Behavioral task: behavioral1; Sample: JaffaCakes118_06effa778a2a805203c4af335d725d2b.dll; Resource: win10v2004-20250502-en
- Behavioral task: behavioral2; Sample: JaffaCakes118_06effa778a2a805203c4af335d725d2b.dll; Resource: win11-20250502-en
General
- Target: JaffaCakes118_06effa778a2a805203c4af335d725d2b.dll
- Size: 1.9MB
- MD5: 06effa778a2a805203c4af335d725d2b
- SHA1: 4e41f99864618fb2b8b3342b67cbfd448dbf6b9e
- SHA256: b26b58a0fd0811e31a1f53e914784db5736478e1272929ed075f71bc4b48dae9
- SHA512: 8c8a3a5b53c506af885bddb827f06712383c062b71b9acb99845a3113488ffd7749a7681ae72ea19785940b40ce9610e0b48c2de16b9085121c12fee0167203f
- SSDEEP: 12288:OVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:TfP7fWsK5z9A+WGAW+V5SB6Ct4bnb
Malware Config
Signatures
- Dridex family
  resource: behavioral2/memory/3248-5-0x0000000002B10000-0x0000000002B11000-memory.dmp
  yara_rule: dridex_stager_shellcode
  The rule hit a single 4 KiB page (0x2B10000-0x2B11000) dumped from PID 3248. The sandbox lists that PID only as "Process not Found" (it recorded no image for it), and the same PID is the source of all but one of the WriteProcessMemory events below, so the stager is running inside a process the report cannot name.
- Executes dropped EXE (4 IoCs)
  pid   process
  584   LicensingUI.exe
  2188  tcmsetup.exe
  4384  CloudNotifications.exe
  6076  tcmsetup.exe
- Loads dropped DLL (4 IoCs)
  pid   process
  584   LicensingUI.exe
  2188  tcmsetup.exe
  4384  CloudNotifications.exe
  6076  tcmsetup.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str) by "Process not Found":
  \REGISTRY\USER\S-1-5-21-330179853-1108322181-418488014-1000\Software\Microsoft\Windows\CurrentVersion\Run\Wfsmcetjkwodll = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\TEMPLA~1\\LIVECO~1\\16\\User\\SMARTA~1\\EtIxCbTf\\tcmsetup.exe"
- Checks whether UAC is enabled (1 TTP, 5 IoCs)
  Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
  by: rundll32.exe, LicensingUI.exe, tcmsetup.exe, CloudNotifications.exe, tcmsetup.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid   process             events
  3068  rundll32.exe        4
  3248  Process not Found   60
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid 3248, Process not Found
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  pid 3248 (Process not Found) repeatedly adjusts its own token, alternating SeShutdownPrivilege and SeCreatePagefilePrivilege (32 events each).
- Suspicious use of WriteProcessMemory (16 IoCs)
  Each write below is recorded twice in the report.
  source pid  source process     target pid  procid_target
  3248        Process not Found  4484        83
  3248        Process not Found  584         84
  3248        Process not Found  2176        85
  3248        Process not Found  2188        86
  3248        Process not Found  724         87
  3248        Process not Found  5504        89
  3248        Process not Found  4384        90
  724         cmd.exe            6076        91
- Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
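The following is an added example and not part of the sandbox report: detection logic in Python run over a handful of constructed Sysmon-style events. The event shape, the two benign control records and the regular expressions are assumptions; the Run value and the rundll32 command line are copied from this report. It flags the two properties of the persistence entry and of the initial launch that a hunt query would key on: a start-up target under a user-writable directory written with 8.3 short-name components, and a DLL in the user's Temp directory whose export is invoked by ordinal (#1).

```python
import re

# Constructed sample events (assumption: a Sysmon-like shape with "type",
# "key"/"data" for registry value sets and "cmdline" for process creation;
# this is not the sandbox's own schema). Events 0 and 2 reproduce the Run
# value and the rundll32 command line from this report; 1 and 3 are benign
# controls made up for contrast.
EVENTS = [
    {"type": "registry_set",
     "key": r"\REGISTRY\USER\S-1-5-21-330179853-1108322181-418488014-1000"
            r"\Software\Microsoft\Windows\CurrentVersion\Run\Wfsmcetjkwodll",
     "data": r"C:\Users\Admin\AppData\Roaming\MICROS~1\TEMPLA~1\LIVECO~1\16"
             r"\User\SMARTA~1\EtIxCbTf\tcmsetup.exe"},
    {"type": "registry_set",
     "key": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorUpdater",
     "data": r"C:\Program Files\Vendor\Updater.exe"},
    {"type": "process_create",
     "cmdline": r"rundll32.exe C:\Users\Admin\AppData\Local\Temp"
                r"\JaffaCakes118_06effa778a2a805203c4af335d725d2b.dll,#1"},
    {"type": "process_create",
     "cmdline": r"rundll32.exe C:\Windows\system32\shell32.dll,Control_RunDLL"},
]

# Run or RunOnce value under either hive; group 2 is the value name.
RUN_KEY_RE = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\([^\\]+)$", re.I)
# A path component in 8.3 short form, e.g. MICROS~1 or TEMPLA~1.
SHORT_NAME_RE = re.compile(r"\\[^\\]*~\d+(?=\\|$)")
# Locations an unprivileged user can write to.
USER_WRITABLE_RE = re.compile(r"^[a-z]:\\(users|programdata)\\|\\temp\\", re.I)
# rundll32 <dll>,<entry>; group 1 is the DLL path, group 2 the export.
RUNDLL_RE = re.compile(r"^\S*rundll32(?:\.exe)?\s+(.+?),(\S+)", re.I)


def _unquote(s):
    return s.strip().strip('"')


def run_key_findings(key, data):
    """Reasons a Run/RunOnce value looks like malware persistence (empty if none)."""
    m = RUN_KEY_RE.search(key)
    if not m:
        return []
    target = _unquote(data)
    reasons = []
    if USER_WRITABLE_RE.search(target):
        reasons.append("Run value %r points into a user-writable directory" % m.group(2))
    if SHORT_NAME_RE.search(target):
        reasons.append("Run target is written with 8.3 short-name components")
    return reasons


def rundll32_findings(cmdline):
    """Reasons a rundll32 launch looks like it is running a dropped payload."""
    m = RUNDLL_RE.match(cmdline.strip())
    if not m:
        return []
    dll, entry = _unquote(m.group(1)), m.group(2)
    reasons = []
    if USER_WRITABLE_RE.search(dll):
        reasons.append("rundll32 loads a DLL from a user-writable directory")
    if entry.startswith("#"):
        reasons.append("export is invoked by ordinal (%s), not by name" % entry)
    return reasons


def triage(events):
    """Return {event_index: [reasons]} for every event with at least one finding."""
    findings = {}
    for i, ev in enumerate(events):
        if ev["type"] == "registry_set":
            reasons = run_key_findings(ev["key"], ev["data"])
        elif ev["type"] == "process_create":
            reasons = rundll32_findings(ev["cmdline"])
        else:
            reasons = []
        if reasons:
            findings[i] = reasons
    return findings


if __name__ == "__main__":
    for idx, reasons in triage(EVENTS).items():
        print("event %d (%s):" % (idx, EVENTS[idx]["type"]))
        for r in reasons:
            print("  -", r)
```

Both checks are deliberately path-based rather than name-based: the value name (Wfsmcetjkwodll) and the directory names (EtIxCbTf, KGgFOe2) are random per infection and are useless as indicators, whereas "Run target under %APPDATA%, spelled with short names" and "rundll32 on a Temp DLL by ordinal" survive from one sample to the next.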
Processes
All entries are shown at depth 1 in the report; only tcmsetup.exe (PID 6076) has a recorded parent (cmd.exe, PID 724).
- C:\Windows\system32\rundll32.exe (PID 3068)
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06effa778a2a805203c4af335d725d2b.dll,#1
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
- C:\Windows\system32\LicensingUI.exe (PID 4484)
  command line: C:\Windows\system32\LicensingUI.exe
- C:\Users\Admin\AppData\Local\KGgFOe2\LicensingUI.exe (PID 584)
  command line: C:\Users\Admin\AppData\Local\KGgFOe2\LicensingUI.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
- C:\Windows\system32\tcmsetup.exe (PID 2176)
  command line: C:\Windows\system32\tcmsetup.exe
- C:\Users\Admin\AppData\Local\9jnHFP2Lj\tcmsetup.exe (PID 2188)
  command line: C:\Users\Admin\AppData\Local\9jnHFP2Lj\tcmsetup.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
- C:\Windows\system32\cmd.exe (PID 724)
  command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\MICROS~1\TEMPLA~1\LIVECO~1\16\User\SMARTA~1\EtIxCbTf\tcmsetup.exe
  - Suspicious use of WriteProcessMemory
  - child: C:\Users\Admin\AppData\Roaming\MICROS~1\TEMPLA~1\LIVECO~1\16\User\SMARTA~1\EtIxCbTf\tcmsetup.exe (PID 6076)
    command line: C:\Users\Admin\AppData\Roaming\MICROS~1\TEMPLA~1\LIVECO~1\16\User\SMARTA~1\EtIxCbTf\tcmsetup.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks whether UAC is enabled
- C:\Windows\system32\CloudNotifications.exe (PID 5504)
  command line: C:\Windows\system32\CloudNotifications.exe
- C:\Users\Admin\AppData\Local\cvnSB2\CloudNotifications.exe (PID 4384)
  command line: C:\Users\Admin\AppData\Local\cvnSB2\CloudNotifications.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
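As an added example (not part of this report), the Python below turns the process tree into a detection. Each of the three Windows binaries is launched once from C:\Windows\system32 and then again, as a dropped copy, from a newly created directory under the user's profile, where the report shows it loading a dropped DLL: a system binary executing from outside the Windows directory with an attacker DLL beside it is the side-loading pattern. The process records are constructed from the PIDs and image paths in the tree; the baseline set, the assumption that listing order is launch order, and the function names are assumptions, not anything the sandbox provides.

```python
import ntpath
from collections import defaultdict

# Constructed process-creation records in launch order, copied from the
# process tree in this report (assumption: the order shown is launch order;
# parent PIDs are omitted because the sandbox did not record them, except for
# the cmd.exe -> tcmsetup.exe pair).
PROCESSES = [
    {"pid": 3068, "image": r"C:\Windows\system32\rundll32.exe"},
    {"pid": 4484, "image": r"C:\Windows\system32\LicensingUI.exe"},
    {"pid": 584,  "image": r"C:\Users\Admin\AppData\Local\KGgFOe2\LicensingUI.exe"},
    {"pid": 2176, "image": r"C:\Windows\system32\tcmsetup.exe"},
    {"pid": 2188, "image": r"C:\Users\Admin\AppData\Local\9jnHFP2Lj\tcmsetup.exe"},
    {"pid": 724,  "image": r"C:\Windows\system32\cmd.exe"},
    {"pid": 6076, "image": r"C:\Users\Admin\AppData\Roaming\MICROS~1\TEMPLA~1\LIVECO~1\16"
                           r"\User\SMARTA~1\EtIxCbTf\tcmsetup.exe"},
    {"pid": 5504, "image": r"C:\Windows\system32\CloudNotifications.exe"},
    {"pid": 4384, "image": r"C:\Users\Admin\AppData\Local\cvnSB2\CloudNotifications.exe"},
]

# Assumed baseline of executable names that belong under the Windows directory.
# In a real deployment this set is built from an inventory of
# C:\Windows\System32 (and SysWOW64) on a clean image, not hard-coded.
SYSTEM32_BASELINE = frozenset({
    "rundll32.exe", "cmd.exe", "licensingui.exe", "tcmsetup.exe",
    "cloudnotifications.exe",
})


def _name(image):
    # ntpath handles Windows separators regardless of the host OS.
    return ntpath.basename(image).lower()


def _under_windows_dir(image):
    return image.lower().startswith("c:\\windows\\")


def masquerading_executions(procs, baseline=SYSTEM32_BASELINE):
    """Processes whose image name is a known system binary but whose path is
    outside C:\\Windows: the copy-and-side-load pattern. Returns (pid, image)."""
    return [(p["pid"], p["image"]) for p in procs
            if _name(p["image"]) in baseline and not _under_windows_dir(p["image"])]


def relocated_pairs(procs):
    """Pair each out-of-place execution with the most recent execution of the
    same image name from under C:\\Windows in the same trace, so the analyst
    sees which genuine binary was copied. Needs no baseline: the trace itself
    supplies the reference location. Returns {name: [(original_pid, copy_pid)]}."""
    originals = defaultdict(list)
    pairs = defaultdict(list)
    for p in procs:
        name = _name(p["image"])
        if _under_windows_dir(p["image"]):
            originals[name].append(p["pid"])
        elif originals[name]:
            pairs[name].append((originals[name][-1], p["pid"]))
    return dict(pairs)


if __name__ == "__main__":
    for pid, image in masquerading_executions(PROCESSES):
        print("system binary name outside C:\\Windows: pid %d %s" % (pid, image))
    for name, pairs in relocated_pairs(PROCESSES).items():
        print(name, "original -> copy:", pairs)
```

The baseline check is the one to deploy on endpoints, since it does not depend on the genuine binary having run first; the pairing function is for reading a trace like this one, where the loader runs the real binary immediately before its relocated copy and the pairs make that sequence explicit (4484 to 584, 2176 to 2188 and 6076, 5504 to 4384).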
Network
MITRE ATT&CK Enterprise v16
Downloads
- Filesize: 1.9MB
  MD5: 8d4d9eb8fcdc81afac7220b2f3a8d964
  SHA1: ba6ce569bdbbdf204d02f51c633fda69229748b4
  SHA256: 3cdf886cff7cb150c588da20966b76a138341423bef3726fa94d9d3c79ff2a35
  SHA512: 47ff448da211453387ba8c1cbef9a1bcb5d8df1e97cfc0f01e1ec5a246a23e0f78b66af310aadd19b03fbcda22001dbffe97da897b83e6898113c2697116e579
- Filesize: 36KB
  MD5: 03c7803a618a385a21ca632c792d8972
  SHA1: 8b3f67a6e8ca7412487b02b5872d72fb055575f6
  SHA256: b192c79cb20ac634178f1ee45bb89b851f936601a4fc0b30241693e7135b73dc
  SHA512: 9ad56d3d3305ef7db45630e9ff779cedfd17b80e29f91ab056717596a55bb59e968326cc0294543afc490e55a21e2212811ec3b9d54c999d1f57ea07a876908f
- Filesize: 2.2MB
  MD5: 0058fe61f0b0bbfbc252b792d6902ab9
  SHA1: cef8220e9e6f239d2c1ff980fe45f66e86ab1af9
  SHA256: 8525fe3fc67ff721e151405c148466e95ff5920fa79846fd75665d3cf80236c6
  SHA512: 4e5a61be3faf8a937b04af96040b83b1b781277174c4ccc9a1ac2123f9a268d4dfa25792043e9fdc6bd5d885a8b87f0a8d4ff97b61196854588ddce0531c47af
- Filesize: 161KB
  MD5: 6cf5323f1acbeeaddb54389ffeadce84
  SHA1: c39bfdb73a0bf5a31c8e0d0d49aebf3e57bb223c
  SHA256: 0ac952f86c1483b33f94ad1d4fc1fb0cc23e1fe3e36869a7c3bffbc924c4b6e3
  SHA512: b8994318867032dc85d75b345792baf0beb2a354b1ab399e9e48af3d7c8abbee9d19d8024e5807cf1f4f7f825ac221aeebe6ad7c858bd0614c6bdc59299b1500
- Filesize: 81KB
  MD5: 994b7de0dc2fa74a629825849149689c
  SHA1: b5cffc4428577748efce8acdfba5d6540864e081
  SHA256: 574257f2ab4dc9fb7fd62ad21fd3f011e03666099f55670363f7c83b9e099fc6
  SHA512: be7afc1d122eb077000d877dee2ec1e264122867374821a5d14f16f3f9335f930319c255cc431650a4219c57b2b6b667d33f6d0cfa7433c2d6a6dce4f16261c2
- Filesize: 1.9MB
  MD5: 3d869ca5fab4117653cd6928565ce375
  SHA1: 80b38c9ec8eea1898e9e204c534fab30e1c40eb9
  SHA256: 032cbf10aca28fb9bbc3be5712715578d939dd1e637ce6a9a9f2d205dcb31d91
  SHA512: 592a75062b6ffcf8f823c7a530e0e0056f31954359692186266bb7b288dded718e61883a7e8bae14487607a603d8e40030095c4ff882c6f7ebb1f178c9d3828b
- Filesize: 1KB
  MD5: a8ab7ebbf5b7f6ca7b0c65a549f163d9
  SHA1: a77ab0794ef01f880e65734a673e9c145fa862e6
  SHA256: 3d63723ffc285058d96ed7adb77c4f01279d1c64decd8823fb7080befabea87e
  SHA512: d54455fed8832ba8879663889ab9bcf90a8383a0b8b9011f67d4323a3c901fb856f5ae014986f93838aea8a297773eeec2c6a55f03d240a28995821210370918