Analysis

  • max time kernel: 150s
  • max time network: 104s
  • platform: windows11-21h2_x64
  • resource: win11-20250502-en
  • resource tags: arch:x64, arch:x86, image:win11-20250502-en, locale:en-us, os:windows11-21h2-x64, system
  • submitted: 19/05/2025, 07:52

General

  • Target: JaffaCakes118_06effa778a2a805203c4af335d725d2b.dll
  • Size: 1.9MB
  • MD5: 06effa778a2a805203c4af335d725d2b
  • SHA1: 4e41f99864618fb2b8b3342b67cbfd448dbf6b9e
  • SHA256: b26b58a0fd0811e31a1f53e914784db5736478e1272929ed075f71bc4b48dae9
  • SHA512: 8c8a3a5b53c506af885bddb827f06712383c062b71b9acb99845a3113488ffd7749a7681ae72ea19785940b40ce9610e0b48c2de16b9085121c12fee0167203f
  • SSDEEP: 12288:OVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:TfP7fWsK5z9A+WGAW+V5SB6Ct4bnb

Signatures

  • Dridex

    Dridex (known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

  • Dridex family
  • Dridex Shellcode (1 IoC)

    Detects Dridex payload shellcode injected into the Explorer process.

  • Executes dropped EXE (4 IoCs)
  • Loads dropped DLL (4 IoCs)
  • Adds Run key to start application (2 TTPs, 1 IoC)
  • Checks whether UAC is enabled (1 TTP, 5 IoCs)
  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  • Suspicious use of AdjustPrivilegeToken (64 IoCs)
  • Suspicious use of WriteProcessMemory (16 IoCs)
  • Uses Task Scheduler COM API (1 TTP)

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Windows\system32\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06effa778a2a805203c4af335d725d2b.dll,#1
    PID: 3068
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
  • C:\Windows\system32\LicensingUI.exe
    Command line: C:\Windows\system32\LicensingUI.exe
    PID: 4484
  • C:\Users\Admin\AppData\Local\KGgFOe2\LicensingUI.exe
    Command line: C:\Users\Admin\AppData\Local\KGgFOe2\LicensingUI.exe
    PID: 584
    • Executes dropped EXE
    • Loads dropped DLL
    • Checks whether UAC is enabled
  • C:\Windows\system32\tcmsetup.exe
    Command line: C:\Windows\system32\tcmsetup.exe
    PID: 2176
  • C:\Users\Admin\AppData\Local\9jnHFP2Lj\tcmsetup.exe
    Command line: C:\Users\Admin\AppData\Local\9jnHFP2Lj\tcmsetup.exe
    PID: 2188
    • Executes dropped EXE
    • Loads dropped DLL
    • Checks whether UAC is enabled
  • C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\MICROS~1\TEMPLA~1\LIVECO~1\16\User\SMARTA~1\EtIxCbTf\tcmsetup.exe
    PID: 724
    • Suspicious use of WriteProcessMemory
    • C:\Users\Admin\AppData\Roaming\MICROS~1\TEMPLA~1\LIVECO~1\16\User\SMARTA~1\EtIxCbTf\tcmsetup.exe
      Command line: C:\Users\Admin\AppData\Roaming\MICROS~1\TEMPLA~1\LIVECO~1\16\User\SMARTA~1\EtIxCbTf\tcmsetup.exe
      PID: 6076
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
  • C:\Windows\system32\CloudNotifications.exe
    Command line: C:\Windows\system32\CloudNotifications.exe
    PID: 5504
  • C:\Users\Admin\AppData\Local\cvnSB2\CloudNotifications.exe
    Command line: C:\Users\Admin\AppData\Local\cvnSB2\CloudNotifications.exe
    PID: 4384
    • Executes dropped EXE
    • Loads dropped DLL
    • Checks whether UAC is enabled

MITRE ATT&CK Enterprise v16

Downloads

  • C:\Users\Admin\AppData\Local\9jnHFP2Lj\TAPI32.dll
    Filesize: 1.9MB
    MD5: 8d4d9eb8fcdc81afac7220b2f3a8d964
    SHA1: ba6ce569bdbbdf204d02f51c633fda69229748b4
    SHA256: 3cdf886cff7cb150c588da20966b76a138341423bef3726fa94d9d3c79ff2a35
    SHA512: 47ff448da211453387ba8c1cbef9a1bcb5d8df1e97cfc0f01e1ec5a246a23e0f78b66af310aadd19b03fbcda22001dbffe97da897b83e6898113c2697116e579
  • C:\Users\Admin\AppData\Local\9jnHFP2Lj\tcmsetup.exe
    Filesize: 36KB
    MD5: 03c7803a618a385a21ca632c792d8972
    SHA1: 8b3f67a6e8ca7412487b02b5872d72fb055575f6
    SHA256: b192c79cb20ac634178f1ee45bb89b851f936601a4fc0b30241693e7135b73dc
    SHA512: 9ad56d3d3305ef7db45630e9ff779cedfd17b80e29f91ab056717596a55bb59e968326cc0294543afc490e55a21e2212811ec3b9d54c999d1f57ea07a876908f
  • C:\Users\Admin\AppData\Local\KGgFOe2\DUI70.dll
    Filesize: 2.2MB
    MD5: 0058fe61f0b0bbfbc252b792d6902ab9
    SHA1: cef8220e9e6f239d2c1ff980fe45f66e86ab1af9
    SHA256: 8525fe3fc67ff721e151405c148466e95ff5920fa79846fd75665d3cf80236c6
    SHA512: 4e5a61be3faf8a937b04af96040b83b1b781277174c4ccc9a1ac2123f9a268d4dfa25792043e9fdc6bd5d885a8b87f0a8d4ff97b61196854588ddce0531c47af
  • C:\Users\Admin\AppData\Local\KGgFOe2\LicensingUI.exe
    Filesize: 161KB
    MD5: 6cf5323f1acbeeaddb54389ffeadce84
    SHA1: c39bfdb73a0bf5a31c8e0d0d49aebf3e57bb223c
    SHA256: 0ac952f86c1483b33f94ad1d4fc1fb0cc23e1fe3e36869a7c3bffbc924c4b6e3
    SHA512: b8994318867032dc85d75b345792baf0beb2a354b1ab399e9e48af3d7c8abbee9d19d8024e5807cf1f4f7f825ac221aeebe6ad7c858bd0614c6bdc59299b1500
  • C:\Users\Admin\AppData\Local\cvnSB2\CloudNotifications.exe
    Filesize: 81KB
    MD5: 994b7de0dc2fa74a629825849149689c
    SHA1: b5cffc4428577748efce8acdfba5d6540864e081
    SHA256: 574257f2ab4dc9fb7fd62ad21fd3f011e03666099f55670363f7c83b9e099fc6
    SHA512: be7afc1d122eb077000d877dee2ec1e264122867374821a5d14f16f3f9335f930319c255cc431650a4219c57b2b6b667d33f6d0cfa7433c2d6a6dce4f16261c2
  • C:\Users\Admin\AppData\Local\cvnSB2\UxTheme.dll
    Filesize: 1.9MB
    MD5: 3d869ca5fab4117653cd6928565ce375
    SHA1: 80b38c9ec8eea1898e9e204c534fab30e1c40eb9
    SHA256: 032cbf10aca28fb9bbc3be5712715578d939dd1e637ce6a9a9f2d205dcb31d91
    SHA512: 592a75062b6ffcf8f823c7a530e0e0056f31954359692186266bb7b288dded718e61883a7e8bae14487607a603d8e40030095c4ff882c6f7ebb1f178c9d3828b
  • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Devrec.lnk
    Filesize: 1KB
    MD5: a8ab7ebbf5b7f6ca7b0c65a549f163d9
    SHA1: a77ab0794ef01f880e65734a673e9c145fa862e6
    SHA256: 3d63723ffc285058d96ed7adb77c4f01279d1c64decd8823fb7080befabea87e
    SHA512: d54455fed8832ba8879663889ab9bcf90a8383a0b8b9011f67d4323a3c901fb856f5ae014986f93838aea8a297773eeec2c6a55f03d240a28995821210370918
