Malware Analysis Report

2025-05-28 17:25

Sample ID 250519-jqjnbsvns7
Target JaffaCakes118_06effa778a2a805203c4af335d725d2b
SHA256 b26b58a0fd0811e31a1f53e914784db5736478e1272929ed075f71bc4b48dae9
Tags
dridex botnet defense_evasion payload persistence privilege_escalation trojan
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK (Enterprise Matrix V16)
Analysis: static1 - Detonation Overview, Signatures
Analysis: behavioral1 - Detonation Overview, Command Line, Signatures, Processes, Network, Files
Analysis: behavioral2 - Detonation Overview, Command Line, Signatures, Processes, Network, Files

Analysis Overview

score
10/10

SHA256

b26b58a0fd0811e31a1f53e914784db5736478e1272929ed075f71bc4b48dae9

Threat Level: Known bad

The file JaffaCakes118_06effa778a2a805203c4af335d725d2b was found to be: Known bad.

Malicious Activity Summary

dridex botnet defense_evasion payload persistence privilege_escalation trojan

Dridex family

Dridex

Dridex Shellcode

Loads dropped DLL

Executes dropped EXE

Adds Run key to start application

Checks whether UAC is enabled

Unsigned PE

Event Triggered Execution: Accessibility Features

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of UnmapMainImage

MITRE ATT&CK (Enterprise Matrix V16)

Analysis: static1

Detonation Overview

Reported

2025-05-19 07:52

Signatures

Unsigned PE

Description Indicator Process Target
(no indicator detail recorded)

Analysis: behavioral1

Detonation Overview

Submitted

2025-05-19 07:52

Reported

2025-05-19 07:54

Platform

win10v2004-20250502-en

Max time kernel

150s

Max time network

140s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06effa778a2a805203c4af335d725d2b.dll,#1

Signatures

Dridex

botnet dridex

Dridex family

dridex

Dridex Shellcode

botnet payload
Description Indicator Process Target
(no indicator detail recorded)

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Oumwobogo = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\INTERN~1\\QUICKL~1\\USERPI~1\\IMPLIC~1\\nOLIeNfb\\BDEUNL~1.EXE" N/A N/A

Checks whether UAC is enabled

defense_evasion trojan

Reading EnableLUA is common in benign software; what makes these rows notable is that the readers are the relocated copies of msdt.exe, bdeunlock.exe and osk.exe listed under Files, not just the rundll32.exe host.
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\44HQw\bdeunlock.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Roaming\MICROS~1\INTERN~1\QUICKL~1\USERPI~1\IMPLIC~1\nOLIeNfb\bdeunlock.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\d5V\osk.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\system32\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\F46M28j\msdt.exe N/A

Event Triggered Execution: Accessibility Features

persistence privilege_escalation

The only accessibility binary involved is osk.exe, which this sample uses as a side-loading host (the d5V directory under Files). The report records no Image File Execution Options or debugger value being written, so this is not the sticky-keys style replacement the technique name usually implies; treat the tag as a pointer to the osk.exe copy rather than as evidence of an accessibility-feature hijack.

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A (4 identical rows)
N/A N/A N/A N/A (60 further rows with no process recorded)

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
(no indicator detail recorded)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
(this pair of rows appears 4 times; no process is attributed to any of them)

Suspicious use of UnmapMainImage

Description Indicator Process Target
(no indicator detail recorded)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3548 wrote to memory of 5044 N/A N/A C:\Windows\system32\msdt.exe
PID 3548 wrote to memory of 5044 N/A N/A C:\Windows\system32\msdt.exe
PID 3548 wrote to memory of 5060 N/A N/A C:\Users\Admin\AppData\Local\F46M28j\msdt.exe
PID 3548 wrote to memory of 5060 N/A N/A C:\Users\Admin\AppData\Local\F46M28j\msdt.exe
PID 3548 wrote to memory of 5248 N/A N/A C:\Windows\system32\bdeunlock.exe
PID 3548 wrote to memory of 5248 N/A N/A C:\Windows\system32\bdeunlock.exe
PID 3548 wrote to memory of 5812 N/A N/A C:\Users\Admin\AppData\Local\44HQw\bdeunlock.exe
PID 3548 wrote to memory of 5812 N/A N/A C:\Users\Admin\AppData\Local\44HQw\bdeunlock.exe
PID 3548 wrote to memory of 1060 N/A N/A C:\Windows\system32\cmd.exe
PID 3548 wrote to memory of 1060 N/A N/A C:\Windows\system32\cmd.exe
PID 3548 wrote to memory of 2808 N/A N/A C:\Windows\system32\osk.exe
PID 3548 wrote to memory of 2808 N/A N/A C:\Windows\system32\osk.exe
PID 1060 wrote to memory of 2060 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\MICROS~1\INTERN~1\QUICKL~1\USERPI~1\IMPLIC~1\nOLIeNfb\bdeunlock.exe
PID 1060 wrote to memory of 2060 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\MICROS~1\INTERN~1\QUICKL~1\USERPI~1\IMPLIC~1\nOLIeNfb\bdeunlock.exe
PID 3548 wrote to memory of 1852 N/A N/A C:\Users\Admin\AppData\Local\d5V\osk.exe
PID 3548 wrote to memory of 1852 N/A N/A C:\Users\Admin\AppData\Local\d5V\osk.exe
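The WriteProcessMemory rows above are the only place this report records who started what. Note that the table names cmd.exe as the process behind PID 1060 but never names PID 3548, although 3548 starts every other child; the likeliest reading is a process that existed before detonation and received the injected sample image (the memory dumps under Files show the same 0x140000000-0x1401EC000 region in PID 5564 and PID 3548), which matches Dridex's documented habit of running its loader from a pre-existing process. The script below is an added example by this editor, not code from the Triage report: it parses the rows as copied from the table, rebuilds the parent/child chain, reports parents the sandbox never named, and pairs each System32 binary with the identically named copy launched from AppData by the same parent, which is the side-loading pattern this sample shows. The display label for PID 3548 is an assumption; the report does not name its image.

```python
"""Rebuild the launch/injection chain from the 'Suspicious use of WriteProcessMemory'
table above.  Added example by the editor, not code from the sandbox report."""
import re
from collections import OrderedDict, defaultdict

# Rows copied verbatim from the behavioral1 table (Description | Indicator | Process | Target).
WPM_ROWS = r"""
PID 3548 wrote to memory of 5044 N/A N/A C:\Windows\system32\msdt.exe
PID 3548 wrote to memory of 5044 N/A N/A C:\Windows\system32\msdt.exe
PID 3548 wrote to memory of 5060 N/A N/A C:\Users\Admin\AppData\Local\F46M28j\msdt.exe
PID 3548 wrote to memory of 5060 N/A N/A C:\Users\Admin\AppData\Local\F46M28j\msdt.exe
PID 3548 wrote to memory of 5248 N/A N/A C:\Windows\system32\bdeunlock.exe
PID 3548 wrote to memory of 5248 N/A N/A C:\Windows\system32\bdeunlock.exe
PID 3548 wrote to memory of 5812 N/A N/A C:\Users\Admin\AppData\Local\44HQw\bdeunlock.exe
PID 3548 wrote to memory of 5812 N/A N/A C:\Users\Admin\AppData\Local\44HQw\bdeunlock.exe
PID 3548 wrote to memory of 1060 N/A N/A C:\Windows\system32\cmd.exe
PID 3548 wrote to memory of 1060 N/A N/A C:\Windows\system32\cmd.exe
PID 3548 wrote to memory of 2808 N/A N/A C:\Windows\system32\osk.exe
PID 3548 wrote to memory of 2808 N/A N/A C:\Windows\system32\osk.exe
PID 1060 wrote to memory of 2060 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\MICROS~1\INTERN~1\QUICKL~1\USERPI~1\IMPLIC~1\nOLIeNfb\bdeunlock.exe
PID 1060 wrote to memory of 2060 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\MICROS~1\INTERN~1\QUICKL~1\USERPI~1\IMPLIC~1\nOLIeNfb\bdeunlock.exe
PID 3548 wrote to memory of 1852 N/A N/A C:\Users\Admin\AppData\Local\d5V\osk.exe
PID 3548 wrote to memory of 1852 N/A N/A C:\Users\Admin\AppData\Local\d5V\osk.exe
"""

ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) (\S+) (\S+) (\S+)$")

# Assumption, for display only: the report never names the image behind PID 3548.
SEED_NAMES = {3548: "<pre-existing process, not named in the report>"}


def parse_wpm(text):
    """De-duplicated (parent_pid, child_pid, process, target) tuples in table order.
    Triage logs one row per WriteProcessMemory call, so every child appears twice."""
    seen = OrderedDict()
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            ppid, cpid, _indicator, process, target = m.groups()
            seen.setdefault((int(ppid), int(cpid)), (int(ppid), int(cpid), process, target))
    return list(seen.values())


def launch_chain(rows, seed_names=SEED_NAMES):
    """Map every PID to an image path and every parent to its children."""
    names = dict(seed_names)
    children = defaultdict(list)
    for ppid, cpid, process, target in rows:
        names[cpid] = target                 # the Target column names the child
        if process != "N/A":
            names.setdefault(ppid, process)  # the Process column names the parent
        children[ppid].append(cpid)
    return names, dict(children)


def unnamed_parents(rows):
    """Parents that write into children but are never named themselves: the sandbox did
    not track them, i.e. they existed before the sample ran (an injection target)."""
    named = {cpid for _, cpid, _, _ in rows} | {p for p, _, proc, _ in rows if proc != "N/A"}
    return {ppid for ppid, _, _, _ in rows} - named


def sideload_pairs(rows):
    """System32 binary plus an identically named copy outside Windows, both started by
    the same parent: the DLL side-loading pattern this report shows."""
    by_parent = defaultdict(dict)
    for ppid, _cpid, _process, target in rows:
        base = target.rsplit("\\", 1)[-1].lower()
        slot = "system32" if target.lower().startswith("c:\\windows\\system32\\") else "copy"
        by_parent[ppid].setdefault(base, {})[slot] = target
    return sorted((ppid, base, s["system32"], s["copy"])
                  for ppid, bases in by_parent.items()
                  for base, s in bases.items() if "system32" in s and "copy" in s)


def render(names, children, root, depth=0):
    """Indented text tree rooted at `root`."""
    lines = [f"{'  ' * depth}{root}  {names.get(root, '?')}"]
    for cpid in children.get(root, []):
        lines.extend(render(names, children, cpid, depth + 1))
    return lines


if __name__ == "__main__":
    rows = parse_wpm(WPM_ROWS)
    names, children = launch_chain(rows)
    for root in sorted(unnamed_parents(rows)):
        print("\n".join(render(names, children, root)))
    for ppid, base, original, copy in sideload_pairs(rows):
        print(f"side-load candidate from {ppid}: {base}\n    {original}\n    {copy}")
```

The same parser applies unchanged to the behavioral2 table, where PID 3248 plays the role of 3548 and cmd.exe (PID 724) launches the Roaming copy of tcmsetup.exe.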

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06effa778a2a805203c4af335d725d2b.dll,#1

C:\Windows\system32\msdt.exe

C:\Windows\system32\msdt.exe

C:\Users\Admin\AppData\Local\F46M28j\msdt.exe

C:\Users\Admin\AppData\Local\F46M28j\msdt.exe

C:\Windows\system32\bdeunlock.exe

C:\Windows\system32\bdeunlock.exe

C:\Users\Admin\AppData\Local\44HQw\bdeunlock.exe

C:\Users\Admin\AppData\Local\44HQw\bdeunlock.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\MICROS~1\INTERN~1\QUICKL~1\USERPI~1\IMPLIC~1\nOLIeNfb\BDEUNL~1.EXE

C:\Windows\system32\osk.exe

C:\Windows\system32\osk.exe

C:\Users\Admin\AppData\Roaming\MICROS~1\INTERN~1\QUICKL~1\USERPI~1\IMPLIC~1\nOLIeNfb\bdeunlock.exe

C:\Users\Admin\AppData\Roaming\MICROS~1\INTERN~1\QUICKL~1\USERPI~1\IMPLIC~1\nOLIeNfb\BDEUNL~1.EXE

C:\Users\Admin\AppData\Local\d5V\osk.exe

C:\Users\Admin\AppData\Local\d5V\osk.exe

Network

Country Destination Domain Proto
GB 95.101.63.50:443 www.bing.com tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 c.pki.goog udp
GB 216.58.201.99:80 c.pki.goog tcp

None of the above is attacker infrastructure: www.bing.com and tse1.mm.bing.net are Microsoft endpoints that Windows contacts on its own, 8.8.8.8 is the sandbox resolver, and c.pki.goog serves Google's certificate revocation data. No command-and-control traffic was captured in either detonation, so this report yields host-based indicators only.

Files

How to read this list: each AppData\Local\<random> directory holds a copy of a Windows binary (msdt.exe, bdeunlock.exe, osk.exe here; LicensingUI.exe, tcmsetup.exe, CloudNotifications.exe in behavioral2) next to a DLL named after a Windows DLL (UxTheme.dll, DUI70.dll, TAPI32.dll). The "Loads dropped DLL" signature shows the copies load the DLL beside them rather than the System32 original (DLL search-order hijack). The DLLs are not system files: the two UxTheme.dll copies and the three DUI70.dll copies across both detonations all hash differently, which genuine copies of one system DLL would not. Compare the .exe hashes against the System32 originals to confirm they are unmodified hosts. The Startup-folder .lnk files and the 8.3-style Run key targets are the persistence points; resolve the short names on the host (dir /x) before turning the paths into blocks.

memory/5564-1-0x0000000140000000-0x00000001401EC000-memory.dmp

memory/5564-3-0x0000017191AA0000-0x0000017191AA7000-memory.dmp

memory/3548-6-0x00007FFD681AA000-0x00007FFD681AB000-memory.dmp

memory/3548-4-0x0000000000790000-0x0000000000791000-memory.dmp

memory/3548-15-0x0000000140000000-0x00000001401EC000-memory.dmp

memory/3548-54-0x0000000140000000-0x00000001401EC000-memory.dmp

memory/5060-100-0x000001E96A3A0000-0x000001E96A3A7000-memory.dmp

C:\Users\Admin\AppData\Local\F46M28j\UxTheme.dll

MD5 971630f31fae1f3df254887c7d21a1dc
SHA1 1d0d1858094893f66bcb354ce826f9182bef7f21
SHA256 05831e2d3ef3a6fdebe9b533a6196e7f319f36ec985e7133cb1d5e1015e40319
SHA512 1fc9df0e60f010163832616438898a21a6e9a534ac3df112b48d3ebc0651a3315beef99e5c81f31ea397bb02c3e8b8ce1d9fa74a1deb4f4d5c8e8ebef5f3d9ad

C:\Users\Admin\AppData\Local\F46M28j\msdt.exe

MD5 992c3f0cc8180f2f51156671e027ae75
SHA1 942ec8c2ccfcacd75a1cd86cbe8873aee5115e29
SHA256 6859d1b5d1beaa2985b298f3fcee67f0aac747687a9dec2b4376585e99e9756f
SHA512 1f1b8d39e29274cfc87a9ef1510adb9c530086a421c121523376731c8933c6e234e9146310d3767ce888a8dce7a5713221f4d25e5b7b6398d06ae2be2b99eadf

memory/3548-90-0x0000000000720000-0x0000000000727000-memory.dmp

memory/3548-91-0x00007FFD698E0000-0x00007FFD698F0000-memory.dmp

memory/5564-12-0x0000000140000000-0x00000001401EC000-memory.dmp

memory/3548-N-0x0000000140000000-0x00000001401EC000-memory.dmp for N = 7 to 65 except 12, 15 and 54 (56 dumps of the same ~1.9 MiB image region, the region also dumped from PID 5564)

C:\Users\Admin\AppData\Local\44HQw\DUI70.dll

MD5 16ae9ea4440f4679db776b5a9c469fde
SHA1 9adb65acd5c29c094a6532bd580274d462895659
SHA256 1eb208c5cee20423071f1d60a288096e4fecfc6fe4495caa6b975a59f6b61dc0
SHA512 b2e778bfd82716733ce421fafb9c0f6853267229714696d8974ebe0ebe6047c51488ee900ac23b7e41f977191cfc1786684bd26edd85c8b91f2f58d29203dcb1

memory/5812-112-0x00000263B42F0000-0x00000263B42F7000-memory.dmp

C:\Users\Admin\AppData\Local\44HQw\bdeunlock.exe

MD5 fef5d67150c249db3c1f4b30a2a5a22e
SHA1 41ca037b0229be9338da4d78244b4f0ea5a3d5f3
SHA256 dcfdd67bf3244ff86cadaaea50b43cce5479014ea2021c0c2fb40b7c856e5603
SHA512 4ded9ca87d9d30c31ab2baededaa6e26681741ea1742d80c318173536c643a01bc049e03a03c3b45b3cb8860464a855830e12e87670503e65eedcdd5e9b2d1e7

C:\Users\Admin\AppData\Local\d5V\DUI70.dll

MD5 bc99ee3d529d0e63b2718f83781ffd90
SHA1 a1d8480e3c5e67fa62e9dd48756aea03c6529fdd
SHA256 c0de93766c3f4fdc78db6ba77d713f81d7bc0eaf6719afec7fd83caf999ac6cb
SHA512 e2cc8618998cae69c4562df014fe5b085792625c6ddf5d44bddbe13173d9d6b79eba3ac689adefc4ad4eac97748e489e4239b7514e65ba5c435b543bf919d4bb

C:\Users\Admin\AppData\Local\d5V\osk.exe

MD5 745f2df5beed97b8c751df83938cb418
SHA1 2f9fc33b1bf28e0f14fd75646a7b427ddbe14d25
SHA256 f67ef6e31fa0eaed44bfbab5b908be06b56cbc7d5a16ab2a72334d91f2bb6a51
SHA512 2125d021e6f45a81bd75c9129f4b098ad9aa15c25d270051f4da42458a9737bff44d6adf17aa1f2547715d159fb621829f7cd3b9d42f1521c919549cc7deb228

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Mtazevzulblvkh.lnk

MD5 46f7d7dd933e501c83c22c9012d00f21
SHA1 eed5b17666e1f348c19339b9e325232934c58554
SHA256 454e89d38c21c31a3b02b553b2294795d8a6ace2ae35277c8b8bcb1c3c7cdae8
SHA512 d3ec1ad09a6febb591f41c88a93685456fe313d42e6f1057cdb5cf262b7ecbdeba996ad1dc5be25d1957a39031abb9ad953f10fc12a971c9858669a7503977f5

Analysis: behavioral2

Detonation Overview

Submitted

2025-05-19 07:52

Reported

2025-05-19 07:54

Platform

win11-20250502-en

Max time kernel

150s

Max time network

104s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06effa778a2a805203c4af335d725d2b.dll,#1

Signatures

Dridex

botnet dridex

Dridex family

dridex

Dridex Shellcode

botnet payload
Description Indicator Process Target
(no indicator detail recorded)

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-330179853-1108322181-418488014-1000\Software\Microsoft\Windows\CurrentVersion\Run\Wfsmcetjkwodll = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\TEMPLA~1\\LIVECO~1\\16\\User\\SMARTA~1\\EtIxCbTf\\tcmsetup.exe" N/A N/A

Checks whether UAC is enabled

defense_evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\system32\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\KGgFOe2\LicensingUI.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\9jnHFP2Lj\tcmsetup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\cvnSB2\CloudNotifications.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Roaming\MICROS~1\TEMPLA~1\LIVECO~1\16\User\SMARTA~1\EtIxCbTf\tcmsetup.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A (4 identical rows)
N/A N/A N/A N/A (60 further rows with no process recorded)

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
(no indicator detail recorded)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
(this pair of rows appears 32 times, 64 rows in total; no process is attributed to any of them)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3248 wrote to memory of 4484 N/A N/A C:\Windows\system32\LicensingUI.exe
PID 3248 wrote to memory of 4484 N/A N/A C:\Windows\system32\LicensingUI.exe
PID 3248 wrote to memory of 584 N/A N/A C:\Users\Admin\AppData\Local\KGgFOe2\LicensingUI.exe
PID 3248 wrote to memory of 584 N/A N/A C:\Users\Admin\AppData\Local\KGgFOe2\LicensingUI.exe
PID 3248 wrote to memory of 2176 N/A N/A C:\Windows\system32\tcmsetup.exe
PID 3248 wrote to memory of 2176 N/A N/A C:\Windows\system32\tcmsetup.exe
PID 3248 wrote to memory of 2188 N/A N/A C:\Users\Admin\AppData\Local\9jnHFP2Lj\tcmsetup.exe
PID 3248 wrote to memory of 2188 N/A N/A C:\Users\Admin\AppData\Local\9jnHFP2Lj\tcmsetup.exe
PID 3248 wrote to memory of 724 N/A N/A C:\Windows\system32\cmd.exe
PID 3248 wrote to memory of 724 N/A N/A C:\Windows\system32\cmd.exe
PID 3248 wrote to memory of 5504 N/A N/A C:\Windows\system32\CloudNotifications.exe
PID 3248 wrote to memory of 5504 N/A N/A C:\Windows\system32\CloudNotifications.exe
PID 3248 wrote to memory of 4384 N/A N/A C:\Users\Admin\AppData\Local\cvnSB2\CloudNotifications.exe
PID 3248 wrote to memory of 4384 N/A N/A C:\Users\Admin\AppData\Local\cvnSB2\CloudNotifications.exe
PID 724 wrote to memory of 6076 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\MICROS~1\TEMPLA~1\LIVECO~1\16\User\SMARTA~1\EtIxCbTf\tcmsetup.exe
PID 724 wrote to memory of 6076 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\MICROS~1\TEMPLA~1\LIVECO~1\16\User\SMARTA~1\EtIxCbTf\tcmsetup.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06effa778a2a805203c4af335d725d2b.dll,#1

C:\Windows\system32\LicensingUI.exe

C:\Windows\system32\LicensingUI.exe

C:\Users\Admin\AppData\Local\KGgFOe2\LicensingUI.exe

C:\Users\Admin\AppData\Local\KGgFOe2\LicensingUI.exe

C:\Windows\system32\tcmsetup.exe

C:\Windows\system32\tcmsetup.exe

C:\Users\Admin\AppData\Local\9jnHFP2Lj\tcmsetup.exe

C:\Users\Admin\AppData\Local\9jnHFP2Lj\tcmsetup.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\MICROS~1\TEMPLA~1\LIVECO~1\16\User\SMARTA~1\EtIxCbTf\tcmsetup.exe

C:\Windows\system32\CloudNotifications.exe

C:\Windows\system32\CloudNotifications.exe

C:\Users\Admin\AppData\Local\cvnSB2\CloudNotifications.exe

C:\Users\Admin\AppData\Local\cvnSB2\CloudNotifications.exe

C:\Users\Admin\AppData\Roaming\MICROS~1\TEMPLA~1\LIVECO~1\16\User\SMARTA~1\EtIxCbTf\tcmsetup.exe

C:\Users\Admin\AppData\Roaming\MICROS~1\TEMPLA~1\LIVECO~1\16\User\SMARTA~1\EtIxCbTf\tcmsetup.exe

Network

(no connections recorded in this detonation)

Files

memory/3068-0-0x0000013F0CB70000-0x0000013F0CB77000-memory.dmp

memory/3068-1-0x0000000140000000-0x00000001401EC000-memory.dmp

memory/3068-13-0x0000000140000000-0x00000001401EC000-memory.dmp

memory/3248-4-0x00007FF871EB7000-0x00007FF871EB8000-memory.dmp

memory/3248-5-0x0000000002B10000-0x0000000002B11000-memory.dmp

memory/3248-87-0x0000000002AF0000-0x0000000002AF7000-memory.dmp

memory/3248-88-0x00007FF872530000-0x00007FF872540000-memory.dmp

memory/3248-N-0x0000000140000000-0x00000001401EC000-memory.dmp for N = 7 to 66 except 9, 13, 34, 43 and 45 (55 dumps of the same ~1.9 MiB image region, the region also dumped from PID 3068)

memory/584-95-0x000001E770DB0000-0x000001E770DB7000-memory.dmp

C:\Users\Admin\AppData\Local\KGgFOe2\DUI70.dll

MD5 0058fe61f0b0bbfbc252b792d6902ab9
SHA1 cef8220e9e6f239d2c1ff980fe45f66e86ab1af9
SHA256 8525fe3fc67ff721e151405c148466e95ff5920fa79846fd75665d3cf80236c6
SHA512 4e5a61be3faf8a937b04af96040b83b1b781277174c4ccc9a1ac2123f9a268d4dfa25792043e9fdc6bd5d885a8b87f0a8d4ff97b61196854588ddce0531c47af

C:\Users\Admin\AppData\Local\KGgFOe2\LicensingUI.exe

MD5 6cf5323f1acbeeaddb54389ffeadce84
SHA1 c39bfdb73a0bf5a31c8e0d0d49aebf3e57bb223c
SHA256 0ac952f86c1483b33f94ad1d4fc1fb0cc23e1fe3e36869a7c3bffbc924c4b6e3
SHA512 b8994318867032dc85d75b345792baf0beb2a354b1ab399e9e48af3d7c8abbee9d19d8024e5807cf1f4f7f825ac221aeebe6ad7c858bd0614c6bdc59299b1500

C:\Users\Admin\AppData\Local\9jnHFP2Lj\TAPI32.dll

MD5 8d4d9eb8fcdc81afac7220b2f3a8d964
SHA1 ba6ce569bdbbdf204d02f51c633fda69229748b4
SHA256 3cdf886cff7cb150c588da20966b76a138341423bef3726fa94d9d3c79ff2a35
SHA512 47ff448da211453387ba8c1cbef9a1bcb5d8df1e97cfc0f01e1ec5a246a23e0f78b66af310aadd19b03fbcda22001dbffe97da897b83e6898113c2697116e579

memory/2188-112-0x0000014DEE050000-0x0000014DEE057000-memory.dmp

C:\Users\Admin\AppData\Local\9jnHFP2Lj\tcmsetup.exe

MD5 03c7803a618a385a21ca632c792d8972
SHA1 8b3f67a6e8ca7412487b02b5872d72fb055575f6
SHA256 b192c79cb20ac634178f1ee45bb89b851f936601a4fc0b30241693e7135b73dc
SHA512 9ad56d3d3305ef7db45630e9ff779cedfd17b80e29f91ab056717596a55bb59e968326cc0294543afc490e55a21e2212811ec3b9d54c999d1f57ea07a876908f

memory/3248-9-0x0000000140000000-0x00000001401EC000-memory.dmp

C:\Users\Admin\AppData\Local\cvnSB2\UxTheme.dll

MD5 3d869ca5fab4117653cd6928565ce375
SHA1 80b38c9ec8eea1898e9e204c534fab30e1c40eb9
SHA256 032cbf10aca28fb9bbc3be5712715578d939dd1e637ce6a9a9f2d205dcb31d91
SHA512 592a75062b6ffcf8f823c7a530e0e0056f31954359692186266bb7b288dded718e61883a7e8bae14487607a603d8e40030095c4ff882c6f7ebb1f178c9d3828b

C:\Users\Admin\AppData\Local\cvnSB2\CloudNotifications.exe

MD5 994b7de0dc2fa74a629825849149689c
SHA1 b5cffc4428577748efce8acdfba5d6540864e081
SHA256 574257f2ab4dc9fb7fd62ad21fd3f011e03666099f55670363f7c83b9e099fc6
SHA512 be7afc1d122eb077000d877dee2ec1e264122867374821a5d14f16f3f9335f930319c255cc431650a4219c57b2b6b667d33f6d0cfa7433c2d6a6dce4f16261c2

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Devrec.lnk

MD5 a8ab7ebbf5b7f6ca7b0c65a549f163d9
SHA1 a77ab0794ef01f880e65734a673e9c145fa862e6
SHA256 3d63723ffc285058d96ed7adb77c4f01279d1c64decd8823fb7080befabea87e
SHA512 d54455fed8832ba8879663889ab9bcf90a8383a0b8b9011f67d4323a3c901fb856f5ae014986f93838aea8a297773eeec2c6a55f03d240a28995821210370918
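The Files tables of both detonations and the two Run key rows are the host indicators an analyst would carry out of this report. The script below is an added example by this editor, not code from Triage or from the report: it takes the dropped-file paths and Run values exactly as listed above, groups the AppData directories that hold a system-named .exe next to a system-named .dll (the side-loading drop pattern), pulls out the Startup-folder shortcuts, and flags Run values that point into AppData, use 8.3 short-name components, or reuse a System32 binary name. SYSTEM32_NAMES is an assumed allow-list of the names this sample impersonates; on a live host it would be built from the real C:\Windows\System32 listing.

```python
"""Triage the dropped files and Run key values from both detonations above.
Added example by the editor, not code from the sandbox report."""
import ntpath
import re
from collections import defaultdict

# Paths copied from the Files tables of behavioral1 and behavioral2 (memory dumps omitted).
DROPPED = [
    r"C:\Users\Admin\AppData\Local\F46M28j\UxTheme.dll",
    r"C:\Users\Admin\AppData\Local\F46M28j\msdt.exe",
    r"C:\Users\Admin\AppData\Local\44HQw\DUI70.dll",
    r"C:\Users\Admin\AppData\Local\44HQw\bdeunlock.exe",
    r"C:\Users\Admin\AppData\Local\d5V\DUI70.dll",
    r"C:\Users\Admin\AppData\Local\d5V\osk.exe",
    r"C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Mtazevzulblvkh.lnk",
    r"C:\Users\Admin\AppData\Local\KGgFOe2\DUI70.dll",
    r"C:\Users\Admin\AppData\Local\KGgFOe2\LicensingUI.exe",
    r"C:\Users\Admin\AppData\Local\9jnHFP2Lj\TAPI32.dll",
    r"C:\Users\Admin\AppData\Local\9jnHFP2Lj\tcmsetup.exe",
    r"C:\Users\Admin\AppData\Local\cvnSB2\UxTheme.dll",
    r"C:\Users\Admin\AppData\Local\cvnSB2\CloudNotifications.exe",
    r"C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Devrec.lnk",
]

# Values copied from the two "Adds Run key to start application" rows.
RUN_VALUES = {
    "Oumwobogo": r"C:\Users\Admin\AppData\Roaming\MICROS~1\INTERN~1\QUICKL~1\USERPI~1\IMPLIC~1\nOLIeNfb\BDEUNL~1.EXE",
    "Wfsmcetjkwodll": r"C:\Users\Admin\AppData\Roaming\MICROS~1\TEMPLA~1\LIVECO~1\16\User\SMARTA~1\EtIxCbTf\tcmsetup.exe",
}

# Assumption: names that legitimately live in C:\Windows\System32 (build from a real listing on a host).
SYSTEM32_NAMES = {
    "msdt.exe", "bdeunlock.exe", "osk.exe", "licensingui.exe", "tcmsetup.exe",
    "cloudnotifications.exe", "uxtheme.dll", "dui70.dll", "tapi32.dll",
}

SHORT_NAME_RE = re.compile(r"[A-Z0-9]{1,6}~\d+")  # 8.3 component such as MICROS~1 or BDEUNL~1


def sideload_dirs(paths, system_names=SYSTEM32_NAMES):
    """Directories outside C:\\Windows holding a system-named EXE next to a system-named DLL.
    Returns {directory: (exe_name, dll_name)}."""
    by_dir = defaultdict(dict)
    for path in paths:
        directory, base = ntpath.split(path)
        if base.lower() not in system_names or directory.lower().startswith("c:\\windows"):
            continue
        by_dir[directory]["exe" if base.lower().endswith(".exe") else "dll"] = base
    return {d: (k["exe"], k["dll"]) for d, k in by_dir.items() if "exe" in k and "dll" in k}


def startup_lnks(paths):
    """Shortcuts dropped into a Startup folder (run at every logon)."""
    return [p for p in paths if "\\startup\\" in p.lower() and p.lower().endswith(".lnk")]


def flag_run_values(values, system_names=SYSTEM32_NAMES):
    """{value_name: [reasons]} for Run entries that look like user-land persistence."""
    flagged = {}
    for name, target in values.items():
        low = target.lower()
        reasons = []
        if "\\appdata\\" in low:
            reasons.append("target lives under AppData")
        if SHORT_NAME_RE.search(target):
            reasons.append("8.3 short-name components hide the real directory")
        if ntpath.basename(low) in system_names:
            reasons.append("basename matches a System32 binary (relocated copy)")
        if reasons:
            flagged[name] = reasons
    return flagged


if __name__ == "__main__":
    for directory, (exe, dll) in sideload_dirs(DROPPED).items():
        print(f"side-load drop: {directory}  {exe} + {dll}")
    for lnk in startup_lnks(DROPPED):
        print(f"startup shortcut: {lnk}")
    for name, reasons in flag_run_values(RUN_VALUES).items():
        print(f"Run\\{name}: " + "; ".join(reasons))
```

The 8.3 check matters because the Run value in behavioral1 does not even spell out the executable name (BDEUNL~1.EXE); a hunt that matches on "bdeunlock.exe" in Run values would miss it, so match on the directory pattern and resolve short names on the host.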