Analysis Overview
SHA256: a99d97ddfd8fe18d735e8f849a532558f3b6f71b105770d391957c160708bcbc
Threat Level: Shows suspicious behavior
The file b9b275c08efd0e570023ea72b87d11ca_JaffaCakes118 was classified as: Shows suspicious behavior.
Malicious Activity Summary
Loads dropped DLL
Executes dropped EXE
Adds Run key to start application
Drops file in System32 directory
Unsigned PE
Program crash
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of UnmapMainImage
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported: 2024-04-04 13:37
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted: 2024-04-04 13:37
Reported: 2024-04-04 13:40
Platform: win7-20240221-en
Max time kernel: 155s
Max time network: 131s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\RMAcerpt\autoPlay.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\~677A.tmp | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cleaethc.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b9b275c08efd0e570023ea72b87d11ca_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\RMAcerpt\autoPlay.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Run\PATHhone = "C:\\Users\\Admin\\AppData\\Roaming\\RMAcerpt\\autoPlay.exe" | C:\Users\Admin\AppData\Local\Temp\b9b275c08efd0e570023ea72b87d11ca_JaffaCakes118.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Windows\SysWOW64\cleaethc.exe | C:\Users\Admin\AppData\Local\Temp\b9b275c08efd0e570023ea72b87d11ca_JaffaCakes118.exe | N/A |
Program crash
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\b9b275c08efd0e570023ea72b87d11ca_JaffaCakes118.exe |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\RMAcerpt\autoPlay.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
|---|---|
| C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE |
| C:\Users\Admin\AppData\Local\Temp\b9b275c08efd0e570023ea72b87d11ca_JaffaCakes118.exe | "C:\Users\Admin\AppData\Local\Temp\b9b275c08efd0e570023ea72b87d11ca_JaffaCakes118.exe" |
| C:\Users\Admin\AppData\Roaming\RMAcerpt\autoPlay.exe | "C:\Users\Admin\AppData\Roaming\RMAcerpt" |
| C:\Users\Admin\AppData\Local\Temp\~677A.tmp | 1196 250376 2396 1 |
| C:\Windows\SysWOW64\cleaethc.exe | C:\Windows\SysWOW64\cleaethc.exe -s |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 1416 -s 252 |
Network
Files
\Users\Admin\AppData\Roaming\RMAcerpt\autoPlay.exe
| Hash | Value |
|---|---|
| MD5 | 219f0b1f8afe41cd45c07cbc09a5e24e |
| SHA1 | 9bba33be75c3cd1268d41160979b828608d0602e |
| SHA256 | 8b8055bb0ed200ddeb2832e6b3bc64d54b2a61ecc6840531fa5d96a0eb7e6a75 |
| SHA512 | 62d18ba97803d430804ed6bdb2444fbd5b5cf4fe2bea5b758c08a2cc5ca7ba64d3e60d8df18beb2b17d2d78f6a475c2ffe2c3688338066bf6777c019864f43f7 |
\Users\Admin\AppData\Local\Temp\~677A.tmp
| Hash | Value |
|---|---|
| MD5 | aac3165ece2959f39ff98334618d10d9 |
| SHA1 | 020a191bfdc70c1fbd3bf74cd7479258bd197f51 |
| SHA256 | 96fa6a7714670823c83099ea01d24d6d3ae8fef027f01a4ddac14f123b1c9974 |
| SHA512 | 9eb876812a6a13dd4b090788c2b1d9e9a2e25370598ed5c040f82e6f378edc4b78d58bc8f60d5a559ea57b1edcf3a144bfe09454a9928997173db8279d5b40cf |
Analysis: behavioral2
Detonation Overview
Submitted: 2024-04-04 13:37
Reported: 2024-04-04 13:39
Platform: win10v2004-20240226-en
Max time kernel: 150s
Max time network: 156s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\MRINubst\Gamedctr.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\prevmote.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\~6A81.tmp | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fixmburn = "C:\\Users\\Admin\\AppData\\Roaming\\MRINubst\\Gamedctr.exe" | C:\Users\Admin\AppData\Local\Temp\b9b275c08efd0e570023ea72b87d11ca_JaffaCakes118.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Windows\SysWOW64\prevmote.exe | C:\Users\Admin\AppData\Local\Temp\b9b275c08efd0e570023ea72b87d11ca_JaffaCakes118.exe | N/A |
Program crash
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\b9b275c08efd0e570023ea72b87d11ca_JaffaCakes118.exe |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\MRINubst\Gamedctr.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of UnmapMainImage
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 4412 wrote to memory of 1480 | N/A | C:\Users\Admin\AppData\Local\Temp\b9b275c08efd0e570023ea72b87d11ca_JaffaCakes118.exe | C:\Users\Admin\AppData\Roaming\MRINubst\Gamedctr.exe |
| PID 1480 wrote to memory of 1028 | N/A | C:\Users\Admin\AppData\Roaming\MRINubst\Gamedctr.exe | C:\Users\Admin\AppData\Local\Temp\~6A81.tmp |
| PID 1028 wrote to memory of 3488 | N/A | C:\Users\Admin\AppData\Local\Temp\~6A81.tmp | C:\Windows\Explorer.EXE |
Processes
| Process | Command line |
|---|---|
| C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE |
| C:\Users\Admin\AppData\Local\Temp\b9b275c08efd0e570023ea72b87d11ca_JaffaCakes118.exe | "C:\Users\Admin\AppData\Local\Temp\b9b275c08efd0e570023ea72b87d11ca_JaffaCakes118.exe" |
| C:\Users\Admin\AppData\Roaming\MRINubst\Gamedctr.exe | "C:\Users\Admin\AppData\Roaming\MRINubst" |
| C:\Windows\SysWOW64\prevmote.exe | C:\Windows\SysWOW64\prevmote.exe -s |
| C:\Users\Admin\AppData\Local\Temp\~6A81.tmp | 3488 250376 1480 1 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4412 -ip 4412 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 4412 -s 624 |
Network
Files
C:\Users\Admin\AppData\Roaming\MRINubst\Gamedctr.exe
| Hash | Value |
|---|---|
| MD5 | b4415dfb23ca836e2d9644a08cea259e |
| SHA1 | f0d85f83dc734667bdc40979f04084c6f60cc5d8 |
| SHA256 | fce8614e61613b6042d72af9540a52ad6e9ee35caa997f046fd46a997960e720 |
| SHA512 | 20b575063a33c854a7e4c59c6b9d3e5b7c1f2fadffbb596af513bb0a34d3e28d44b21c0bbfd80d2252ce696bc2c7778fae53300b6cca4424d8cf195cac194a12 |
C:\Users\Admin\AppData\Local\Temp\~6A81.tmp
| Hash | Value |
|---|---|
| MD5 | aac3165ece2959f39ff98334618d10d9 |
| SHA1 | 020a191bfdc70c1fbd3bf74cd7479258bd197f51 |
| SHA256 | 96fa6a7714670823c83099ea01d24d6d3ae8fef027f01a4ddac14f123b1c9974 |
| SHA512 | 9eb876812a6a13dd4b090788c2b1d9e9a2e25370598ed5c040f82e6f378edc4b78d58bc8f60d5a559ea57b1edcf3a144bfe09454a9928997173db8279d5b40cf |