Analysis Overview
SHA256
4fbb6d84a1a7054724b491fe928c655b3bb7bb45c971f8126e6f39e0fc70ebfa
Threat Level: Shows suspicious behavior
The file bedc21cc9bb6cc278ba47dee9f32dc27_JaffaCakes118 was found to be: Shows suspicious behavior.
Malicious Activity Summary
Executes dropped EXE
Loads dropped DLL
Adds Run key to start application
Drops file in System32 directory
Unsigned PE
Program crash
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of UnmapMainImage
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-04-04 17:53
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-04 17:53
Reported
2024-04-04 17:56
Platform
win7-20231129-en
Max time kernel
149s
Max time network
117s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\ciphtune\cleaubst.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\~1FA1.tmp | N/A |
| N/A | N/A | C:\Windows\SysWOW64\ipcorver.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bedc21cc9bb6cc278ba47dee9f32dc27_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bedc21cc9bb6cc278ba47dee9f32dc27_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\ciphtune\cleaubst.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\cmdktend = "C:\\Users\\Admin\\AppData\\Roaming\\ciphtune\\cleaubst.exe" | C:\Users\Admin\AppData\Local\Temp\bedc21cc9bb6cc278ba47dee9f32dc27_JaffaCakes118.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\SysWOW64\ipcorver.exe | C:\Users\Admin\AppData\Local\Temp\bedc21cc9bb6cc278ba47dee9f32dc27_JaffaCakes118.exe | N/A |
Program crash
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\bedc21cc9bb6cc278ba47dee9f32dc27_JaffaCakes118.exe |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\bedc21cc9bb6cc278ba47dee9f32dc27_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\bedc21cc9bb6cc278ba47dee9f32dc27_JaffaCakes118.exe"
C:\Users\Admin\AppData\Roaming\ciphtune\cleaubst.exe
"C:\Users\Admin\AppData\Roaming\ciphtune\cleaubst.exe"
C:\Users\Admin\AppData\Local\Temp\~1FA1.tmp
"C:\Users\Admin\AppData\Local\Temp\~1FA1.tmp"
C:\Windows\SysWOW64\ipcorver.exe
C:\Windows\SysWOW64\ipcorver.exe -k
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1972 -s 260
Network
Files
memory/1972-0-0x0000000000230000-0x000000000026E000-memory.dmp
\Users\Admin\AppData\Roaming\ciphtune\cleaubst.exe
| MD5 | 8f8632b957108d710d90dec7f3d02aab |
| SHA1 | acf3b1bcdfea0c49a1c8583950f113ef241ecb2b |
| SHA256 | 864a91ece964b2d235ece6f79ee823f92404183ca12bcd2db457ddccce65d068 |
| SHA512 | 50da571536c63e1eaf334631ccb9575dd464283cec897d0d1b37d4d1fc0b10281a105fbae5f10cfb0aa61cbc9b6108829caf87bba804f4090626fec529f8d50e |
memory/948-11-0x0000000000180000-0x00000000001BE000-memory.dmp
memory/1376-16-0x0000000002AC0000-0x0000000002B01000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\~1FA1.tmp
| MD5 | dd82fd50b49849e5554a7edae2bb78bb |
| SHA1 | 63106cfe3d3a1d60be2d44e1218fb3ce9afe686c |
| SHA256 | c4bece33fde62ec6fa1fe0a6b4b23f7106d759134ed72794d8086fe68ace561c |
| SHA512 | af8b5b3b46af78d1382689cf7e92adfa78ef4326c3a96624970502f9955ed6c17917389d525918983fe88fae04f95ae533e4e9a20da161d599d17c48270e6b76 |
memory/1376-18-0x0000000002AC0000-0x0000000002B01000-memory.dmp
memory/1376-17-0x0000000002AC0000-0x0000000002B01000-memory.dmp
C:\Windows\SysWOW64\ipcorver.exe
| MD5 | bedc21cc9bb6cc278ba47dee9f32dc27 |
| SHA1 | 7c8d177753fcf3f1afb578895e8e852a6bd75c55 |
| SHA256 | 4fbb6d84a1a7054724b491fe928c655b3bb7bb45c971f8126e6f39e0fc70ebfa |
| SHA512 | 46ad6477c4addaa0a464e02eefbd68e1c76a6d9794bbe820d36de67254b3198dba361769f67ef2ecc2958d160a2bfd8400095bf2c13b352a64c61b864e721216 |
memory/1884-26-0x0000000000120000-0x000000000015E000-memory.dmp
memory/1884-27-0x0000000000120000-0x000000000015E000-memory.dmp
memory/1884-28-0x0000000000120000-0x000000000015E000-memory.dmp
memory/1972-30-0x0000000000230000-0x000000000026E000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-04 17:53
Reported
2024-04-04 17:56
Platform
win10v2004-20240226-en
Max time kernel
155s
Max time network
156s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\icsuhone\PickdVol.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\~36BB.tmp | N/A |
| N/A | N/A | C:\Windows\SysWOW64\dpapance.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SecEmote = "C:\\Users\\Admin\\AppData\\Roaming\\icsuhone\\PickdVol.exe" | C:\Users\Admin\AppData\Local\Temp\bedc21cc9bb6cc278ba47dee9f32dc27_JaffaCakes118.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\SysWOW64\dpapance.exe | C:\Users\Admin\AppData\Local\Temp\bedc21cc9bb6cc278ba47dee9f32dc27_JaffaCakes118.exe | N/A |
Program crash
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\bedc21cc9bb6cc278ba47dee9f32dc27_JaffaCakes118.exe |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of UnmapMainImage
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 5004 wrote to memory of 4692 | N/A | C:\Users\Admin\AppData\Local\Temp\bedc21cc9bb6cc278ba47dee9f32dc27_JaffaCakes118.exe | C:\Users\Admin\AppData\Roaming\icsuhone\PickdVol.exe |
| PID 5004 wrote to memory of 4692 | N/A | C:\Users\Admin\AppData\Local\Temp\bedc21cc9bb6cc278ba47dee9f32dc27_JaffaCakes118.exe | C:\Users\Admin\AppData\Roaming\icsuhone\PickdVol.exe |
| PID 5004 wrote to memory of 4692 | N/A | C:\Users\Admin\AppData\Local\Temp\bedc21cc9bb6cc278ba47dee9f32dc27_JaffaCakes118.exe | C:\Users\Admin\AppData\Roaming\icsuhone\PickdVol.exe |
| PID 4692 wrote to memory of 664 | N/A | C:\Users\Admin\AppData\Roaming\icsuhone\PickdVol.exe | C:\Users\Admin\AppData\Local\Temp\~36BB.tmp |
| PID 4692 wrote to memory of 664 | N/A | C:\Users\Admin\AppData\Roaming\icsuhone\PickdVol.exe | C:\Users\Admin\AppData\Local\Temp\~36BB.tmp |
| PID 664 wrote to memory of 3428 | N/A | C:\Users\Admin\AppData\Local\Temp\~36BB.tmp | C:\Windows\Explorer.EXE |
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\bedc21cc9bb6cc278ba47dee9f32dc27_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\bedc21cc9bb6cc278ba47dee9f32dc27_JaffaCakes118.exe"
C:\Users\Admin\AppData\Roaming\icsuhone\PickdVol.exe
"C:\Users\Admin\AppData\Roaming\icsuhone\PickdVol.exe"
C:\Windows\SysWOW64\dpapance.exe
C:\Windows\SysWOW64\dpapance.exe -k
C:\Users\Admin\AppData\Local\Temp\~36BB.tmp
"C:\Users\Admin\AppData\Local\Temp\~36BB.tmp"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 5004 -ip 5004
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5004 -s 684
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4156 --field-trial-handle=2180,i,12780723798465539942,12010519452607841069,262144 --variations-seed-version /prefetch:8
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 72.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.66.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 227.66.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | chromewebstore.googleapis.com | udp |
| US | 8.8.8.8:53 | chromewebstore.googleapis.com | udp |
| GB | 142.250.179.234:443 | chromewebstore.googleapis.com | tcp |
| US | 8.8.8.8:53 | 234.179.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 16.173.189.20.in-addr.arpa | udp |
Files
memory/5004-0-0x0000000000DB0000-0x0000000000DEE000-memory.dmp
C:\Users\Admin\AppData\Roaming\icsuhone\PickdVol.exe
| MD5 | ea31c5b4d65b294112d426d4cb069eff |
| SHA1 | 18d553cb4ec616d6b1aeb004c92fa2c4a988ffa7 |
| SHA256 | 9feb8247ab869d58bb6af8cca66287a383875e8666393769f19ccb41abaa0cea |
| SHA512 | b78c4bdf211c3d3e36f8b765ec776a6a3e26a6f0d366fd5fa560720c3140e1498bc73d8791550a5cb4751ad86f34919a6b44a9daa0f1db7d001a44f2c1b65082 |
memory/4692-6-0x0000000000150000-0x000000000018E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\~36BB.tmp
| MD5 | 05259b1cd4005deca335367b98ca7b98 |
| SHA1 | b72274d8ff8a79d474a24a7210820bdada57ffda |
| SHA256 | 0aebee970b0e915bf0cfe5ee84bdc0421957e797c15e2b5f4ec22b95be5df110 |
| SHA512 | eec6a04b937ac9398b7dd91f0b4774172172c7dd0752f502b4866c0a3ba08256909cd8134a3162e9ae93aa9bb63d99631b1d68077dc7cf07565d32cc30c6b45b |
memory/3428-12-0x00000000083F0000-0x0000000008431000-memory.dmp
memory/1392-14-0x0000000000B50000-0x0000000000B8E000-memory.dmp
C:\Windows\SysWOW64\dpapance.exe
| MD5 | bedc21cc9bb6cc278ba47dee9f32dc27 |
| SHA1 | 7c8d177753fcf3f1afb578895e8e852a6bd75c55 |
| SHA256 | 4fbb6d84a1a7054724b491fe928c655b3bb7bb45c971f8126e6f39e0fc70ebfa |
| SHA512 | 46ad6477c4addaa0a464e02eefbd68e1c76a6d9794bbe820d36de67254b3198dba361769f67ef2ecc2958d160a2bfd8400095bf2c13b352a64c61b864e721216 |
memory/1392-16-0x0000000000B50000-0x0000000000B8E000-memory.dmp
memory/3428-15-0x00000000083F0000-0x0000000008431000-memory.dmp
memory/1392-19-0x0000000000B50000-0x0000000000B8E000-memory.dmp
memory/5004-23-0x0000000000DB0000-0x0000000000DEE000-memory.dmp