Analysis Overview
SHA256: e1130b856161680a39ebf5d759bd25663b598e69b6ef68721933958ac644a496
Threat Level: Known bad
The file e307bef30d37b965e01405176a9e30fe_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
RedLine payload
SectopRAT payload
SectopRAT
RedLine
Suspicious use of SetThreadContext
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported: 2024-04-06 18:47
Signatures
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted: 2024-04-06 18:47
Reported: 2024-04-06 18:49
Platform: win7-20240215-en
Max time kernel: 148s
Max time network: 148s
Command Line
Signatures
RedLine
RedLine payload
SectopRAT
SectopRAT payload
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1512 set thread context of 2228 | N/A | C:\Users\Admin\AppData\Local\Temp\e307bef30d37b965e01405176a9e30fe_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\e307bef30d37b965e01405176a9e30fe_JaffaCakes118.exe |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\e307bef30d37b965e01405176a9e30fe_JaffaCakes118.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\e307bef30d37b965e01405176a9e30fe_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e307bef30d37b965e01405176a9e30fe_JaffaCakes118.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | salkefard.xyz | udp |
Files
Analysis: behavioral2
Detonation Overview
Submitted: 2024-04-06 18:47
Reported: 2024-04-06 18:49
Platform: win10v2004-20240226-en
Max time kernel: 148s
Max time network: 149s
Command Line
Signatures
RedLine
RedLine payload
SectopRAT
SectopRAT payload
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1420 set thread context of 4500 | N/A | C:\Users\Admin\AppData\Local\Temp\e307bef30d37b965e01405176a9e30fe_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\e307bef30d37b965e01405176a9e30fe_JaffaCakes118.exe |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\e307bef30d37b965e01405176a9e30fe_JaffaCakes118.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\e307bef30d37b965e01405176a9e30fe_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e307bef30d37b965e01405176a9e30fe_JaffaCakes118.exe"
Network
Files
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\e307bef30d37b965e01405176a9e30fe_JaffaCakes118.exe.log
| Hash | Value |
| MD5 | e5352797047ad2c91b83e933b24fbc4f |
| SHA1 | 9bf8ac99b6cbf7ce86ce69524c25e3df75b4d772 |
| SHA256 | b4643874d42d232c55bfbb75c36da41809d0c9ba4b2a203049aa82950345325c |
| SHA512 | dd2fc1966c8b3c9511f14801d1ce8110d6bca276a58216b5eeb0a3cfbb0cc8137ea14efbf790e63736230141da456cbaaa4e5c66f2884d4cfe68f499476fd827 |