Malware Analysis Report

2025-03-14 22:27

Sample ID 240407-3cnvnshg37
Target e6197af7dcf03ccb337e9547fe471008_JaffaCakes118
SHA256 9dc22d0efad27e9cadc12effd11cfc0e8c4cc8fb4fb5246e1610a61219d083a0
Tags: persistence upx
Score: 7/10

Analysis Overview

Score: 7/10

SHA256: 9dc22d0efad27e9cadc12effd11cfc0e8c4cc8fb4fb5246e1610a61219d083a0

Threat Level: Shows suspicious behavior

The file e6197af7dcf03ccb337e9547fe471008_JaffaCakes118 was found to show suspicious behavior.

Malicious Activity Summary

Tags: persistence upx

Executes dropped EXE

UPX packed file

Deletes itself

Loads dropped DLL

Adds Run key to start application

Suspicious use of SetThreadContext

Unsigned PE

Program crash

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Analysis: static1

Detonation Overview

Reported

2024-04-07 23:22

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-07 23:22

Reported

2024-04-07 23:24

Platform

win7-20240319-en

Max time kernel

150s

Max time network

125s

Command Line

"taskhost.exe"

Signatures

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Cuatam\qowoa.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Cuatam\qowoa.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Windows\CurrentVersion\Run\{C86033AC-560D-73FA-12C3-AA3B62A0C789} = "C:\\Users\\Admin\\AppData\\Roaming\\Cuatam\\qowoa.exe" C:\Users\Admin\AppData\Roaming\Cuatam\qowoa.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Cuatam\qowoa.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Cuatam\qowoa.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Cuatam\qowoa.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Cuatam\qowoa.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Cuatam\qowoa.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Cuatam\qowoa.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Cuatam\qowoa.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Cuatam\qowoa.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Cuatam\qowoa.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Cuatam\qowoa.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Cuatam\qowoa.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Cuatam\qowoa.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Cuatam\qowoa.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Cuatam\qowoa.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Cuatam\qowoa.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Cuatam\qowoa.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Cuatam\qowoa.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Cuatam\qowoa.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Cuatam\qowoa.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Cuatam\qowoa.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Cuatam\qowoa.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Cuatam\qowoa.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Cuatam\qowoa.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Cuatam\qowoa.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Cuatam\qowoa.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Cuatam\qowoa.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Cuatam\qowoa.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Cuatam\qowoa.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Cuatam\qowoa.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Cuatam\qowoa.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Cuatam\qowoa.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e6197af7dcf03ccb337e9547fe471008_JaffaCakes118.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\e6197af7dcf03ccb337e9547fe471008_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Cuatam\qowoa.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1932 wrote to memory of 1908 N/A C:\Users\Admin\AppData\Local\Temp\e6197af7dcf03ccb337e9547fe471008_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\e6197af7dcf03ccb337e9547fe471008_JaffaCakes118.exe
PID 1932 wrote to memory of 1908 N/A C:\Users\Admin\AppData\Local\Temp\e6197af7dcf03ccb337e9547fe471008_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\e6197af7dcf03ccb337e9547fe471008_JaffaCakes118.exe
PID 1932 wrote to memory of 1908 N/A C:\Users\Admin\AppData\Local\Temp\e6197af7dcf03ccb337e9547fe471008_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\e6197af7dcf03ccb337e9547fe471008_JaffaCakes118.exe
PID 1932 wrote to memory of 1908 N/A C:\Users\Admin\AppData\Local\Temp\e6197af7dcf03ccb337e9547fe471008_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\e6197af7dcf03ccb337e9547fe471008_JaffaCakes118.exe
PID 1932 wrote to memory of 1908 N/A C:\Users\Admin\AppData\Local\Temp\e6197af7dcf03ccb337e9547fe471008_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\e6197af7dcf03ccb337e9547fe471008_JaffaCakes118.exe
PID 1932 wrote to memory of 1908 N/A C:\Users\Admin\AppData\Local\Temp\e6197af7dcf03ccb337e9547fe471008_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\e6197af7dcf03ccb337e9547fe471008_JaffaCakes118.exe
PID 1932 wrote to memory of 1908 N/A C:\Users\Admin\AppData\Local\Temp\e6197af7dcf03ccb337e9547fe471008_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\e6197af7dcf03ccb337e9547fe471008_JaffaCakes118.exe
PID 1932 wrote to memory of 1908 N/A C:\Users\Admin\AppData\Local\Temp\e6197af7dcf03ccb337e9547fe471008_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\e6197af7dcf03ccb337e9547fe471008_JaffaCakes118.exe
PID 1932 wrote to memory of 1908 N/A C:\Users\Admin\AppData\Local\Temp\e6197af7dcf03ccb337e9547fe471008_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\e6197af7dcf03ccb337e9547fe471008_JaffaCakes118.exe
PID 1908 wrote to memory of 2484 N/A C:\Users\Admin\AppData\Local\Temp\e6197af7dcf03ccb337e9547fe471008_JaffaCakes118.exe C:\Users\Admin\AppData\Roaming\Cuatam\qowoa.exe
PID 1908 wrote to memory of 2484 N/A C:\Users\Admin\AppData\Local\Temp\e6197af7dcf03ccb337e9547fe471008_JaffaCakes118.exe C:\Users\Admin\AppData\Roaming\Cuatam\qowoa.exe
PID 1908 wrote to memory of 2484 N/A C:\Users\Admin\AppData\Local\Temp\e6197af7dcf03ccb337e9547fe471008_JaffaCakes118.exe C:\Users\Admin\AppData\Roaming\Cuatam\qowoa.exe
PID 1908 wrote to memory of 2484 N/A C:\Users\Admin\AppData\Local\Temp\e6197af7dcf03ccb337e9547fe471008_JaffaCakes118.exe C:\Users\Admin\AppData\Roaming\Cuatam\qowoa.exe
PID 2484 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Roaming\Cuatam\qowoa.exe C:\Users\Admin\AppData\Roaming\Cuatam\qowoa.exe
PID 2484 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Roaming\Cuatam\qowoa.exe C:\Users\Admin\AppData\Roaming\Cuatam\qowoa.exe
PID 2484 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Roaming\Cuatam\qowoa.exe C:\Users\Admin\AppData\Roaming\Cuatam\qowoa.exe
PID 2484 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Roaming\Cuatam\qowoa.exe C:\Users\Admin\AppData\Roaming\Cuatam\qowoa.exe
PID 2484 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Roaming\Cuatam\qowoa.exe C:\Users\Admin\AppData\Roaming\Cuatam\qowoa.exe
PID 2484 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Roaming\Cuatam\qowoa.exe C:\Users\Admin\AppData\Roaming\Cuatam\qowoa.exe
PID 2484 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Roaming\Cuatam\qowoa.exe C:\Users\Admin\AppData\Roaming\Cuatam\qowoa.exe
PID 2484 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Roaming\Cuatam\qowoa.exe C:\Users\Admin\AppData\Roaming\Cuatam\qowoa.exe
PID 2484 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Roaming\Cuatam\qowoa.exe C:\Users\Admin\AppData\Roaming\Cuatam\qowoa.exe
PID 2668 wrote to memory of 1116 N/A C:\Users\Admin\AppData\Roaming\Cuatam\qowoa.exe C:\Windows\system32\taskhost.exe
PID 2668 wrote to memory of 1116 N/A C:\Users\Admin\AppData\Roaming\Cuatam\qowoa.exe C:\Windows\system32\taskhost.exe
PID 2668 wrote to memory of 1116 N/A C:\Users\Admin\AppData\Roaming\Cuatam\qowoa.exe C:\Windows\system32\taskhost.exe
PID 2668 wrote to memory of 1116 N/A C:\Users\Admin\AppData\Roaming\Cuatam\qowoa.exe C:\Windows\system32\taskhost.exe
PID 2668 wrote to memory of 1116 N/A C:\Users\Admin\AppData\Roaming\Cuatam\qowoa.exe C:\Windows\system32\taskhost.exe
PID 2668 wrote to memory of 1224 N/A C:\Users\Admin\AppData\Roaming\Cuatam\qowoa.exe C:\Windows\system32\Dwm.exe
PID 2668 wrote to memory of 1224 N/A C:\Users\Admin\AppData\Roaming\Cuatam\qowoa.exe C:\Windows\system32\Dwm.exe
PID 2668 wrote to memory of 1224 N/A C:\Users\Admin\AppData\Roaming\Cuatam\qowoa.exe C:\Windows\system32\Dwm.exe
PID 2668 wrote to memory of 1224 N/A C:\Users\Admin\AppData\Roaming\Cuatam\qowoa.exe C:\Windows\system32\Dwm.exe
PID 2668 wrote to memory of 1224 N/A C:\Users\Admin\AppData\Roaming\Cuatam\qowoa.exe C:\Windows\system32\Dwm.exe
PID 2668 wrote to memory of 1244 N/A C:\Users\Admin\AppData\Roaming\Cuatam\qowoa.exe C:\Windows\Explorer.EXE
PID 2668 wrote to memory of 1244 N/A C:\Users\Admin\AppData\Roaming\Cuatam\qowoa.exe C:\Windows\Explorer.EXE
PID 2668 wrote to memory of 1244 N/A C:\Users\Admin\AppData\Roaming\Cuatam\qowoa.exe C:\Windows\Explorer.EXE
PID 2668 wrote to memory of 1244 N/A C:\Users\Admin\AppData\Roaming\Cuatam\qowoa.exe C:\Windows\Explorer.EXE
PID 2668 wrote to memory of 1244 N/A C:\Users\Admin\AppData\Roaming\Cuatam\qowoa.exe C:\Windows\Explorer.EXE
PID 2668 wrote to memory of 1908 N/A C:\Users\Admin\AppData\Roaming\Cuatam\qowoa.exe C:\Users\Admin\AppData\Local\Temp\e6197af7dcf03ccb337e9547fe471008_JaffaCakes118.exe
PID 2668 wrote to memory of 1908 N/A C:\Users\Admin\AppData\Roaming\Cuatam\qowoa.exe C:\Users\Admin\AppData\Local\Temp\e6197af7dcf03ccb337e9547fe471008_JaffaCakes118.exe
PID 2668 wrote to memory of 1908 N/A C:\Users\Admin\AppData\Roaming\Cuatam\qowoa.exe C:\Users\Admin\AppData\Local\Temp\e6197af7dcf03ccb337e9547fe471008_JaffaCakes118.exe
PID 2668 wrote to memory of 1908 N/A C:\Users\Admin\AppData\Roaming\Cuatam\qowoa.exe C:\Users\Admin\AppData\Local\Temp\e6197af7dcf03ccb337e9547fe471008_JaffaCakes118.exe
PID 2668 wrote to memory of 1908 N/A C:\Users\Admin\AppData\Roaming\Cuatam\qowoa.exe C:\Users\Admin\AppData\Local\Temp\e6197af7dcf03ccb337e9547fe471008_JaffaCakes118.exe
PID 1908 wrote to memory of 2404 N/A C:\Users\Admin\AppData\Local\Temp\e6197af7dcf03ccb337e9547fe471008_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 1908 wrote to memory of 2404 N/A C:\Users\Admin\AppData\Local\Temp\e6197af7dcf03ccb337e9547fe471008_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 1908 wrote to memory of 2404 N/A C:\Users\Admin\AppData\Local\Temp\e6197af7dcf03ccb337e9547fe471008_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 1908 wrote to memory of 2404 N/A C:\Users\Admin\AppData\Local\Temp\e6197af7dcf03ccb337e9547fe471008_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 2668 wrote to memory of 2404 N/A C:\Users\Admin\AppData\Roaming\Cuatam\qowoa.exe C:\Windows\SysWOW64\cmd.exe
PID 2668 wrote to memory of 2404 N/A C:\Users\Admin\AppData\Roaming\Cuatam\qowoa.exe C:\Windows\SysWOW64\cmd.exe
PID 2668 wrote to memory of 2404 N/A C:\Users\Admin\AppData\Roaming\Cuatam\qowoa.exe C:\Windows\SysWOW64\cmd.exe
PID 2668 wrote to memory of 2404 N/A C:\Users\Admin\AppData\Roaming\Cuatam\qowoa.exe C:\Windows\SysWOW64\cmd.exe
PID 2668 wrote to memory of 2404 N/A C:\Users\Admin\AppData\Roaming\Cuatam\qowoa.exe C:\Windows\SysWOW64\cmd.exe
PID 2668 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Roaming\Cuatam\qowoa.exe C:\Windows\SysWOW64\WerFault.exe
PID 2668 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Roaming\Cuatam\qowoa.exe C:\Windows\SysWOW64\WerFault.exe
PID 2668 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Roaming\Cuatam\qowoa.exe C:\Windows\SysWOW64\WerFault.exe
PID 2668 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Roaming\Cuatam\qowoa.exe C:\Windows\SysWOW64\WerFault.exe
PID 2668 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Roaming\Cuatam\qowoa.exe C:\Windows\SysWOW64\WerFault.exe
PID 2668 wrote to memory of 524 N/A C:\Users\Admin\AppData\Roaming\Cuatam\qowoa.exe C:\Windows\system32\DllHost.exe
PID 2668 wrote to memory of 524 N/A C:\Users\Admin\AppData\Roaming\Cuatam\qowoa.exe C:\Windows\system32\DllHost.exe
PID 2668 wrote to memory of 524 N/A C:\Users\Admin\AppData\Roaming\Cuatam\qowoa.exe C:\Windows\system32\DllHost.exe
PID 2668 wrote to memory of 524 N/A C:\Users\Admin\AppData\Roaming\Cuatam\qowoa.exe C:\Windows\system32\DllHost.exe
PID 2668 wrote to memory of 524 N/A C:\Users\Admin\AppData\Roaming\Cuatam\qowoa.exe C:\Windows\system32\DllHost.exe
PID 2668 wrote to memory of 2460 N/A C:\Users\Admin\AppData\Roaming\Cuatam\qowoa.exe C:\Windows\system32\DllHost.exe
PID 2668 wrote to memory of 2460 N/A C:\Users\Admin\AppData\Roaming\Cuatam\qowoa.exe C:\Windows\system32\DllHost.exe
PID 2668 wrote to memory of 2460 N/A C:\Users\Admin\AppData\Roaming\Cuatam\qowoa.exe C:\Windows\system32\DllHost.exe

Processes

C:\Windows\system32\taskhost.exe

"taskhost.exe"

C:\Windows\system32\Dwm.exe

"C:\Windows\system32\Dwm.exe"

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\e6197af7dcf03ccb337e9547fe471008_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\e6197af7dcf03ccb337e9547fe471008_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\e6197af7dcf03ccb337e9547fe471008_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\e6197af7dcf03ccb337e9547fe471008_JaffaCakes118.exe"

C:\Users\Admin\AppData\Roaming\Cuatam\qowoa.exe

"C:\Users\Admin\AppData\Roaming\Cuatam\qowoa.exe"

C:\Users\Admin\AppData\Roaming\Cuatam\qowoa.exe

"C:\Users\Admin\AppData\Roaming\Cuatam\qowoa.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmpf2f81ca9.bat"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1908 -s 384

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}

Network

Country Destination Domain Proto
RU 109.68.191.207:80 109.68.191.207 tcp
RU 109.68.191.207:80 109.68.191.207 tcp
RU 109.68.191.207:80 109.68.191.207 tcp
RU 109.68.191.207:80 109.68.191.207 tcp
RU 109.68.191.207:80 109.68.191.207 tcp
RU 109.68.191.207:80 109.68.191.207 tcp
RU 109.68.191.207:80 109.68.191.207 tcp
RU 109.68.191.207:80 109.68.191.207 tcp
RU 109.68.191.207:80 109.68.191.207 tcp
RU 109.68.191.207:80 109.68.191.207 tcp

Files

\Users\Admin\AppData\Roaming\Cuatam\qowoa.exe

MD5 d0d5a7c7e634cdc076879c8427523d9e
SHA1 d1a3c182141f60f2c1ece7fac0de0553998ce6a2
SHA256 81fbf2d55070eb77bc5c9e13c57a72c255c41f0bcd6331af5cff9fdad72ac299
SHA512 e72028fd8f1d1383aa6f8a37355b108fea0e9344adefb9f24bd53fb0430b40f07ad56db380869a730df569fffc27b3d5cbe8501403a6180c7b5452716949269f

C:\Users\Admin\AppData\Local\Temp\tmpf2f81ca9.bat

MD5 f68a68f3329bf1423b78873cd1af6435
SHA1 b0a9e64b293f19d1044bb8acbb0c012a8cb7b979
SHA256 11cfb9b9176bec5e53a0c10790db58ffaf21aab24789933ef8d71ab00fed036f
SHA512 eeb9e88c51bf2c35aae7fe094de283baa9a7e33a8daffea7a1bace044bdb6c722ccccf9b273238151238fb71ca6479b96a5b4c1a17a831a2eac8bebab2610c39

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-07 23:22

Reported

2024-04-07 23:25

Platform

win10v2004-20240226-en

Max time kernel

147s

Max time network

158s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e6197af7dcf03ccb337e9547fe471008_JaffaCakes118.exe"

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\e6197af7dcf03ccb337e9547fe471008_JaffaCakes118.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 704 wrote to memory of 5056 N/A C:\Users\Admin\AppData\Local\Temp\e6197af7dcf03ccb337e9547fe471008_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\e6197af7dcf03ccb337e9547fe471008_JaffaCakes118.exe
PID 704 wrote to memory of 5056 N/A C:\Users\Admin\AppData\Local\Temp\e6197af7dcf03ccb337e9547fe471008_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\e6197af7dcf03ccb337e9547fe471008_JaffaCakes118.exe
PID 704 wrote to memory of 5056 N/A C:\Users\Admin\AppData\Local\Temp\e6197af7dcf03ccb337e9547fe471008_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\e6197af7dcf03ccb337e9547fe471008_JaffaCakes118.exe
PID 704 wrote to memory of 5056 N/A C:\Users\Admin\AppData\Local\Temp\e6197af7dcf03ccb337e9547fe471008_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\e6197af7dcf03ccb337e9547fe471008_JaffaCakes118.exe
PID 704 wrote to memory of 5056 N/A C:\Users\Admin\AppData\Local\Temp\e6197af7dcf03ccb337e9547fe471008_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\e6197af7dcf03ccb337e9547fe471008_JaffaCakes118.exe
PID 704 wrote to memory of 5056 N/A C:\Users\Admin\AppData\Local\Temp\e6197af7dcf03ccb337e9547fe471008_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\e6197af7dcf03ccb337e9547fe471008_JaffaCakes118.exe
PID 704 wrote to memory of 5056 N/A C:\Users\Admin\AppData\Local\Temp\e6197af7dcf03ccb337e9547fe471008_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\e6197af7dcf03ccb337e9547fe471008_JaffaCakes118.exe
PID 704 wrote to memory of 5056 N/A C:\Users\Admin\AppData\Local\Temp\e6197af7dcf03ccb337e9547fe471008_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\e6197af7dcf03ccb337e9547fe471008_JaffaCakes118.exe

Processes

C:\Users\Admin\AppData\Local\Temp\e6197af7dcf03ccb337e9547fe471008_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\e6197af7dcf03ccb337e9547fe471008_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\e6197af7dcf03ccb337e9547fe471008_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\e6197af7dcf03ccb337e9547fe471008_JaffaCakes118.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 121.118.77.104.in-addr.arpa udp
US 8.8.8.8:53 215.143.182.52.in-addr.arpa udp

Files

Only memory dumps were recorded for this run; no dropped files were recorded.