Analysis Overview
SHA256
5d94b24f251b4fd9b9a59a3d60b86512528add9c95a880d8e32e76b1f54b8eea
Threat Level: Known bad
The file e3ded559a419a2ffadc6d56fa4884a6f_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
Remcos
Checks computer location settings
Suspicious use of SetThreadContext
Unsigned PE
Enumerates physical storage devices
Creates scheduled task(s)
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-04-07 02:39
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-07 02:39
Reported
2024-04-07 02:42
Platform
win10v2004-20240226-en
Max time kernel
152s
Max time network
157s
Command Line
Signatures
Remcos
Checks computer location settings
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\e3ded559a419a2ffadc6d56fa4884a6f_JaffaCakes118.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 5056 set thread context of 4792 | N/A | C:\Users\Admin\AppData\Local\Temp\e3ded559a419a2ffadc6d56fa4884a6f_JaffaCakes118.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e3ded559a419a2ffadc6d56fa4884a6f_JaffaCakes118.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\e3ded559a419a2ffadc6d56fa4884a6f_JaffaCakes118.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\e3ded559a419a2ffadc6d56fa4884a6f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e3ded559a419a2ffadc6d56fa4884a6f_JaffaCakes118.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\XeTozECCRX" /XML "C:\Users\Admin\AppData\Local\Temp\tmp4C94.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
"{path}"
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 159.113.53.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 178.223.142.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 65.139.73.23.in-addr.arpa | udp |
| HK | 172.111.234.10:8088 | | tcp |
| HK | 172.111.234.10:8088 | | tcp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp |
| HK | 172.111.234.10:8088 | | tcp |
| HK | 172.111.234.10:8088 | | tcp |
| HK | 172.111.234.10:8088 | | tcp |
| US | 8.8.8.8:53 | 12.173.189.20.in-addr.arpa | udp |
Files
memory/5056-0-0x0000000074680000-0x0000000074C31000-memory.dmp
memory/5056-1-0x0000000074680000-0x0000000074C31000-memory.dmp
memory/5056-2-0x0000000000BF0000-0x0000000000C00000-memory.dmp
memory/5056-3-0x0000000074680000-0x0000000074C31000-memory.dmp
memory/5056-4-0x0000000074680000-0x0000000074C31000-memory.dmp
memory/5056-5-0x0000000000BF0000-0x0000000000C00000-memory.dmp
memory/5056-6-0x0000000000BF0000-0x0000000000C00000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmp4C94.tmp
| MD5 | 3e084bf3421c235b89ac83bfbe0c147d |
| SHA1 | e50858c01350b1e9e415f64818cb654f879faae1 |
| SHA256 | 3d6cd6a52551b0baeb8d885a267c31425ebbf816c8c37149b51161f4ec92959f |
| SHA512 | 9f2110ae6b612caef382c70ff40f3bd2cf1496d56d36af82fcac3751f274e511e5cec7aae90d1a1174860f032281ca72316120bd5df49ad600a982352e670158 |
memory/4792-10-0x0000000000400000-0x0000000000479000-memory.dmp
memory/4792-11-0x0000000000400000-0x0000000000479000-memory.dmp
memory/4792-13-0x0000000000400000-0x0000000000479000-memory.dmp
memory/5056-15-0x0000000074680000-0x0000000074C31000-memory.dmp
memory/4792-16-0x0000000000400000-0x0000000000479000-memory.dmp
memory/4792-17-0x0000000000400000-0x0000000000479000-memory.dmp
memory/4792-18-0x0000000000400000-0x0000000000479000-memory.dmp
memory/4792-19-0x0000000000400000-0x0000000000479000-memory.dmp
memory/4792-20-0x0000000000400000-0x0000000000479000-memory.dmp
memory/4792-21-0x0000000000400000-0x0000000000479000-memory.dmp
memory/4792-22-0x0000000000400000-0x0000000000479000-memory.dmp
memory/4792-23-0x0000000000400000-0x0000000000479000-memory.dmp
memory/4792-24-0x0000000000400000-0x0000000000479000-memory.dmp
memory/4792-25-0x0000000000400000-0x0000000000479000-memory.dmp
memory/4792-26-0x0000000000400000-0x0000000000479000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-07 02:39
Reported
2024-04-07 02:42
Platform
win7-20240221-en
Max time kernel
150s
Max time network
148s
Command Line
Signatures
Remcos
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 1984 set thread context of 2604 | N/A | C:\Users\Admin\AppData\Local\Temp\e3ded559a419a2ffadc6d56fa4884a6f_JaffaCakes118.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\e3ded559a419a2ffadc6d56fa4884a6f_JaffaCakes118.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\e3ded559a419a2ffadc6d56fa4884a6f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e3ded559a419a2ffadc6d56fa4884a6f_JaffaCakes118.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\XeTozECCRX" /XML "C:\Users\Admin\AppData\Local\Temp\tmp98E5.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
"{path}"
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| HK | 172.111.234.10:8088 | | tcp |
| HK | 172.111.234.10:8088 | | tcp |
| HK | 172.111.234.10:8088 | | tcp |
| HK | 172.111.234.10:8088 | | tcp |
| HK | 172.111.234.10:8088 | | tcp |
| HK | 172.111.234.10:8088 | | tcp |
Files
memory/1984-2-0x00000000007D0000-0x0000000000810000-memory.dmp
memory/1984-1-0x0000000074120000-0x00000000746CB000-memory.dmp
memory/1984-0-0x0000000074120000-0x00000000746CB000-memory.dmp
memory/1984-3-0x0000000074120000-0x00000000746CB000-memory.dmp
memory/1984-4-0x00000000007D0000-0x0000000000810000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmp98E5.tmp
| MD5 | e65c566553729bc6f398e62bb8c7267d |
| SHA1 | 2b10d77726aa58a7f88eb55bb48af1b5b50ae898 |
| SHA256 | be7b32c1d7a9caae5ccef4cd54318acb3427143662b4b78c0c090c47fad59b59 |
| SHA512 | c627941baf1c689858ed197033e6a51fdacc35b6a1a1db095aff552291fbb37f9ad40540af787b7b90039e5e6ce572d11a9d31f65159ad80c0299b102b4567ed |
memory/2604-8-0x0000000000400000-0x0000000000479000-memory.dmp
memory/2604-10-0x0000000000400000-0x0000000000479000-memory.dmp
memory/2604-11-0x0000000000400000-0x0000000000479000-memory.dmp
memory/2604-12-0x0000000000400000-0x0000000000479000-memory.dmp
memory/2604-13-0x0000000000400000-0x0000000000479000-memory.dmp
memory/2604-14-0x0000000000400000-0x0000000000479000-memory.dmp
memory/2604-15-0x0000000000400000-0x0000000000479000-memory.dmp
memory/2604-16-0x0000000000400000-0x0000000000479000-memory.dmp
memory/2604-17-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2604-19-0x0000000000400000-0x0000000000479000-memory.dmp
memory/1984-22-0x0000000074120000-0x00000000746CB000-memory.dmp
memory/2604-23-0x0000000000400000-0x0000000000479000-memory.dmp
memory/2604-21-0x0000000000400000-0x0000000000479000-memory.dmp
memory/2604-24-0x0000000000400000-0x0000000000479000-memory.dmp
memory/2604-25-0x0000000000400000-0x0000000000479000-memory.dmp
memory/2604-26-0x0000000000400000-0x0000000000479000-memory.dmp
memory/2604-27-0x0000000000400000-0x0000000000479000-memory.dmp
memory/2604-28-0x0000000000400000-0x0000000000479000-memory.dmp