Analysis Overview
SHA256
8e6c49b05813f0887f6efef38a0088ee56b701638b59c5d05803a5e77041ead8
Threat Level: Shows suspicious behavior
The file e55eea88697151e211ff353fad78c9c6_JaffaCakes118 was found to show suspicious behavior.
Malicious Activity Summary
Executes dropped EXE
Loads dropped DLL
Reads local data of messenger clients
Reads data files stored by FTP clients
Reads user/profile data of web browsers
Suspicious use of SetThreadContext
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-04-07 16:35
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-07 16:35
Reported
2024-04-07 16:38
Platform
win7-20231129-en
Max time kernel
117s
Max time network
118s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\lshss.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e55eea88697151e211ff353fad78c9c6_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e55eea88697151e211ff353fad78c9c6_JaffaCakes118.exe | N/A |
Reads data files stored by FTP clients
Reads local data of messenger clients
Reads user/profile data of web browsers
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 2880 set thread context of 2996 | N/A | C:\Users\Admin\AppData\Local\Temp\e55eea88697151e211ff353fad78c9c6_JaffaCakes118.exe | C:\Users\Admin\AppData\Roaming\lshss.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e55eea88697151e211ff353fad78c9c6_JaffaCakes118.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\e55eea88697151e211ff353fad78c9c6_JaffaCakes118.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\e55eea88697151e211ff353fad78c9c6_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e55eea88697151e211ff353fad78c9c6_JaffaCakes118.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\rsae4a7c.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBA5.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCBA4.tmp"
C:\Users\Admin\AppData\Roaming\lshss.exe
C:\Users\Admin\AppData\Roaming\lshss.exe
Network
Files
memory/2880-1-0x0000000000AB0000-0x0000000000AF0000-memory.dmp
memory/2880-0-0x0000000074C60000-0x000000007520B000-memory.dmp
memory/2880-2-0x0000000074C60000-0x000000007520B000-memory.dmp
\??\c:\Users\Admin\AppData\Local\Temp\rsae4a7c.cmdline
| MD5 | 811dea3fe6080d0741bbcb85e4cce04c |
| SHA1 | b1b83a8bae64bad44515202637b0a31eeb3d8039 |
| SHA256 | f48e817dcce75e1bfa667a7509ff3f082c930bd2141b3de45157b5f2f0ce6135 |
| SHA512 | f20a13bc644a300f3cfe3bda46941cda9646635edb001f4f05e9f2fa197a1663175991bdf52c05374093d4a0810cc334021bae87c2b97eca4e765a4fc0b88946 |
\??\c:\Users\Admin\AppData\Local\Temp\rsae4a7c.0.cs
| MD5 | b63430207638c1a36b9b27002e0da3da |
| SHA1 | 54356082f32c71498c4ac5f85f4588e0d1c57ad0 |
| SHA256 | fa125ed8e48d596788a8ad5589bc996b918de3fc27008bea888b9e1b5efa2193 |
| SHA512 | 29ea956fb37628dac43693d5f234698510923d562ab22e53131b1919f788ed5fd3116ed501be79554e47113d795b06f5ad255c7dfee2bb9e021eb0ab14e9b737 |
\??\c:\Users\Admin\AppData\Local\Temp\CSCBA4.tmp
| MD5 | 73840ab6dfe2e2e2ddad556b38f495e3 |
| SHA1 | fc4fb5ed3ce6cd98dc65ab51802da3b342cd4fde |
| SHA256 | daa318ed5cc62ab952a666577ff130ae672b823be21759d32f707008d3d4dd1d |
| SHA512 | 65df3ada9cfbd7709442777f33dfe1d83944f0efb3201f5a4fe96cd9f30616bab0b275af8300f96fe3314d0a65bc7192f9a312cb2ca11d5c9d176faed535196f |
C:\Users\Admin\AppData\Local\Temp\rsae4a7c.dll
| MD5 | cda3ee1d78971975bac1f859868ef6f0 |
| SHA1 | e0e7e56a8e6d87d5e090a8288f6bda53f81d90e4 |
| SHA256 | 73ce157804d85d457cc8519a23c4c47390456a349809e523768e2ffbb7c50f97 |
| SHA512 | ae55a00d683c9e2189d0ed2532b2e02a6e5e7ea9dee9ce1ed7d5dabe2dbee59c22bee2dbda66f5cbfa874f799fd9c6597bf647506a99bc6d11a562dc5619cee3 |
C:\Users\Admin\AppData\Local\Temp\RESBA5.tmp
| MD5 | e2b5062872991a3773016ffba6c3eedf |
| SHA1 | b328fcc03aa0a03fd2791b8dd2cf1f349df281a1 |
| SHA256 | 74f17feb3bd1ec2f57c50dbb67436351c91f55a379fceb30a8f3eaddfc709521 |
| SHA512 | 800822a3eec478c7b2787aa4591529a457300ed66d74be0985dad0f653f6a6f3ba703a0595c697181712304c24c1368de8cddcc55e1dc1afa8472fbba85732ac |
\Users\Admin\AppData\Roaming\lshss.exe
| MD5 | 13d0d61085689f96c51116d270aa3b2e |
| SHA1 | dcc67b7aa625cb1ab1ce95e162c8c47dd5339b9e |
| SHA256 | cfac93f70813676cce818d22437ef49fc03ad669be219f5f8e9b36058d05712b |
| SHA512 | ee443a16dff0f46b9ba448075bdbe6110568989e9b39eff30fa3e7e5f200a816f4e20df49fddb588afbd3c7bf3a277ccadc744015af34a2e5bf8c4cc08e5dbd1 |
memory/2996-23-0x0000000000400000-0x0000000000457000-memory.dmp
memory/2996-24-0x0000000000400000-0x0000000000457000-memory.dmp
memory/2996-27-0x0000000000400000-0x0000000000457000-memory.dmp
memory/2996-28-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2996-26-0x0000000000400000-0x0000000000457000-memory.dmp
memory/2996-30-0x0000000000400000-0x0000000000457000-memory.dmp
memory/2996-25-0x0000000000400000-0x0000000000457000-memory.dmp
memory/2880-34-0x0000000074C60000-0x000000007520B000-memory.dmp
memory/2996-33-0x0000000000400000-0x0000000000457000-memory.dmp
memory/2996-35-0x0000000000400000-0x0000000000457000-memory.dmp
memory/2996-38-0x0000000000400000-0x0000000000457000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-07 16:35
Reported
2024-04-07 16:38
Platform
win10v2004-20240226-en
Max time kernel
92s
Max time network
96s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\lshss.exe | N/A |
Reads data files stored by FTP clients
Reads local data of messenger clients
Reads user/profile data of web browsers
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 1732 set thread context of 5076 | N/A | C:\Users\Admin\AppData\Local\Temp\e55eea88697151e211ff353fad78c9c6_JaffaCakes118.exe | C:\Users\Admin\AppData\Roaming\lshss.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e55eea88697151e211ff353fad78c9c6_JaffaCakes118.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\e55eea88697151e211ff353fad78c9c6_JaffaCakes118.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\e55eea88697151e211ff353fad78c9c6_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e55eea88697151e211ff353fad78c9c6_JaffaCakes118.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\skpbvwxf.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES40D3.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC40D2.tmp"
C:\Users\Admin\AppData\Roaming\lshss.exe
C:\Users\Admin\AppData\Roaming\lshss.exe
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 159.113.53.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.171.91.138.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
Files
memory/1732-0-0x0000000074770000-0x0000000074D21000-memory.dmp
memory/1732-1-0x0000000001180000-0x0000000001190000-memory.dmp
memory/1732-2-0x0000000074770000-0x0000000074D21000-memory.dmp
\??\c:\Users\Admin\AppData\Local\Temp\skpbvwxf.cmdline
| MD5 | 673de56976ef48788b29952e9e68b588 |
| SHA1 | 3749eb1a10241d0ef9fdae88776350a2379c1dc0 |
| SHA256 | a908ccea145de5a4a47e547c1904035c11e2fbaa96eec78f0f50b97701d61a8b |
| SHA512 | 3118305a898dc8936123b548fe1055052831aeae4c28d3547a8b74c5f02be01b24bc527e7990e6733b1f4f3e112c5fa66fb6d0375584497a77b6a8b4c00d43c3 |
\??\c:\Users\Admin\AppData\Local\Temp\skpbvwxf.0.cs
| MD5 | b63430207638c1a36b9b27002e0da3da |
| SHA1 | 54356082f32c71498c4ac5f85f4588e0d1c57ad0 |
| SHA256 | fa125ed8e48d596788a8ad5589bc996b918de3fc27008bea888b9e1b5efa2193 |
| SHA512 | 29ea956fb37628dac43693d5f234698510923d562ab22e53131b1919f788ed5fd3116ed501be79554e47113d795b06f5ad255c7dfee2bb9e021eb0ab14e9b737 |
memory/1788-9-0x0000000000940000-0x0000000000950000-memory.dmp
\??\c:\Users\Admin\AppData\Local\Temp\CSC40D2.tmp
| MD5 | 18a3c7778a435ef6ab236f0e34585291 |
| SHA1 | b00222d4c1dd9eeb03f869918317498321b13d66 |
| SHA256 | 5e0b843c20c452070f8bbb14c176db0fef75c2063000044dcfe2aaf57b1c7f6a |
| SHA512 | 89bc57544f608c6f1824219ab54666ffad5dc0bac98f8582c57c8ea4800d02db1bce523b6f184bd3e26771055f070946bdae6fa7d6ec82e6c5155c5509ecfccb |
C:\Users\Admin\AppData\Local\Temp\RES40D3.tmp
| MD5 | 292adfef19aa8825d14fba86fa18c86b |
| SHA1 | 0371d69282e6327313a63c72a92f961e13909104 |
| SHA256 | fc788567d7ad1022dd9cc6802dd802d979f7816224e3db2738433b1f11cb0b9a |
| SHA512 | eed53863fa8b20f96960744ee4f1ddfb07ce90d50be6a75df5e50ba5c413ab7a9bf1349f90a06c63cc1faa85806b5185bfa092094d9335fb8295097fd3ffd305 |
C:\Users\Admin\AppData\Local\Temp\skpbvwxf.dll
| MD5 | 1c3e4c3bd5307d66e867991a3120f374 |
| SHA1 | 4118f18c6b241f34653b6e716a8a714ec03559c1 |
| SHA256 | dac4ab449f50f0d8490949b44f8ddcdcef3e618a16b309aee3add39084221d94 |
| SHA512 | cfedf77b2c57a4d0478e6e17004f5a9041790ba0dd5083a7a55abf833edea7987c7e1168c1c77158449ffef38723a3e7e94343385365f92acba7d37d2b875eda |
memory/5076-19-0x0000000000400000-0x0000000000457000-memory.dmp
C:\Users\Admin\AppData\Roaming\lshss.exe
| MD5 | 13d0d61085689f96c51116d270aa3b2e |
| SHA1 | dcc67b7aa625cb1ab1ce95e162c8c47dd5339b9e |
| SHA256 | cfac93f70813676cce818d22437ef49fc03ad669be219f5f8e9b36058d05712b |
| SHA512 | ee443a16dff0f46b9ba448075bdbe6110568989e9b39eff30fa3e7e5f200a816f4e20df49fddb588afbd3c7bf3a277ccadc744015af34a2e5bf8c4cc08e5dbd1 |
memory/5076-24-0x0000000000400000-0x0000000000457000-memory.dmp
memory/1732-25-0x0000000074770000-0x0000000074D21000-memory.dmp
memory/5076-29-0x0000000000400000-0x0000000000457000-memory.dmp
memory/5076-26-0x0000000000400000-0x0000000000457000-memory.dmp