Analysis Overview
SHA256
55b224df6ca9593755fd06307b3208bfd8ddee2dcfc66ebab02f172a90cf155d
Threat Level: Shows suspicious behavior
The file e590aaff79ca23eee0a6b4876bd8d75a_JaffaCakes118 was found to be: Shows suspicious behavior.
Malicious Activity Summary
Loads dropped DLL
Executes dropped EXE
Adds Run key to start application
Suspicious use of SetThreadContext
Program crash
Suspicious use of WriteProcessMemory
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of UnmapMainImage
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-04-07 18:20
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-07 18:20
Reported
2024-04-07 18:23
Platform
win7-20240221-en
Max time kernel
150s
Max time network
138s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Yrib\bamed.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e590aaff79ca23eee0a6b4876bd8d75a_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e590aaff79ca23eee0a6b4876bd8d75a_JaffaCakes118.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\{7770FDC8-846D-AD4E-26F1-2C003EAC0F1D} = "C:\\Users\\Admin\\AppData\\Roaming\\Yrib\\bamed.exe" | C:\Users\Admin\AppData\Roaming\Yrib\bamed.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 996 set thread context of 2932 | N/A | C:\Users\Admin\AppData\Local\Temp\e590aaff79ca23eee0a6b4876bd8d75a_JaffaCakes118.exe | C:\Windows\SysWOW64\cmd.exe |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\cmd.exe |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Privacy | C:\Users\Admin\AppData\Local\Temp\e590aaff79ca23eee0a6b4876bd8d75a_JaffaCakes118.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0" | C:\Users\Admin\AppData\Local\Temp\e590aaff79ca23eee0a6b4876bd8d75a_JaffaCakes118.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\e590aaff79ca23eee0a6b4876bd8d75a_JaffaCakes118.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\e590aaff79ca23eee0a6b4876bd8d75a_JaffaCakes118.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\e590aaff79ca23eee0a6b4876bd8d75a_JaffaCakes118.exe | N/A |
Suspicious use of UnmapMainImage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e590aaff79ca23eee0a6b4876bd8d75a_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Yrib\bamed.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\taskhost.exe
"taskhost.exe"
C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
C:\Users\Admin\AppData\Local\Temp\e590aaff79ca23eee0a6b4876bd8d75a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e590aaff79ca23eee0a6b4876bd8d75a_JaffaCakes118.exe"
C:\Users\Admin\AppData\Roaming\Yrib\bamed.exe
"C:\Users\Admin\AppData\Roaming\Yrib\bamed.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmpae6e0ada.bat"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1504921251-16068321974138200161081262029-5459315101976628977-330411607-1834900375"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2932 -s 112
Network
| Country | Destination | Domain | Proto |
| LT | 178.19.25.92:25939 | udp | |
| PT | 94.62.27.189:28510 | udp | |
| US | 184.226.209.60:13724 | udp | |
| US | 24.176.16.81:24144 | udp | |
| US | 74.140.168.196:16814 | udp | |
| US | 99.90.38.37:17195 | udp | |
| JP | 114.148.255.187:25178 | udp | |
| UA | 178.54.12.177:18367 | udp | |
| IT | 79.4.241.217:29455 | udp |
Files
memory/996-0-0x0000000000290000-0x00000000002D1000-memory.dmp
memory/996-2-0x0000000000400000-0x0000000000441000-memory.dmp
memory/996-4-0x0000000000400000-0x0000000000441000-memory.dmp
memory/996-1-0x0000000000360000-0x00000000003B8000-memory.dmp
memory/996-5-0x0000000000400000-0x0000000000441000-memory.dmp
\Users\Admin\AppData\Roaming\Yrib\bamed.exe
| MD5 | 4060467fa300967e2bf5cd96c411a92a |
| SHA1 | 76bd3f2d690eaa845d19439ed067c462ef5031fa |
| SHA256 | d8419a71ee470784358086a5353af48c79dfb6300fb5a3fd444d96d3f8875b6d |
| SHA512 | 0f33a6ae0517f44fe1b86c4df05f6eddfcccd30581d4122e112dc914c5735d8ef2e3ed65766e5614f4393cf1451a92fcc19841f9c2601ec6f298616832143b1e |
memory/1080-17-0x0000000000320000-0x0000000000361000-memory.dmp
memory/2500-16-0x00000000005F0000-0x0000000000631000-memory.dmp
memory/1080-19-0x0000000000320000-0x0000000000361000-memory.dmp
memory/2500-20-0x0000000000400000-0x0000000000441000-memory.dmp
memory/2500-18-0x0000000001BE0000-0x0000000001C38000-memory.dmp
memory/1080-22-0x0000000000320000-0x0000000000361000-memory.dmp
memory/1080-24-0x0000000000320000-0x0000000000361000-memory.dmp
memory/1080-26-0x0000000000320000-0x0000000000361000-memory.dmp
memory/1180-30-0x0000000000240000-0x0000000000281000-memory.dmp
memory/1180-32-0x0000000000240000-0x0000000000281000-memory.dmp
memory/1180-34-0x0000000000240000-0x0000000000281000-memory.dmp
memory/1180-36-0x0000000000240000-0x0000000000281000-memory.dmp
memory/1212-39-0x0000000002DD0000-0x0000000002E11000-memory.dmp
memory/1212-40-0x0000000002DD0000-0x0000000002E11000-memory.dmp
memory/1212-41-0x0000000002DD0000-0x0000000002E11000-memory.dmp
memory/1212-42-0x0000000002DD0000-0x0000000002E11000-memory.dmp
memory/1732-44-0x00000000021E0000-0x0000000002221000-memory.dmp
memory/1732-45-0x00000000021E0000-0x0000000002221000-memory.dmp
memory/1732-46-0x00000000021E0000-0x0000000002221000-memory.dmp
memory/1732-47-0x00000000021E0000-0x0000000002221000-memory.dmp
memory/996-49-0x00000000004B0000-0x00000000004F1000-memory.dmp
memory/996-50-0x00000000004B0000-0x00000000004F1000-memory.dmp
memory/996-51-0x00000000004B0000-0x00000000004F1000-memory.dmp
memory/996-52-0x00000000004B0000-0x00000000004F1000-memory.dmp
memory/996-53-0x00000000004B0000-0x00000000004F1000-memory.dmp
memory/996-55-0x0000000000450000-0x0000000000451000-memory.dmp
memory/996-54-0x00000000004B0000-0x00000000004F1000-memory.dmp
memory/996-57-0x0000000000450000-0x0000000000451000-memory.dmp
memory/996-59-0x0000000000450000-0x0000000000451000-memory.dmp
memory/996-61-0x0000000000450000-0x0000000000451000-memory.dmp
memory/996-63-0x00000000774C0000-0x00000000774C1000-memory.dmp
memory/996-64-0x0000000000450000-0x0000000000451000-memory.dmp
memory/996-66-0x0000000000450000-0x0000000000451000-memory.dmp
memory/996-68-0x0000000000450000-0x0000000000451000-memory.dmp
memory/996-70-0x0000000000450000-0x0000000000451000-memory.dmp
memory/996-74-0x0000000000450000-0x0000000000451000-memory.dmp
memory/996-72-0x0000000000450000-0x0000000000451000-memory.dmp
memory/996-82-0x0000000000450000-0x0000000000451000-memory.dmp
memory/996-80-0x0000000000450000-0x0000000000451000-memory.dmp
memory/996-78-0x0000000000450000-0x0000000000451000-memory.dmp
memory/996-76-0x0000000000450000-0x0000000000451000-memory.dmp
memory/996-148-0x0000000000450000-0x0000000000451000-memory.dmp
C:\Users\Admin\AppData\Roaming\Cicyn\ifxuy.voe
| MD5 | 6eec68a30d02befefeea69ec678db7f7 |
| SHA1 | c3f0507747f008d80bd65c7f61678b6d322e3941 |
| SHA256 | d7be2673a25b66034f6bc705517928833614009481402ae484046299e2344e88 |
| SHA512 | d63564c2887b1aa4aa97bf053072f49c09637fa3bb450bed61eb208eb9169a14287161f268a83938f5f7dbb2959f09172c8847821ef1045abae949c64c8a0e05 |
memory/996-171-0x0000000000400000-0x0000000000441000-memory.dmp
memory/996-172-0x00000000004B0000-0x00000000004F1000-memory.dmp
memory/1568-189-0x00000000774C0000-0x00000000774C1000-memory.dmp
memory/1568-187-0x00000000774C0000-0x00000000774C1000-memory.dmp
memory/1568-185-0x0000000000C80000-0x0000000000CC1000-memory.dmp
memory/1568-283-0x0000000002680000-0x0000000002681000-memory.dmp
memory/1568-284-0x0000000000C80000-0x0000000000CC1000-memory.dmp
memory/2500-285-0x0000000000400000-0x0000000000441000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-07 18:20
Reported
2024-04-07 18:23
Platform
win10v2004-20240226-en
Max time kernel
149s
Max time network
150s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\e590aaff79ca23eee0a6b4876bd8d75a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e590aaff79ca23eee0a6b4876bd8d75a_JaffaCakes118.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.143.182.52.in-addr.arpa | udp |
Files
memory/3972-0-0x0000000000A50000-0x0000000000A91000-memory.dmp
memory/3972-1-0x0000000002290000-0x00000000022E8000-memory.dmp
memory/3972-2-0x0000000000400000-0x0000000000441000-memory.dmp
memory/3972-3-0x0000000000400000-0x0000000000441000-memory.dmp
memory/3972-5-0x0000000002290000-0x00000000022E8000-memory.dmp