Analysis Overview
SHA256
bcbc3eac0f777f27bdacb1cdade005bf50860fded0fa39205a66f5c9560ab80e
Threat Level: Known bad
The file eb1a9295b13583f1d12db61027e72fa3_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
AsyncRat
LimeRAT
Async RAT payload
Checks computer location settings
Loads dropped DLL
Executes dropped EXE
Legitimate hosting services abused for malware hosting/C2
Unsigned PE
Enumerates physical storage devices
Uses Task Scheduler COM API
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Delays execution with timeout.exe
Suspicious use of WriteProcessMemory
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2024-04-10 12:48
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-10 12:48
Reported
2024-04-10 12:50
Platform
win7-20240221-en
Max time kernel
143s
Max time network
147s
Command Line
Signatures
AsyncRat
LimeRAT
Async RAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SocialExtractor Cracked\SocialExtractor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-VIFHD.tmp\SocialExtractor.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\scvhost.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SocialExtractor Cracked\SocialExtractor.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\scvhost.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-VIFHD.tmp\SocialExtractor.tmp | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\client.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\scvhost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\scvhost.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\eb1a9295b13583f1d12db61027e72fa3_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\eb1a9295b13583f1d12db61027e72fa3_JaffaCakes118.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\Untitled1.bat" > NUL"
C:\Users\Admin\AppData\Local\Temp\SocialExtractor Cracked\SocialExtractor.exe
SocialExtractor.exe
C:\Users\Admin\AppData\Roaming\Microsoft\client.exe
client.exe
C:\Users\Admin\AppData\Local\Temp\is-VIFHD.tmp\SocialExtractor.tmp
"C:\Users\Admin\AppData\Local\Temp\is-VIFHD.tmp\SocialExtractor.tmp" /SL5="$70120,1346769,130560,C:\Users\Admin\AppData\Local\Temp\SocialExtractor Cracked\SocialExtractor.exe"
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "'scvhost"' /tr "'C:\Users\Admin\AppData\Roaming\scvhost.exe"'
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpA44B.tmp.bat""
C:\Windows\system32\timeout.exe
timeout 3
C:\Users\Admin\AppData\Roaming\scvhost.exe
"C:\Users\Admin\AppData\Roaming\scvhost.exe"
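The process list above shows the full chain a detection engineer cares about: the dropped `client.exe` registers a logon-time scheduled task with `/RL HIGHEST`, pointing at a copy named `scvhost.exe` (a one-letter transposition of `svchost.exe`) in `%AppData%`, then runs a temporary `.bat` that sleeps with `timeout 3` before launching that copy. The script below is an added example for this page, not sandbox output or AsyncRAT code: it rebuilds a process tree from the report's command lines (PIDs and parent/child links are assumptions, since the report does not print them) and flags the three patterns with rules that generalise beyond this sample (any logon task targeting a user-writable path, any system-binary lookalike outside `C:\Windows`, any temp batch file that pairs `timeout.exe` with a second child).

```python
"""Process-tree triage for the persistence and delay chain in the report.

Added example, not part of the sandbox report. Images and command lines are
copied from the behavioral1 process list; PIDs and parent links are assumed.
"""
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed sample: PIDs/parents are assumptions, the rest is from the report.
SAMPLE_EVENTS = [
    ProcEvent(1000, 1, r"C:\Users\Admin\AppData\Local\Temp\eb1a9295b13583f1d12db61027e72fa3_JaffaCakes118.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\eb1a9295b13583f1d12db61027e72fa3_JaffaCakes118.exe"'),
    ProcEvent(1001, 1000, r"C:\Windows\SysWOW64\cmd.exe",
              r'cmd /c ""C:\Users\Admin\AppData\Local\Temp\Untitled1.bat" > NUL"'),
    ProcEvent(1002, 1001, r"C:\Users\Admin\AppData\Local\Temp\SocialExtractor Cracked\SocialExtractor.exe",
              "SocialExtractor.exe"),
    ProcEvent(1003, 1001, r"C:\Users\Admin\AppData\Roaming\Microsoft\client.exe", "client.exe"),
    ProcEvent(1004, 1002, r"C:\Users\Admin\AppData\Local\Temp\is-VIFHD.tmp\SocialExtractor.tmp",
              r'"C:\Users\Admin\AppData\Local\Temp\is-VIFHD.tmp\SocialExtractor.tmp" /SL5="$70120,1346769,130560,C:\Users\Admin\AppData\Local\Temp\SocialExtractor Cracked\SocialExtractor.exe"'),
    ProcEvent(1005, 1003, r"C:\Windows\System32\schtasks.exe",
              "\"C:\\Windows\\System32\\schtasks.exe\" /create /f /sc ONLOGON /RL HIGHEST "
              "/tn \"'scvhost\"' /tr \"'C:\\Users\\Admin\\AppData\\Roaming\\scvhost.exe\"'"),
    ProcEvent(1006, 1003, r"C:\Windows\system32\cmd.exe",
              r'cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpA44B.tmp.bat""'),
    ProcEvent(1007, 1006, r"C:\Windows\system32\timeout.exe", "timeout 3"),
    ProcEvent(1008, 1006, r"C:\Users\Admin\AppData\Roaming\scvhost.exe",
              r'"C:\Users\Admin\AppData\Roaming\scvhost.exe"'),
]

# Names that malware likes to imitate; the list is an assumption, extend as needed.
SYSTEM_BINARIES = {"svchost.exe", "csrss.exe", "lsass.exe", "winlogon.exe", "explorer.exe"}
# cmd.exe launching a temp batch file of the tmpXXXX.tmp.bat form seen in the report.
TEMP_BAT = re.compile(r"\\tmp[0-9A-F]{4}\.tmp\.bat", re.IGNORECASE)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def under_windows_dir(path: str) -> bool:
    return path.lower().startswith("c:\\windows\\")


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance; a transposition such as scv/svc costs 2."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def detect(events):
    """Return (rule, pid) findings for the persistence/delay patterns."""
    children = defaultdict(list)
    for e in events:
        children[e.ppid].append(e)

    findings = []
    for e in events:
        cl = e.cmdline.lower()
        name = basename(e.image)

        # Rule 1: logon-triggered task at the highest run level whose action lives under AppData.
        if (name == "schtasks.exe" and "/create" in cl and "onlogon" in cl
                and "/rl highest" in cl and "\\appdata\\" in cl):
            findings.append(("T1053.005 scheduled task persistence", e.pid))

        # Rule 2: a near-miss of a Windows system binary name running outside C:\Windows.
        if (not under_windows_dir(e.image) and name not in SYSTEM_BINARIES
                and any(edit_distance(name, s) <= 2 for s in SYSTEM_BINARIES)):
            findings.append(("T1036.005 masquerading as system binary", e.pid))

        # Rule 3: temp batch file that sleeps via timeout.exe and then starts something else.
        if name == "cmd.exe" and TEMP_BAT.search(e.cmdline):
            kids = {basename(c.image) for c in children[e.pid]}
            if "timeout.exe" in kids and len(kids) > 1:
                findings.append(("T1497.003 timeout delay before launch", e.pid))
    return findings


if __name__ == "__main__":
    for rule, pid in detect(SAMPLE_EVENTS):
        print(f"{pid}: {rule}")
```

Rule 2 deliberately uses a distance threshold rather than a fixed list of misspellings, so `scvhost.exe`, `svch0st.exe` and similar variants all trip it, at the cost of a few benign near-misses that need reviewing; tighten the threshold or add an allowlist in production.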
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 104.20.67.143:443 | pastebin.com | tcp |
| FR | 51.254.177.155:7071 | | tcp |
| FR | 51.254.177.155:5051 | | tcp |
| FR | 51.254.177.155:7071 | | tcp |
| FR | 51.254.177.155:5051 | | tcp |
| FR | 51.254.177.155:7071 | | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\Untitled1.bat
| MD5 | c86aebc029adf9aaab1211939c01e999 |
| SHA1 | 93e408eb832c9c1ee60652cf2b5a2185c76f704d |
| SHA256 | 60ae8673855a220d7fe13b7f8a40669431682caac3a64d67cac7edf0f8030776 |
| SHA512 | 27505b95e93f91f0bd288ae2a4532ad041caa2dcecbfc7b65790be7c78f13945776fe2ca4692fd3fe9cb83ab3ff19bb3724d248e3ad06e821f241f88e909b01a |
\Users\Admin\AppData\Local\Temp\SocialExtractor Cracked\SocialExtractor.exe
| MD5 | 1fa50a9e04bcb2a0c1a0f2207a790f87 |
| SHA1 | 0b635ab3963305920bc38fada7ea6b19f22ff80d |
| SHA256 | ea6d36128832517f0dc80d484d5bfa2743b81cf5fcd35eb55a5d81425c409952 |
| SHA512 | edc681eac890b0a0a20dc6e66c43a3e0b072c4931cd53453dc368af03a60fc2fd69591c0f6bf5119b3b9ed87083930c03b41e31f5d3f4db63c0514504af84515 |
C:\Users\Admin\AppData\Local\Temp\SocialExtractor Cracked\client1.exe
| MD5 | 686450ae4670a34ce50887e6cad59b33 |
| SHA1 | 87386f41e240c9d77a4ab86bfd5e8bb86479ca05 |
| SHA256 | c510955a49256a7e86cda23b6cdc4328f43bfa449f583f87c12e9e7d9e037435 |
| SHA512 | 1afee6ef90a3fa53533f50333f6068813741fa8173f500d6215feb1767a1c66a9bc24ab4aa8f35a042c006c1e3f61be3763f624985b0ba16ff98ef014f7b6cc7 |
C:\Users\Admin\AppData\Local\Temp\SocialExtractor Cracked\client.exe
| MD5 | 250c653e112343e53b5b7663106668b4 |
| SHA1 | 922c3645fde2ce0e8f61b466c436fc3b2461dbdb |
| SHA256 | 1e43894d0469a136302deb3e21cf15855e2845ef8f1cdab693afd29306fc28b4 |
| SHA512 | 61d23d0e4d278d794dc58b89ab31663f5b560cf0714520feba17baa6a0708aa2e5fb499a51a30a8e8236bdc52864bb697bbb6f2446a579dc586f6585e64a5233 |
memory/2664-19-0x0000000000400000-0x0000000000427000-memory.dmp
\Users\Admin\AppData\Local\Temp\is-VIFHD.tmp\SocialExtractor.tmp
| MD5 | d2481b1c46abfb624d42ef7de2571183 |
| SHA1 | 0662e0f372014783de00502baf777c89f319a2e9 |
| SHA256 | 5ce99063e4e9c1b4292e07c39732965ffdd96f0527c8a2d97fc904c01c3d6d94 |
| SHA512 | b8ec89ba2b98195dc26190a1ac0a950ed92061c837adbdda5496782aaf8fb1edc6d04c51c42d8c0f18d967cdf9a1f34ff27779c6eaecff36f961ab2d1909b08e |
memory/2972-28-0x0000000000240000-0x0000000000241000-memory.dmp
memory/2840-29-0x0000000000F90000-0x0000000000FA2000-memory.dmp
memory/2840-30-0x000007FEF5240000-0x000007FEF5C2C000-memory.dmp
memory/2840-31-0x0000000000AC0000-0x0000000000B40000-memory.dmp
memory/2664-33-0x0000000000400000-0x0000000000427000-memory.dmp
memory/2972-34-0x0000000000400000-0x00000000004D0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmpA44B.tmp.bat
| MD5 | 09abbeff853b722961c30656792b3cbf |
| SHA1 | cd5de6c3f7a01ded8a34ac6435d6e38f33ffd318 |
| SHA256 | 7aad2b01648d04f8a2e33ae1096e13f6cf3d2660903d3b2e4138423484584359 |
| SHA512 | 9e193019631e4132334f707392cfe3ac08aaf6ceef113ded544e71e705e37d582a932c6b33cad6a9b65b7e1b5d9ae736fa0e75762396c047749194a53fbc60b9 |
memory/2840-44-0x000007FEF5240000-0x000007FEF5C2C000-memory.dmp
memory/604-49-0x0000000000F80000-0x0000000000F92000-memory.dmp
C:\Users\Admin\AppData\Roaming\scvhost.exe
| MD5 | c195edfce0578f293247176f7916ffea |
| SHA1 | 2995172d4fc6da48b2cd349f846dc44c4c8d092c |
| SHA256 | 6ecd3a1617ae5bfbb9a38d58d89f2fdad1654fa2cbf24509e37f770e192e90b9 |
| SHA512 | 6eabd344057ea105fed32ef5c0db519c88ee0eada6d5dd4cfa0a0451caa7739cb8e817645a7d395c092016e581e4a5ca98ea07872edf0e035eb6b2b7701f4059 |
memory/2972-51-0x0000000000240000-0x0000000000241000-memory.dmp
memory/604-52-0x000007FEF4850000-0x000007FEF523C000-memory.dmp
memory/604-53-0x000000001B0B0000-0x000000001B130000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
| MD5 | 29f65ba8e88c063813cc50a4ea544e93 |
| SHA1 | 05a7040d5c127e68c25d81cc51271ffb8bef3568 |
| SHA256 | 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184 |
| SHA512 | e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa |
C:\Users\Admin\AppData\Local\Temp\TarD975.tmp
| MD5 | 435a9ac180383f9fa094131b173a2f7b |
| SHA1 | 76944ea657a9db94f9a4bef38f88c46ed4166983 |
| SHA256 | 67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34 |
| SHA512 | 1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a |
memory/604-95-0x000007FEF4850000-0x000007FEF523C000-memory.dmp
memory/604-96-0x000000001B0B0000-0x000000001B130000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-10 12:48
Reported
2024-04-10 12:51
Platform
win10v2004-20240226-en
Max time kernel
148s
Max time network
158s
Command Line
Signatures
AsyncRat
LimeRAT
Async RAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\Microsoft\client.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SocialExtractor Cracked\SocialExtractor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-P861E.tmp\SocialExtractor.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\scvhost.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\client.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\scvhost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\scvhost.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\eb1a9295b13583f1d12db61027e72fa3_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\eb1a9295b13583f1d12db61027e72fa3_JaffaCakes118.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Untitled1.bat" > NUL"
C:\Users\Admin\AppData\Local\Temp\SocialExtractor Cracked\SocialExtractor.exe
SocialExtractor.exe
C:\Users\Admin\AppData\Roaming\Microsoft\client.exe
client.exe
C:\Users\Admin\AppData\Local\Temp\is-P861E.tmp\SocialExtractor.tmp
"C:\Users\Admin\AppData\Local\Temp\is-P861E.tmp\SocialExtractor.tmp" /SL5="$A0030,1346769,130560,C:\Users\Admin\AppData\Local\Temp\SocialExtractor Cracked\SocialExtractor.exe"
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "'scvhost"' /tr "'C:\Users\Admin\AppData\Roaming\scvhost.exe"'
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp366D.tmp.bat""
C:\Windows\system32\timeout.exe
timeout 3
C:\Users\Admin\AppData\Roaming\scvhost.exe
"C:\Users\Admin\AppData\Roaming\scvhost.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4032 --field-trial-handle=2900,i,14549994492153927475,12895178890800740987,262144 --variations-seed-version /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 25.140.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 16.53.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 20.231.121.79:80 | | tcp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 25.14.97.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 104.20.67.143:443 | pastebin.com | tcp |
| FR | 51.254.177.155:5051 | | tcp |
| US | 8.8.8.8:53 | 143.67.20.104.in-addr.arpa | udp |
| FR | 51.254.177.155:5051 | | tcp |
| US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp |
| FR | 51.254.177.155:5051 | | tcp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| FR | 51.254.177.155:5051 | | tcp |
| FR | 51.254.177.155:8091 | | tcp |
| US | 8.8.8.8:53 | 252.15.104.51.in-addr.arpa | udp |
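Both Network tables (behavioral1 and behavioral2) carry the same two signals buried in resolver noise: a forward lookup and HTTPS session to pastebin.com, which the "Legitimate hosting services abused for malware hosting/C2" signature refers to, and repeated TCP connections to 51.254.177.155 on non-web ports (7071 and 5051 on Windows 7, 5051 and 8091 on Windows 10). The Windows 10 run adds a dozen `in-addr.arpa` reverse lookups and a port-80 connection to 20.231.121.79 that the report does not attribute. The script below is an added example for this page, not sandbox code: it parses rows in the table format used here (rows constructed from both tables), drops reverse-DNS noise, and splits the rest into dead-drop domains, likely C2 endpoints (an IP contacted on any port other than 80/443) and a review bucket for unattributed web-port traffic. The paste-site list is an assumption.

```python
"""Turn the report's Network rows into a small, labelled IOC set.

Added example, not part of the sandbox report. SAMPLE_ROWS is constructed from
rows of the two Network tables; PASTE_SITES is an assumed list.
"""
import re
from collections import defaultdict

# Constructed sample: rows copied from the behavioral1 and behavioral2 tables.
SAMPLE_ROWS = """
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 104.20.67.143:443 | pastebin.com | tcp |
| FR | 51.254.177.155:7071 | | tcp |
| FR | 51.254.177.155:5051 | | tcp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 20.231.121.79:80 | | tcp |
| FR | 51.254.177.155:8091 | | tcp |
"""

# | country | ip:port | domain (may be empty) | proto |
ROW = re.compile(
    r"^\|\s*(\w\w)\s*\|\s*([\d.]+):(\d+)\s*\|\s*([^|]*?)\s*\|\s*(tcp|udp)\s*\|$"
)

# Assumption: hosts commonly used as dead-drop resolvers for C2 addresses.
PASTE_SITES = {"pastebin.com", "paste.ee"}
WEB_PORTS = {80, 443}


def parse_rows(text: str):
    """Parse markdown table rows into connection dicts; malformed rows are skipped."""
    conns = []
    for line in text.strip().splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue
        cc, ip, port, domain, proto = m.groups()
        conns.append({"cc": cc, "ip": ip, "port": int(port),
                      "domain": domain or None, "proto": proto})
    return conns


def triage(conns):
    """Bucket connections into dead-drop domains, likely C2 endpoints and items to review."""
    iocs = {"dead_drop_domains": set(), "c2_endpoints": set(), "review": set()}
    ports_by_ip = defaultdict(set)

    for c in conns:
        dom = c["domain"]
        if c["proto"] == "udp" and c["port"] == 53:
            # Reverse lookups are resolver noise; forward lookups of paste sites matter.
            if dom and not dom.endswith(".in-addr.arpa") and dom in PASTE_SITES:
                iocs["dead_drop_domains"].add(dom)
            continue
        if dom in PASTE_SITES:
            iocs["dead_drop_domains"].add(dom)  # the HTTPS fetch of the dead drop itself
            continue
        ports_by_ip[c["ip"]].add(c["port"])

    for ip, ports in ports_by_ip.items():
        bucket = "c2_endpoints" if ports - WEB_PORTS else "review"
        iocs[bucket].update(f"{ip}:{p}" for p in sorted(ports))
    return iocs


if __name__ == "__main__":
    for bucket, items in triage(parse_rows(SAMPLE_ROWS)).items():
        print(bucket, sorted(items))
```

The "any non-web port" heuristic is what makes 51.254.177.155 stand out even though it also answers on 5051 in both runs; the port-80 hit on 20.231.121.79 stays in the review bucket because nothing in the report ties it to the sample.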
Files
C:\Users\Admin\AppData\Local\Temp\Untitled1.bat
| MD5 | c86aebc029adf9aaab1211939c01e999 |
| SHA1 | 93e408eb832c9c1ee60652cf2b5a2185c76f704d |
| SHA256 | 60ae8673855a220d7fe13b7f8a40669431682caac3a64d67cac7edf0f8030776 |
| SHA512 | 27505b95e93f91f0bd288ae2a4532ad041caa2dcecbfc7b65790be7c78f13945776fe2ca4692fd3fe9cb83ab3ff19bb3724d248e3ad06e821f241f88e909b01a |
C:\Users\Admin\AppData\Local\Temp\SocialExtractor Cracked\SocialExtractor.exe
| MD5 | 1fa50a9e04bcb2a0c1a0f2207a790f87 |
| SHA1 | 0b635ab3963305920bc38fada7ea6b19f22ff80d |
| SHA256 | ea6d36128832517f0dc80d484d5bfa2743b81cf5fcd35eb55a5d81425c409952 |
| SHA512 | edc681eac890b0a0a20dc6e66c43a3e0b072c4931cd53453dc368af03a60fc2fd69591c0f6bf5119b3b9ed87083930c03b41e31f5d3f4db63c0514504af84515 |
C:\Users\Admin\AppData\Local\Temp\SocialExtractor Cracked\client1.exe
| MD5 | 686450ae4670a34ce50887e6cad59b33 |
| SHA1 | 87386f41e240c9d77a4ab86bfd5e8bb86479ca05 |
| SHA256 | c510955a49256a7e86cda23b6cdc4328f43bfa449f583f87c12e9e7d9e037435 |
| SHA512 | 1afee6ef90a3fa53533f50333f6068813741fa8173f500d6215feb1767a1c66a9bc24ab4aa8f35a042c006c1e3f61be3763f624985b0ba16ff98ef014f7b6cc7 |
C:\Users\Admin\AppData\Local\Temp\SocialExtractor Cracked\client.exe
| MD5 | 250c653e112343e53b5b7663106668b4 |
| SHA1 | 922c3645fde2ce0e8f61b466c436fc3b2461dbdb |
| SHA256 | 1e43894d0469a136302deb3e21cf15855e2845ef8f1cdab693afd29306fc28b4 |
| SHA512 | 61d23d0e4d278d794dc58b89ab31663f5b560cf0714520feba17baa6a0708aa2e5fb499a51a30a8e8236bdc52864bb697bbb6f2446a579dc586f6585e64a5233 |
memory/3944-13-0x0000000000400000-0x0000000000427000-memory.dmp
memory/4160-17-0x0000000000920000-0x0000000000932000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\is-P861E.tmp\SocialExtractor.tmp
| MD5 | d2481b1c46abfb624d42ef7de2571183 |
| SHA1 | 0662e0f372014783de00502baf777c89f319a2e9 |
| SHA256 | 5ce99063e4e9c1b4292e07c39732965ffdd96f0527c8a2d97fc904c01c3d6d94 |
| SHA512 | b8ec89ba2b98195dc26190a1ac0a950ed92061c837adbdda5496782aaf8fb1edc6d04c51c42d8c0f18d967cdf9a1f34ff27779c6eaecff36f961ab2d1909b08e |
memory/4160-20-0x00007FFE89DA0000-0x00007FFE8A861000-memory.dmp
memory/4928-22-0x00000000007B0000-0x00000000007B1000-memory.dmp
memory/4160-23-0x000000001B6F0000-0x000000001B700000-memory.dmp
memory/3944-25-0x0000000000400000-0x0000000000427000-memory.dmp
memory/4928-26-0x0000000000400000-0x00000000004D0000-memory.dmp
memory/4160-31-0x00007FFE89DA0000-0x00007FFE8A861000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmp366D.tmp.bat
| MD5 | d433d30f68cccf130f60c22750d25412 |
| SHA1 | 51516ebf95699902c9a79bc50e6d253406f252e6 |
| SHA256 | f2944b0dd8de8e3946dcb9317d6a96bd9245764a50160a302e11402eaa89353f |
| SHA512 | 6a37f522ccdccb73797e17a021503438e8977a93702f1f2bfc8831ee8b46c066bdc70dba3eb8e644091913d6d825ab46db6c07d796f0f2c328b2e2dbaef4bea2 |
C:\Users\Admin\AppData\Roaming\scvhost.exe
| MD5 | ee46bb4ca1eaf7b6a4b8914880835314 |
| SHA1 | f30b7d41dbda86f12338c7a61e64dd7aa1ea915e |
| SHA256 | 972ff3699ae8d2c0f2b2ca52189223751ed57a9a7860bf71557041e4fc4accc4 |
| SHA512 | d7b10ddbf3ad3f36c4c9f6edd92e3ae8a9df304d0ca20ee7ca1c6f92e09f479f1ecca6b9a93ae2349c32253287e73f322bb6c8beb875e4a0d8e1559e307720d5 |
memory/3788-37-0x00007FFE89DA0000-0x00007FFE8A861000-memory.dmp
memory/3788-40-0x0000000002E70000-0x0000000002E80000-memory.dmp
memory/4928-39-0x00000000007B0000-0x00000000007B1000-memory.dmp
memory/3788-45-0x00007FFE89DA0000-0x00007FFE8A861000-memory.dmp
memory/3788-46-0x0000000002E70000-0x0000000002E80000-memory.dmp