Analysis Overview
SHA256
cc355b38337412c3e3c0269dcd4c9211fd3d89893479380143a9e135be445cbb
Threat Level: Known bad
The file f84639b1a82e588933fefaf668225dfc_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
MetaSploit
Executes dropped EXE
Identifies Wine through registry keys
Loads dropped DLL
Drops file in System32 directory
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-04-18 15:14
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-18 15:14
Reported
2024-04-18 15:17
Platform
win7-20240215-en
Max time kernel
149s
Max time network
122s
Command Line
Signatures
MetaSploit
Executes dropped EXE
| Description | Indicator | Process | Target | Count |
| N/A | N/A | C:\Windows\SysWOW64\csrs.exe | N/A | 10 |
Identifies Wine through registry keys
| Description | Indicator | Process | Target | Count |
| Key opened | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\f84639b1a82e588933fefaf668225dfc_JaffaCakes118.exe | N/A | 1 |
| Key opened | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Wine | C:\Windows\SysWOW64\csrs.exe | N/A | 10 |
Loads dropped DLL
| Description | Indicator | Process | Target | Count |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f84639b1a82e588933fefaf668225dfc_JaffaCakes118.exe | N/A | 2 |
| N/A | N/A | C:\Windows\SysWOW64\csrs.exe | N/A | 18 |
Drops file in System32 directory
| Description | Indicator | Process | Target | Count |
| File created | C:\Windows\SysWOW64\csrs.exe | C:\Users\Admin\AppData\Local\Temp\f84639b1a82e588933fefaf668225dfc_JaffaCakes118.exe | N/A | 1 |
| File opened for modification | C:\Windows\SysWOW64\csrs.exe | C:\Users\Admin\AppData\Local\Temp\f84639b1a82e588933fefaf668225dfc_JaffaCakes118.exe | N/A | 1 |
| File created | C:\Windows\SysWOW64\csrs.exe | C:\Windows\SysWOW64\csrs.exe | N/A | 10 |
| File opened for modification | C:\Windows\SysWOW64\csrs.exe | C:\Windows\SysWOW64\csrs.exe | N/A | 10 |
Suspicious use of WriteProcessMemory
Processes
| Image | Command line |
| C:\Users\Admin\AppData\Local\Temp\f84639b1a82e588933fefaf668225dfc_JaffaCakes118.exe | "C:\Users\Admin\AppData\Local\Temp\f84639b1a82e588933fefaf668225dfc_JaffaCakes118.exe" |
| C:\Windows\SysWOW64\csrs.exe | C:\Windows\system32\csrs.exe 636 "C:\Users\Admin\AppData\Local\Temp\f84639b1a82e588933fefaf668225dfc_JaffaCakes118.exe" |
| C:\Windows\SysWOW64\csrs.exe | C:\Windows\system32\csrs.exe 692 "C:\Windows\SysWOW64\csrs.exe" |
| C:\Windows\SysWOW64\csrs.exe | C:\Windows\system32\csrs.exe 688 "C:\Windows\SysWOW64\csrs.exe" |
| C:\Windows\SysWOW64\csrs.exe | C:\Windows\system32\csrs.exe 704 "C:\Windows\SysWOW64\csrs.exe" |
| C:\Windows\SysWOW64\csrs.exe | C:\Windows\system32\csrs.exe 708 "C:\Windows\SysWOW64\csrs.exe" |
| C:\Windows\SysWOW64\csrs.exe | C:\Windows\system32\csrs.exe 684 "C:\Windows\SysWOW64\csrs.exe" |
| C:\Windows\SysWOW64\csrs.exe | C:\Windows\system32\csrs.exe 700 "C:\Windows\SysWOW64\csrs.exe" |
| C:\Windows\SysWOW64\csrs.exe | C:\Windows\system32\csrs.exe 712 "C:\Windows\SysWOW64\csrs.exe" |
| C:\Windows\SysWOW64\csrs.exe | C:\Windows\system32\csrs.exe 720 "C:\Windows\SysWOW64\csrs.exe" |
| C:\Windows\SysWOW64\csrs.exe | C:\Windows\system32\csrs.exe 716 "C:\Windows\SysWOW64\csrs.exe" |

The dropped binary is named csrs.exe, one letter short of the legitimate csrss.exe, and lands in SysWOW64: the sample is 32-bit, so its writes and launches of C:\Windows\system32 are redirected by WOW64 to SysWOW64, which is why the command line says system32 while the image path says SysWOW64. Every csrs.exe instance is started with a numeric argument followed by a quoted path, the submitted sample's path for the first instance and csrs.exe's own path for the rest. The csrs.exe listed under Files has the same MD5, SHA-1 and SHA-256 as the submitted file, so the ten instances are copies of the sample relaunching itself rather than a distinct second-stage payload.
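Added example, not part of the sandbox report and not code from the sample: Python detection logic for the three behaviours this report records, run over a handful of constructed Sysmon-style events. It flags a binary in System32/SysWOW64 whose name is one edit away from a genuine system binary (csrs.exe vs csrss.exe), a process started as `<exe> <number> "<path>"` where the quoted path is its parent's image (the relaunch pattern every csrs.exe above shows), and any process opening HKCU\Software\Wine (the Wine probe seen in both behavioral1 and behavioral2). Assumptions: the PIDs are taken from the memory-dump names above, but the parent/child links and the sample's own parent PID (1500) are made up to mirror the order of the process list; the SYSTEM_NAMES allowlist and the event field names are this example's choices, not any tool's schema.

```python
"""Detections for the behaviours in this report, over constructed events.
Added example; not output of the sandbox and not code from the sample."""
import re
from typing import Dict, List, Optional, Tuple

# Assumed allowlist of Windows binaries whose names malware imitates.
SYSTEM_NAMES = {"csrss.exe", "svchost.exe", "lsass.exe", "winlogon.exe", "smss.exe"}
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")

# Constructed events modelled on behavioral1 above. PIDs come from the memory
# dump names; parent links and the sample's parent PID (1500) are assumed.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\f84639b1a82e588933fefaf668225dfc_JaffaCakes118.exe"
CSRS = r"C:\Windows\SysWOW64\csrs.exe"
PROCESS_EVENTS = [
    {"pid": 2132, "ppid": 1500, "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    {"pid": 2488, "ppid": 2132, "image": CSRS,
     "cmdline": f'C:\\Windows\\system32\\csrs.exe 636 "{SAMPLE}"'},
    {"pid": 2464, "ppid": 2488, "image": CSRS,
     "cmdline": f'C:\\Windows\\system32\\csrs.exe 692 "{CSRS}"'},
    {"pid": 620, "ppid": 2464, "image": CSRS,
     "cmdline": f'C:\\Windows\\system32\\csrs.exe 688 "{CSRS}"'},
    # Benign control: the genuine csrss.exe started by smss.exe.
    {"pid": 404, "ppid": 396, "image": r"C:\Windows\System32\csrss.exe",
     "cmdline": r"%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows"},
]
REG_EVENTS = [
    {"pid": 2132, "op": "open",
     "key": r"\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Wine"},
    {"pid": 2488, "op": "open",
     "key": r"\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Wine"},
    {"pid": 404, "op": "open", "key": r"\REGISTRY\MACHINE\SYSTEM\CurrentControlSet\Control"},
]


def _split(path: str) -> Tuple[str, str]:
    """(lower-cased directory, lower-cased file name) of a Windows path."""
    directory, _, name = path.lower().rpartition("\\")
    return directory, name


def _one_edit_apart(a: str, b: str) -> bool:
    """True when a and b differ by exactly one insertion, deletion or substitution."""
    if a == b or abs(len(a) - len(b)) > 1:
        return False
    i = 0
    while i < min(len(a), len(b)) and a[i] == b[i]:
        i += 1
    if len(a) == len(b):
        return a[i + 1:] == b[i + 1:]
    short, long_ = sorted((a, b), key=len)
    return short[i:] == long_[i + 1:]


def lookalike_system_name(image: str) -> Optional[str]:
    """Return the system binary that `image` imitates: it sits in System32 or
    SysWOW64 under a name one edit away from a genuine one (csrs.exe -> csrss.exe)."""
    directory, name = _split(image)
    if directory not in SYSTEM_DIRS or name in SYSTEM_NAMES:
        return None
    return next((legit for legit in sorted(SYSTEM_NAMES) if _one_edit_apart(name, legit)), None)


RELAUNCH_RE = re.compile(r'^(?P<exe>\S+\.exe)\s+(?P<num>\d+)\s+"(?P<launcher>[^"]+)"$', re.I)


def relaunch_chain(procs: List[Dict]) -> List[Tuple[int, str]]:
    """Flag processes started as `<exe> <number> "<path>"` where the quoted
    path is the parent's image, the pattern every csrs.exe in the report shows."""
    by_pid = {e["pid"]: e for e in procs}
    hits = []
    for e in procs:
        m = RELAUNCH_RE.match(e["cmdline"])
        parent = by_pid.get(e["ppid"])
        if m and parent and m["launcher"].lower() == parent["image"].lower():
            hits.append((e["pid"], m["launcher"]))
    return hits


WINE_KEY_RE = re.compile(r"^\\REGISTRY\\USER\\S-1-5-21-[\d-]+\\Software\\Wine$", re.I)


def wine_probes(regs: List[Dict]) -> List[int]:
    """PIDs that opened HKCU\\Software\\Wine, a key Wine creates and a stock
    Windows install lacks: a sandbox/emulator check, not normal program behaviour."""
    return sorted({e["pid"] for e in regs if e["op"] == "open" and WINE_KEY_RE.match(e["key"])})


def run_detections(procs: List[Dict], regs: List[Dict]) -> Dict[str, list]:
    """Run all three rules and return their hits keyed by rule name."""
    looks = [(e["pid"], lookalike_system_name(e["image"])) for e in procs]
    return {
        "lookalike": sorted((pid, legit) for pid, legit in looks if legit),
        "relaunch_chain": relaunch_chain(procs),
        "wine_probe": wine_probes(regs),
    }


if __name__ == "__main__":
    for rule, hits in run_detections(PROCESS_EVENTS, REG_EVENTS).items():
        print(f"{rule}: {hits}")
```

On the constructed events the genuine csrss.exe (pid 404) trips none of the rules, the three csrs.exe instances trip both the lookalike and the relaunch rule, and the Wine probe is attributed to the sample and the first copy, matching the attribution in the signature tables above. The relaunch rule needs a parent PID per event, which Sysmon event 1 provides; without it, matching the quoted path against any earlier process image is a weaker but still useful fallback.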
Network
Files
memory/2132-0-0x0000000000400000-0x00000000005D8000-memory.dmp
memory/2132-14-0x0000000003CB0000-0x0000000003CB1000-memory.dmp
memory/2132-18-0x0000000003DB0000-0x0000000003DB1000-memory.dmp
memory/2132-17-0x0000000003CD0000-0x0000000003CD1000-memory.dmp
memory/2132-16-0x0000000003CC0000-0x0000000003CC1000-memory.dmp
memory/2132-15-0x0000000003DC0000-0x0000000003DC2000-memory.dmp
memory/2132-13-0x0000000003CA0000-0x0000000003CA1000-memory.dmp
memory/2132-12-0x0000000003C80000-0x0000000003C81000-memory.dmp
memory/2132-11-0x0000000003D10000-0x0000000003D11000-memory.dmp
memory/2132-10-0x0000000003C90000-0x0000000003C91000-memory.dmp
memory/2132-9-0x0000000003E00000-0x0000000003E01000-memory.dmp
memory/2132-8-0x0000000003D90000-0x0000000003D91000-memory.dmp
memory/2132-7-0x0000000003CE0000-0x0000000003CE1000-memory.dmp
memory/2132-6-0x0000000003DF0000-0x0000000003DF1000-memory.dmp
memory/2132-5-0x0000000003DE0000-0x0000000003DE2000-memory.dmp
memory/2132-1-0x0000000000400000-0x00000000005D8000-memory.dmp
\Windows\SysWOW64\csrs.exe
| MD5 | f84639b1a82e588933fefaf668225dfc |
| SHA1 | e74f65e5b1a461f4cf785f2de51f2b55da19ea07 |
| SHA256 | cc355b38337412c3e3c0269dcd4c9211fd3d89893479380143a9e135be445cbb |
| SHA512 | fa598f258f0c85bca7f1ded374798f1a47612e2ad5c7647f978f06e1a8a4ccebc9e4d9ee02807c33a9abe3d2fc51bd30fc9708a9757c466e9bf6eb9bb034fd9b |
memory/2132-20-0x00000000048C0000-0x0000000004A98000-memory.dmp
memory/2488-27-0x0000000000400000-0x00000000005D8000-memory.dmp
memory/2488-28-0x0000000000400000-0x00000000005D8000-memory.dmp
memory/2488-30-0x0000000003E00000-0x0000000003E01000-memory.dmp
memory/2488-31-0x0000000003CE0000-0x0000000003CE1000-memory.dmp
memory/2488-29-0x0000000003DF0000-0x0000000003DF2000-memory.dmp
memory/2488-33-0x0000000003E10000-0x0000000003E11000-memory.dmp
memory/2488-32-0x0000000003DA0000-0x0000000003DA1000-memory.dmp
memory/2488-34-0x0000000000760000-0x0000000000761000-memory.dmp
memory/2488-35-0x0000000003D60000-0x0000000003D61000-memory.dmp
memory/2488-36-0x0000000000770000-0x0000000000771000-memory.dmp
memory/2488-38-0x0000000003CB0000-0x0000000003CB1000-memory.dmp
memory/2488-39-0x0000000003DD0000-0x0000000003DD2000-memory.dmp
memory/2488-37-0x0000000003D40000-0x0000000003D41000-memory.dmp
memory/2488-40-0x0000000003DE0000-0x0000000003DE1000-memory.dmp
memory/2488-41-0x0000000003CC0000-0x0000000003CC1000-memory.dmp
memory/2488-42-0x0000000003CD0000-0x0000000003CD1000-memory.dmp
memory/2132-44-0x0000000000400000-0x00000000005D8000-memory.dmp
memory/2488-45-0x0000000000400000-0x00000000005D8000-memory.dmp
memory/2464-51-0x0000000000400000-0x00000000005D8000-memory.dmp
memory/2488-50-0x0000000003DC0000-0x0000000003DC1000-memory.dmp
memory/2488-49-0x0000000003D50000-0x0000000003D51000-memory.dmp
memory/2464-52-0x0000000000400000-0x00000000005D8000-memory.dmp
memory/2464-66-0x00000000008A0000-0x00000000008A1000-memory.dmp
memory/2464-65-0x0000000003DA0000-0x0000000003DA1000-memory.dmp
memory/2488-68-0x0000000000400000-0x00000000005D8000-memory.dmp
memory/2464-69-0x0000000000890000-0x0000000000891000-memory.dmp
memory/2464-64-0x0000000003D90000-0x0000000003D92000-memory.dmp
memory/2464-63-0x0000000000680000-0x0000000000681000-memory.dmp
memory/2464-62-0x0000000000670000-0x0000000000671000-memory.dmp
memory/2464-61-0x0000000003D10000-0x0000000003D11000-memory.dmp
memory/2464-60-0x00000000003F0000-0x00000000003F1000-memory.dmp
memory/2464-59-0x0000000003D20000-0x0000000003D21000-memory.dmp
memory/2464-58-0x0000000000660000-0x0000000000661000-memory.dmp
memory/2464-57-0x0000000003DD0000-0x0000000003DD1000-memory.dmp
memory/2464-56-0x0000000003D60000-0x0000000003D61000-memory.dmp
memory/2464-55-0x00000000008B0000-0x00000000008B1000-memory.dmp
memory/2464-54-0x0000000003DC0000-0x0000000003DC1000-memory.dmp
memory/2464-53-0x0000000003DB0000-0x0000000003DB2000-memory.dmp
memory/2464-70-0x0000000000400000-0x00000000005D8000-memory.dmp
memory/2464-73-0x0000000003D80000-0x0000000003D81000-memory.dmp
memory/2464-75-0x0000000000400000-0x00000000005D8000-memory.dmp
memory/620-76-0x0000000000400000-0x00000000005D8000-memory.dmp
memory/620-80-0x0000000003CF0000-0x0000000003CF1000-memory.dmp
memory/620-79-0x0000000003E00000-0x0000000003E01000-memory.dmp
memory/620-83-0x0000000000A10000-0x0000000000A11000-memory.dmp
memory/620-81-0x0000000003D60000-0x0000000003D61000-memory.dmp
memory/620-84-0x0000000003D30000-0x0000000003D31000-memory.dmp
memory/620-82-0x0000000003E10000-0x0000000003E11000-memory.dmp
memory/620-78-0x0000000003DF0000-0x0000000003DF2000-memory.dmp
memory/620-77-0x0000000000400000-0x00000000005D8000-memory.dmp
memory/620-94-0x0000000000400000-0x00000000005D8000-memory.dmp
memory/620-116-0x0000000000400000-0x00000000005D8000-memory.dmp
memory/2344-117-0x0000000000400000-0x00000000005D8000-memory.dmp
memory/2832-142-0x0000000000400000-0x00000000005D8000-memory.dmp
memory/2672-165-0x0000000000400000-0x00000000005D8000-memory.dmp
memory/1224-188-0x0000000000400000-0x00000000005D8000-memory.dmp
memory/1512-210-0x0000000000400000-0x00000000005D8000-memory.dmp
memory/560-233-0x0000000000400000-0x00000000005D8000-memory.dmp
memory/2820-255-0x0000000000400000-0x00000000005D8000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-18 15:14
Reported
2024-04-18 15:17
Platform
win10v2004-20240412-en
Max time kernel
149s
Max time network
149s
Command Line
Signatures
Identifies Wine through registry keys
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\f84639b1a82e588933fefaf668225dfc_JaffaCakes118.exe | N/A |
Processes
| Image | Command line |
| C:\Users\Admin\AppData\Local\Temp\f84639b1a82e588933fefaf668225dfc_JaffaCakes118.exe | "C:\Users\Admin\AppData\Local\Temp\f84639b1a82e588933fefaf668225dfc_JaffaCakes118.exe" |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 85.177.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| NL | 23.62.61.75:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.32.209.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.114.53.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 |  | udp |

On Windows 10 the sample only opened the Wine key and neither dropped nor started anything; the report ties none of the traffic above to a process, and connections to g.bing.com and www.bing.com plus reverse lookups of Microsoft address space are typical of Windows 10 background activity rather than of the sample. The Windows 7 run (behavioral1) is the one that exhibits the drop-and-relaunch behaviour.
Files
memory/3088-0-0x0000000000400000-0x00000000005D8000-memory.dmp
memory/3088-1-0x0000000000400000-0x00000000005D8000-memory.dmp