Malware Analysis Report

2025-01-03 08:09

Sample ID 240419-2a2s3sha84
Target fb4c111ddf3fdc6a5b7ffe7073816562_JaffaCakes118
SHA256 45ae919666be18fbb9a86eba7731513b8ba187252392cf68f5846e925955f2c8
Tags
metasploit backdoor evasion persistence spyware stealer trojan
score
10/10

Analysis Overview

score
10/10

SHA256

45ae919666be18fbb9a86eba7731513b8ba187252392cf68f5846e925955f2c8

Threat Level: Known bad

The file fb4c111ddf3fdc6a5b7ffe7073816562_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

metasploit backdoor evasion persistence spyware stealer trojan

MetaSploit

Modifies Installed Components in the registry

Disables taskbar notifications via registry modification

Loads dropped DLL

Modifies system executable filetype association

Reads user/profile data of web browsers

Executes dropped EXE

Adds Run key to start application

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious use of SendNotifyMessage

Uses Task Scheduler COM API

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of FindShellTrayWindow

Analysis: static1

Detonation Overview

Reported

2024-04-19 22:23

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-19 22:23

Reported

2024-04-19 22:26

Platform

win7-20240221-en

Max time kernel

147s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\fb4c111ddf3fdc6a5b7ffe7073816562_JaffaCakes118.exe"

Signatures

MetaSploit

trojan backdoor metasploit

Disables taskbar notifications via registry modification

evasion

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Active Setup\Installed Components C:\Windows\explorer.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\rsoelet.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\dkpeeqj.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\fjh.exe N/A

Modifies system executable filetype association

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\exefile\shell\start\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\fjh.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\exefile\shell\open C:\Users\Admin\AppData\Local\fjh.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\exefile\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\fjh.exe\" -a \"%1\" %*" C:\Users\Admin\AppData\Local\fjh.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\exefile\shell\start\command C:\Users\Admin\AppData\Local\fjh.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\exefile\shell\runas\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\fjh.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\exefile\shell\start C:\Users\Admin\AppData\Local\fjh.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\exefile\shell\start\command\IsolatedCommand = "\"%1\" %*" C:\Users\Admin\AppData\Local\fjh.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\exefile\DefaultIcon C:\Users\Admin\AppData\Local\fjh.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\exefile\shell C:\Users\Admin\AppData\Local\fjh.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\exefile\shell\open\command C:\Users\Admin\AppData\Local\fjh.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\exefile\Content Type = "application/x-msdownload" C:\Users\Admin\AppData\Local\fjh.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\exefile\shell\runas\command\IsolatedCommand = "\"%1\" %*" C:\Users\Admin\AppData\Local\fjh.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\exefile\shell\runas C:\Users\Admin\AppData\Local\fjh.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\exefile\shell\runas\command C:\Users\Admin\AppData\Local\fjh.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\exefile\ = "Application" C:\Users\Admin\AppData\Local\fjh.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\exefile\DefaultIcon\ = "%1" C:\Users\Admin\AppData\Local\fjh.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\exefile\shell\open\command\IsolatedCommand = "\"%1\" %*" C:\Users\Admin\AppData\Local\fjh.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\ctfmon.exe = "C:\\WINDOWS\\system32\\ctfmon.exe" C:\Users\Admin\AppData\Local\fjh.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_Classes\Local Settings C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\.exe\shell\open\command C:\Users\Admin\AppData\Local\fjh.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\.exe\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\fjh.exe\" -a \"%1\" %*" C:\Users\Admin\AppData\Local\fjh.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\exefile\shell\open\command C:\Users\Admin\AppData\Local\fjh.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\exefile\shell\runas\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\fjh.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\exefile\shell\runas\command\IsolatedCommand = "\"%1\" %*" C:\Users\Admin\AppData\Local\fjh.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\exefile\shell\start\command C:\Users\Admin\AppData\Local\fjh.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\exefile\shell\start\command\IsolatedCommand = "\"%1\" %*" C:\Users\Admin\AppData\Local\fjh.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell C:\Windows\explorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\.exe\shell\start\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\fjh.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\exefile\shell\runas C:\Users\Admin\AppData\Local\fjh.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\exefile\shell\runas\command C:\Users\Admin\AppData\Local\fjh.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\.exe\shell\start\command C:\Users\Admin\AppData\Local\fjh.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\exefile\ = "Application" C:\Users\Admin\AppData\Local\fjh.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\exefile\DefaultIcon C:\Users\Admin\AppData\Local\fjh.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\exefile\shell\start C:\Users\Admin\AppData\Local\fjh.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots C:\Windows\explorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\.exe\ = "exefile" C:\Users\Admin\AppData\Local\fjh.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\.exe\shell C:\Users\Admin\AppData\Local\fjh.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\.exe\shell\runas\command C:\Users\Admin\AppData\Local\fjh.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\.exe\shell\start\command\IsolatedCommand = "\"%1\" %*" C:\Users\Admin\AppData\Local\fjh.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\exefile C:\Users\Admin\AppData\Local\fjh.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\exefile\shell C:\Users\Admin\AppData\Local\fjh.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\exefile\shell\open\command\IsolatedCommand = "\"%1\" %*" C:\Users\Admin\AppData\Local\fjh.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\.exe C:\Users\Admin\AppData\Local\fjh.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\.exe\DefaultIcon\ = "%1" C:\Users\Admin\AppData\Local\fjh.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\.exe\shell\open C:\Users\Admin\AppData\Local\fjh.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\.exe\shell\runas\command\IsolatedCommand = "\"%1\" %*" C:\Users\Admin\AppData\Local\fjh.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\exefile\shell\start\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\fjh.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\.exe\Content Type = "application/x-msdownload" C:\Users\Admin\AppData\Local\fjh.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\.exe\shell\open\command\IsolatedCommand = "\"%1\" %*" C:\Users\Admin\AppData\Local\fjh.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\.exe\shell\runas\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\fjh.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\exefile\Content Type = "application/x-msdownload" C:\Users\Admin\AppData\Local\fjh.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\exefile\DefaultIcon\ = "%1" C:\Users\Admin\AppData\Local\fjh.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\.exe\DefaultIcon C:\Users\Admin\AppData\Local\fjh.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\.exe\shell\runas C:\Users\Admin\AppData\Local\fjh.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\.exe\shell\start C:\Users\Admin\AppData\Local\fjh.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\exefile\shell\open C:\Users\Admin\AppData\Local\fjh.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\exefile\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\fjh.exe\" -a \"%1\" %*" C:\Users\Admin\AppData\Local\fjh.exe N/A
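The three registry tables above (Installed Components, executable filetype association, Run key) show the mechanism behind the persistence tags. fjh.exe rewrites the default value of exefile\shell\open\command and .exe\shell\open\command under the user's own class hive (\REGISTRY\USER\<SID>_CLASSES, which is HKCU\Software\Classes; HKCR merges it with priority over HKLM\Software\Classes), so every .exe this user launches is first passed to "fjh.exe -a "%1" %*". That needs no administrator rights. The runas and start verbs and the IsolatedCommand values are left at the benign ""%1" %*", so a detector has to compare the value, not just the key. The following Python is an added example for this report, not part of the sandbox or its tooling: it parses rows in the layout rendered above (a subset copied from the behavioral1 tables, embedded as sample input) and returns three kinds of hit with the writer process: a shell-verb command on exefile or .exe that is anything other than "%1" %*, Run-key values, and activity under Active Setup\Installed Components. The row regex, category names and the Run-key handling are this example's assumptions.

```python
import re

# Registry rows copied from the behavioral1 tables above (a subset), in the
# "Description Indicator Process Target" layout as rendered on this page.
# Added example: the parser and category names are this example's own, not
# the sandbox's API.
SAMPLE_EVENTS = r"""
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Active Setup\Installed Components C:\Windows\explorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\exefile\shell\start\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\fjh.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\exefile\shell\open C:\Users\Admin\AppData\Local\fjh.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\exefile\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\fjh.exe\" -a \"%1\" %*" C:\Users\Admin\AppData\Local\fjh.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\exefile\shell\runas\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\fjh.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\exefile\shell\open\command\IsolatedCommand = "\"%1\" %*" C:\Users\Admin\AppData\Local\fjh.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\.exe\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\fjh.exe\" -a \"%1\" %*" C:\Users\Admin\AppData\Local\fjh.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\.exe\ = "exefile" C:\Users\Admin\AppData\Local\fjh.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\ctfmon.exe = "C:\\WINDOWS\\system32\\ctfmon.exe" C:\Users\Admin\AppData\Local\fjh.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots C:\Windows\explorer.exe N/A
"""
SAMPLE_LINES = [ln for ln in SAMPLE_EVENTS.splitlines() if ln.strip()]

# One row: "<Key created | Set value (type)> <key path> [= <value>] <writer process> N/A".
# Key paths may contain spaces, so the key is matched lazily and the row is
# anchored on the trailing process path (no spaces in this report) and "N/A".
EVENT_RE = re.compile(
    r"^(?P<op>Key created|Set value \((?P<kind>\w+)\)) "
    r"(?P<key>.*?)"
    r'(?: = (?:"(?P<qval>(?:[^"\\]|\\.)*)"|(?P<rval>\S+)))?'
    r" (?P<proc>\S+) N/A$"
)

def unescape(value):
    # String values are rendered with C-style escapes (\" and \\).
    return re.sub(r"\\(.)", r"\1", value)

def parse_event(line):
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    value = None
    if m.group("qval") is not None:
        value = unescape(m.group("qval"))
    elif m.group("rval") is not None:
        value = m.group("rval")
    return {
        "op": "set" if m.group("op").startswith("Set") else "create",
        "kind": m.group("kind"),
        "key": m.group("key"),
        "value": value,
        "proc": m.group("proc"),
    }

# What a clean system carries for exefile\shell\<verb>\command and IsolatedCommand.
BENIGN_EXE_COMMAND = '"%1" %*'
SHELL_CMD_RE = re.compile(
    r"_CLASSES\\(?P<cls>exefile|\.exe)\\shell\\(?P<verb>open|runas|start)"
    r"\\command\\(?P<name>IsolatedCommand)?$",
    re.IGNORECASE,
)
RUN_KEY_RE = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\(?:Run|RunOnce)\\(?P<name>[^\\]+)$",
    re.IGNORECASE,
)
ACTIVE_SETUP_RE = re.compile(
    r"\\Software\\Microsoft\\Active Setup\\Installed Components(?:\\|$)", re.IGNORECASE
)
FIRST_QUOTED_RE = re.compile(r'^"([^"]+)"')

def classify(ev):
    """Return (category, details) for a persistence-relevant event, else None."""
    key, value = ev["key"], ev["value"]
    m = SHELL_CMD_RE.search(key)
    if m and value is not None:
        if value.strip() == BENIGN_EXE_COMMAND:
            return None  # verb left at the default; nothing to report
        q = FIRST_QUOTED_RE.match(value)
        return "exefile_hijack", {
            "cls": m.group("cls"),
            "verb": m.group("verb"),
            "hijacker": q.group(1) if q else value,
        }
    m = RUN_KEY_RE.search(key)
    if m and ev["op"] == "set":
        return "run_key", {"name": m.group("name"), "command": value}
    if ACTIVE_SETUP_RE.search(key):
        return "active_setup", {"subkey": key.split("\\Software\\", 1)[-1]}
    return None

def find_persistence(lines):
    """Parse report rows and return every persistence hit with its writer process."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        result = classify(ev)
        if result:
            category, details = result
            hits.append({"category": category, "proc": ev["proc"], **details})
    return hits
```

The command check is deliberately strict: the only value a clean system carries for these verbs is the literal "%1" %*, so any other string is worth an alert, whatever binary it names. The Run entry in this report points at the real ctfmon.exe under system32, so it is recorded rather than judged by path; a freshly dropped executable writing any Run value is a finding on its own, which is why each hit keeps the writer process. The Active Setup row is attributed by the sandbox to explorer.exe, and the example simply records that.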

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\explorer.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A (16 identical rows)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2808 wrote to memory of 1056 N/A C:\Users\Admin\AppData\Local\Temp\fb4c111ddf3fdc6a5b7ffe7073816562_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\rsoelet.exe (4 identical rows)
PID 2808 wrote to memory of 2220 N/A C:\Users\Admin\AppData\Local\Temp\fb4c111ddf3fdc6a5b7ffe7073816562_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\dkpeeqj.exe (4 identical rows)
PID 1056 wrote to memory of 2620 N/A C:\Users\Admin\AppData\Local\Temp\rsoelet.exe C:\Users\Admin\AppData\Local\fjh.exe (4 identical rows)

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\fb4c111ddf3fdc6a5b7ffe7073816562_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\fb4c111ddf3fdc6a5b7ffe7073816562_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\rsoelet.exe

C:\Users\Admin\AppData\Local\Temp\rsoelet.exe

C:\Users\Admin\AppData\Local\Temp\dkpeeqj.exe

C:\Users\Admin\AppData\Local\Temp\dkpeeqj.exe

C:\Users\Admin\AppData\Local\fjh.exe

"C:\Users\Admin\AppData\Local\fjh.exe" -gav C:\Users\Admin\AppData\Local\Temp\rsoelet.exe

C:\Windows\explorer.exe

explorer.exe

Network

Country Destination Domain Proto
IR 86.55.210.72:80 tcp
US 8.8.8.8:53 wokikywalonez.com udp
US 8.8.8.8:53 jukecoruvut.com udp
US 8.8.8.8:53 xifuzakotyk.com udp
US 8.8.8.8:53 qukocacilogoti.com udp
US 8.8.8.8:53 xajizukoxo.com udp
US 8.8.8.8:53 nymemuhoseran.com udp
US 8.8.8.8:53 vefyqylepahuga.com udp
US 8.8.8.8:53 semuvajako.com udp
US 8.8.8.8:53 tuwifotiju.com udp
US 8.8.8.8:53 baxivenom.com udp
US 8.8.8.8:53 rydoryxowokic.com udp
US 8.8.8.8:53 pipugodupexug.com udp
US 8.8.8.8:53 zelabuhib.com udp
US 8.8.8.8:53 jacumegekij.com udp
US 8.8.8.8:53 wihoraqite.com udp
US 8.8.8.8:53 bisyvoqyxymyqi.com udp
US 8.8.8.8:53 cudokopipi.com udp
US 8.8.8.8:53 dowemawema.com udp
US 8.8.8.8:53 syfurojoxereku.com udp
US 8.8.8.8:53 fakovuhuju.com udp
US 8.8.8.8:53 qovukezur.com udp
US 8.8.8.8:53 cuneqyqetyroj.com udp
US 8.8.8.8:53 dytebyhekaqa.com udp
US 8.8.8.8:53 takywegywejesy.com udp
US 8.8.8.8:53 zelokovixoqe.com udp
US 8.8.8.8:53 hebypudukotih.com udp
US 8.8.8.8:53 qamezeqyce.com udp
US 8.8.8.8:53 gasicekymas.com udp
US 8.8.8.8:53 qozohyhobuci.com udp
US 8.8.8.8:53 punanufawenyk.com udp
US 8.8.8.8:53 microsoft.com udp (12 identical rows)
US 20.112.250.133:80 microsoft.com tcp (28 identical rows)
US 8.8.8.8:53 fojexojup.com udp
US 20.112.250.133:80 microsoft.com tcp (2 identical rows)
US 8.8.8.8:53 bafihamuxav.com udp
IR 86.55.210.72:80 tcp
US 8.8.8.8:53 johunyniv.com udp
US 8.8.8.8:53 nixecynuho.com udp
US 8.8.8.8:53 vehepumac.com udp
DE 91.217.162.20:80 tcp
US 8.8.8.8:53 bucoqypynynej.com udp
US 8.8.8.8:53 ronadosim.com udp
US 8.8.8.8:53 fifotojylahe.com udp
DE 91.217.162.20:80 tcp
US 8.8.8.8:53 zizudadidura.com udp
US 8.8.8.8:53 gilodivere.com udp
US 8.8.8.8:53 wiqesidavevod.com udp
US 8.8.8.8:53 cagolasevaj.com udp
US 8.8.8.8:53 bakubuniho.com udp
US 8.8.8.8:53 zizyhaqizod.com udp
US 8.8.8.8:53 tedowuveqakej.com udp
US 8.8.8.8:53 luqotazih.com udp
US 8.8.8.8:53 xeruraxagum.com udp
US 8.8.8.8:53 geduhijykes.com udp
US 8.8.8.8:53 bigoxefyfaluh.com udp
US 8.8.8.8:53 ranamujesu.com udp
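Two patterns in the Network table are worth turning into detections. First, plain TCP connections to 86.55.210.72:80 and 91.217.162.20:80 with no DNS name attached, the same two hosts in both detonations, which is the shape of a hardcoded C2 address. Second, fifty distinct .com lookups within a two-and-a-half-minute window, none of them repeated, with random-looking but pronounceable labels. Because the labels are pronounceable, character-entropy scoring separates them poorly from names such as microsoft.com; counting distinct never-seen registrable domains per host per window is the stronger signal. The following Python is an added example for this report, not the sandbox's code: it parses rows in the layout rendered above (a constructed subset of behavioral1 and behavioral2 rows, embedded as sample input, including a reverse lookup and collapsed repeated rows), separates direct-to-IP connections, PTR lookups and name lookups, and flags the burst. The allowlist, the ten-domain threshold and the two-label registrable-domain rule are assumptions of the example.

```python
import re
from collections import Counter

# Connection rows copied from the Network tables above (a constructed subset of
# behavioral1 and behavioral2 rows). Added example, not the sandbox's own code.
SAMPLE_NETWORK = """
IR 86.55.210.72:80 tcp
US 8.8.8.8:53 wokikywalonez.com udp
US 8.8.8.8:53 jukecoruvut.com udp
US 8.8.8.8:53 xifuzakotyk.com udp
US 8.8.8.8:53 qukocacilogoti.com udp
US 8.8.8.8:53 xajizukoxo.com udp
US 8.8.8.8:53 nymemuhoseran.com udp
US 8.8.8.8:53 vefyqylepahuga.com udp
US 8.8.8.8:53 semuvajako.com udp
US 8.8.8.8:53 tuwifotiju.com udp
US 8.8.8.8:53 baxivenom.com udp
US 8.8.8.8:53 microsoft.com udp (12 identical rows)
US 20.112.250.133:80 microsoft.com tcp (28 identical rows)
US 8.8.8.8:53 fojexojup.com udp
IR 86.55.210.72:80 tcp
DE 91.217.162.20:80 tcp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 204.79.197.237:443 g.bing.com tcp
"""

# "<country> <ip:port> [<domain>] <tcp|udp>", optionally followed by a
# "(N identical rows)" note where repeated rows have been collapsed.
ROW_RE = re.compile(
    r"^(?P<cc>[A-Z]{2}) (?P<dst>\S+:\d+)(?: (?P<domain>\S+))? (?P<proto>tcp|udp)"
    r"(?: \((?P<n>\d+) identical rows\))?$"
)

# Assumed-benign registrable domains for this example (sandbox/OS background
# traffic); a real deployment would use its own allowlist or a popularity list.
KNOWN_GOOD = frozenset({"microsoft.com", "bing.com", "bing.net"})

def registrable(domain):
    """Last two labels. Simplification: ignores public suffixes such as co.uk."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def parse_rows(text):
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            row = m.groupdict()
            row["count"] = int(row.pop("n") or 1)
            rows.append(row)
    return rows

def triage(text, burst_threshold=10):
    """Separate direct-to-IP connections, reverse lookups and name lookups,
    and flag a burst of distinct unknown domains (threshold is an assumption)."""
    direct_ip, lookups, reverse = Counter(), Counter(), 0
    for r in parse_rows(text):
        if r["proto"] == "tcp" and r["domain"] is None:
            direct_ip[r["dst"]] += r["count"]  # no DNS name: hardcoded C2 candidate
        elif r["proto"] == "udp" and r["dst"].endswith(":53") and r["domain"]:
            if r["domain"].endswith(".in-addr.arpa"):
                reverse += r["count"]  # PTR lookups, usually OS background noise
            else:
                lookups[registrable(r["domain"])] += r["count"]
    unknown = sorted(d for d in lookups if d not in KNOWN_GOOD)
    return {
        "direct_ip_tcp": dict(direct_ip),
        "lookups": dict(lookups),
        "unknown_domains": unknown,
        "single_use": sum(1 for d in unknown if lookups[d] == 1),
        "reverse_lookups": reverse,
        "burst": len(unknown) >= burst_threshold,
    }
```

On the full behavioral1 table the same logic yields fifty unknown single-use domains against two direct-IP hosts; the single_use count matters because a real application that resolves many names tends to resolve at least some of them more than once, whereas a domain-generation loop walks through candidates and rarely returns to one.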

Files

\Users\Admin\AppData\Local\Temp\rsoelet.exe

MD5 1482cf184afd0e7f9c59c42382201b4a
SHA1 baff10fb5f766f6c49ad27288f7e221428f17c37
SHA256 37d470d9d2088b24a73b885f2fe6ce52eabec12919756a4c6d06e7ea5b6d70ef
SHA512 62ab5bd47695a3ee92a280ffe380487840c888d647e3a06bc45c909ae40dbdb8d688963342fa060f2ecfd9a1f922a8d2f471ea6fc5b586bcdb2ed33b603b1ebc

C:\Users\Admin\AppData\Local\Temp\dkpeeqj.exe

MD5 6b0d03f641ee2a2401bef42da22fde1a
SHA1 a55c2a62c3d15f89673364fab8b820e1fe66262c
SHA256 1558d850b6f28eea5684a196966bcbf06aac0ac3abdb86b571355ca41f216481
SHA512 4a0fb4da35725b7657e8510bc8767f3695f2bb327c54a2202d68339f60e05675887d1afd9f506435f4bb9f200c6ef82c55b4cfb4eb9841aa3deaac3169a0ccf3

memory/1056-13-0x0000000000230000-0x000000000023B000-memory.dmp

memory/1056-14-0x0000000000400000-0x00000000005F5000-memory.dmp

memory/2220-15-0x0000000000400000-0x0000000000442000-memory.dmp

memory/2220-16-0x0000000000360000-0x00000000003A2000-memory.dmp

memory/1056-20-0x0000000000400000-0x00000000005F5000-memory.dmp

memory/1056-17-0x0000000001E50000-0x0000000002107000-memory.dmp

memory/2220-21-0x0000000000400000-0x0000000000442000-memory.dmp

memory/1056-30-0x0000000000400000-0x00000000005F5000-memory.dmp

memory/2620-32-0x0000000000400000-0x00000000005F5000-memory.dmp

memory/2220-33-0x0000000000400000-0x0000000000442000-memory.dmp

memory/2516-34-0x0000000003D30000-0x0000000003D31000-memory.dmp

memory/2620-35-0x0000000000400000-0x00000000005F5000-memory.dmp

memory/2620-36-0x0000000000400000-0x00000000005F5000-memory.dmp

memory/2620-37-0x0000000000400000-0x00000000005F5000-memory.dmp

memory/2620-38-0x0000000000400000-0x00000000005F5000-memory.dmp

memory/2516-39-0x0000000003D30000-0x0000000003D31000-memory.dmp

memory/2620-40-0x0000000000400000-0x00000000005F5000-memory.dmp

memory/2620-41-0x0000000000400000-0x00000000005F5000-memory.dmp

memory/2620-45-0x0000000000400000-0x00000000005F5000-memory.dmp

memory/2620-46-0x0000000000400000-0x00000000005F5000-memory.dmp

memory/2220-47-0x0000000000360000-0x00000000003A2000-memory.dmp

memory/2620-48-0x0000000000400000-0x00000000005F5000-memory.dmp

memory/2620-49-0x0000000000400000-0x00000000005F5000-memory.dmp

memory/2620-50-0x0000000000400000-0x00000000005F5000-memory.dmp

memory/2620-51-0x0000000000400000-0x00000000005F5000-memory.dmp

memory/2620-52-0x0000000000400000-0x00000000005F5000-memory.dmp

memory/2516-53-0x0000000002DC0000-0x0000000002DD0000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-19 22:23

Reported

2024-04-19 22:26

Platform

win10v2004-20240412-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\fb4c111ddf3fdc6a5b7ffe7073816562_JaffaCakes118.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\fb4c111ddf3fdc6a5b7ffe7073816562_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\fb4c111ddf3fdc6a5b7ffe7073816562_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\awcidr.exe

C:\Users\Admin\AppData\Local\Temp\awcidr.exe

C:\Users\Admin\AppData\Local\Temp\htcf.exe

C:\Users\Admin\AppData\Local\Temp\htcf.exe

Network

Country Destination Domain Proto
IR 86.55.210.72:80 tcp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 249.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 206.221.208.4.in-addr.arpa udp
US 8.8.8.8:53 21.114.53.23.in-addr.arpa udp
DE 91.217.162.20:80 tcp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 208.14.97.104.in-addr.arpa udp
US 8.8.8.8:53 154.173.246.72.in-addr.arpa udp
US 8.8.8.8:53 48.251.17.2.in-addr.arpa udp
US 8.8.8.8:53 119.110.54.20.in-addr.arpa udp
US 8.8.8.8:53 217.14.97.104.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp (4 identical rows)
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\awcidr.exe

MD5 1482cf184afd0e7f9c59c42382201b4a
SHA1 baff10fb5f766f6c49ad27288f7e221428f17c37
SHA256 37d470d9d2088b24a73b885f2fe6ce52eabec12919756a4c6d06e7ea5b6d70ef
SHA512 62ab5bd47695a3ee92a280ffe380487840c888d647e3a06bc45c909ae40dbdb8d688963342fa060f2ecfd9a1f922a8d2f471ea6fc5b586bcdb2ed33b603b1ebc

C:\Users\Admin\AppData\Local\Temp\htcf.exe

MD5 6b0d03f641ee2a2401bef42da22fde1a
SHA1 a55c2a62c3d15f89673364fab8b820e1fe66262c
SHA256 1558d850b6f28eea5684a196966bcbf06aac0ac3abdb86b571355ca41f216481
SHA512 4a0fb4da35725b7657e8510bc8767f3695f2bb327c54a2202d68339f60e05675887d1afd9f506435f4bb9f200c6ef82c55b4cfb4eb9841aa3deaac3169a0ccf3

memory/408-8-0x0000000000600000-0x000000000060B000-memory.dmp

memory/408-9-0x0000000000400000-0x00000000005F5000-memory.dmp

memory/4116-10-0x0000000000400000-0x0000000000442000-memory.dmp

memory/4116-11-0x0000000000590000-0x00000000005D2000-memory.dmp

memory/4116-12-0x0000000000400000-0x0000000000442000-memory.dmp

memory/408-13-0x0000000000400000-0x00000000005F5000-memory.dmp

memory/408-17-0x0000000000400000-0x00000000005F5000-memory.dmp

memory/408-18-0x00000000024D0000-0x0000000002787000-memory.dmp

memory/4116-19-0x0000000000400000-0x0000000000442000-memory.dmp

memory/4116-20-0x0000000000590000-0x00000000005D2000-memory.dmp