Analysis Overview
SHA256
3c966798000d94713c63bbf32a52284ccd82811ae6dcb370cd075855010f9e34
Threat Level: Known bad
The file 1a0825f4897c1dcf8e535685621556fe_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
NanoCore
Checks whether UAC is enabled
Suspicious use of SetThreadContext
Unsigned PE
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-06 01:04
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-06 01:04
Reported
2024-05-06 01:06
Platform
win7-20240220-en
Max time kernel
149s
Max time network
147s
Command Line
Signatures
NanoCore
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\1a0825f4897c1dcf8e535685621556fe_JaffaCakes118.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2184 set thread context of 2456 | N/A | C:\Users\Admin\AppData\Local\Temp\1a0825f4897c1dcf8e535685621556fe_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\1a0825f4897c1dcf8e535685621556fe_JaffaCakes118.exe |
| PID 2184 set thread context of 1724 | N/A | C:\Users\Admin\AppData\Local\Temp\1a0825f4897c1dcf8e535685621556fe_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\1a0825f4897c1dcf8e535685621556fe_JaffaCakes118.exe |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1a0825f4897c1dcf8e535685621556fe_JaffaCakes118.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\1a0825f4897c1dcf8e535685621556fe_JaffaCakes118.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\1a0825f4897c1dcf8e535685621556fe_JaffaCakes118.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\1a0825f4897c1dcf8e535685621556fe_JaffaCakes118.exe | "C:\Users\Admin\AppData\Local\Temp\1a0825f4897c1dcf8e535685621556fe_JaffaCakes118.exe" |
| C:\Users\Admin\AppData\Local\Temp\1a0825f4897c1dcf8e535685621556fe_JaffaCakes118.exe | "1a0825f4897c1dcf8e535685621556fe_JaffaCakes118.exe" |
| C:\Users\Admin\AppData\Local\Temp\1a0825f4897c1dcf8e535685621556fe_JaffaCakes118.exe | "1a0825f4897c1dcf8e535685621556fe_JaffaCakes118.exe" |
| C:\Users\Admin\AppData\Local\Temp\1a0825f4897c1dcf8e535685621556fe_JaffaCakes118.exe | "1a0825f4897c1dcf8e535685621556fe_JaffaCakes118.exe" |
| C:\Users\Admin\AppData\Local\Temp\1a0825f4897c1dcf8e535685621556fe_JaffaCakes118.exe | "1a0825f4897c1dcf8e535685621556fe_JaffaCakes118.exe" |
| C:\Users\Admin\AppData\Local\Temp\1a0825f4897c1dcf8e535685621556fe_JaffaCakes118.exe | "1a0825f4897c1dcf8e535685621556fe_JaffaCakes118.exe" |
| C:\Windows\SysWOW64\schtasks.exe | "schtasks.exe" /create /f /tn "TCP Subsystem" /xml "C:\Users\Admin\AppData\Local\Temp\tmp1B00.tmp" |
Network
Files
C:\Users\Admin\AppData\Local\Temp\tmp1B00.tmp
| MD5 | 779b93dce4b119f3c6a6a9678d33cbdb |
| SHA1 | 7b70a8f6490885acc9b4f725d5a36d869951400b |
| SHA256 | aebf4f6c2f58eceb924d4a3988824d58e7e44c8e6d31f7a1da761438fa59f129 |
| SHA512 | 346f777e8535c10ad2eeacb06023f026f194930af91c7a958a659e6fe63bcb34bbc788d322b0559aead0aecf8576dcc5f61f3ec7434ecd2dc51e751e7f13dd91 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-06 01:04
Reported
2024-05-06 01:06
Platform
win10v2004-20240419-en
Max time kernel
149s
Max time network
155s
Command Line
Signatures
NanoCore
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\1a0825f4897c1dcf8e535685621556fe_JaffaCakes118.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3540 set thread context of 2872 | N/A | C:\Users\Admin\AppData\Local\Temp\1a0825f4897c1dcf8e535685621556fe_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\1a0825f4897c1dcf8e535685621556fe_JaffaCakes118.exe |
| PID 3540 set thread context of 1144 | N/A | C:\Users\Admin\AppData\Local\Temp\1a0825f4897c1dcf8e535685621556fe_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\1a0825f4897c1dcf8e535685621556fe_JaffaCakes118.exe |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1a0825f4897c1dcf8e535685621556fe_JaffaCakes118.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\1a0825f4897c1dcf8e535685621556fe_JaffaCakes118.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\1a0825f4897c1dcf8e535685621556fe_JaffaCakes118.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\1a0825f4897c1dcf8e535685621556fe_JaffaCakes118.exe | "C:\Users\Admin\AppData\Local\Temp\1a0825f4897c1dcf8e535685621556fe_JaffaCakes118.exe" |
| C:\Users\Admin\AppData\Local\Temp\1a0825f4897c1dcf8e535685621556fe_JaffaCakes118.exe | "1a0825f4897c1dcf8e535685621556fe_JaffaCakes118.exe" |
| C:\Users\Admin\AppData\Local\Temp\1a0825f4897c1dcf8e535685621556fe_JaffaCakes118.exe | "1a0825f4897c1dcf8e535685621556fe_JaffaCakes118.exe" |
| C:\Users\Admin\AppData\Local\Temp\1a0825f4897c1dcf8e535685621556fe_JaffaCakes118.exe | "1a0825f4897c1dcf8e535685621556fe_JaffaCakes118.exe" |
| C:\Windows\SysWOW64\schtasks.exe | "schtasks.exe" /create /f /tn "DDP Service" /xml "C:\Users\Admin\AppData\Local\Temp\tmp4585.tmp" |
Network
Files
C:\Users\Admin\AppData\Local\Temp\tmp4585.tmp
| MD5 | 779b93dce4b119f3c6a6a9678d33cbdb |
| SHA1 | 7b70a8f6490885acc9b4f725d5a36d869951400b |
| SHA256 | aebf4f6c2f58eceb924d4a3988824d58e7e44c8e6d31f7a1da761438fa59f129 |
| SHA512 | 346f777e8535c10ad2eeacb06023f026f194930af91c7a958a659e6fe63bcb34bbc788d322b0559aead0aecf8576dcc5f61f3ec7434ecd2dc51e751e7f13dd91 |