Analysis Overview
SHA256
21f1f3f4d6eb97956fdb931880e53f91c45abf0f823b8860974839ab01f464d4
Threat Level: Known bad
The file 40469bb82dc14a99ae488dcf2757fcfe_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
StormKitty payload
StormKitty
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Suspicious use of SetThreadContext
Unsigned PE
Program crash
Enumerates processes with tasklist
outlook_win_path
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
outlook_office_path
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2024-05-13 16:00
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-13 16:00
Reported
2024-05-13 16:03
Platform
win7-20240221-en
Max time kernel
122s
Max time network
127s
Command Line
Signatures
StormKitty
StormKitty payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2456 set thread context of 2480 | N/A | C:\Users\Admin\AppData\Local\Temp\40469bb82dc14a99ae488dcf2757fcfe_JaffaCakes118.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\40469bb82dc14a99ae488dcf2757fcfe_JaffaCakes118.exe |
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\40469bb82dc14a99ae488dcf2757fcfe_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\40469bb82dc14a99ae488dcf2757fcfe_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\40469bb82dc14a99ae488dcf2757fcfe_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\40469bb82dc14a99ae488dcf2757fcfe_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\40469bb82dc14a99ae488dcf2757fcfe_JaffaCakes118.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A |
Suspicious use of WriteProcessMemory
outlook_office_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\40469bb82dc14a99ae488dcf2757fcfe_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\40469bb82dc14a99ae488dcf2757fcfe_JaffaCakes118.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2456 -s 636
C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\netsh.exe
netsh wlan show profile
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C tasklist /FO TABLE > "C:\Users\Admin\AppData\Local\Temp\396d02e5e395f0e65d014577dd84a371\8ec14fd6fb42aa53138a59d5ce5af0a4\processes.txt"
C:\Windows\SysWOW64\findstr.exe
findstr All
C:\Windows\SysWOW64\tasklist.exe
tasklist /FO TABLE
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
Files
memory/2456-0-0x0000000074B2E000-0x0000000074B2F000-memory.dmp
memory/2456-1-0x000000000F020000-0x000000000F146000-memory.dmp
memory/2456-2-0x0000000000380000-0x0000000000388000-memory.dmp
memory/2456-3-0x00000000046B0000-0x00000000047A2000-memory.dmp
memory/2456-4-0x0000000074B20000-0x000000007520E000-memory.dmp
memory/2480-6-0x0000000000400000-0x0000000000440000-memory.dmp
memory/2480-12-0x0000000000400000-0x0000000000440000-memory.dmp
memory/2480-16-0x0000000000400000-0x0000000000440000-memory.dmp
memory/2480-10-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp
memory/2480-38-0x0000000074B20000-0x000000007520E000-memory.dmp
memory/2480-37-0x0000000000400000-0x0000000000440000-memory.dmp
memory/2480-35-0x0000000000400000-0x0000000000440000-memory.dmp
memory/2480-34-0x0000000000400000-0x0000000000440000-memory.dmp
memory/2480-32-0x0000000000400000-0x0000000000440000-memory.dmp
memory/2480-29-0x0000000000400000-0x0000000000440000-memory.dmp
memory/2480-28-0x0000000000400000-0x0000000000440000-memory.dmp
memory/2480-26-0x0000000000400000-0x0000000000440000-memory.dmp
memory/2480-24-0x0000000000400000-0x0000000000440000-memory.dmp
memory/2480-23-0x0000000000400000-0x0000000000440000-memory.dmp
memory/2480-22-0x0000000000400000-0x0000000000440000-memory.dmp
memory/2480-21-0x0000000000400000-0x0000000000440000-memory.dmp
memory/2480-20-0x0000000000400000-0x0000000000440000-memory.dmp
memory/2480-19-0x0000000000400000-0x0000000000440000-memory.dmp
memory/2480-18-0x0000000000400000-0x0000000000440000-memory.dmp
memory/2480-9-0x0000000000400000-0x0000000000440000-memory.dmp
memory/2480-8-0x0000000000400000-0x0000000000440000-memory.dmp
memory/2480-7-0x0000000000400000-0x0000000000440000-memory.dmp
memory/2480-14-0x0000000000400000-0x0000000000440000-memory.dmp
memory/2480-39-0x0000000074B20000-0x000000007520E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\396d02e5e395f0e65d014577dd84a371\8ec14fd6fb42aa53138a59d5ce5af0a4\processes.txt
| MD5 | ac2288f51d4dca36eacd829dfd257238 |
| SHA1 | 3781515d6f965e49b5c885205b95023161a89c7c |
| SHA256 | d0e669cdddaad6464d828e0e1cf3d05995c7ee626ac7155193f3bb1377a8fda9 |
| SHA512 | 0f84fbf043be0e11720bcac11fc212fb9ed5bda62934e69a62ed163ca0eda393aaab364e4388550f009dc00477ebbf4f0fde48877aac41c3d17687c5d05c0012 |
memory/2480-72-0x0000000074B20000-0x000000007520E000-memory.dmp
memory/2456-73-0x0000000074B2E000-0x0000000074B2F000-memory.dmp
memory/2456-74-0x0000000074B20000-0x000000007520E000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-13 16:00
Reported
2024-05-13 16:03
Platform
win10v2004-20240508-en
Max time kernel
95s
Max time network
126s
Command Line
Signatures
StormKitty
StormKitty payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4264 set thread context of 2072 | N/A | C:\Users\Admin\AppData\Local\Temp\40469bb82dc14a99ae488dcf2757fcfe_JaffaCakes118.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\40469bb82dc14a99ae488dcf2757fcfe_JaffaCakes118.exe |
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\40469bb82dc14a99ae488dcf2757fcfe_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\40469bb82dc14a99ae488dcf2757fcfe_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\40469bb82dc14a99ae488dcf2757fcfe_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\40469bb82dc14a99ae488dcf2757fcfe_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\40469bb82dc14a99ae488dcf2757fcfe_JaffaCakes118.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
Suspicious use of WriteProcessMemory
outlook_office_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\40469bb82dc14a99ae488dcf2757fcfe_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\40469bb82dc14a99ae488dcf2757fcfe_JaffaCakes118.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C tasklist /FO TABLE > "C:\Users\Admin\AppData\Local\Temp\396d02e5e395f0e65d014577dd84a371\66b8852ca38906a5b7a713b8d7da0510\processes.txt"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4264 -ip 4264
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\tasklist.exe
tasklist /FO TABLE
C:\Windows\SysWOW64\netsh.exe
netsh wlan show profile
C:\Windows\SysWOW64\findstr.exe
findstr All
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4264 -s 1044
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 20.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 142.53.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 99.58.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
Files
memory/4264-0-0x0000000074A5E000-0x0000000074A5F000-memory.dmp
memory/4264-1-0x00000000003C0000-0x00000000004E6000-memory.dmp
memory/4264-2-0x0000000000E60000-0x0000000000E68000-memory.dmp
memory/4264-3-0x0000000004E30000-0x0000000004ECC000-memory.dmp
memory/4264-4-0x0000000004ED0000-0x0000000004FC2000-memory.dmp
memory/4264-5-0x0000000074A50000-0x0000000075200000-memory.dmp
memory/2072-7-0x0000000000400000-0x0000000000440000-memory.dmp
memory/2072-26-0x0000000000400000-0x0000000000440000-memory.dmp
memory/2072-29-0x0000000074A50000-0x0000000075200000-memory.dmp
memory/2072-28-0x0000000000400000-0x0000000000440000-memory.dmp
memory/2072-25-0x0000000000400000-0x0000000000440000-memory.dmp
memory/2072-30-0x0000000074A50000-0x0000000075200000-memory.dmp
memory/2072-33-0x0000000005EB0000-0x0000000005F16000-memory.dmp
memory/2072-32-0x0000000005DC0000-0x0000000005DD2000-memory.dmp
memory/2072-31-0x0000000005D90000-0x0000000005D9A000-memory.dmp
memory/2072-23-0x0000000000400000-0x0000000000440000-memory.dmp
memory/2072-20-0x0000000000400000-0x0000000000440000-memory.dmp
memory/2072-19-0x0000000000400000-0x0000000000440000-memory.dmp
memory/2072-17-0x0000000000400000-0x0000000000440000-memory.dmp
memory/2072-15-0x0000000000400000-0x0000000000440000-memory.dmp
memory/2072-14-0x0000000000400000-0x0000000000440000-memory.dmp
memory/2072-13-0x0000000000400000-0x0000000000440000-memory.dmp
memory/2072-12-0x0000000000400000-0x0000000000440000-memory.dmp
memory/2072-11-0x0000000000400000-0x0000000000440000-memory.dmp
memory/2072-10-0x0000000000400000-0x0000000000440000-memory.dmp
memory/2072-9-0x0000000000400000-0x0000000000440000-memory.dmp
memory/2072-42-0x00000000064C0000-0x0000000006552000-memory.dmp
memory/2072-43-0x0000000006B10000-0x00000000070B4000-memory.dmp
memory/4264-46-0x0000000074A50000-0x0000000075200000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\396d02e5e395f0e65d014577dd84a371\66b8852ca38906a5b7a713b8d7da0510\processes.txt
| MD5 | fd5d15e7b0f1c8437ed9132e84a7fe55 |
| SHA1 | e13aafc0fd0ef11bd099439d74530ce849087e53 |
| SHA256 | f27545f095b6c270e2af7de42dda622336cd7fe715e575194d197327f7d2b025 |
| SHA512 | b6792276fd2a8ead1889d79092f3a2d794d4e49aa62c145f84cc41ac80ccb39f3c8c99f2c41a1b9f2ee2438832584ba62709fe4f01763cc0a24a6ccfd2401e99 |
memory/2072-72-0x0000000074A50000-0x0000000075200000-memory.dmp