Analysis Overview
SHA256
d4882f9891573b8583ce81aaf4658b8163c0731d7800a41f5146f4ce34f4c2cc
Threat Level: Known bad
The file 56ed7755596cbebf5045b5ae092bd53e_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
Modifies WinLogon for persistence
Remcos
Uses the VBS compiler for execution
Suspicious use of SetThreadContext
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-18 21:39
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-18 21:39
Reported
2024-05-18 21:41
Platform
win7-20240508-en
Max time kernel
149s
Max time network
152s
Command Line
Signatures
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "\"C:\\Users\\Admin\\AppData\\Roaming\\winsock\\fuhMeWYHV1Cz.exe\",explorer.exe" | C:\Users\Admin\AppData\Local\Temp\56ed7755596cbebf5045b5ae092bd53e_JaffaCakes118.exe | N/A |
Remcos
Uses the VBS compiler for execution
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2128 set thread context of 2264 | N/A | C:\Users\Admin\AppData\Local\Temp\56ed7755596cbebf5045b5ae092bd53e_JaffaCakes118.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\56ed7755596cbebf5045b5ae092bd53e_JaffaCakes118.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\56ed7755596cbebf5045b5ae092bd53e_JaffaCakes118.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\56ed7755596cbebf5045b5ae092bd53e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\56ed7755596cbebf5045b5ae092bd53e_JaffaCakes118.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | ddns.rbs.pw | udp |
Files
memory/2128-0-0x0000000074EB1000-0x0000000074EB2000-memory.dmp
memory/2128-1-0x0000000074EB0000-0x000000007545B000-memory.dmp
memory/2128-2-0x0000000074EB0000-0x000000007545B000-memory.dmp
memory/2264-5-0x0000000000400000-0x0000000000420000-memory.dmp
memory/2264-9-0x0000000000400000-0x0000000000420000-memory.dmp
memory/2264-13-0x0000000000400000-0x0000000000420000-memory.dmp
memory/2264-11-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2264-10-0x0000000000400000-0x0000000000420000-memory.dmp
memory/2264-8-0x0000000000400000-0x0000000000420000-memory.dmp
memory/2264-6-0x0000000000400000-0x0000000000420000-memory.dmp
memory/2264-7-0x0000000000400000-0x0000000000420000-memory.dmp
memory/2264-16-0x0000000000400000-0x0000000000420000-memory.dmp
memory/2264-17-0x0000000000400000-0x0000000000420000-memory.dmp
memory/2264-21-0x0000000000400000-0x0000000000420000-memory.dmp
memory/2264-20-0x0000000000400000-0x0000000000420000-memory.dmp
memory/2264-23-0x0000000000400000-0x0000000000420000-memory.dmp
memory/2128-24-0x0000000074EB0000-0x000000007545B000-memory.dmp
memory/2264-26-0x0000000000400000-0x0000000000420000-memory.dmp
memory/2264-28-0x0000000000400000-0x0000000000420000-memory.dmp
memory/2264-30-0x0000000000400000-0x0000000000420000-memory.dmp
C:\Users\Admin\AppData\Roaming\winsock\data.dat
| MD5 | 2bebfbfe95c2ff4053fc8f98d169d71a |
| SHA1 | b842ec1dbf450f496d14cfef71d66da0e541317e |
| SHA256 | 0593ccc3fded5ff5edf1c1623402f012387f52d8427a0eb177b1e8bd329a484d |
| SHA512 | 2e8f2f0e399dcc43b2cd95f35295b6bb1a4554f8ba8e8bbaaa27ccf69656179fcdfd74db84eb87803782d375ac6990f1e8f087049dd0fbbdf3af2b462bf951a4 |
memory/2264-32-0x0000000000400000-0x0000000000420000-memory.dmp
memory/2264-34-0x0000000000400000-0x0000000000420000-memory.dmp
memory/2264-36-0x0000000000400000-0x0000000000420000-memory.dmp
memory/2264-38-0x0000000000400000-0x0000000000420000-memory.dmp
memory/2264-40-0x0000000000400000-0x0000000000420000-memory.dmp
memory/2264-42-0x0000000000400000-0x0000000000420000-memory.dmp
memory/2264-43-0x0000000000400000-0x0000000000420000-memory.dmp
memory/2264-46-0x0000000000400000-0x0000000000420000-memory.dmp
memory/2264-48-0x0000000000400000-0x0000000000420000-memory.dmp
memory/2264-50-0x0000000000400000-0x0000000000420000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-18 21:39
Reported
2024-05-18 21:41
Platform
win10v2004-20240508-en
Max time kernel
149s
Max time network
150s
Command Line
Signatures
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "\"C:\\Users\\Admin\\AppData\\Roaming\\winsock\\zybyDqyG0G4q.exe\",explorer.exe" | C:\Users\Admin\AppData\Local\Temp\56ed7755596cbebf5045b5ae092bd53e_JaffaCakes118.exe | N/A |
Remcos
Uses the VBS compiler for execution
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 660 set thread context of 3624 | N/A | C:\Users\Admin\AppData\Local\Temp\56ed7755596cbebf5045b5ae092bd53e_JaffaCakes118.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\56ed7755596cbebf5045b5ae092bd53e_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\56ed7755596cbebf5045b5ae092bd53e_JaffaCakes118.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\56ed7755596cbebf5045b5ae092bd53e_JaffaCakes118.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\56ed7755596cbebf5045b5ae092bd53e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\56ed7755596cbebf5045b5ae092bd53e_JaffaCakes118.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 203.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ddns.rbs.pw | udp |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 194.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ddns.rbs.pw | udp |
| US | 8.8.8.8:53 | ddns.rbs.pw | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ddns.rbs.pw | udp |
| US | 8.8.8.8:53 | ddns.rbs.pw | udp |
| US | 8.8.8.8:53 | ddns.rbs.pw | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ddns.rbs.pw | udp |
| US | 8.8.8.8:53 | ddns.rbs.pw | udp |
| US | 8.8.8.8:53 | ddns.rbs.pw | udp |
| US | 8.8.8.8:53 | ddns.rbs.pw | udp |
| US | 8.8.8.8:53 | ddns.rbs.pw | udp |
| US | 8.8.8.8:53 | ddns.rbs.pw | udp |
| US | 8.8.8.8:53 | 144.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ddns.rbs.pw | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ddns.rbs.pw | udp |
| US | 8.8.8.8:53 | ddns.rbs.pw | udp |
| US | 8.8.8.8:53 | ddns.rbs.pw | udp |
| US | 52.111.229.43:443 | tcp | |
| US | 8.8.8.8:53 | ddns.rbs.pw | udp |
| US | 8.8.8.8:53 | ddns.rbs.pw | udp |
| US | 8.8.8.8:53 | ddns.rbs.pw | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ddns.rbs.pw | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | ddns.rbs.pw | udp |
| US | 8.8.8.8:53 | ddns.rbs.pw | udp |
| US | 8.8.8.8:53 | ddns.rbs.pw | udp |
| US | 8.8.8.8:53 | ddns.rbs.pw | udp |
| US | 8.8.8.8:53 | ddns.rbs.pw | udp |
| US | 8.8.8.8:53 | ddns.rbs.pw | udp |
| US | 8.8.8.8:53 | ddns.rbs.pw | udp |
| US | 8.8.8.8:53 | ddns.rbs.pw | udp |
| US | 8.8.8.8:53 | ddns.rbs.pw | udp |
| US | 8.8.8.8:53 | ddns.rbs.pw | udp |
| US | 8.8.8.8:53 | 210.143.182.52.in-addr.arpa | udp |
Files
memory/660-0-0x0000000074732000-0x0000000074733000-memory.dmp
memory/660-1-0x0000000074730000-0x0000000074CE1000-memory.dmp
memory/660-2-0x0000000074730000-0x0000000074CE1000-memory.dmp
memory/3624-5-0x0000000000400000-0x0000000000420000-memory.dmp
memory/3624-7-0x0000000000400000-0x0000000000420000-memory.dmp
memory/3624-9-0x0000000000400000-0x0000000000420000-memory.dmp
memory/3624-12-0x0000000000400000-0x0000000000420000-memory.dmp
memory/3624-13-0x0000000000400000-0x0000000000420000-memory.dmp
memory/3624-15-0x0000000000400000-0x0000000000420000-memory.dmp
memory/660-16-0x0000000074730000-0x0000000074CE1000-memory.dmp
memory/660-17-0x0000000074732000-0x0000000074733000-memory.dmp
memory/660-18-0x0000000074730000-0x0000000074CE1000-memory.dmp
memory/3624-20-0x0000000000400000-0x0000000000420000-memory.dmp
memory/3624-22-0x0000000000400000-0x0000000000420000-memory.dmp
memory/3624-24-0x0000000000400000-0x0000000000420000-memory.dmp
C:\Users\Admin\AppData\Roaming\winsock\data.dat
| MD5 | 423a05d36ba0625f6d3f8f298108be00 |
| SHA1 | abed2a68ecc7d6a2c2bb74c186cbff81f153e64e |
| SHA256 | 7889b00af783f4d30fe95e85eb2d02019840a06f59f1963cee6ecde59af84f29 |
| SHA512 | 1d28046b6e4684c36cec20c5998c423bf2a766c08c2acb3e4ca1704135e692b9d044bdc69d28913d7cf3e1061ec20d51b5893eb75e321bdc4786a408e520fa89 |
memory/3624-26-0x0000000000400000-0x0000000000420000-memory.dmp
memory/3624-28-0x0000000000400000-0x0000000000420000-memory.dmp
memory/3624-30-0x0000000000400000-0x0000000000420000-memory.dmp
memory/3624-32-0x0000000000400000-0x0000000000420000-memory.dmp
memory/3624-34-0x0000000000400000-0x0000000000420000-memory.dmp
memory/3624-36-0x0000000000400000-0x0000000000420000-memory.dmp
memory/3624-38-0x0000000000400000-0x0000000000420000-memory.dmp
memory/3624-40-0x0000000000400000-0x0000000000420000-memory.dmp
memory/3624-42-0x0000000000400000-0x0000000000420000-memory.dmp
memory/3624-44-0x0000000000400000-0x0000000000420000-memory.dmp