Analysis Overview
SHA256
763a5e112a2cac4106ceba50be268c204883c12dad474571d0f06bfeb2db28a6
Threat Level: Known bad
The file 61201493419f2cfd038edd380361f70e_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
RedLine payload
RedLine
Manipulates Digital Signatures
Loads dropped DLL
Reads user/profile data of web browsers
Deletes itself
Checks computer location settings
Executes dropped EXE
Looks up external IP address via web service
Checks installed software on the system
Suspicious use of SetThreadContext
Enumerates physical storage devices
Kills process with taskkill
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Runs ping.exe
Suspicious behavior: MapViewOfSection
Suspicious use of FindShellTrayWindow
Suspicious use of AdjustPrivilegeToken
Modifies system certificate store
Suspicious use of SendNotifyMessage
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-20 22:27
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-20 22:27
Reported
2024-05-20 22:30
Platform
win7-20240220-en
Max time kernel
120s
Max time network
121s
Command Line
Signatures
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\dllhost.com | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\dllhost.com | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\RegAsm.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\dllhost.com | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\dllhost.com | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\RegAsm.exe | N/A |
Reads user/profile data of web browsers
Checks installed software on the system
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | checkip.amazonaws.com | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 320 set thread context of 1128 | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\dllhost.com | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\RegAsm.exe |
Enumerates physical storage devices
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\RegAsm.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827 | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\RegAsm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\RegAsm.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510 | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\RegAsm.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\RegAsm.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\RegAsm.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\dllhost.com | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\RegAsm.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\dllhost.com | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\dllhost.com | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\dllhost.com | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\dllhost.com | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\dllhost.com | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\dllhost.com | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\dllhost.com | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\dllhost.com | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\dllhost.com | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\dllhost.com | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\dllhost.com | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\dllhost.com | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\61201493419f2cfd038edd380361f70e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\61201493419f2cfd038edd380361f70e_JaffaCakes118.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c echo jNpILxZa
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c cmd < kdDDQohzzOeDMawC.com
C:\Windows\SysWOW64\cmd.exe
cmd
C:\Windows\SysWOW64\PING.EXE
ping -n 1 HLDhP.Trej
C:\Windows\SysWOW64\certutil.exe
certutil -decode oakwUjXu.com Q
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\dllhost.com
dllhost.com Q
C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 3
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\dllhost.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\dllhost.com Q
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\7ZSfx000.cmd" "
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\RegAsm.exe
"C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\RegAsm.exe"
C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C taskkill /F /PID 1128 && choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\RegAsm.exe"
C:\Windows\SysWOW64\taskkill.exe
taskkill /F /PID 1128
C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | HLDhP.Trej | udp |
| US | 8.8.8.8:53 | iUNusFx.iUNusFx | udp |
| RU | 195.2.78.55:81 | tcp | |
| US | 8.8.8.8:53 | api.ip.sb | udp |
| US | 172.67.75.172:443 | api.ip.sb | tcp |
| US | 8.8.8.8:53 | apps.identrust.com | udp |
| US | 2.18.190.80:80 | apps.identrust.com | tcp |
| US | 8.8.8.8:53 | checkip.amazonaws.com | udp |
| IE | 54.72.200.208:80 | checkip.amazonaws.com | tcp |
| US | 8.8.8.8:53 | whois.iana.org | udp |
| US | 192.0.32.59:43 | whois.iana.org | tcp |
| US | 8.8.8.8:53 | WHOIS.LACNIC.NET | udp |
| BR | 200.3.14.149:43 | WHOIS.LACNIC.NET | tcp |
| US | 8.8.8.8:53 | www.geoplugin.net | udp |
| NL | 178.237.33.50:80 | www.geoplugin.net | tcp |
| RU | 195.2.78.55:81 | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\kdDDQohzzOeDMawC.com
| MD5 | 9919b22087c6d3abcb33c95c85cd1a72 |
| SHA1 | d4bd348f984d2685e0bfc3c8575df11c7767dd09 |
| SHA256 | 473fb806481b1fac8b0ecfe4d96c645630d685aba857fa9a6b556874255f1450 |
| SHA512 | 00fc7e50ffe66097101813ac408a1598d85a855326410677ad4adb2ecf82b94c8168b5d45205a910d1613ae824dd1630d38cc12d0d7fa801cd2f5541532c50fe |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\ElwQXJLljZ.com
| MD5 | 392e5cc019e763f0019337277db81081 |
| SHA1 | 9402765f17c7e2b0cf15520ffef56476a855ab2c |
| SHA256 | 852ed04ac131800dae464471a51a7d54063dad88ce1ebab7ce22fcab66900d01 |
| SHA512 | 4e0de123e4ff6f40bacded145bc0505a73a2cf39ff01878b8703b1dd6fc0059d4ce1e39c0d6043b389b7ecee0126e326c6e258b0bf472bf297179b3b945db553 |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\oakwUjXu.com
| MD5 | 93169ee2c69f8ec0c1fa0772d3227422 |
| SHA1 | 3988c594382f0dda573da6f037bbb5e205ae9be3 |
| SHA256 | d6577ca47801a85d9a5e7a80425934aa6c43b743d1115ad09f798f3be5c194a8 |
| SHA512 | 0ba7ac9246d006b203156b6d5f9b6a096adfa76ab5544b62ca05ba91c1f138aec61a241cf015cbc61cb49cb7bb1fef2768403f2c51d5ea27ee410073d54710dd |
\Users\Admin\AppData\Local\Temp\7ZipSfx.000\dllhost.com
| MD5 | 7098bdf41092092927874259196e5d80 |
| SHA1 | 7ed19875c88e93fe3c0cc38b8bff56c61d0a8307 |
| SHA256 | 140864a83fd7c075010791ea30de0acf1ec4725febb1c30dec785b7a893d8558 |
| SHA512 | dcb5a1e7fa194546cdf0186d949eb16a638d9f0cdef9f0f149b13e27d046d36d196e4ea7c6ae7d733eaaca31ce1ebd3b11b614ce2607729b9e97feb18e282b03 |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Q
| MD5 | e20e62330bad6efc86c7d14843cb7f88 |
| SHA1 | 307e83a8831ca201aa54cd43baa615eb73e01559 |
| SHA256 | 60a4c7b8bae6be0f25c19d9e7af3934984b1027d3c159277f0e2af25365fed24 |
| SHA512 | e824d53c9fa44c2c9ebbe0c476ebf82b4509343f8dc11bad312dc5bf0997dee301dc60b1d5a9b385fa1297b4b74d5cdb3960733ea72ce815bfd964dc0f0d70fb |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\ZjhzASQfbvkXa.com
| MD5 | 6d37a4edfc74a1e6048dff3905869a6f |
| SHA1 | 0689d0c8794154013632f9dd0303b9cdc54b1114 |
| SHA256 | 7c4736bb159e8e383178028590da6eeb38182247203c0da89b7ec2ca39e57fb8 |
| SHA512 | 3d9cec9585a0f8eeb1b566299b351dcc6fab6dc02edaa02b51af2dbcf3f6190d395b83281bc129ef91bd44824ece8e5eaa7b96248d4ae3330db20fadd83e68e2 |
C:\Users\Admin\AppData\Local\Temp\7ZSfx000.cmd
| MD5 | b6be4f2d0c69bf65311e416288f558ec |
| SHA1 | 5f9789d858cd5803083c2905385972c4075ff536 |
| SHA256 | faa55046454144bd6160bbc449610d29671bd1456afd5c4fdce66a71628b6f60 |
| SHA512 | 4fcba9ace47f9aeec9ac5ad778328a9018704a6b57e24aa965cc3c01109f553e3319f79b8566d9cf32ac814ba7b503b4954d250f7ff1d09d75c5ab74b8553aaa |
\Users\Admin\AppData\Local\Temp\7ZipSfx.000\RegAsm.exe
| MD5 | b58b926c3574d28d5b7fdd2ca3ec30d5 |
| SHA1 | d260c4ffd603a9cfc057fcb83d678b1cecdf86f9 |
| SHA256 | 6e70b56d748c4ccab13cc8a055d3795ea0dd95fe3b70568d7d3ac0c6621140a3 |
| SHA512 | b13cb998822b716b695013bcd6dec62a2290567d0d1743b2d982ca084235cf69c6ea1fc91c9d4e62657c6f9e102c7c60e81296ab055ffe43b887c5f8ec8958ab |
memory/1128-36-0x0000000000400000-0x0000000000426000-memory.dmp
memory/1128-39-0x0000000000400000-0x0000000000426000-memory.dmp
memory/1128-38-0x0000000000400000-0x0000000000426000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\CabB5D9.tmp
| MD5 | ac05d27423a85adc1622c714f2cb6184 |
| SHA1 | b0fe2b1abddb97837ea0195be70ab2ff14d43198 |
| SHA256 | c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d |
| SHA512 | 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
| MD5 | 29f65ba8e88c063813cc50a4ea544e93 |
| SHA1 | 05a7040d5c127e68c25d81cc51271ffb8bef3568 |
| SHA256 | 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184 |
| SHA512 | e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa |
C:\Users\Admin\AppData\Local\Temp\TarB6DA.tmp
| MD5 | 435a9ac180383f9fa094131b173a2f7b |
| SHA1 | 76944ea657a9db94f9a4bef38f88c46ed4166983 |
| SHA256 | 67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34 |
| SHA512 | 1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 3563fa42e154e82ad2e521cd8b73f9a9 |
| SHA1 | 30570dd0f164dba91b365851e892afba47a00b34 |
| SHA256 | 4a820baf6453de0f30f0141e74fcfebd596cf33dd5d6172a4e4d0e0c611a103a |
| SHA512 | 0955582bbb85fc4949dafb08e5ab13767a10dddddf29d6a3dc1ca6bf696b4d45c5362eb99d24e45e82300ecfed6e9b9ed60391c28ba92d81c13ac2b17d0d6774 |
C:\Users\Admin\AppData\Local\Temp\tmpD2EE.tmp
| MD5 | 02d2c46697e3714e49f46b680b9a6b83 |
| SHA1 | 84f98b56d49f01e9b6b76a4e21accf64fd319140 |
| SHA256 | 522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9 |
| SHA512 | 60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac |
C:\Users\Admin\AppData\Local\Temp\tmpD2ED.tmp
| MD5 | 511473ed599ffee4318413791fab1de9 |
| SHA1 | c1f0856d731676e528c24ae89c8a67c5d4193d8a |
| SHA256 | f9cf0de51a3a613de3ff44affffe58ee4b5124c42ce4b2bb8a4cebe7516faafc |
| SHA512 | 242155b015ac845cdd04dcf7efc6d88b612904ebae1d49df10fe3f3dc0b11b4e40541e0612b30f4105183dbfbba6ec0a9be9ddf4890dfbb236ebcc00dda3ef78 |
C:\Users\Admin\AppData\Local\Temp\tmpD304.tmp
| MD5 | 18e04095708297d6889a6962f81e8d8f |
| SHA1 | 9a25645db1da0217092c06579599b04982192124 |
| SHA256 | 4ed16c019fe50bb4ab1c9dcedf0e52f93454b5dbaf18615d60761e7927b69fb7 |
| SHA512 | 45ec57bddeeb8bca05babcf8da83bf9db630819b23076a1cf79f2e54b3e88e14cd7db650332554026ab5e8634061dd699f322bcba6683765063e67ac47ea1caf |
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-20 22:27
Reported
2024-05-20 22:30
Platform
win10v2004-20240226-en
Max time kernel
142s
Max time network
148s
Command Line
Signatures
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Manipulates Digital Signatures
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.60.3.1!7\Name = "szOID_ROOT_PROGRAM_AUTO_UPDATE_CA_REVOCATION" | C:\Windows\SysWOW64\certutil.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.60.3.2!7\Name = "szOID_ROOT_PROGRAM_AUTO_UPDATE_END_REVOCATION" | C:\Windows\SysWOW64\certutil.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.60.3.3!7\Name = "szOID_ROOT_PROGRAM_NO_OCSP_FAILOVER_TO_CRL" | C:\Windows\SysWOW64\certutil.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\61201493419f2cfd038edd380361f70e_JaffaCakes118.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\dllhost.com | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\dllhost.com | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\RegAsm.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\RegAsm.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\RegAsm.exe | N/A |
Reads user/profile data of web browsers
Checks installed software on the system
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | checkip.amazonaws.com | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4068 set thread context of 2912 | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\dllhost.com | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\RegAsm.exe |
Enumerates physical storage devices
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\RegAsm.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\RegAsm.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\dllhost.com | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\dllhost.com | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\dllhost.com | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\RegAsm.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\dllhost.com | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\dllhost.com | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\dllhost.com | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\dllhost.com | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\dllhost.com | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\dllhost.com | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\dllhost.com | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\dllhost.com | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\dllhost.com | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\dllhost.com | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\dllhost.com | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\dllhost.com | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\61201493419f2cfd038edd380361f70e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\61201493419f2cfd038edd380361f70e_JaffaCakes118.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c echo jNpILxZa
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c cmd < kdDDQohzzOeDMawC.com
C:\Windows\SysWOW64\cmd.exe
cmd
C:\Windows\SysWOW64\PING.EXE
ping -n 1 HLDhP.Trej
C:\Windows\SysWOW64\certutil.exe
certutil -decode oakwUjXu.com Q
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\dllhost.com
dllhost.com Q
C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 3
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\dllhost.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\dllhost.com Q
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7ZSfx000.cmd" "
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3756 --field-trial-handle=2248,i,10247514684337323751,15511974759131734137,262144 --variations-seed-version /prefetch:8
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\RegAsm.exe
"C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\RegAsm.exe"
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\RegAsm.exe
"C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\RegAsm.exe"
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\RegAsm.exe
"C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\RegAsm.exe"
C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C taskkill /F /PID 2912 && choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\RegAsm.exe"
C:\Windows\SysWOW64\taskkill.exe
taskkill /F /PID 2912
C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 20.231.121.79:80 | tcp | |
| US | 8.8.8.8:53 | HLDhP.Trej | udp |
| US | 8.8.8.8:53 | 75.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | iUNusFx.iUNusFx | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 13.107.246.64:443 | tcp | |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| RU | 195.2.78.55:81 | tcp | |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | api.ip.sb | udp |
| US | 104.26.12.31:443 | api.ip.sb | tcp |
| US | 8.8.8.8:53 | 31.12.26.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | checkip.amazonaws.com | udp |
| IE | 54.72.101.164:80 | checkip.amazonaws.com | tcp |
| US | 8.8.8.8:53 | whois.iana.org | udp |
| US | 192.0.32.59:43 | whois.iana.org | tcp |
| US | 8.8.8.8:53 | 164.101.72.54.in-addr.arpa | udp |
| US | 8.8.8.8:53 | WHOIS.LACNIC.NET | udp |
| BR | 200.3.14.151:43 | WHOIS.LACNIC.NET | tcp |
| US | 8.8.8.8:53 | 59.32.0.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.geoplugin.net | udp |
| NL | 178.237.33.50:80 | www.geoplugin.net | tcp |
| US | 8.8.8.8:53 | 151.14.3.200.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.33.237.178.in-addr.arpa | udp |
| RU | 195.2.78.55:81 | tcp | |
| US | 8.8.8.8:53 | 93.65.42.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\kdDDQohzzOeDMawC.com
| MD5 | 9919b22087c6d3abcb33c95c85cd1a72 |
| SHA1 | d4bd348f984d2685e0bfc3c8575df11c7767dd09 |
| SHA256 | 473fb806481b1fac8b0ecfe4d96c645630d685aba857fa9a6b556874255f1450 |
| SHA512 | 00fc7e50ffe66097101813ac408a1598d85a855326410677ad4adb2ecf82b94c8168b5d45205a910d1613ae824dd1630d38cc12d0d7fa801cd2f5541532c50fe |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\ElwQXJLljZ.com
| MD5 | 392e5cc019e763f0019337277db81081 |
| SHA1 | 9402765f17c7e2b0cf15520ffef56476a855ab2c |
| SHA256 | 852ed04ac131800dae464471a51a7d54063dad88ce1ebab7ce22fcab66900d01 |
| SHA512 | 4e0de123e4ff6f40bacded145bc0505a73a2cf39ff01878b8703b1dd6fc0059d4ce1e39c0d6043b389b7ecee0126e326c6e258b0bf472bf297179b3b945db553 |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\oakwUjXu.com
| MD5 | 93169ee2c69f8ec0c1fa0772d3227422 |
| SHA1 | 3988c594382f0dda573da6f037bbb5e205ae9be3 |
| SHA256 | d6577ca47801a85d9a5e7a80425934aa6c43b743d1115ad09f798f3be5c194a8 |
| SHA512 | 0ba7ac9246d006b203156b6d5f9b6a096adfa76ab5544b62ca05ba91c1f138aec61a241cf015cbc61cb49cb7bb1fef2768403f2c51d5ea27ee410073d54710dd |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\dllhost.com
| MD5 | 7098bdf41092092927874259196e5d80 |
| SHA1 | 7ed19875c88e93fe3c0cc38b8bff56c61d0a8307 |
| SHA256 | 140864a83fd7c075010791ea30de0acf1ec4725febb1c30dec785b7a893d8558 |
| SHA512 | dcb5a1e7fa194546cdf0186d949eb16a638d9f0cdef9f0f149b13e27d046d36d196e4ea7c6ae7d733eaaca31ce1ebd3b11b614ce2607729b9e97feb18e282b03 |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Q
| MD5 | e20e62330bad6efc86c7d14843cb7f88 |
| SHA1 | 307e83a8831ca201aa54cd43baa615eb73e01559 |
| SHA256 | 60a4c7b8bae6be0f25c19d9e7af3934984b1027d3c159277f0e2af25365fed24 |
| SHA512 | e824d53c9fa44c2c9ebbe0c476ebf82b4509343f8dc11bad312dc5bf0997dee301dc60b1d5a9b385fa1297b4b74d5cdb3960733ea72ce815bfd964dc0f0d70fb |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\ZjhzASQfbvkXa.com
| MD5 | 6d37a4edfc74a1e6048dff3905869a6f |
| SHA1 | 0689d0c8794154013632f9dd0303b9cdc54b1114 |
| SHA256 | 7c4736bb159e8e383178028590da6eeb38182247203c0da89b7ec2ca39e57fb8 |
| SHA512 | 3d9cec9585a0f8eeb1b566299b351dcc6fab6dc02edaa02b51af2dbcf3f6190d395b83281bc129ef91bd44824ece8e5eaa7b96248d4ae3330db20fadd83e68e2 |
C:\Users\Admin\AppData\Local\Temp\7ZSfx000.cmd
| MD5 | b6be4f2d0c69bf65311e416288f558ec |
| SHA1 | 5f9789d858cd5803083c2905385972c4075ff536 |
| SHA256 | faa55046454144bd6160bbc449610d29671bd1456afd5c4fdce66a71628b6f60 |
| SHA512 | 4fcba9ace47f9aeec9ac5ad778328a9018704a6b57e24aa965cc3c01109f553e3319f79b8566d9cf32ac814ba7b503b4954d250f7ff1d09d75c5ab74b8553aaa |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\RegAsm.exe
| MD5 | 0d5df43af2916f47d00c1573797c1a13 |
| SHA1 | 230ab5559e806574d26b4c20847c368ed55483b0 |
| SHA256 | c066aee7aa3aa83f763ebc5541daa266ed6c648fbffcde0d836a13b221bb2adc |
| SHA512 | f96cf9e1890746b12daf839a6d0f16f062b72c1b8a40439f96583f242980f10f867720232a6fa0f7d4d7ac0a7a6143981a5a130d6417ea98b181447134c7cfe2 |
memory/2912-31-0x0000000000400000-0x0000000000426000-memory.dmp
memory/2912-34-0x00000000056F0000-0x0000000005D08000-memory.dmp
memory/2912-35-0x0000000005040000-0x0000000005052000-memory.dmp
memory/2912-36-0x00000000050D0000-0x000000000510C000-memory.dmp
memory/2912-37-0x0000000005060000-0x00000000050AC000-memory.dmp
memory/2912-38-0x0000000005340000-0x000000000544A000-memory.dmp
memory/2912-39-0x0000000005FF0000-0x0000000006082000-memory.dmp
memory/2912-40-0x0000000006640000-0x0000000006BE4000-memory.dmp
memory/2912-41-0x0000000006460000-0x0000000006622000-memory.dmp
memory/2912-42-0x0000000007120000-0x000000000764C000-memory.dmp
memory/2912-43-0x0000000006BF0000-0x0000000006C56000-memory.dmp
memory/2912-44-0x0000000008300000-0x0000000008350000-memory.dmp
memory/2912-50-0x00000000083F0000-0x000000000848C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmpA6C9.tmp
| MD5 | ccac0558796e7cc619135c4d788eef0a |
| SHA1 | 39fd56ee823903ad8a675865519e04e6e5e340df |
| SHA256 | 564389cf7ff966e9e16dfdaf2a1531b57180396478470adc84cdb42bce13696f |
| SHA512 | 3eec7800e259ac20f33dcf9580b931941cde1698145da1c7d4aa714ac73c9130ca9d27dd07fd99354f2198f8306f3c452e2fb8434e029cf94be7d37ee69bad92 |
C:\Users\Admin\AppData\Local\Temp\tmpA6DA.tmp
| MD5 | 02d2c46697e3714e49f46b680b9a6b83 |
| SHA1 | 84f98b56d49f01e9b6b76a4e21accf64fd319140 |
| SHA256 | 522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9 |
| SHA512 | 60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac |
C:\Users\Admin\AppData\Local\Temp\tmpA72E.tmp
| MD5 | 4c2e2189b87f507edc2e72d7d55583a0 |
| SHA1 | 1f06e340f76d41ea0d1e8560acd380a901b2a5bd |
| SHA256 | 99a5f8dea08b5cf512ed888b3e533cc77c08dc644078793dc870abd8828c1bca |
| SHA512 | 8b6b49e55afe8a697aaf71d975fab9e906143339827f75a57876a540d0d7b9e3cbbcdd8b5435d6198900a73895cc52d2082e66ee8cec342e72f2e427dde71600 |
C:\Users\Admin\AppData\Local\Temp\tmpA7D9.tmp
| MD5 | d444c807029c83b8a892ac0c4971f955 |
| SHA1 | fa58ce7588513519dc8fed939b26b05dc25e53b5 |
| SHA256 | 8297a7698f19bb81539a18363db100c55e357fa73f773c2b883d2c4161f6a259 |
| SHA512 | b7958b843639d4223bef65cdc6c664d7d15b76ac4e0a8b1575201dd47a32899feff32389dcc047314f47944ebe7b774cd59e51d49202f49541bbd70ecbb31a2e |
C:\Users\Admin\AppData\Local\Temp\tmpA7D8.tmp
| MD5 | d20cfe4c597cd3a59ec8a9ca7c94e1f9 |
| SHA1 | 7618fb1594eeccd8deb1e9706cdfd1a561d426a3 |
| SHA256 | 27fcb665d702756494000c90bc0bbed9e676580d988e3a67f32b089ad6391f85 |
| SHA512 | a36524d8874999ca4d7285850de52f9f9247a3c4ea17809ebd2a46c63482037458dfcf042bde1e380054c0a9afeabb6e86aa7bb2ae0b41fc3a21a2164ba00728 |
C:\Users\Admin\AppData\Local\Temp\tmpA81D.tmp
| MD5 | 568f1b99bed86691e4117ef061008380 |
| SHA1 | 4ae332f6c14b0c6440e4a339eb2a4b6cea238554 |
| SHA256 | e3d4ae5acddea28f2d5f67ce7adbba95841b8c4096b586e6b14f860739fc46ca |
| SHA512 | a69bf696f713b5c35f047cfd5fbb6202950b24054d235756b8ea29eb646668a409b02d5014196ad7fb6dd4923ee4eaea02be1ba6d5832cc155be4c963336004f |