Analysis Overview
SHA256
58f516bca2180b9c4997a83fc135fb69acc4915f262633d4791bda7f601d351b
Threat Level: Likely malicious
The file 7523097d99af3f83ede720c3c53ed3ae_JaffaCakes118 was found to be: Likely malicious.
Malicious Activity Summary
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Checks BIOS information in registry
Reads user/profile data of web browsers
Deletes itself
Identifies Wine through registry keys
Looks up external IP address via web service
Writes to the Master Boot Record (MBR)
Checks installed software on the system
Checks whether UAC is enabled
Suspicious use of NtSetInformationThreadHideFromDebugger
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Runs ping.exe
Suspicious use of WriteProcessMemory
Modifies system certificate store
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-26 10:09
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-26 10:09
Reported
2024-05-26 10:12
Platform
win10v2004-20240508-en
Max time kernel
133s
Max time network
131s
Command Line
Signatures
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\7523097d99af3f83ede720c3c53ed3ae_JaffaCakes118.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\7523097d99af3f83ede720c3c53ed3ae_JaffaCakes118.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\7523097d99af3f83ede720c3c53ed3ae_JaffaCakes118.exe | N/A |
Identifies Wine through registry keys
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\7523097d99af3f83ede720c3c53ed3ae_JaffaCakes118.exe | N/A |
Reads user/profile data of web browsers
Checks installed software on the system
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\7523097d99af3f83ede720c3c53ed3ae_JaffaCakes118.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | checkip.amazonaws.com | N/A | N/A |
Writes to the Master Boot Record (MBR)
| Description | Indicator | Process | Target |
| File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\AppData\Local\Temp\7523097d99af3f83ede720c3c53ed3ae_JaffaCakes118.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7523097d99af3f83ede720c3c53ed3ae_JaffaCakes118.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7523097d99af3f83ede720c3c53ed3ae_JaffaCakes118.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1632 wrote to memory of 3636 | N/A | C:\Users\Admin\AppData\Local\Temp\7523097d99af3f83ede720c3c53ed3ae_JaffaCakes118.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 1632 wrote to memory of 3636 | N/A | C:\Users\Admin\AppData\Local\Temp\7523097d99af3f83ede720c3c53ed3ae_JaffaCakes118.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 1632 wrote to memory of 3636 | N/A | C:\Users\Admin\AppData\Local\Temp\7523097d99af3f83ede720c3c53ed3ae_JaffaCakes118.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 3636 wrote to memory of 4400 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\PING.EXE |
| PID 3636 wrote to memory of 4400 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\PING.EXE |
| PID 3636 wrote to memory of 4400 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\PING.EXE |
Processes
C:\Users\Admin\AppData\Local\Temp\7523097d99af3f83ede720c3c53ed3ae_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\7523097d99af3f83ede720c3c53ed3ae_JaffaCakes118.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4316,i,4686244434963378549,11462511444150484980,262144 --variations-seed-version --mojo-platform-channel-handle=4156 /prefetch:8
C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C ping 127.0.0.1 -n 3 > nul &del "C:\Users\Admin\AppData\Local\Temp\7523097d99af3f83ede720c3c53ed3ae_JaffaCakes118.exe"
C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 3
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 82.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | udp |
| US | 138.124.183.68:88 | tcp | |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 194.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | api.ip.sb | udp |
| US | 104.26.13.31:443 | api.ip.sb | tcp |
| US | 8.8.8.8:53 | checkip.amazonaws.com | udp |
| IE | 52.48.204.56:80 | checkip.amazonaws.com | tcp |
| US | 8.8.8.8:53 | whois.iana.org | udp |
| US | 192.0.32.59:43 | whois.iana.org | tcp |
| US | 8.8.8.8:53 | 56.204.48.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.13.26.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | WHOIS.LACNIC.NET | udp |
| BR | 200.3.14.149:43 | WHOIS.LACNIC.NET | tcp |
| US | 8.8.8.8:53 | 59.32.0.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.geoplugin.net | udp |
| NL | 178.237.33.50:80 | www.geoplugin.net | tcp |
| US | 8.8.8.8:53 | 50.33.237.178.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.14.3.200.in-addr.arpa | udp |
| US | 138.124.183.68:88 | tcp | |
| NL | 52.142.223.178:80 | tcp | |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 101.58.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.193.132.51.in-addr.arpa | udp |
Files
memory/1632-0-0x0000000000EB0000-0x00000000013F4000-memory.dmp
memory/1632-2-0x0000000000EB0000-0x00000000013F4000-memory.dmp
memory/1632-3-0x0000000000EB0000-0x00000000013F4000-memory.dmp
memory/1632-4-0x0000000005890000-0x0000000005EA8000-memory.dmp
memory/1632-5-0x0000000002FA0000-0x0000000002FB2000-memory.dmp
memory/1632-6-0x00000000051D0000-0x000000000520C000-memory.dmp
memory/1632-7-0x0000000005210000-0x000000000525C000-memory.dmp
memory/1632-8-0x0000000005450000-0x000000000555A000-memory.dmp
memory/1632-11-0x0000000006050000-0x00000000060E2000-memory.dmp
memory/1632-12-0x00000000066A0000-0x0000000006C44000-memory.dmp
memory/1632-13-0x0000000000EB0000-0x00000000013F4000-memory.dmp
memory/1632-14-0x0000000006E20000-0x0000000006FE2000-memory.dmp
memory/1632-15-0x0000000007520000-0x0000000007A4C000-memory.dmp
memory/1632-16-0x0000000006D80000-0x0000000006DE6000-memory.dmp
memory/1632-17-0x0000000008560000-0x00000000085B0000-memory.dmp
memory/1632-23-0x0000000008650000-0x00000000086EC000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmp5294.tmp
| MD5 | dc1ca475cc21e0e5df007b6d905d6af3 |
| SHA1 | a75843acac08b722db94b145b32872ba499229fc |
| SHA256 | a71fcca8bfe2a274b9607c18904a583a5d63233977dc74fc4eaafe91666417f2 |
| SHA512 | 73a4aab577c6f6e9b7e694c460d69f891ab27826f1bf14c6d433d0b2878e68cf5a87cd8330d657bb649af65a06c2cbb04d10ee791b7ebde22d68424cb3c82b2e |
C:\Users\Admin\AppData\Local\Temp\tmp5295.tmp
| MD5 | 8f5942354d3809f865f9767eddf51314 |
| SHA1 | 20be11c0d42fc0cef53931ea9152b55082d1a11e |
| SHA256 | 776ecf8411b1b0167bea724409ac9d3f8479973df223ecc6e60e3302b3b2b8ea |
| SHA512 | fde8dfae8a862cf106b0cb55e02d73e4e4c0527c744c20886681245c8160287f722612a6de9d0046ed1156b1771229c8950b9ac036b39c988d75aa20b7bac218 |
C:\Users\Admin\AppData\Local\Temp\tmp52BA.tmp
| MD5 | baa675ce4124ca3fc5033e2a2c53dbd1 |
| SHA1 | 2dcc5513270c723fff6148dd2f8196081f83bb16 |
| SHA256 | 22cc36f18e7df98e3c58cd6fce492688970d4a5d1fb1865e5749b76138cdd9f4 |
| SHA512 | 047d4d9a7d415d5a4814acc42f9148c0de7ec34c5d53cc90cdcbb218406b343a3c5a1f5ec4cc3b8ccca6b7f08ed0115b7e568a5141e1335c2a2a6ed2682b45ec |
C:\Users\Admin\AppData\Local\Temp\tmp5325.tmp
| MD5 | bb48f715ba51aae047150fed114e00a7 |
| SHA1 | de6377da50f795b3ea85584325a8703bc011ba25 |
| SHA256 | e59452d6d72da0fbc1f7ea6516bb273cba0d9a0da4795271660021d6419b9487 |
| SHA512 | 23493be3e403a4344769f32425665772e07632f73202ae503a4a17e152d4319b1196b317e1c664983b612e307811ecc9a3c112f456f0b5cb070441c24119e365 |
C:\Users\Admin\AppData\Local\Temp\tmp5326.tmp
| MD5 | 5be7f6f434724dfcc01e8b2b0e753bbe |
| SHA1 | ef1078290de6b5700ff6e804a79beba16c99ba3e |
| SHA256 | 4064b300ca1a67a3086e1adb18001c0017384b8f84ff4c0e693858889cef2196 |
| SHA512 | 3b470c3ad5be3dd7721548021a818034584bbd88237b1710ce52ac67e04126fff4592c02f5868ebda72f662ec8c5f7fc4d0a458f49fe5eb47e024a5c50935ee2 |
C:\Users\Admin\AppData\Local\Temp\tmp533C.tmp
| MD5 | 13884ff020a99ee23a59f4f9f855f3e3 |
| SHA1 | d69d9c491ff8c42ed1bb05693edbfa6aa571cb7e |
| SHA256 | 3efa47d5a493132e6f00afef7ee29e583f10d1022f98b99d021498e968eb9d9c |
| SHA512 | 2ab0190602ed47c63c0208ef04ba83fec765e47db14f114af7b5a02fdcdaed6d0ee3f7291ea5102d4dd8ae5e859063fc3c9f52c94b6bf23735e0f780b8c001de |
memory/1632-245-0x0000000000EB0000-0x00000000013F4000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-26 10:09
Reported
2024-05-26 10:11
Platform
win7-20240508-en
Max time kernel
122s
Max time network
124s
Command Line
Signatures
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\7523097d99af3f83ede720c3c53ed3ae_JaffaCakes118.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\7523097d99af3f83ede720c3c53ed3ae_JaffaCakes118.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\7523097d99af3f83ede720c3c53ed3ae_JaffaCakes118.exe | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Identifies Wine through registry keys
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\7523097d99af3f83ede720c3c53ed3ae_JaffaCakes118.exe | N/A |
Reads user/profile data of web browsers
Checks installed software on the system
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\7523097d99af3f83ede720c3c53ed3ae_JaffaCakes118.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | checkip.amazonaws.com | N/A | N/A |
Writes to the Master Boot Record (MBR)
| Description | Indicator | Process | Target |
| File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\AppData\Local\Temp\7523097d99af3f83ede720c3c53ed3ae_JaffaCakes118.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7523097d99af3f83ede720c3c53ed3ae_JaffaCakes118.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 | C:\Users\Admin\AppData\Local\Temp\7523097d99af3f83ede720c3c53ed3ae_JaffaCakes118.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827 | C:\Users\Admin\AppData\Local\Temp\7523097d99af3f83ede720c3c53ed3ae_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 | C:\Users\Admin\AppData\Local\Temp\7523097d99af3f83ede720c3c53ed3ae_JaffaCakes118.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510 | C:\Users\Admin\AppData\Local\Temp\7523097d99af3f83ede720c3c53ed3ae_JaffaCakes118.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7523097d99af3f83ede720c3c53ed3ae_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7523097d99af3f83ede720c3c53ed3ae_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7523097d99af3f83ede720c3c53ed3ae_JaffaCakes118.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7523097d99af3f83ede720c3c53ed3ae_JaffaCakes118.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\7523097d99af3f83ede720c3c53ed3ae_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\7523097d99af3f83ede720c3c53ed3ae_JaffaCakes118.exe"
C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C ping 127.0.0.1 -n 3 > nul &del "C:\Users\Admin\AppData\Local\Temp\7523097d99af3f83ede720c3c53ed3ae_JaffaCakes118.exe"
C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 3
Network
| Country | Destination | Domain | Proto |
| US | 138.124.183.68:88 | tcp | |
| US | 8.8.8.8:53 | api.ip.sb | udp |
| US | 172.67.75.172:443 | api.ip.sb | tcp |
| US | 8.8.8.8:53 | apps.identrust.com | udp |
| BE | 23.14.90.91:80 | apps.identrust.com | tcp |
| US | 8.8.8.8:53 | checkip.amazonaws.com | udp |
| IE | 52.48.204.56:80 | checkip.amazonaws.com | tcp |
| US | 8.8.8.8:53 | whois.iana.org | udp |
| US | 192.0.47.59:43 | whois.iana.org | tcp |
| US | 8.8.8.8:53 | WHOIS.LACNIC.NET | udp |
| UY | 190.112.52.16:43 | WHOIS.LACNIC.NET | tcp |
| US | 8.8.8.8:53 | www.geoplugin.net | udp |
| NL | 178.237.33.50:80 | www.geoplugin.net | tcp |
| US | 192.0.47.59:43 | whois.iana.org | tcp |
| UY | 190.112.52.16:43 | WHOIS.LACNIC.NET | tcp |
| US | 138.124.183.68:88 | tcp |
Files
memory/2928-0-0x00000000010C0000-0x0000000001604000-memory.dmp
memory/2928-2-0x00000000010C0000-0x0000000001604000-memory.dmp
memory/2928-3-0x00000000010C0000-0x0000000001604000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Cab8B03.tmp
| MD5 | 29f65ba8e88c063813cc50a4ea544e93 |
| SHA1 | 05a7040d5c127e68c25d81cc51271ffb8bef3568 |
| SHA256 | 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184 |
| SHA512 | e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa |
C:\Users\Admin\AppData\Local\Temp\Tar9755.tmp
| MD5 | 435a9ac180383f9fa094131b173a2f7b |
| SHA1 | 76944ea657a9db94f9a4bef38f88c46ed4166983 |
| SHA256 | 67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34 |
| SHA512 | 1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a |
C:\Users\Admin\AppData\Local\Temp\tmpA6E0.tmp
| MD5 | dfedb72694a88fbddf2c758fdb57d971 |
| SHA1 | 2487723361513e7883330c4f2bcaaf8b2bc13713 |
| SHA256 | 722c47194263b07adaec951eb4a0d82addb080d22831406d23ba12682cabccad |
| SHA512 | dbeca37b3e5017d81fd717fe76bb2a84d0d03d6544911bf30646b85b16a058ffd690fa866e169a9228b21fc0dcbe3f4419383cb7080279e3963133d17cd9f49e |
C:\Users\Admin\AppData\Local\Temp\tmpA6E1.tmp
| MD5 | 02d2c46697e3714e49f46b680b9a6b83 |
| SHA1 | 84f98b56d49f01e9b6b76a4e21accf64fd319140 |
| SHA256 | 522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9 |
| SHA512 | 60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac |
C:\Users\Admin\AppData\Local\Temp\tmpA6F7.tmp
| MD5 | 5f914a013176785e26d70d07234c605c |
| SHA1 | 5336e9ed6aeb682b46a0472f4f80ec24c4504210 |
| SHA256 | 72b56bbce7e5e07702bf46a002c75cb3a8994fd390b190b989628d387d21975b |
| SHA512 | 103eff502bec0df1a36bd19a97ca1d10cc34da2183480fe146434ec916020011c8af003b66ab5f6f4886e95b21749be8d8c3c3ebf3ae1b2e5c6db216e8b4e1b2 |
memory/2928-205-0x00000000010C0000-0x0000000001604000-memory.dmp