Analysis Overview
| SHA256 | ad9ad8c5e78a1060cddb589a027ed9ac6f8ef8fbaa88862e9269690a4fe49283 |
Threat Level: Known bad
The file 8eda529979d30636fb0fbb45c2da7977_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
Windows security bypass
Diamondfox family
UAC bypass
DiamondFox
DiamondFox stealer
Drops file in Drivers directory
Executes dropped EXE
Windows security modification
Drops startup file
Loads dropped DLL
Deletes itself
Checks whether UAC is enabled
Enumerates physical storage devices
Unsigned PE
System policy modification
Script User-Agent
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2024-06-02 17:26
Signatures
DiamondFox stealer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Diamondfox family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-02 17:26
Reported
2024-06-02 17:29
Platform
win7-20240508-en
Max time kernel
149s
Max time network
150s
Command Line
Signatures
DiamondFox
DiamondFox stealer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
UAC bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\8eda529979d30636fb0fbb45c2da7977_JaffaCakes118.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
Windows security bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UACDisableNotify = "0" | C:\Users\Admin\AppData\Local\Temp\8eda529979d30636fb0fbb45c2da7977_JaffaCakes118.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UACDisableNotify = "0" | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\system32\drivers\etc\hosts | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WordPad.exe | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WordPad.exe | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8eda529979d30636fb0fbb45c2da7977_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8eda529979d30636fb0fbb45c2da7977_JaffaCakes118.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UACDisableNotify = "0" | C:\Users\Admin\AppData\Local\Temp\8eda529979d30636fb0fbb45c2da7977_JaffaCakes118.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UACDisableNotify = "0" | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\8eda529979d30636fb0fbb45c2da7977_JaffaCakes118.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
Enumerates physical storage devices
Script User-Agent
| Description | Indicator | Process | Target |
| HTTP User-Agent header | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | N/A | N/A |
| HTTP User-Agent header | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | N/A | N/A |
| HTTP User-Agent header | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | N/A | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8eda529979d30636fb0fbb45c2da7977_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
Suspicious use of WriteProcessMemory
System policy modification
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\AppData\Local\Temp\8eda529979d30636fb0fbb45c2da7977_JaffaCakes118.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\8eda529979d30636fb0fbb45c2da7977_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\8eda529979d30636fb0fbb45c2da7977_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\8eda529979d30636fb0fbb45c2da7977_JaffaCakes118.exe"
C:\Users\Admin\AppData\Roaming\svchost.exe
C:\Users\Admin\AppData\Roaming\svchost.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Melt.bat
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | f0228275.xsph.ru | udp |
| RU | 141.8.197.42:80 | f0228275.xsph.ru | tcp |
| RU | 141.8.197.42:80 | f0228275.xsph.ru | tcp |
| RU | 141.8.197.42:80 | f0228275.xsph.ru | tcp |
| RU | 141.8.197.42:80 | f0228275.xsph.ru | tcp |
| RU | 141.8.197.42:80 | f0228275.xsph.ru | tcp |
| RU | 141.8.197.42:80 | f0228275.xsph.ru | tcp |
| RU | 141.8.197.42:80 | f0228275.xsph.ru | tcp |
| RU | 141.8.197.42:80 | f0228275.xsph.ru | tcp |
| RU | 141.8.197.42:80 | f0228275.xsph.ru | tcp |
| US | 8.8.8.8:53 | f0228275.xsph.ru | udp |
| RU | 141.8.197.42:80 | f0228275.xsph.ru | tcp |
| RU | 141.8.197.42:80 | f0228275.xsph.ru | tcp |
| RU | 141.8.197.42:80 | f0228275.xsph.ru | tcp |
| US | 8.8.8.8:53 | f0228275.xsph.ru | udp |
| RU | 141.8.197.42:80 | f0228275.xsph.ru | tcp |
Files
\Users\Admin\AppData\Roaming\svchost.exe
| MD5 | 8eda529979d30636fb0fbb45c2da7977 |
| SHA1 | c8894ae2dc2d6f0225c72a2b19fb283a57f077fe |
| SHA256 | ad9ad8c5e78a1060cddb589a027ed9ac6f8ef8fbaa88862e9269690a4fe49283 |
| SHA512 | 537a16d8dc253800d5225ee1f41135fe619df6c26491fe203632d385751f57a2aa8da5cd9bd4c6582b2f579751ce245aeea367fe106a90058a332d768982d44c |
C:\Users\Admin\AppData\Local\Temp\Melt.bat
| MD5 | 2b4ac925d0131af926415461d760ac8e |
| SHA1 | edd325b6ac9903f1195b19f1b028a5067193e1cc |
| SHA256 | 6ae190034e591dae070cf5550514fae731b01ec06d7c379827f9633f85320732 |
| SHA512 | f669447506687bd5a0a76fbb76f6124f358b1866085c5ac16cfba95199a3c8becbc268a6360af0a04a3fdde0e09ac204d2b7b6a1e1034070360076617aab574d |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-02 17:26
Reported
2024-06-02 17:29
Platform
win10v2004-20240426-en
Max time kernel
135s
Max time network
145s
Command Line
Signatures
DiamondFox
DiamondFox stealer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
UAC bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\8eda529979d30636fb0fbb45c2da7977_JaffaCakes118.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
Windows security bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0" | C:\Users\Admin\AppData\Local\Temp\8eda529979d30636fb0fbb45c2da7977_JaffaCakes118.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0" | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\system32\drivers\etc\hosts | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WordPad.exe | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WordPad.exe | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0" | C:\Users\Admin\AppData\Local\Temp\8eda529979d30636fb0fbb45c2da7977_JaffaCakes118.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0" | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\8eda529979d30636fb0fbb45c2da7977_JaffaCakes118.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
Enumerates physical storage devices
Script User-Agent
| Description | Indicator | Process | Target |
| HTTP User-Agent header | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | N/A | N/A |
| HTTP User-Agent header | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | N/A | N/A |
| HTTP User-Agent header | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | N/A | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8eda529979d30636fb0fbb45c2da7977_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1680 wrote to memory of 2176 | N/A | C:\Users\Admin\AppData\Local\Temp\8eda529979d30636fb0fbb45c2da7977_JaffaCakes118.exe | C:\Users\Admin\AppData\Roaming\svchost.exe |
| PID 1680 wrote to memory of 2176 | N/A | C:\Users\Admin\AppData\Local\Temp\8eda529979d30636fb0fbb45c2da7977_JaffaCakes118.exe | C:\Users\Admin\AppData\Roaming\svchost.exe |
| PID 1680 wrote to memory of 2176 | N/A | C:\Users\Admin\AppData\Local\Temp\8eda529979d30636fb0fbb45c2da7977_JaffaCakes118.exe | C:\Users\Admin\AppData\Roaming\svchost.exe |
| PID 1680 wrote to memory of 3328 | N/A | C:\Users\Admin\AppData\Local\Temp\8eda529979d30636fb0fbb45c2da7977_JaffaCakes118.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 1680 wrote to memory of 3328 | N/A | C:\Users\Admin\AppData\Local\Temp\8eda529979d30636fb0fbb45c2da7977_JaffaCakes118.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 1680 wrote to memory of 3328 | N/A | C:\Users\Admin\AppData\Local\Temp\8eda529979d30636fb0fbb45c2da7977_JaffaCakes118.exe | C:\Windows\SysWOW64\cmd.exe |
System policy modification
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\AppData\Local\Temp\8eda529979d30636fb0fbb45c2da7977_JaffaCakes118.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\8eda529979d30636fb0fbb45c2da7977_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\8eda529979d30636fb0fbb45c2da7977_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\8eda529979d30636fb0fbb45c2da7977_JaffaCakes118.exe"
C:\Users\Admin\AppData\Roaming\svchost.exe
C:\Users\Admin\AppData\Roaming\svchost.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\Melt.bat
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | f0228275.xsph.ru | udp |
| RU | 141.8.197.42:80 | f0228275.xsph.ru | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| RU | 141.8.197.42:80 | f0228275.xsph.ru | tcp |
| US | 8.8.8.8:53 | 42.197.8.141.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 144.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.159.190.20.in-addr.arpa | udp |
| RU | 141.8.197.42:80 | f0228275.xsph.ru | tcp |
| RU | 141.8.197.42:80 | f0228275.xsph.ru | tcp |
| RU | 141.8.197.42:80 | f0228275.xsph.ru | tcp |
| RU | 141.8.197.42:80 | f0228275.xsph.ru | tcp |
| RU | 141.8.197.42:80 | f0228275.xsph.ru | tcp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| RU | 141.8.197.42:80 | f0228275.xsph.ru | tcp |
| RU | 141.8.197.42:80 | f0228275.xsph.ru | tcp |
| US | 8.8.8.8:53 | 203.107.17.2.in-addr.arpa | udp |
| RU | 141.8.197.42:80 | f0228275.xsph.ru | tcp |
| US | 8.8.8.8:53 | f0228275.xsph.ru | udp |
| RU | 141.8.197.42:80 | f0228275.xsph.ru | tcp |
| RU | 141.8.197.42:80 | f0228275.xsph.ru | tcp |
Files
C:\Users\Admin\AppData\Roaming\svchost.exe
| MD5 | 8eda529979d30636fb0fbb45c2da7977 |
| SHA1 | c8894ae2dc2d6f0225c72a2b19fb283a57f077fe |
| SHA256 | ad9ad8c5e78a1060cddb589a027ed9ac6f8ef8fbaa88862e9269690a4fe49283 |
| SHA512 | 537a16d8dc253800d5225ee1f41135fe619df6c26491fe203632d385751f57a2aa8da5cd9bd4c6582b2f579751ce245aeea367fe106a90058a332d768982d44c |
C:\Users\Admin\AppData\Local\Temp\Melt.bat
| MD5 | 2b4ac925d0131af926415461d760ac8e |
| SHA1 | edd325b6ac9903f1195b19f1b028a5067193e1cc |
| SHA256 | 6ae190034e591dae070cf5550514fae731b01ec06d7c379827f9633f85320732 |
| SHA512 | f669447506687bd5a0a76fbb76f6124f358b1866085c5ac16cfba95199a3c8becbc268a6360af0a04a3fdde0e09ac204d2b7b6a1e1034070360076617aab574d |
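Added example, not part of this sandbox report and not code from the DiamondFox sample: Python detection logic that takes the host and network indicators recorded in the Signatures, Processes and Network tables of both behavioral runs (EnableLUA and UACDisableNotify set to 0, a write to drivers\etc\hosts, an executable created in the user's Startup folder, svchost.exe running from %AppData%\Roaming, the WinHttp.WinHttpRequest.5 User-Agent, and the f0228275.xsph.ru / 141.8.197.42 C2) and evaluates them over constructed Sysmon-style events. The event tuples, including the benign control rows, are made up for illustration; the paths, value names and hosts are taken from the report. The dropped svchost.exe carries the same MD5/SHA1/SHA256 as the submitted sample, so it is a self-copy rather than a second payload, and a hash match on the sample covers both.

```python
"""Detection logic for the behaviours in this report, run over constructed
Sysmon-style events (added example; event data below is made up)."""
from pathlib import PureWindowsPath

# Indicators from the report's Signatures and Network tables.
UAC_REGISTRY_VALUES = {
    r"software\microsoft\windows\currentversion\policies\system\enablelua": "0",
    r"software\wow6432node\microsoft\security center\uacdisablenotify": "0",
}
HOSTS_FILE = r"c:\windows\system32\drivers\etc\hosts"
STARTUP_DIR = r"\appdata\roaming\microsoft\windows\start menu\programs\startup"
STARTUP_EXEC_SUFFIXES = {".exe", ".bat", ".cmd", ".vbs", ".js", ".ps1"}
SCRIPT_UA = "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)"
C2_HOSTS = {"f0228275.xsph.ru", "141.8.197.42"}
# The only directories a genuine svchost.exe lives in.
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")


def norm(path: str) -> str:
    """Lower-case a registry path and strip the hive prefix so that
    '\\REGISTRY\\MACHINE\\...' (sandbox form) and 'HKLM\\...' (Sysmon form) compare equal."""
    p = path.lower()
    for prefix in (r"\registry\machine" + "\\", "hkey_local_machine\\", "hklm\\"):
        if p.startswith(prefix):
            return p[len(prefix):]
    return p


def in_system_dir(image: str) -> bool:
    return str(PureWindowsPath(image).parent).lower() in SYSTEM_DIRS


def masquerading_system_binary(image: str) -> bool:
    """svchost.exe running from anywhere but System32/SysWOW64 (report: %AppData%\\Roaming)."""
    return PureWindowsPath(image).name.lower() == "svchost.exe" and not in_system_dir(image)


def check_registry(events):
    """events: (image, registry_path, data). Flags writes that disable UAC or its notifications."""
    return [("uac_disabled", image, path) for image, path, data in events
            if UAC_REGISTRY_VALUES.get(norm(path)) == str(data)]


def check_files(events):
    """events: (image, target_path). Flags hosts-file writes by non-system binaries
    and executable content dropped into the per-user Startup folder."""
    hits = []
    for image, target in events:
        t = PureWindowsPath(target)
        if str(t).lower() == HOSTS_FILE and not in_system_dir(image):
            hits.append(("hosts_tamper", image, target))
        if (str(t.parent).lower().endswith(STARTUP_DIR)
                and t.suffix.lower() in STARTUP_EXEC_SUFFIXES):
            hits.append(("startup_persistence", image, target))
    return hits


def check_http(events):
    """events: (image, host, user_agent). Flags the C2 host and the WinHttpRequest UA."""
    hits = []
    for image, host, ua in events:
        if host.lower() in C2_HOSTS:
            hits.append(("c2_contact", image, host))
        if ua == SCRIPT_UA:
            hits.append(("winhttprequest_ua", image, host))
    return hits


def triage(reg_events, file_events, http_events):
    """Combine all checks; also flag every masquerading svchost.exe seen as an actor."""
    findings = check_registry(reg_events) + check_files(file_events) + check_http(http_events)
    actors = {e[0] for e in reg_events + file_events + http_events}
    findings += [("masquerading_svchost", img, "") for img in sorted(actors)
                 if masquerading_system_binary(img)]
    return findings


# Constructed telemetry: actors and paths from the report, benign rows invented as controls.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\8eda529979d30636fb0fbb45c2da7977_JaffaCakes118.exe"
DROPPED = r"C:\Users\Admin\AppData\Roaming\svchost.exe"
REAL_SVCHOST = r"C:\Windows\System32\svchost.exe"
REG_EVENTS = [
    (SAMPLE, r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA", "0"),
    (DROPPED, r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UACDisableNotify", "0"),
    (REAL_SVCHOST, r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA", "1"),  # benign
]
FILE_EVENTS = [
    (DROPPED, r"C:\Windows\system32\drivers\etc\hosts"),
    (DROPPED, r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WordPad.exe"),
    (r"C:\Windows\explorer.exe", r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini"),  # benign
]
HTTP_EVENTS = [
    (DROPPED, "f0228275.xsph.ru", SCRIPT_UA),
    (r"C:\Program Files\Mozilla Firefox\firefox.exe", "example.com", "Mozilla/5.0 (Windows NT 10.0; rv:126.0)"),  # benign
]

if __name__ == "__main__":
    for rule, image, detail in triage(REG_EVENTS, FILE_EVENTS, HTTP_EVENTS):
        print(f"{rule:22} {image}  {detail}")
```

Two caveats when turning this into production rules: EnableLUA=0 is also written by Group Policy and by administrators, so the registry rule should be tuned on the writing image (here an unsigned binary under the user profile), and the change only takes effect after a reboot, which is why the sample also clears UACDisableNotify and installs a Startup-folder copy to survive that reboot. The WinHttp.WinHttpRequest.5 User-Agent is shared by legitimate VBScript and PowerShell automation, so treat it as a pivot for the C2 host rather than a stand-alone alert.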