Description	Indicator	Process	Target
PID 2240 set thread context of 2028	N/A	C:\Users\Admin\AppData\Local\Temp\94b87733c688eacc477a274c06047594_JaffaCakes118.exe	C:\Users\Admin\AppData\Local\Temp\94b87733c688eacc477a274c06047594_JaffaCakes118.exe
PID 1884 set thread context of 2164	N/A	C:\Users\Admin\AppData\Roaming\shost.exe	C:\Users\Admin\AppData\Roaming\shost.exe

Enumerates physical storage devices

Creates scheduled task(s)

persistence

Description	Indicator	Process	Target
N/A	N/A	C:\Windows\SysWOW64\schtasks.exe	N/A

Delays execution with timeout.exe

evasion

Description	Indicator	Process	Target
N/A	N/A	C:\Windows\SysWOW64\timeout.exe	N/A

Suspicious behavior: EnumeratesProcesses

Description	Indicator	Process	Target
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\94b87733c688eacc477a274c06047594_JaffaCakes118.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\94b87733c688eacc477a274c06047594_JaffaCakes118.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\94b87733c688eacc477a274c06047594_JaffaCakes118.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\94b87733c688eacc477a274c06047594_JaffaCakes118.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\94b87733c688eacc477a274c06047594_JaffaCakes118.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\shost.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\shost.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\shost.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\shost.exe	N/A

Suspicious use of AdjustPrivilegeToken

Description	Indicator	Process	Target
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Local\Temp\94b87733c688eacc477a274c06047594_JaffaCakes118.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Local\Temp\94b87733c688eacc477a274c06047594_JaffaCakes118.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Roaming\shost.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Roaming\shost.exe	N/A

Suspicious use of WriteProcessMemory

Description	Indicator	Process	Target
PID 2240 wrote to memory of 2028	N/A	C:\Users\Admin\AppData\Local\Temp\94b87733c688eacc477a274c06047594_JaffaCakes118.exe	C:\Users\Admin\AppData\Local\Temp\94b87733c688eacc477a274c06047594_JaffaCakes118.exe
PID 2240 wrote to memory of 2028	N/A	C:\Users\Admin\AppData\Local\Temp\94b87733c688eacc477a274c06047594_JaffaCakes118.exe	C:\Users\Admin\AppData\Local\Temp\94b87733c688eacc477a274c06047594_JaffaCakes118.exe
PID 2240 wrote to memory of 2028	N/A	C:\Users\Admin\AppData\Local\Temp\94b87733c688eacc477a274c06047594_JaffaCakes118.exe	C:\Users\Admin\AppData\Local\Temp\94b87733c688eacc477a274c06047594_JaffaCakes118.exe
PID 2240 wrote to memory of 2028	N/A	C:\Users\Admin\AppData\Local\Temp\94b87733c688eacc477a274c06047594_JaffaCakes118.exe	C:\Users\Admin\AppData\Local\Temp\94b87733c688eacc477a274c06047594_JaffaCakes118.exe
PID 2240 wrote to memory of 2028	N/A	C:\Users\Admin\AppData\Local\Temp\94b87733c688eacc477a274c06047594_JaffaCakes118.exe	C:\Users\Admin\AppData\Local\Temp\94b87733c688eacc477a274c06047594_JaffaCakes118.exe
PID 2240 wrote to memory of 2028	N/A	C:\Users\Admin\AppData\Local\Temp\94b87733c688eacc477a274c06047594_JaffaCakes118.exe	C:\Users\Admin\AppData\Local\Temp\94b87733c688eacc477a274c06047594_JaffaCakes118.exe
PID 2240 wrote to memory of 2028	N/A	C:\Users\Admin\AppData\Local\Temp\94b87733c688eacc477a274c06047594_JaffaCakes118.exe	C:\Users\Admin\AppData\Local\Temp\94b87733c688eacc477a274c06047594_JaffaCakes118.exe
PID 2240 wrote to memory of 2028	N/A	C:\Users\Admin\AppData\Local\Temp\94b87733c688eacc477a274c06047594_JaffaCakes118.exe	C:\Users\Admin\AppData\Local\Temp\94b87733c688eacc477a274c06047594_JaffaCakes118.exe
PID 2240 wrote to memory of 2028	N/A	C:\Users\Admin\AppData\Local\Temp\94b87733c688eacc477a274c06047594_JaffaCakes118.exe	C:\Users\Admin\AppData\Local\Temp\94b87733c688eacc477a274c06047594_JaffaCakes118.exe
PID 2028 wrote to memory of 2756	N/A	C:\Users\Admin\AppData\Local\Temp\94b87733c688eacc477a274c06047594_JaffaCakes118.exe	C:\Windows\SysWOW64\schtasks.exe
PID 2028 wrote to memory of 2756	N/A	C:\Users\Admin\AppData\Local\Temp\94b87733c688eacc477a274c06047594_JaffaCakes118.exe	C:\Windows\SysWOW64\schtasks.exe
PID 2028 wrote to memory of 2756	N/A	C:\Users\Admin\AppData\Local\Temp\94b87733c688eacc477a274c06047594_JaffaCakes118.exe	C:\Windows\SysWOW64\schtasks.exe
PID 2028 wrote to memory of 2756	N/A	C:\Users\Admin\AppData\Local\Temp\94b87733c688eacc477a274c06047594_JaffaCakes118.exe	C:\Windows\SysWOW64\schtasks.exe
PID 2028 wrote to memory of 2264	N/A	C:\Users\Admin\AppData\Local\Temp\94b87733c688eacc477a274c06047594_JaffaCakes118.exe	C:\Windows\SysWOW64\cmd.exe
PID 2028 wrote to memory of 2264	N/A	C:\Users\Admin\AppData\Local\Temp\94b87733c688eacc477a274c06047594_JaffaCakes118.exe	C:\Windows\SysWOW64\cmd.exe
PID 2028 wrote to memory of 2264	N/A	C:\Users\Admin\AppData\Local\Temp\94b87733c688eacc477a274c06047594_JaffaCakes118.exe	C:\Windows\SysWOW64\cmd.exe
PID 2028 wrote to memory of 2264	N/A	C:\Users\Admin\AppData\Local\Temp\94b87733c688eacc477a274c06047594_JaffaCakes118.exe	C:\Windows\SysWOW64\cmd.exe
PID 2264 wrote to memory of 1212	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\timeout.exe
PID 2264 wrote to memory of 1212	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\timeout.exe
PID 2264 wrote to memory of 1212	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\timeout.exe
PID 2264 wrote to memory of 1212	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\timeout.exe
PID 2264 wrote to memory of 1884	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Users\Admin\AppData\Roaming\shost.exe
PID 2264 wrote to memory of 1884	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Users\Admin\AppData\Roaming\shost.exe
PID 2264 wrote to memory of 1884	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Users\Admin\AppData\Roaming\shost.exe
PID 2264 wrote to memory of 1884	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Users\Admin\AppData\Roaming\shost.exe
PID 1884 wrote to memory of 2164	N/A	C:\Users\Admin\AppData\Roaming\shost.exe	C:\Users\Admin\AppData\Roaming\shost.exe
PID 1884 wrote to memory of 2164	N/A	C:\Users\Admin\AppData\Roaming\shost.exe	C:\Users\Admin\AppData\Roaming\shost.exe
PID 1884 wrote to memory of 2164	N/A	C:\Users\Admin\AppData\Roaming\shost.exe	C:\Users\Admin\AppData\Roaming\shost.exe
PID 1884 wrote to memory of 2164	N/A	C:\Users\Admin\AppData\Roaming\shost.exe	C:\Users\Admin\AppData\Roaming\shost.exe
PID 1884 wrote to memory of 2164	N/A	C:\Users\Admin\AppData\Roaming\shost.exe	C:\Users\Admin\AppData\Roaming\shost.exe
PID 1884 wrote to memory of 2164	N/A	C:\Users\Admin\AppData\Roaming\shost.exe	C:\Users\Admin\AppData\Roaming\shost.exe
PID 1884 wrote to memory of 2164	N/A	C:\Users\Admin\AppData\Roaming\shost.exe	C:\Users\Admin\AppData\Roaming\shost.exe
PID 1884 wrote to memory of 2164	N/A	C:\Users\Admin\AppData\Roaming\shost.exe	C:\Users\Admin\AppData\Roaming\shost.exe
PID 1884 wrote to memory of 2164	N/A	C:\Users\Admin\AppData\Roaming\shost.exe	C:\Users\Admin\AppData\Roaming\shost.exe

Processes

C:\Users\Admin\AppData\Local\Temp\94b87733c688eacc477a274c06047594_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\94b87733c688eacc477a274c06047594_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\94b87733c688eacc477a274c06047594_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\94b87733c688eacc477a274c06047594_JaffaCakes118.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "'shost"' /tr "'C:\Users\Admin\AppData\Roaming\shost.exe"'

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp13EE.tmp.bat""

C:\Windows\SysWOW64\timeout.exe

timeout 3

C:\Users\Admin\AppData\Roaming\shost.exe

"C:\Users\Admin\AppData\Roaming\shost.exe"

C:\Users\Admin\AppData\Roaming\shost.exe

"C:\Users\Admin\AppData\Roaming\shost.exe"

Network

Country	Destination	Domain	Proto
US	8.8.8.8:53	peacelist.ignorelist.com	udp

Files

memory/2240-0-0x0000000073F5E000-0x0000000073F5F000-memory.dmp

memory/2240-1-0x0000000001340000-0x0000000001434000-memory.dmp

memory/2240-2-0x00000000001B0000-0x00000000001D4000-memory.dmp

memory/2240-3-0x0000000073F50000-0x000000007463E000-memory.dmp

memory/2240-4-0x0000000073F5E000-0x0000000073F5F000-memory.dmp

memory/2240-5-0x0000000073F50000-0x000000007463E000-memory.dmp

memory/2028-6-0x0000000000400000-0x0000000000456000-memory.dmp

memory/2028-7-0x0000000000400000-0x0000000000456000-memory.dmp

memory/2028-8-0x0000000000400000-0x0000000000456000-memory.dmp

memory/2028-9-0x0000000000400000-0x0000000000456000-memory.dmp

memory/2028-10-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2028-12-0x0000000000400000-0x0000000000456000-memory.dmp

memory/2028-14-0x0000000000400000-0x0000000000456000-memory.dmp

memory/2028-17-0x0000000000400000-0x0000000000456000-memory.dmp

memory/2028-18-0x0000000073F50000-0x000000007463E000-memory.dmp

memory/2240-19-0x0000000073F50000-0x000000007463E000-memory.dmp

memory/2028-20-0x0000000073F50000-0x000000007463E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp13EE.tmp.bat

MD5	acebd8c90a26d19d009e50c02fc9ecf7
SHA1	fd7bf8f73e24ff91ba5fe56e975cfc4afb7c9420
SHA256	3741d93740bfe659e911e0d1277ce2c68997ec27b76803c64e1a44935e154708
SHA512	366a473b02e0de83fbdf9c33ccc0ca4331af75239b886154bc5359b7cd420286e8cdbde8a064130307160bd459fcc6f16292fb998803d83bd8da058a51a6afe6

memory/2028-30-0x0000000073F50000-0x000000007463E000-memory.dmp

\Users\Admin\AppData\Roaming\shost.exe

MD5	3433e524da36f061b28a3ff1caeea34d
SHA1	32c642c7b47196af2120d0ef1d6a085a214ae5f1
SHA256	d452caf37a0e32dba6e86dd9bb11da55d17945b77eec4dc09d347d5a70d101dd
SHA512	8ab1ab4ec630c67550f85255d18cc1d2db0bf68a68d78d983ae2586de7d9042843f4a1d1bccf00717733595b1e27786d44ab26f0e30825eeae8e8db4637ac328

memory/1884-34-0x0000000000FC0000-0x00000000010B4000-memory.dmp

memory/2164-43-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2164-53-0x0000000000080000-0x00000000000D6000-memory.dmp

memory/2164-50-0x0000000000080000-0x00000000000D6000-memory.dmp

memory/2164-46-0x0000000000080000-0x00000000000D6000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-04 11:46

Reported

2024-06-04 11:49

Platform

win10v2004-20240426-en

Max time kernel

145s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\94b87733c688eacc477a274c06047594_JaffaCakes118.exe"

Signatures

AsyncRat

rat asyncrat

Checks computer location settings

Description	Indicator	Process	Target
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	C:\Users\Admin\AppData\Local\Temp\94b87733c688eacc477a274c06047594_JaffaCakes118.exe	N/A

Executes dropped EXE

Description	Indicator	Process	Target
N/A	N/A	C:\Users\Admin\AppData\Roaming\shost.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\shost.exe	N/A

Suspicious use of SetThreadContext

Description	Indicator	Process	Target
PID 1776 set thread context of 2632	N/A	C:\Users\Admin\AppData\Local\Temp\94b87733c688eacc477a274c06047594_JaffaCakes118.exe	C:\Users\Admin\AppData\Local\Temp\94b87733c688eacc477a274c06047594_JaffaCakes118.exe
PID 3644 set thread context of 612	N/A	C:\Users\Admin\AppData\Roaming\shost.exe	C:\Users\Admin\AppData\Roaming\shost.exe

Enumerates physical storage devices

Creates scheduled task(s)

persistence

Description	Indicator	Process	Target
N/A	N/A	C:\Windows\SysWOW64\schtasks.exe	N/A

Delays execution with timeout.exe

evasion

Description	Indicator	Process	Target
N/A	N/A	C:\Windows\SysWOW64\timeout.exe	N/A

Suspicious behavior: EnumeratesProcesses

Description	Indicator	Process	Target
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\94b87733c688eacc477a274c06047594_JaffaCakes118.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\94b87733c688eacc477a274c06047594_JaffaCakes118.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\94b87733c688eacc477a274c06047594_JaffaCakes118.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\94b87733c688eacc477a274c06047594_JaffaCakes118.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\94b87733c688eacc477a274c06047594_JaffaCakes118.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\94b87733c688eacc477a274c06047594_JaffaCakes118.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\94b87733c688eacc477a274c06047594_JaffaCakes118.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\94b87733c688eacc477a274c06047594_JaffaCakes118.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\94b87733c688eacc477a274c06047594_JaffaCakes118.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\94b87733c688eacc477a274c06047594_JaffaCakes118.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\94b87733c688eacc477a274c06047594_JaffaCakes118.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\94b87733c688eacc477a274c06047594_JaffaCakes118.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\94b87733c688eacc477a274c06047594_JaffaCakes118.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\94b87733c688eacc477a274c06047594_JaffaCakes118.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\94b87733c688eacc477a274c06047594_JaffaCakes118.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\94b87733c688eacc477a274c06047594_JaffaCakes118.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\94b87733c688eacc477a274c06047594_JaffaCakes118.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\94b87733c688eacc477a274c06047594_JaffaCakes118.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\94b87733c688eacc477a274c06047594_JaffaCakes118.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\94b87733c688eacc477a274c06047594_JaffaCakes118.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\94b87733c688eacc477a274c06047594_JaffaCakes118.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\94b87733c688eacc477a274c06047594_JaffaCakes118.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\94b87733c688eacc477a274c06047594_JaffaCakes118.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\94b87733c688eacc477a274c06047594_JaffaCakes118.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\shost.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\shost.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\shost.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\shost.exe	N/A

Suspicious use of AdjustPrivilegeToken

Description	Indicator	Process	Target
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Local\Temp\94b87733c688eacc477a274c06047594_JaffaCakes118.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Local\Temp\94b87733c688eacc477a274c06047594_JaffaCakes118.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Roaming\shost.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Roaming\shost.exe	N/A

Suspicious use of WriteProcessMemory

Description	Indicator	Process	Target
PID 1776 wrote to memory of 2632	N/A	C:\Users\Admin\AppData\Local\Temp\94b87733c688eacc477a274c06047594_JaffaCakes118.exe	C:\Users\Admin\AppData\Local\Temp\94b87733c688eacc477a274c06047594_JaffaCakes118.exe
PID 1776 wrote to memory of 2632	N/A	C:\Users\Admin\AppData\Local\Temp\94b87733c688eacc477a274c06047594_JaffaCakes118.exe	C:\Users\Admin\AppData\Local\Temp\94b87733c688eacc477a274c06047594_JaffaCakes118.exe
PID 1776 wrote to memory of 2632	N/A	C:\Users\Admin\AppData\Local\Temp\94b87733c688eacc477a274c06047594_JaffaCakes118.exe	C:\Users\Admin\AppData\Local\Temp\94b87733c688eacc477a274c06047594_JaffaCakes118.exe
PID 1776 wrote to memory of 2632	N/A	C:\Users\Admin\AppData\Local\Temp\94b87733c688eacc477a274c06047594_JaffaCakes118.exe	C:\Users\Admin\AppData\Local\Temp\94b87733c688eacc477a274c06047594_JaffaCakes118.exe
PID 1776 wrote to memory of 2632	N/A	C:\Users\Admin\AppData\Local\Temp\94b87733c688eacc477a274c06047594_JaffaCakes118.exe	C:\Users\Admin\AppData\Local\Temp\94b87733c688eacc477a274c06047594_JaffaCakes118.exe
PID 1776 wrote to memory of 2632	N/A	C:\Users\Admin\AppData\Local\Temp\94b87733c688eacc477a274c06047594_JaffaCakes118.exe	C:\Users\Admin\AppData\Local\Temp\94b87733c688eacc477a274c06047594_JaffaCakes118.exe
PID 1776 wrote to memory of 2632	N/A	C:\Users\Admin\AppData\Local\Temp\94b87733c688eacc477a274c06047594_JaffaCakes118.exe	C:\Users\Admin\AppData\Local\Temp\94b87733c688eacc477a274c06047594_JaffaCakes118.exe
PID 1776 wrote to memory of 2632	N/A	C:\Users\Admin\AppData\Local\Temp\94b87733c688eacc477a274c06047594_JaffaCakes118.exe	C:\Users\Admin\AppData\Local\Temp\94b87733c688eacc477a274c06047594_JaffaCakes118.exe
PID 2632 wrote to memory of 5000	N/A	C:\Users\Admin\AppData\Local\Temp\94b87733c688eacc477a274c06047594_JaffaCakes118.exe	C:\Windows\SysWOW64\schtasks.exe
PID 2632 wrote to memory of 5000	N/A	C:\Users\Admin\AppData\Local\Temp\94b87733c688eacc477a274c06047594_JaffaCakes118.exe	C:\Windows\SysWOW64\schtasks.exe
PID 2632 wrote to memory of 5000	N/A	C:\Users\Admin\AppData\Local\Temp\94b87733c688eacc477a274c06047594_JaffaCakes118.exe	C:\Windows\SysWOW64\schtasks.exe
PID 2632 wrote to memory of 3156	N/A	C:\Users\Admin\AppData\Local\Temp\94b87733c688eacc477a274c06047594_JaffaCakes118.exe	C:\Windows\SysWOW64\cmd.exe
PID 2632 wrote to memory of 3156	N/A	C:\Users\Admin\AppData\Local\Temp\94b87733c688eacc477a274c06047594_JaffaCakes118.exe	C:\Windows\SysWOW64\cmd.exe
PID 2632 wrote to memory of 3156	N/A	C:\Users\Admin\AppData\Local\Temp\94b87733c688eacc477a274c06047594_JaffaCakes118.exe	C:\Windows\SysWOW64\cmd.exe
PID 3156 wrote to memory of 4732	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\timeout.exe
PID 3156 wrote to memory of 4732	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\timeout.exe
PID 3156 wrote to memory of 4732	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\timeout.exe
PID 3156 wrote to memory of 3644	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Users\Admin\AppData\Roaming\shost.exe
PID 3156 wrote to memory of 3644	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Users\Admin\AppData\Roaming\shost.exe
PID 3156 wrote to memory of 3644	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Users\Admin\AppData\Roaming\shost.exe
PID 3644 wrote to memory of 612	N/A	C:\Users\Admin\AppData\Roaming\shost.exe	C:\Users\Admin\AppData\Roaming\shost.exe
PID 3644 wrote to memory of 612	N/A	C:\Users\Admin\AppData\Roaming\shost.exe	C:\Users\Admin\AppData\Roaming\shost.exe
PID 3644 wrote to memory of 612	N/A	C:\Users\Admin\AppData\Roaming\shost.exe	C:\Users\Admin\AppData\Roaming\shost.exe
PID 3644 wrote to memory of 612	N/A	C:\Users\Admin\AppData\Roaming\shost.exe	C:\Users\Admin\AppData\Roaming\shost.exe
PID 3644 wrote to memory of 612	N/A	C:\Users\Admin\AppData\Roaming\shost.exe	C:\Users\Admin\AppData\Roaming\shost.exe
PID 3644 wrote to memory of 612	N/A	C:\Users\Admin\AppData\Roaming\shost.exe	C:\Users\Admin\AppData\Roaming\shost.exe
PID 3644 wrote to memory of 612	N/A	C:\Users\Admin\AppData\Roaming\shost.exe	C:\Users\Admin\AppData\Roaming\shost.exe
PID 3644 wrote to memory of 612	N/A	C:\Users\Admin\AppData\Roaming\shost.exe	C:\Users\Admin\AppData\Roaming\shost.exe

Processes

C:\Users\Admin\AppData\Local\Temp\94b87733c688eacc477a274c06047594_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\94b87733c688eacc477a274c06047594_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\94b87733c688eacc477a274c06047594_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\94b87733c688eacc477a274c06047594_JaffaCakes118.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "'shost"' /tr "'C:\Users\Admin\AppData\Roaming\shost.exe"'

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp6339.tmp.bat""

C:\Windows\SysWOW64\timeout.exe

timeout 3

C:\Users\Admin\AppData\Roaming\shost.exe

"C:\Users\Admin\AppData\Roaming\shost.exe"

C:\Users\Admin\AppData\Roaming\shost.exe

"C:\Users\Admin\AppData\Roaming\shost.exe"

Network

Country	Destination	Domain	Proto
US	8.8.8.8:53	232.168.11.51.in-addr.arpa	udp
US	8.8.8.8:53	144.107.17.2.in-addr.arpa	udp
US	8.8.8.8:53	17.53.126.40.in-addr.arpa	udp
US	8.8.8.8:53	241.150.49.20.in-addr.arpa	udp
US	8.8.8.8:53	95.221.229.192.in-addr.arpa	udp
US	8.8.8.8:53	103.169.127.40.in-addr.arpa	udp
US	8.8.8.8:53	56.126.166.20.in-addr.arpa	udp
US	8.8.8.8:53	240.221.184.93.in-addr.arpa	udp
US	8.8.8.8:53	172.210.232.199.in-addr.arpa	udp
US	8.8.8.8:53	13.227.111.52.in-addr.arpa	udp
US	8.8.8.8:53	peacelist.ignorelist.com	udp
US	8.8.8.8:53	peacelist.ignorelist.com	udp
US	8.8.8.8:53	peacelist.ignorelist.com	udp

Files

memory/1776-0-0x000000007539E000-0x000000007539F000-memory.dmp

memory/1776-1-0x0000000000150000-0x0000000000244000-memory.dmp

memory/1776-2-0x0000000002550000-0x0000000002574000-memory.dmp

memory/1776-3-0x0000000004BE0000-0x0000000004C72000-memory.dmp

memory/1776-4-0x0000000004CD0000-0x0000000004D36000-memory.dmp

memory/1776-5-0x0000000004B70000-0x0000000004B92000-memory.dmp

memory/1776-6-0x0000000004F10000-0x00000000050D2000-memory.dmp

memory/1776-7-0x0000000004D40000-0x0000000004D64000-memory.dmp

memory/1776-8-0x0000000004DA0000-0x0000000004DC2000-memory.dmp

memory/1776-9-0x0000000075390000-0x0000000075B40000-memory.dmp

memory/1776-10-0x0000000005E10000-0x00000000063B4000-memory.dmp

memory/1776-11-0x0000000075390000-0x0000000075B40000-memory.dmp

memory/1776-12-0x0000000005D40000-0x0000000005D84000-memory.dmp

memory/1776-13-0x000000007539E000-0x000000007539F000-memory.dmp

memory/1776-14-0x0000000075390000-0x0000000075B40000-memory.dmp

memory/2632-15-0x0000000000400000-0x0000000000456000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\94b87733c688eacc477a274c06047594_JaffaCakes118.exe.log

MD5	3ec9d3dd240b7a28cb873a02eeb38788
SHA1	c96f2b12927335af747597b4087f1c7964835ee2
SHA256	ed303f4f8c43e2d68bb7ba386e63b5a4376e96dd9d775eb9d47985e3233b90f2
SHA512	5402bc1ea626137976e67215a81d2e8277c031057b9f51c4b92e6f57bfbbafb2b271d63f5398c5bb280c79b8d52e0ec5404bd6c32e9f36c99aa3f49ba21ec494

memory/1776-18-0x0000000075390000-0x0000000075B40000-memory.dmp

memory/2632-19-0x0000000075390000-0x0000000075B40000-memory.dmp

memory/2632-20-0x0000000075390000-0x0000000075B40000-memory.dmp

memory/2632-21-0x00000000051F0000-0x000000000528C000-memory.dmp

memory/2632-25-0x0000000075390000-0x0000000075B40000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp6339.tmp.bat

MD5	10c9b57e76cb9f5729be8610602f2222
SHA1	8c7b0976ec40acf135df5995b320e15acd955484
SHA256	16e2daf98bbbd9efb6a1df3fb355efbcf21e00b2d30152a599e302a410a61721
SHA512	c9ad73c13ed8dab243fef3b638071fcf0739657f1ed11027fec87f1d722516e34bb9d4e10e89b7591bd94f3aa0ab6e6e752b608ffd14f7ef43f8872c780bcaba

C:\Users\Admin\AppData\Roaming\shost.exe

MD5	e01db2f7aa7ddc6a3b24cd8c5500394f
SHA1	b329fa5a534c0c3850b54bb7cf7d6674621bd6de
SHA256	dae309fa8988229e41c532bb68299b0438ffa704b1f0d6b921bc39e2145370c0
SHA512	4daee424e9e33804443f56337dd234134c2c8f8e50eaa879a576c6a6db26be2e3e4a09295a4b4cb68821ec69b863dd2565a42e095a0dc0972864123fef9d05ec

Sample ID	240604-nxs8kafa8w
Target	94b87733c688eacc477a274c06047594_JaffaCakes118
SHA256	28b714bdd63520294c6e4103bf377a89b2afadad3cdf4ef0c58ccb74b78d02c7
Tags	asyncrat rat

Malware Analysis Report

2024-08-06 12:59

Table of Contents

Analysis Overview

Threat Level: Known bad

Malicious Activity Summary

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files