Analysis Overview
SHA256
80ed75a5132447c1be1c6f4c30ebc8e069294d7f6e62e3fcaf8802b8bbe23907
Threat Level: Known bad
The file a3886dbfde20c880148a39e8ef2e8fd6_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
Modifies WinLogon for persistence
Executes dropped EXE
Loads dropped DLL
Modifies WinLogon
Drops file in Windows directory
Unsigned PE
Suspicious use of WriteProcessMemory
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-13 02:27
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-13 02:27
Reported
2024-06-13 02:29
Platform
win7-20231129-en
Max time kernel
149s
Max time network
149s
Command Line
Signatures
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\apppatch\\svchost.exe," | C:\Windows\apppatch\svchost.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\apppatch\svchost.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a3886dbfde20c880148a39e8ef2e8fd6_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a3886dbfde20c880148a39e8ef2e8fd6_JaffaCakes118.exe | N/A |
Modifies WinLogon
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\e5ee4e71 = "w:\rcmÓÒg£Úí\x10Þiw0#¹I\x03Z»Ö™ºj†Õ0sÐOhñežîUx\rð—\x04„nhО,x·]‘n\x19ø" | C:\Users\Admin\AppData\Local\Temp\a3886dbfde20c880148a39e8ef2e8fd6_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\e5ee4e71 = "w:\rcmÓÒg£Úí\x10Þiw0#¹I\x03Z»Ö™ºj†Õ0sÐOhñežîUx\rð—\x04„nhО,x·]‘n\x19ø" | C:\Windows\apppatch\svchost.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\apppatch\svchost.exe | C:\Users\Admin\AppData\Local\Temp\a3886dbfde20c880148a39e8ef2e8fd6_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\apppatch\svchost.exe | C:\Users\Admin\AppData\Local\Temp\a3886dbfde20c880148a39e8ef2e8fd6_JaffaCakes118.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 190000000100000010000000a823b4a20180beb460cab955c24d7e21030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c1d00000001000000100000006ee7f3b060d10e90a31ba3471b999236140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b0b000000010000001600000047006c006f00620061006c005300690067006e0000005300000001000000230000003021301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0090000000100000068000000306606082b0601050507030106082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030806082b06010505070309060a2b0601040182370a030406082b0601050507030606082b0601050507030706082b060105050802020f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0 | C:\Windows\apppatch\svchost.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = (value elided; duplicate of the Blob above) | C:\Windows\apppatch\svchost.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C | C:\Windows\apppatch\svchost.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = (value elided; duplicate of the Blob above) | C:\Windows\apppatch\svchost.exe | N/A |
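The Blob written under AuthRoot\Certificates is a serialized certificate-property list, and before treating "Modifies system certificate store" as a malicious root install it is worth decoding it: the key name is a SHA-1 thumbprint, the friendly name embedded in the value reads "GlobalSign", and the subject key identifier (607b661a...) and the DER subject ("GlobalSign Root CA") inside the value belong to the public GlobalSign root. AuthRoot is where the Windows automatic root update places roots it fetches on demand, and the pki.goog lookup and the CryptnetUrlCache file later in this report fit that picture, so this signature is a lead to verify rather than proof that the sample planted its own trust anchor. The parser below is an added example, not part of the report; it embeds the first five properties of the Blob value above (the remaining properties, including the 889-byte certificate under property id 32, are left out to keep the sample short, and the full hex can be pasted in to decode them). The record layout (u32 property id, u32 that is 1 in every record of this dump, u32 length, data) is read off the dump, and the property-id names are the CERT_*_PROP_ID constants from wincrypt.h.

```python
import hashlib
import struct

# First five properties of the AuthRoot ...\Blob value from this report, copied from the row above.
# Constructed sample: the later properties (including the certificate itself) are omitted here.
SAMPLE_BLOB_HEX = (
    "190000000100000010000000a823b4a20180beb460cab955c24d7e21"
    "030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c"
    "1d00000001000000100000006ee7f3b060d10e90a31ba3471b999236"
    "140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b"
    "0b000000010000001600000047006c006f00620061006c005300690067006e000000"
)

# CERT_*_PROP_ID values from wincrypt.h for the properties decoded below; others stay raw bytes.
CERT_SHA1_HASH_PROP_ID = 3
CERT_FRIENDLY_NAME_PROP_ID = 11
CERT_KEY_IDENTIFIER_PROP_ID = 20
CERT_CERT_PROP_ID = 32


def parse_cert_blob(blob):
    """Walk the serialized property list: u32 prop id, u32 (1 in every record seen), u32 length, data."""
    props = {}
    off = 0
    while off < len(blob):
        if off + 12 > len(blob):
            raise ValueError(f"truncated property header at offset {off}")
        prop_id, _reserved, length = struct.unpack_from("<III", blob, off)
        off += 12
        if off + length > len(blob):
            raise ValueError(f"property {prop_id:#x} at offset {off - 12} runs past the end of the blob")
        props[prop_id] = blob[off:off + length]
        off += length
    return props


def describe_cert_blob(blob_hex, expected_thumbprint=None):
    """Decode the well-known properties and cross-check the stored SHA-1 against the registry
    key name and, when the certificate itself is present, against a hash of its DER bytes."""
    props = parse_cert_blob(bytes.fromhex(blob_hex))
    out = {"property_ids": sorted(props)}
    if CERT_SHA1_HASH_PROP_ID in props:
        out["thumbprint"] = props[CERT_SHA1_HASH_PROP_ID].hex()
    if CERT_KEY_IDENTIFIER_PROP_ID in props:
        out["subject_key_id"] = props[CERT_KEY_IDENTIFIER_PROP_ID].hex()
    if CERT_FRIENDLY_NAME_PROP_ID in props:
        # Friendly name is a NUL-terminated UTF-16LE string.
        out["friendly_name"] = props[CERT_FRIENDLY_NAME_PROP_ID].decode("utf-16-le").rstrip("\0")
    if CERT_CERT_PROP_ID in props:
        der = props[CERT_CERT_PROP_ID]
        out["certificate_der"] = der
        out["der_sha1_matches"] = hashlib.sha1(der).hexdigest() == out.get("thumbprint")
    if expected_thumbprint is not None:
        out["key_name_matches"] = out.get("thumbprint") == expected_thumbprint.lower()
    return out


if __name__ == "__main__":
    info = describe_cert_blob(SAMPLE_BLOB_HEX, "B1BC968BD4F49D622AA89A81F2150152A41D829C")
    for key, value in info.items():
        print(f"{key}: {value}")
```

On a live host the same value can be exported with `reg export` or read from the SOFTWARE hive; a thumbprint that does not appear in Microsoft's published root list, or a DER hash that disagrees with the stored SHA-1, is what would turn this signature into a finding.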
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a3886dbfde20c880148a39e8ef2e8fd6_JaffaCakes118.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1972 wrote to memory of 2348 | N/A | C:\Users\Admin\AppData\Local\Temp\a3886dbfde20c880148a39e8ef2e8fd6_JaffaCakes118.exe | C:\Windows\apppatch\svchost.exe |
| PID 1972 wrote to memory of 2348 | N/A | C:\Users\Admin\AppData\Local\Temp\a3886dbfde20c880148a39e8ef2e8fd6_JaffaCakes118.exe | C:\Windows\apppatch\svchost.exe |
| PID 1972 wrote to memory of 2348 | N/A | C:\Users\Admin\AppData\Local\Temp\a3886dbfde20c880148a39e8ef2e8fd6_JaffaCakes118.exe | C:\Windows\apppatch\svchost.exe |
| PID 1972 wrote to memory of 2348 | N/A | C:\Users\Admin\AppData\Local\Temp\a3886dbfde20c880148a39e8ef2e8fd6_JaffaCakes118.exe | C:\Windows\apppatch\svchost.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\a3886dbfde20c880148a39e8ef2e8fd6_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a3886dbfde20c880148a39e8ef2e8fd6_JaffaCakes118.exe"
C:\Windows\apppatch\svchost.exe
"C:\Windows\apppatch\svchost.exe"
Network
| Country | Destination | Domain | Proto |
| NL | 23.62.61.97:80 | www.bing.com | tcp |
| NL | 23.62.61.194:80 | www.bing.com | tcp |
| US | 8.8.8.8:53 | gatyfus.com | udp |
| US | 8.8.8.8:53 | lyvyxor.com | udp |
| US | 8.8.8.8:53 | qetyfuv.com | udp |
| US | 8.8.8.8:53 | gahyqah.com | udp |
| US | 8.8.8.8:53 | vocyzit.com | udp |
| US | 8.8.8.8:53 | purydyv.com | udp |
| US | 8.8.8.8:53 | lygymoj.com | udp |
| US | 8.8.8.8:53 | puvyxil.com | udp |
| US | 8.8.8.8:53 | lyryfyd.com | udp |
| US | 8.8.8.8:53 | qegyqaq.com | udp |
| US | 8.8.8.8:53 | gacyzuz.com | udp |
| US | 8.8.8.8:53 | vowydef.com | udp |
| US | 8.8.8.8:53 | pufymoq.com | udp |
| US | 8.8.8.8:53 | lyxylux.com | udp |
| US | 8.8.8.8:53 | qeqysag.com | udp |
| US | 8.8.8.8:53 | gadyniw.com | udp |
| US | 8.8.8.8:53 | volykyc.com | udp |
| US | 8.8.8.8:53 | pumypog.com | udp |
| US | 8.8.8.8:53 | lysynur.com | udp |
| US | 8.8.8.8:53 | qekykev.com | udp |
| US | 8.8.8.8:53 | ganypih.com | udp |
| US | 8.8.8.8:53 | vopybyt.com | udp |
| US | 8.8.8.8:53 | pujyjav.com | udp |
| US | 8.8.8.8:53 | lyvytuj.com | udp |
| US | 8.8.8.8:53 | qetyvep.com | udp |
| US | 8.8.8.8:53 | gahyhob.com | udp |
| US | 8.8.8.8:53 | vocyruk.com | udp |
| US | 8.8.8.8:53 | qexylup.com | udp |
| US | 8.8.8.8:53 | gaqydeb.com | udp |
| US | 8.8.8.8:53 | purycap.com | udp |
| US | 8.8.8.8:53 | lygygin.com | udp |
| US | 8.8.8.8:53 | qexyryl.com | udp |
| US | 8.8.8.8:53 | gaqycos.com | udp |
| US | 8.8.8.8:53 | vofygum.com | udp |
| US | 8.8.8.8:53 | puzywel.com | udp |
| US | 8.8.8.8:53 | lymyxid.com | udp |
| US | 8.8.8.8:53 | qedyfyq.com | udp |
| US | 8.8.8.8:53 | galyqaz.com | udp |
| US | 8.8.8.8:53 | vofymik.com | udp |
| US | 8.8.8.8:53 | vonyzuf.com | udp |
| US | 8.8.8.8:53 | puzylyp.com | udp |
| US | 8.8.8.8:53 | lymysan.com | udp |
| US | 8.8.8.8:53 | qedynul.com | udp |
| US | 8.8.8.8:53 | galykes.com | udp |
| US | 8.8.8.8:53 | vonypom.com | udp |
| US | 8.8.8.8:53 | pupybul.com | udp |
| US | 8.8.8.8:53 | lykyjad.com | udp |
| US | 8.8.8.8:53 | qebytiq.com | udp |
| US | 8.8.8.8:53 | gatyvyz.com | udp |
| US | 8.8.8.8:53 | vojyjof.com | udp |
| US | 8.8.8.8:53 | puvytuq.com | udp |
| US | 8.8.8.8:53 | lyryvex.com | udp |
| US | 8.8.8.8:53 | qegyhig.com | udp |
| US | 8.8.8.8:53 | gacyryw.com | udp |
| US | 8.8.8.8:53 | vowycac.com | udp |
| US | 8.8.8.8:53 | pufygug.com | udp |
| US | 8.8.8.8:53 | lyxywer.com | udp |
| US | 8.8.8.8:53 | qeqyxov.com | udp |
| US | 8.8.8.8:53 | gadyfuh.com | udp |
| US | 8.8.8.8:53 | volyqat.com | udp |
| US | 8.8.8.8:53 | pumyxiv.com | udp |
| US | 8.8.8.8:53 | lysyfyj.com | udp |
| US | 8.8.8.8:53 | qekyqop.com | udp |
| US | 8.8.8.8:53 | vojyqem.com | udp |
| US | 8.8.8.8:53 | vocyzit.com | udp |
| US | 8.8.8.8:53 | lyvyxor.com | udp |
| US | 8.8.8.8:53 | vonypom.com | udp |
| US | 8.8.8.8:53 | qetyfuv.com | udp |
| US | 8.8.8.8:53 | gahyqah.com | udp |
| US | 8.8.8.8:53 | puzylyp.com | udp |
| US | 8.8.8.8:53 | gatyfus.com | udp |
| US | 8.8.8.8:53 | galyqaz.com | udp |
| US | 8.8.8.8:53 | lymyxid.com | udp |
| US | 8.8.8.8:53 | gadyniw.com | udp |
| US | 162.255.119.102:80 | gahyqah.com | tcp |
| US | 44.221.84.105:80 | qetyfuv.com | tcp |
| US | 18.208.156.248:80 | vonypom.com | tcp |
| US | 44.221.84.105:80 | qetyfuv.com | tcp |
| US | 208.100.26.245:80 | lyvyxor.com | tcp |
| US | 8.8.8.8:53 | www.gahyqah.com | udp |
| HK | 154.23.19.56:80 | gadyniw.com | tcp |
| US | 8.8.8.8:53 | vojyqem.com | udp |
| US | 34.193.97.35:80 | vojyqem.com | tcp |
| DE | 178.162.203.211:80 | gatyfus.com | tcp |
| US | 3.94.10.34:80 | lymyxid.com | tcp |
| US | 199.191.50.83:80 | galyqaz.com | tcp |
| DE | 3.64.163.50:80 | puzylyp.com | tcp |
| DE | 91.195.240.19:80 | www.gahyqah.com | tcp |
| US | 8.8.8.8:53 | qegyhig.com | udp |
| US | 8.8.8.8:53 | lysyfyj.com | udp |
| US | 172.67.173.131:80 | qegyhig.com | tcp |
| NL | 95.211.117.215:80 | lysyfyj.com | tcp |
| US | 172.67.173.131:443 | qegyhig.com | tcp |
| HK | 154.23.19.56:80 | gadyniw.com | tcp |
| US | 208.100.26.245:80 | lyvyxor.com | tcp |
| US | 54.157.24.8:80 | vojyqem.com | tcp |
| US | 104.21.30.183:443 | qegyhig.com | tcp |
| US | 54.157.24.8:80 | vojyqem.com | tcp |
| US | 8.8.8.8:53 | pki.goog | udp |
| US | 216.239.32.29:80 | pki.goog | tcp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| BE | 23.55.97.181:80 | www.microsoft.com | tcp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| US | 104.21.30.183:80 | qegyhig.com | tcp |
| US | 104.21.30.183:443 | qegyhig.com | tcp |
| US | 104.21.30.183:443 | qegyhig.com | tcp |
| US | 8.8.8.8:53 | pupydeq.com | udp |
| US | 8.8.8.8:53 | ganyzub.com | udp |
| US | 8.8.8.8:53 | vopydek.com | udp |
| US | 8.8.8.8:53 | pujymip.com | udp |
| US | 8.8.8.8:53 | lyvylyn.com | udp |
| US | 8.8.8.8:53 | qetysal.com | udp |
| US | 8.8.8.8:53 | gahynus.com | udp |
| US | 8.8.8.8:53 | vocykem.com | udp |
| US | 8.8.8.8:53 | lykymox.com | udp |
| US | 8.8.8.8:53 | purypol.com | udp |
| US | 8.8.8.8:53 | lygynud.com | udp |
| US | 8.8.8.8:53 | qexykaq.com | udp |
| US | 8.8.8.8:53 | gaqypiz.com | udp |
| US | 8.8.8.8:53 | vofybyf.com | udp |
| US | 8.8.8.8:53 | puzyjoq.com | udp |
| US | 8.8.8.8:53 | lymytux.com | udp |
| US | 8.8.8.8:53 | qedyveg.com | udp |
| US | 8.8.8.8:53 | galyhiw.com | udp |
| US | 8.8.8.8:53 | vonyryc.com | udp |
| US | 8.8.8.8:53 | pupycag.com | udp |
| US | 8.8.8.8:53 | lykygur.com | udp |
| US | 8.8.8.8:53 | qebyrev.com | udp |
| US | 8.8.8.8:53 | gatycoh.com | udp |
| US | 8.8.8.8:53 | vojygut.com | udp |
| US | 8.8.8.8:53 | puvywav.com | udp |
| US | 8.8.8.8:53 | lyryxij.com | udp |
| US | 8.8.8.8:53 | qegyfyp.com | udp |
| US | 8.8.8.8:53 | gacyqob.com | udp |
| US | 8.8.8.8:53 | vowyzuk.com | udp |
| US | 8.8.8.8:53 | pufydep.com | udp |
| US | 8.8.8.8:53 | lyxymin.com | udp |
| US | 8.8.8.8:53 | qeqylyl.com | udp |
| US | 8.8.8.8:53 | gadydas.com | udp |
| US | 8.8.8.8:53 | volymum.com | udp |
| US | 8.8.8.8:53 | qebylug.com | udp |
| US | 8.8.8.8:53 | gatydaw.com | udp |
| US | 8.8.8.8:53 | vojymic.com | udp |
| US | 8.8.8.8:53 | puvylyg.com | udp |
| US | 8.8.8.8:53 | lyrysor.com | udp |
| US | 8.8.8.8:53 | qegynuv.com | udp |
| US | 8.8.8.8:53 | gacykeh.com | udp |
| US | 8.8.8.8:53 | vowypit.com | udp |
| US | 8.8.8.8:53 | pufybyv.com | udp |
| US | 8.8.8.8:53 | lyxyjaj.com | udp |
| US | 8.8.8.8:53 | qeqytup.com | udp |
| US | 8.8.8.8:53 | gadyveb.com | udp |
| US | 8.8.8.8:53 | volyjok.com | udp |
| US | 8.8.8.8:53 | pumytup.com | udp |
| US | 8.8.8.8:53 | lysyvan.com | udp |
| US | 8.8.8.8:53 | qekyhil.com | udp |
| US | 8.8.8.8:53 | ganyrys.com | udp |
| US | 8.8.8.8:53 | vopycom.com | udp |
| US | 8.8.8.8:53 | pujygul.com | udp |
| US | 8.8.8.8:53 | lyvywed.com | udp |
| US | 8.8.8.8:53 | qetyxiq.com | udp |
| US | 8.8.8.8:53 | gahyfyz.com | udp |
| US | 8.8.8.8:53 | vocyqaf.com | udp |
| US | 8.8.8.8:53 | puryxuq.com | udp |
| US | 8.8.8.8:53 | lygyfex.com | udp |
| US | 8.8.8.8:53 | gaqyzuw.com | udp |
| US | 8.8.8.8:53 | qexyqog.com | udp |
| US | 8.8.8.8:53 | vofydac.com | udp |
| US | 8.8.8.8:53 | puzymig.com | udp |
| US | 8.8.8.8:53 | lymylyr.com | udp |
| US | 8.8.8.8:53 | lyrysor.com | udp |
| DE | 3.64.163.50:80 | lyrysor.com | tcp |
| US | 8.8.8.8:53 | pupydeq.com | udp |
| US | 13.248.169.48:80 | pupydeq.com | tcp |
| US | 8.8.8.8:53 | lysyvan.com | udp |
| US | 172.67.136.136:80 | lysyvan.com | tcp |
| US | 8.8.8.8:53 |  | udp |
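Every non-Microsoft name in the table above has the same shape: seven lowercase letters under .com, consonant, vowel, consonant, the letter y, consonant, vowel, consonant. Most are only queried, but a handful resolve and are then contacted on port 80 or 443, which is the set an analyst wants pulled out for blocking and for pivoting. The script below is an added example rather than part of the report: it parses rows in the table's own layout (including the row with an empty Domain cell), applies that letter-shape heuristic, which is mine and not a rule the sandbox uses, and separates names that were only looked up from names that resolved and received a TCP connection. The embedded rows are a constructed subset of the behavioral1 table.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the behavioral1 Network table, in the table's own layout.
SAMPLE_TABLE = """\
| NL | 23.62.61.97:80 | www.bing.com | tcp |
| US | 8.8.8.8:53 | gatyfus.com | udp |
| US | 8.8.8.8:53 | lyvyxor.com | udp |
| US | 8.8.8.8:53 | gahyqah.com | udp |
| US | 8.8.8.8:53 | qetyfuv.com | udp |
| US | 162.255.119.102:80 | gahyqah.com | tcp |
| US | 44.221.84.105:80 | qetyfuv.com | tcp |
| US | 208.100.26.245:80 | lyvyxor.com | tcp |
| US | 8.8.8.8:53 | www.gahyqah.com | udp |
| DE | 91.195.240.19:80 | www.gahyqah.com | tcp |
| US | 8.8.8.8:53 | pki.goog | udp |
| BE | 23.55.97.181:80 | www.microsoft.com | tcp |
| US | 8.8.8.8:53 |  | udp |
"""

CONS = "[bcdfghjklmnpqrstvwxz]"
VOW = "[aeiouy]"
# Heuristic of my own, not the sandbox's: every looked-up name in the table is seven lowercase
# letters shaped C V C y C V C under .com.
GENERATED_SHAPE = re.compile(rf"^{CONS}{VOW}{CONS}y{CONS}{VOW}{CONS}\.com$")


def parse_network_table(text):
    """Turn '| country | dest | domain | proto |' rows into dicts; rows with other widths are skipped."""
    rows = []
    for line in text.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 4:
            continue
        rows.append(dict(zip(("country", "dest", "domain", "proto"), cells)))
    return rows


def registered_name(domain):
    """Fold the www. variant onto the bare name so both count as one lookup target."""
    return domain[4:] if domain.startswith("www.") else domain


def looks_generated(domain):
    return bool(domain) and bool(GENERATED_SHAPE.match(registered_name(domain)))


def triage(rows):
    """Split generated-looking names into those only queried over DNS and those that resolved
    and were then contacted over TCP (the candidates for a live C2 or a sinkhole)."""
    queried, contacted = set(), defaultdict(set)
    for row in rows:
        if not looks_generated(row["domain"]):
            continue
        name = registered_name(row["domain"])
        if row["proto"] == "udp" and row["dest"].endswith(":53"):
            queried.add(name)
        elif row["proto"] == "tcp":
            contacted[name].add(row["dest"])
    return {
        "queried_only": sorted(queried - set(contacted)),
        "contacted": {name: sorted(dests) for name, dests in contacted.items()},
    }


if __name__ == "__main__":
    result = triage(parse_network_table(SAMPLE_TABLE))
    print("queried only:", result["queried_only"])
    for name, dests in result["contacted"].items():
        print(f"contacted: {name} -> {', '.join(dests)}")
```

A name that resolves to a hosting or CDN address today may be a researcher's sinkhole or an unrelated tenant tomorrow, so the contacted list is a starting point for passive-DNS and WHOIS pivots, not a verdict on the IPs.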
Files
\Windows\AppPatch\svchost.exe
| MD5 | e50a34fd92e3580b0a5ad56dfda3e94e |
| SHA1 | 5ec869b1749df4923c390ceecc20960505222ea4 |
| SHA256 | 4e3d937d00ac6e304fb1957fad41632aba71f2f445d4fe805efdb56bb6a199a9 |
| SHA512 | 559322b28f6613fc382ab413327775ff8d0ec94c0b2d3a4c801da734e414275d6ea84c1410a66a3df9399399ca462bff1fea678c2e819343e35afff2807d686b |
memory/1972-12-0x0000000000400000-0x000000000045F000-memory.dmp
memory/2348-14-0x0000000000460000-0x0000000000508000-memory.dmp
memory/2348-20-0x0000000000460000-0x0000000000508000-memory.dmp
memory/2348-24-0x0000000000460000-0x0000000000508000-memory.dmp
memory/2348-22-0x0000000000460000-0x0000000000508000-memory.dmp
memory/2348-18-0x0000000000460000-0x0000000000508000-memory.dmp
memory/2348-16-0x0000000000460000-0x0000000000508000-memory.dmp
memory/2348-25-0x0000000002390000-0x0000000002446000-memory.dmp
memory/2348-27-0x0000000002390000-0x0000000002446000-memory.dmp
memory/2348-29-0x0000000002390000-0x0000000002446000-memory.dmp
memory/2348-42-0x0000000002390000-0x0000000002446000-memory.dmp
memory/2348-75-0x0000000002390000-0x0000000002446000-memory.dmp
memory/2348-77-0x0000000002390000-0x0000000002446000-memory.dmp
memory/2348-76-0x0000000002390000-0x0000000002446000-memory.dmp
memory/2348-74-0x0000000002390000-0x0000000002446000-memory.dmp
memory/2348-72-0x0000000002390000-0x0000000002446000-memory.dmp
memory/2348-71-0x0000000002390000-0x0000000002446000-memory.dmp
memory/2348-70-0x0000000002390000-0x0000000002446000-memory.dmp
memory/2348-69-0x0000000002390000-0x0000000002446000-memory.dmp
memory/2348-68-0x0000000002390000-0x0000000002446000-memory.dmp
memory/2348-67-0x0000000002390000-0x0000000002446000-memory.dmp
memory/2348-66-0x0000000002390000-0x0000000002446000-memory.dmp
memory/2348-65-0x0000000002390000-0x0000000002446000-memory.dmp
memory/2348-64-0x0000000002390000-0x0000000002446000-memory.dmp
memory/2348-63-0x0000000002390000-0x0000000002446000-memory.dmp
memory/2348-62-0x0000000002390000-0x0000000002446000-memory.dmp
memory/2348-60-0x0000000002390000-0x0000000002446000-memory.dmp
memory/2348-59-0x0000000002390000-0x0000000002446000-memory.dmp
memory/2348-58-0x0000000002390000-0x0000000002446000-memory.dmp
memory/2348-57-0x0000000002390000-0x0000000002446000-memory.dmp
memory/2348-56-0x0000000002390000-0x0000000002446000-memory.dmp
memory/2348-55-0x0000000002390000-0x0000000002446000-memory.dmp
memory/2348-54-0x0000000002390000-0x0000000002446000-memory.dmp
memory/2348-53-0x0000000002390000-0x0000000002446000-memory.dmp
memory/2348-52-0x0000000002390000-0x0000000002446000-memory.dmp
memory/2348-51-0x0000000002390000-0x0000000002446000-memory.dmp
memory/2348-49-0x0000000002390000-0x0000000002446000-memory.dmp
memory/2348-48-0x0000000002390000-0x0000000002446000-memory.dmp
memory/2348-47-0x0000000002390000-0x0000000002446000-memory.dmp
memory/2348-46-0x0000000002390000-0x0000000002446000-memory.dmp
memory/2348-45-0x0000000002390000-0x0000000002446000-memory.dmp
memory/2348-44-0x0000000002390000-0x0000000002446000-memory.dmp
memory/2348-43-0x0000000002390000-0x0000000002446000-memory.dmp
memory/2348-73-0x0000000002390000-0x0000000002446000-memory.dmp
memory/2348-41-0x0000000002390000-0x0000000002446000-memory.dmp
memory/2348-40-0x0000000002390000-0x0000000002446000-memory.dmp
memory/2348-39-0x0000000002390000-0x0000000002446000-memory.dmp
memory/2348-38-0x0000000002390000-0x0000000002446000-memory.dmp
memory/2348-37-0x0000000002390000-0x0000000002446000-memory.dmp
memory/2348-61-0x0000000002390000-0x0000000002446000-memory.dmp
memory/2348-36-0x0000000002390000-0x0000000002446000-memory.dmp
memory/2348-35-0x0000000002390000-0x0000000002446000-memory.dmp
memory/2348-50-0x0000000002390000-0x0000000002446000-memory.dmp
memory/2348-34-0x0000000002390000-0x0000000002446000-memory.dmp
memory/2348-33-0x0000000002390000-0x0000000002446000-memory.dmp
memory/2348-32-0x0000000002390000-0x0000000002446000-memory.dmp
memory/2348-31-0x0000000002390000-0x0000000002446000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\8B2C.tmp
| MD5 | 6a6b1d832f40cd6cafe377e69619de79 |
| SHA1 | de4c9d0760f6e0ce15f54e86ec77d1e9d81b48ad |
| SHA256 | 1a1a8fbf5ceedc3211652fcd9227349beb9d8970c548e54f7b4c6075238da010 |
| SHA512 | 30d070f1ebe8529ba211910b92fe3b9584b2eee9617df07dd6f71012aa87a5b3212e2e95f3955653015720f4911dea6c0d2852e385a2a43f01eb7fe5d7f87277 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
| MD5 | 49aebf8cbd62d92ac215b2923fb1b9f5 |
| SHA1 | 1723be06719828dda65ad804298d0431f6aff976 |
| SHA256 | b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f |
| SHA512 | bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b |
C:\Users\Admin\AppData\Local\Temp\Tar9A01.tmp
| MD5 | 4ea6026cf93ec6338144661bf1202cd1 |
| SHA1 | a1dec9044f750ad887935a01430bf49322fbdcb7 |
| SHA256 | 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8 |
| SHA512 | 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-13 02:27
Reported
2024-06-13 02:29
Platform
win10v2004-20240508-en
Max time kernel
148s
Max time network
151s
Command Line
Signatures
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\apppatch\\svchost.exe," | C:\Windows\apppatch\svchost.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\apppatch\svchost.exe | N/A |
Modifies WinLogon
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\e1c121d6 = "÷oJÍ\\DÖÿÉQVd\\]\fkBÙ’Q‡Ôj¶\x7f±~ìD¥Yú¹lj²\n\x14¨M2\tz±j¦é@AššŠ‰Y¸|¢ÖÒ¹\x1až\x1aŒXÄùñ9&a!”ñMaêêº\x11Èâ\x11æÄ©¡º@¢9j\x1c$\u0081ùÐ\nª™Í!\x1e¢\x19ɲQD‚Tfð<âb±A\x1aí1QâqPñZ\x19êt\x14m°\x1díNzV2˜ q²à\x1aâ¸È0\"4™øÞ‚¹Jé@¼®=òbÜ<âÕõÂ\x12Zî\x11\u009d" | C:\Users\Admin\AppData\Local\Temp\a3886dbfde20c880148a39e8ef2e8fd6_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\e1c121d6 = "÷oJÍ\\DÖÿÉQVd\\]\fkBÙ’Q‡Ôj¶\x7f±~ìD¥Yú¹lj²\n\x14¨M2\tz±j¦é@AššŠ‰Y¸|¢ÖÒ¹\x1až\x1aŒXÄùñ9&a!”ñMaêêº\x11Èâ\x11æÄ©¡º@¢9j\x1c$\u0081ùÐ\nª™Í!\x1e¢\x19ɲQD‚Tfð<âb±A\x1aí1QâqPñZ\x19êt\x14m°\x1díNzV2˜ q²à\x1aâ¸È0\"4™øÞ‚¹Jé@¼®=òbÜ<âÕõÂ\x12Zî\x11\u009d" | C:\Windows\apppatch\svchost.exe | N/A |
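Both detonations show the same two Winlogon changes: the Userinit value gains a second comma-separated entry, C:\Windows\apppatch\svchost.exe, which Winlogon launches at every interactive logon, and a value with an eight-hex-digit name (e5ee4e71 on Windows 7, e1c121d6 on Windows 10) filled with opaque bytes. The name svchost.exe is borrowed from a System32 binary, while the dropped copy lives under apppatch. The checker below is an added example, not code from the report: it takes a Userinit string and a dict of Winlogon value names as they would come from a registry export or a hive parse, flags extra entries and System32-named binaries outside System32, and flags hex-named values with non-text data. The opaque value bytes are an approximation of the first characters the report renders, and the hex-name heuristic is mine.

```python
import re

# Constructed from the Winlogon rows in this report (both detonations write the same Userinit value).
OBSERVED_USERINIT = r"C:\Windows\system32\userinit.exe,C:\Windows\apppatch\svchost.exe,"
# Value names the sample adds beside Userinit; data approximates the first bytes the report shows.
OBSERVED_EXTRA_VALUES = {
    "e5ee4e71": b"w:\rcm\xd3\xd2g\xa3",
    "e1c121d6": b"\xf7oJ\xcd\\D\xd6\xff",
}

EXPECTED_USERINIT = r"c:\windows\system32\userinit.exe"
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")
# Names of Windows binaries that live in System32 and are popular disguises for dropped files.
SYSTEM32_NAMES = {"svchost.exe", "userinit.exe", "lsass.exe", "csrss.exe", "winlogon.exe", "services.exe"}
HEX_NAME = re.compile(r"^[0-9a-f]{8}$")


def split_userinit(value):
    """Winlogon\\Userinit is a comma-separated list; Winlogon launches every entry at logon."""
    return [p.strip() for p in value.split(",") if p.strip()]


def audit_userinit(value):
    """Return (entry, reason) findings for a Userinit value; an empty list means it looks stock."""
    findings = []
    entries = split_userinit(value)
    if not entries or entries[0].lower() != EXPECTED_USERINIT:
        findings.append((entries[0] if entries else "", "first entry is not System32\\userinit.exe"))
    for entry in entries[1:]:
        findings.append((entry, "extra Userinit entry, runs at every interactive logon"))
    for entry in entries:
        folder, _, name = entry.lower().rpartition("\\")
        if name in SYSTEM32_NAMES and folder not in SYSTEM_DIRS:
            findings.append((entry, f"{name} outside System32 (masquerading as a Windows binary)"))
    return findings


def audit_winlogon_values(values):
    """Flag Winlogon values whose name is eight hex digits and whose data is not printable text."""
    flagged = []
    for name, data in values.items():
        opaque = any(b < 0x20 or b > 0x7E for b in data)  # anything outside printable ASCII
        if HEX_NAME.match(name.lower()) and opaque:
            flagged.append(name)
    return sorted(flagged)


if __name__ == "__main__":
    for entry, reason in audit_userinit(OBSERVED_USERINIT):
        print(f"Userinit: {entry}: {reason}")
    print("opaque hex-named Winlogon values:", audit_winlogon_values(OBSERVED_EXTRA_VALUES))
```

Removing the extra Userinit entry without deleting the dropped file and the hex-named value leaves the second-stage state in place, so remediation should cover all three artifacts together.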
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\apppatch\svchost.exe | C:\Users\Admin\AppData\Local\Temp\a3886dbfde20c880148a39e8ef2e8fd6_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\apppatch\svchost.exe | C:\Users\Admin\AppData\Local\Temp\a3886dbfde20c880148a39e8ef2e8fd6_JaffaCakes118.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a3886dbfde20c880148a39e8ef2e8fd6_JaffaCakes118.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3704 wrote to memory of 1628 | N/A | C:\Users\Admin\AppData\Local\Temp\a3886dbfde20c880148a39e8ef2e8fd6_JaffaCakes118.exe | C:\Windows\apppatch\svchost.exe |
| PID 3704 wrote to memory of 1628 | N/A | C:\Users\Admin\AppData\Local\Temp\a3886dbfde20c880148a39e8ef2e8fd6_JaffaCakes118.exe | C:\Windows\apppatch\svchost.exe |
| PID 3704 wrote to memory of 1628 | N/A | C:\Users\Admin\AppData\Local\Temp\a3886dbfde20c880148a39e8ef2e8fd6_JaffaCakes118.exe | C:\Windows\apppatch\svchost.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\a3886dbfde20c880148a39e8ef2e8fd6_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a3886dbfde20c880148a39e8ef2e8fd6_JaffaCakes118.exe"
C:\Windows\apppatch\svchost.exe
"C:\Windows\apppatch\svchost.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| US | 52.111.229.43:443 |  | tcp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
Files
C:\Windows\apppatch\svchost.exe
| MD5 | 114035a8bc50067475d380b644cabd76 |
| SHA1 | 36ddd43d15f1f8318feede04e3abb6df0373b1f2 |
| SHA256 | 5d04edadd37576aa7893bdc0bc3afba07812e7f0e9cb048aec613d7758a3ebb3 |
| SHA512 | 3a96aca772f4e79ea4e227840fc1767027b0ebc580373d27c6e88e15084bb3b566f9df82e4b688d02d3640d5bd4bfcf7a3e8813a8e4d75f1f57c2f746e1126cc |
memory/3704-9-0x0000000000400000-0x000000000045F000-memory.dmp
memory/1628-10-0x0000000002940000-0x00000000029E8000-memory.dmp
memory/1628-11-0x0000000002B30000-0x0000000002BE6000-memory.dmp
memory/1628-15-0x0000000002B30000-0x0000000002BE6000-memory.dmp
memory/1628-13-0x0000000002B30000-0x0000000002BE6000-memory.dmp