Analysis Overview
SHA256
494a5d81ae8445b31b6500fa17f8b9720e8c9a85acf0540dfa21e683ee6bc278
Threat Level: Known bad
The file 03e920d3f81aae8019038e1a36d351a5_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
CyberGate, Rebhip
Adds policy Run key to start application
Executes dropped EXE
UPX packed file
Adds Run key to start application
Suspicious use of SetThreadContext
Drops file in Windows directory
Unsigned PE
Program crash
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory

Taken together, the signatures describe a CyberGate RAT loader (Rebhip is another detection name for the same family). In the Windows 7 run (behavioral1) the sample (PID 2752) writes into the legitimate Windows helper C:\Windows\twunk_32.exe (PID 3016) and resets its thread context, which is process hollowing; every later event is attributed to the hollowed twunk_32.exe process, which drops C:\Windows\ctfnon.exe (a name one letter away from the legitimate ctfmon.exe), registers it as `ctfnon` under Policies\Explorer\Run in both the user hive and HKLM and under the user's Run key, enables SeBackupPrivilege and SeRestorePrivilege, and starts ctfnon.exe 28 times. In the Windows 10 run (behavioral2) the sample instead hollows a second copy of itself (PID 3220 into 3904) and that child crashes under WerFault, so no persistence, dropped files or network contact beyond operating-system background traffic is recorded there.
Analysis: static1
Detonation Overview
Reported
2024-06-22 21:29
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-22 21:29
Reported
2024-06-22 21:31
Platform
win7-20240611-en
Max time kernel
146s
Max time network
127s
Command Line
Signatures
CyberGate, Rebhip
Adds policy Run key to start application
Policies\Explorer\Run is an autostart location processed by Explorer at logon; here the same `ctfnon` value is written under both the user hive (HKU\S-1-5-21-...-1000) and HKLM, so the entry is present in either scope. It is a location that autorun inventories check less often than the ordinary Run key.
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Windows\twunk_32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ctfnon = "C:\\Windows\\ctfnon.exe" | C:\Windows\twunk_32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Windows\twunk_32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ctfnon = "C:\\Windows\\ctfnon.exe" | C:\Windows\twunk_32.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\ctfnon.exe | N/A |
(The report lists 28 identical rows here, one per ctfnon.exe instance; see Processes below.)
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\ctfnon = "C:\\Windows\\ctfnon.exe" | C:\Windows\twunk_32.exe | N/A |
Suspicious use of SetThreadContext
The sample (PID 2752) resets the thread context of the twunk_32.exe process (PID 3016); combined with the WriteProcessMemory activity in the summary this is process hollowing, and twunk_32.exe is the process column for every registry, file and token event in this run.
| Description | Indicator | Process | Target |
| PID 2752 set thread context of 3016 | N/A | C:\Users\Admin\AppData\Local\Temp\03e920d3f81aae8019038e1a36d351a5_JaffaCakes118.exe | C:\Windows\twunk_32.exe |
Drops file in Windows directory
ctfnon.exe is written directly under C:\Windows (not System32 or SysWOW64), a location legitimate software rarely uses for its own binaries, under a name one letter from the legitimate ctfmon.exe.
| Description | Indicator | Process | Target |
| File created | C:\Windows\ctfnon.exe | C:\Windows\twunk_32.exe | N/A |
| File opened for modification | C:\Windows\ctfnon.exe | C:\Windows\twunk_32.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeBackupPrivilege | N/A | C:\Windows\twunk_32.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\twunk_32.exe | N/A |
Suspicious use of FindShellTrayWindow
FindShellTrayWindow returns the taskbar (Shell_TrayWnd) window handle, which is commonly used to locate the shell process; note the additional explorer.exe instance in the process list below.
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\twunk_32.exe | N/A |
Suspicious use of WriteProcessMemory
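The behavioral1 signature tables above are the raw material both for host IOCs and for a detection rule. The following Python is an added example, not part of the Triage report or of the sample: it re-enters the rows above as tuples (one row stands in for the 28 identical `Executes dropped EXE` rows), parses the `Set value` indicators, and classifies each autostart entry by the traits this run shows and that generalize to other samples: a Policies\Explorer\Run key, the HKLM hive, an executable placed directly under C:\Windows, and a file name one character from a legitimate system process name. The list of legitimate names it compares against is an assumption; extend it for your environment.

```python
"""Extract host IOCs from Triage-style signature rows and classify autostart entries.

Added example for this report; the ROWS tuples are copied from the behavioral1
tables above (one row stands in for the 28 identical 'Executes dropped EXE' rows).
"""
import re
from typing import Dict, List, Optional

HKU = r"\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000"
HKLM_POL = r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run"
HKU_POL = HKU + r"\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run"
HKU_RUN = HKU + r"\Software\Microsoft\Windows\CurrentVersion\Run"
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\03e920d3f81aae8019038e1a36d351a5_JaffaCakes118.exe"
TWUNK = r"C:\Windows\twunk_32.exe"
DROP_ESCAPED = r'"C:\\Windows\\ctfnon.exe"'  # the report's escaped rendering of the value data

# (signature, description, indicator, process, target), as in the tables above.
ROWS = [
    ("Adds policy Run key to start application", "Key created", HKU_POL, TWUNK, "N/A"),
    ("Adds policy Run key to start application", "Set value (str)", HKU_POL + r"\ctfnon = " + DROP_ESCAPED, TWUNK, "N/A"),
    ("Adds policy Run key to start application", "Key created", HKLM_POL, TWUNK, "N/A"),
    ("Adds policy Run key to start application", "Set value (str)", HKLM_POL + r"\ctfnon = " + DROP_ESCAPED, TWUNK, "N/A"),
    ("Executes dropped EXE", "N/A", "N/A", r"C:\Windows\ctfnon.exe", "N/A"),
    ("Adds Run key to start application", "Set value (str)", HKU_RUN + r"\ctfnon = " + DROP_ESCAPED, TWUNK, "N/A"),
    ("Suspicious use of SetThreadContext", "PID 2752 set thread context of 3016", "N/A", SAMPLE, TWUNK),
    ("Drops file in Windows directory", "File created", r"C:\Windows\ctfnon.exe", TWUNK, "N/A"),
    ("Drops file in Windows directory", "File opened for modification", r"C:\Windows\ctfnon.exe", TWUNK, "N/A"),
    ("Suspicious use of AdjustPrivilegeToken", "Token: SeBackupPrivilege", "N/A", TWUNK, "N/A"),
    ("Suspicious use of AdjustPrivilegeToken", "Token: SeRestorePrivilege", "N/A", TWUNK, "N/A"),
]

SET_VALUE = re.compile(r'^(?P<key>.+)\\(?P<name>[^\\]+) = "(?P<data>.*)"$')
THREAD_CTX = re.compile(r"^PID (?P<src>\d+) set thread context of (?P<dst>\d+)$")

# Assumed list of system process names to compare against; extend for your environment.
LEGIT_NAMES = ("ctfmon.exe", "svchost.exe", "explorer.exe", "lsass.exe", "csrss.exe", "winlogon.exe")


def lookalike(basename: str) -> Optional[str]:
    """Return the legitimate name that differs from basename by exactly one character, else None."""
    n = basename.lower()
    for legit in LEGIT_NAMES:
        if len(n) == len(legit) and sum(a != b for a, b in zip(n, legit)) == 1:
            return legit
    return None


def classify_autostart(key: str, data: str) -> List[str]:
    """Flags that make an autostart value worth escalating; empty list means nothing unusual."""
    flags = []
    k = key.lower()
    if k.startswith(r"\registry\machine"):
        flags.append("machine_hive")           # persists for every user on the host
    if r"\policies\explorer\run" in k:
        flags.append("policy_run_key")         # less-watched alternative to the Run key
    directory, _, basename = data.rpartition("\\")
    if directory.lower() == r"c:\windows":
        flags.append("exe_in_windows_root")    # binaries rarely live directly in C:\Windows
    legit = lookalike(basename)
    if legit:
        flags.append(f"lookalike:{legit}")
    return flags


def extract_iocs(rows) -> Dict[str, object]:
    """Walk the rows once and collect autostart values, drops, injection pairs and privileges."""
    out = {"autostart": [], "dropped_files": set(), "hollowing": [], "privileges": set(), "executed_dropped": 0}
    for sig, desc, indicator, proc, target in rows:
        if desc.startswith("Set value"):
            m = SET_VALUE.match(indicator)
            if m:
                data = m["data"].replace("\\\\", "\\")   # undo the report's escaping
                out["autostart"].append({"key": m["key"], "name": m["name"], "data": data,
                                         "writer": proc, "flags": classify_autostart(m["key"], data)})
        elif sig == "Drops file in Windows directory" and desc == "File created":
            out["dropped_files"].add(indicator)
        elif sig == "Executes dropped EXE":
            out["executed_dropped"] += 1
        elif desc.startswith("Token: "):
            out["privileges"].add(desc[len("Token: "):])
        else:
            m = THREAD_CTX.match(desc)
            if m:
                out["hollowing"].append((int(m["src"]), int(m["dst"]), proc, target))
    # Dropped files that are also registered for autostart are the ones to pull from disk first.
    out["persisted_drops"] = sorted({a["data"] for a in out["autostart"]} & out["dropped_files"])
    return out


if __name__ == "__main__":
    iocs = extract_iocs(ROWS)
    for entry in iocs["autostart"]:
        print(entry["key"], entry["name"], entry["data"], entry["flags"])
    print("dropped:", iocs["dropped_files"], "hollowing:", iocs["hollowing"])
```

For this run every autostart value resolves to the same dropped file, so `persisted_drops` is the one artifact to collect and hash first; the same rows fed to `classify_autostart` with a System32 path and an exact system name produce no flags, which is the behaviour you want before wiring the check into a hunt.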
Processes
| Process | Command line |
| C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE |
| C:\Users\Admin\AppData\Local\Temp\03e920d3f81aae8019038e1a36d351a5_JaffaCakes118.exe | "C:\Users\Admin\AppData\Local\Temp\03e920d3f81aae8019038e1a36d351a5_JaffaCakes118.exe" |
| C:\Windows\twunk_32.exe | (none recorded) |
| C:\Windows\explorer.exe | explorer.exe |
| C:\Windows\twunk_32.exe | "C:\Windows\twunk_32.exe" |
| C:\Windows\ctfnon.exe | "C:\Windows\ctfnon.exe" |
(28 instances of C:\Windows\ctfnon.exe, all with the command line "C:\Windows\ctfnon.exe".)
Network
Files
memory/2752-0-0x0000000074D21000-0x0000000074D22000-memory.dmp
memory/2752-1-0x0000000074D20000-0x00000000752CB000-memory.dmp
memory/2752-2-0x0000000074D20000-0x00000000752CB000-memory.dmp
memory/3016-3-0x0000000000400000-0x000000000044F000-memory.dmp
memory/3016-13-0x0000000000400000-0x000000000044F000-memory.dmp
memory/3016-27-0x0000000000400000-0x000000000044F000-memory.dmp
memory/3016-28-0x0000000000400000-0x000000000044F000-memory.dmp
memory/3016-26-0x0000000000400000-0x000000000044F000-memory.dmp
memory/3016-24-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/3016-20-0x0000000000400000-0x000000000044F000-memory.dmp
memory/3016-17-0x0000000000400000-0x000000000044F000-memory.dmp
memory/3016-9-0x0000000000400000-0x000000000044F000-memory.dmp
memory/3016-7-0x0000000000400000-0x000000000044F000-memory.dmp
memory/3016-5-0x0000000000400000-0x000000000044F000-memory.dmp
memory/3016-29-0x0000000000400000-0x000000000044F000-memory.dmp
memory/2752-30-0x0000000074D20000-0x00000000752CB000-memory.dmp
memory/1336-34-0x0000000001DB0000-0x0000000001DB1000-memory.dmp
memory/3016-33-0x0000000010410000-0x0000000010475000-memory.dmp
memory/3016-834-0x0000000000400000-0x000000000044F000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Admin2.txt
| MD5 | 3a7b06aca75b78a6be393bf1307c047d |
| SHA1 | 3c81321ac8c7e9962f6359d8f0d1426822173069 |
| SHA256 | 039f785b94fc04e2d9aa90ff0810b897870683904a34e28aab05798273e234d9 |
| SHA512 | 3b74d30827379d5724c966967e9800bf3c5b9db82df84f6a6050b3e476cc8820fc842833ccfd1b14c004666cae193631066ad21d1fa6d7e9ca8563744b716b8e |
C:\Windows\ctfnon.exe
| MD5 | 0bd6e68f3ea0dd62cd86283d86895381 |
| SHA1 | e207de5c580279ad40c89bf6f2c2d47c77efd626 |
| SHA256 | a18b0a31c87475be5d4dc8ab693224e24ae79f2845d788a657555cb30c59078b |
| SHA512 | 26504d31027ceac1c6b1e3f945e447c7beb83ff9b8db29d23e1d2321fc96419686773009da95ef6cd35245788f81e546f50f829d71c39e07e07e1fecbf2d8fd4 |
C:\Users\Admin\AppData\Local\Temp\TWAIN.LOG
| MD5 | c9451f1a985779871eac0e11265c9864 |
| SHA1 | 4fd3ec1451511c138c8c1a613a975985bda4c9aa |
| SHA256 | 2a85ff51baf829f5bd53f8c07eed2dacf346228c6a095bb46b0712ce7509c0bb |
| SHA512 | d871cef9215f90946d60dbde378dd917e2ac37a2a1824b700ef9b6e1a7db0da2bed8514239d643c47d1f69f2e641ef2469c8f177d980c5dc6b476596fe17c63a |
C:\Users\Admin\AppData\Local\Temp\TWAIN.LOG
| MD5 | 9c82cd594d30455c114ed29d95cfd3c3 |
| SHA1 | 8b08b3e852ba90a4d4b6879e9b70bb62a69ac4b5 |
| SHA256 | 5e1a4aaf0b3b84a255018796679bd101589ef0b1c4cb4476762fb1cd85a506e1 |
| SHA512 | 77a9e5229f87f446735f6df7e27a842ef6120222d00a24ec63e12842f6747fcf182b7fdb59a652ba281a73d40c74eedcfd86815d6e3e14cf118f1421202d2132 |
C:\Users\Admin\AppData\Local\Temp\TWAIN.LOG
| MD5 | c3210b5e7a546e37bb086707d1cb8fde |
| SHA1 | ad684a796a4e7e3972db6647b7b00986ff4733c2 |
| SHA256 | 84cc857706a65b374b713f5db348305e521c43e4a5d50904e241bdb939b6fcc4 |
| SHA512 | fcf92bb1a594c33562e004275220e445f4767f305046776582dea246407951c1fa8d1766646565f08c47e1bd1117a23570937b9eaaa99801d8d9eb31cd89d299 |
C:\Users\Admin\AppData\Local\Temp\TWAIN.LOG
| MD5 | 73a52c932f479edbdb92b9c165f5c368 |
| SHA1 | cecf3d9fc40391c3f82aa206c1c64b5f0155cf06 |
| SHA256 | 4fc6d0cbe20b27af6fa69b38701ae505b142be9411523bcae3e0c2aa35b3b132 |
| SHA512 | 30dcb59191da6b2934186275767dbf7ad7818c87194ebb7262dc3972a8c590c7efac2fdfc8147526537badf317a0d63a2f88816f38883063f533ca5a66de9cad |
C:\Users\Admin\AppData\Local\Temp\TWAIN.LOG
| MD5 | fe164e8c0f5d0f4252be5b25fcc6dc88 |
| SHA1 | fa160614f22d7bd84bfa7df938141b7659b74158 |
| SHA256 | 2c2e518de03fbaaa08323bf60880c4ae2d5417b42e856c96e79bcc7a4bf3c8f8 |
| SHA512 | 578288a54ba54ec5a1c65c68662f6363b8631603afcd1441070a8951824fe8a826479da57e4681b974adb820a42cbd4f6c78ea94f9e7b401c392b624528d84f5 |
C:\Users\Admin\AppData\Local\Temp\TWAIN.LOG
| MD5 | c5e57b7ead21384ce422b673de1b2dc6 |
| SHA1 | 8f72186a92189c527f6bf124ab3c7fb390cd778f |
| SHA256 | 98b7cb28e6122a01848c281192d9c656715cf17b8225a56d4dcc697a643878ee |
| SHA512 | 15ea02612c66511faefd34b88fe568796ab3ceae234c55c1616e75bb621c7be6a43803370e5b2f85034b10aee26684a61bdae55e04a89dbac64cce49b983451d |
C:\Users\Admin\AppData\Local\Temp\TWAIN.LOG
| MD5 | fb2aee7310d9e207d09fde4f04033266 |
| SHA1 | a6a78bee400aa83b0b74953954ed9084f2b1f12b |
| SHA256 | 617f610fcef2963d54701709b423480ecd5f5e639815e22356b0f6a5a922bf9e |
| SHA512 | a596490338ce02fbe9044978ea47f8ac169d324419a2ca00e3f4c9d1df5a3d00d00d0a6b50bfb736f497488b61cfcf455d305f84d51534818285078d0ce37de0 |
C:\Users\Admin\AppData\Local\Temp\TWAIN.LOG
| MD5 | 86bfcd4eb1a135b68ae9e57a8641fb96 |
| SHA1 | f3bd3a3471cfcdaf9f6a1b8d47130680ad77fa41 |
| SHA256 | c9a892cf56a76e617e9c422a45a6f2f8c5e970094d6ed257cb5abefa1564022d |
| SHA512 | 020bbf773326751919aad33465bd57024014e81f2b899675ddd6f62c81679678c41520d8580e0f1a65fc055caf0834be615993078f604ff362fd8316b95a59ea |
C:\Users\Admin\AppData\Local\Temp\TWAIN.LOG
| MD5 | 5159f6471ada101363e8c27cd34fb3c7 |
| SHA1 | 5de7f5c12912ce40c93a8ac3ac0932029b74de6e |
| SHA256 | 1c0be058a28e0cc66e0e2f77961a0adee50b2d1228e64970bb4260161139c106 |
| SHA512 | fd21f49d9ff4a2dea820d9525f7d0e1774f3ac23f9b855d5b269accbfbb4fe9d02075992d011bba8ad247dd47928417a202ba767f2c7aa2098bcc3eb5bd4d214 |
C:\Users\Admin\AppData\Local\Temp\TWAIN.LOG
| MD5 | 2420885780cf623f904a120585ba39fe |
| SHA1 | 64b5ba82bba7c8c7984966949d8d9292a43a3019 |
| SHA256 | 8b94ab781d5da4053697536ab7579395bc9e5e5d23d9e54c685a51f8f1c16e09 |
| SHA512 | 31115db6754428939f4fb608d6e86d0bd24eabb2eff60fcefc36def57ba694ab0c9507bc9ec7715dc1a5857c4f405f57071444c27e2804a7376fd2a64d8cc4e5 |
C:\Users\Admin\AppData\Local\Temp\TWAIN.LOG
| MD5 | 89e81697185fb7468962c2da3a54fd48 |
| SHA1 | 024f51206c7eb7d80dd6784de12acb60011ec8f2 |
| SHA256 | aad76303b1bfb1ebc3e37d31f2b3f725da7f0b2a5bab7c764de62a7d44d2d15b |
| SHA512 | 763c9be6d94a8cd3914821e9c7a6510e5a2d10084bad4be36791463ce2255d403a8253464195d6d4ec0cc62d69e4d061db027d71214afb7e7b630d965aa2ca40 |
C:\Users\Admin\AppData\Local\Temp\TWAIN.LOG
| MD5 | ee57819178472be044026c5dbd2b9a48 |
| SHA1 | 9b9cfd30239f3d04924b30dbb4a665638392a7bf |
| SHA256 | cb5d134f9801086616fa93dad2d63006f7f42737a1209e875631e5d32deed964 |
| SHA512 | 31c8d7a3b5ed7ea2875a0b3e850a10e24321c6aeb573579a8cb3ace185110926f6373903eac588a9231318b9f74abeed9919d2952e0ec0b723268e9480fc0ca0 |
C:\Users\Admin\AppData\Local\Temp\TWAIN.LOG
| MD5 | fa15e89f5c87a10cdaea30d48b5a0e60 |
| SHA1 | 7183723158d193d560f104d0d3df66476f3683da |
| SHA256 | b577de42d9e155860b01cfeea174ef623ae70138e1959cbda91d58d4f9634fa5 |
| SHA512 | e03349a65bf6c020baa2895b51cffffbcf3c1f911ffb4e376d1a916ae599e88b22db2ab5152e3331b14ed7f3cf908ea5c9d7e301ec4ff356da9a69189f109b3c |
C:\Users\Admin\AppData\Local\Temp\TWAIN.LOG
| MD5 | 8b2805579759dac8d17182d8756531bf |
| SHA1 | 7932467fde0ff6db3d63041576c0ecfe0f0e8288 |
| SHA256 | 80866f8d3c167886d0b6eee2643bb8ef2e5d0611f3433b563a40d8d3988ad4e2 |
| SHA512 | a99dd4618f39a2db774e7c5b7bed681e4e4e5dc2b42d8f95bbc93949fe05bbcd4c6f7a13fa3d4389dd3d776b6884da0f19799ebf62a788bb3074fb1e99cc0f6f |
C:\Users\Admin\AppData\Local\Temp\TWAIN.LOG
| MD5 | 7e1bfd5380867a01eeb4db171f951408 |
| SHA1 | 1b495acfb4e2444f01b9350fd4d61d5ec7b0b522 |
| SHA256 | 92a0d0f7f79d62d7e08edaf2a481ca39b91337ee563d18af819f367edbbe719c |
| SHA512 | e0a2aadba2892d5f9fff064164193fa742f8a645f61088579ef95036e8fb60d3d3c9fe9edbee24c20d3386672bb6d3e9c4f095c826fd6bbf7bc3a8bade9bd88e |
C:\Users\Admin\AppData\Local\Temp\TWAIN.LOG
| MD5 | 2021477389a8427c4ba69a9b2e22b51b |
| SHA1 | 3bc7b494051c143f0de871c267b5de1fa689e9cf |
| SHA256 | c6e615036cfbad6512747d3c3614da1f7e8cea944c0d09317528ffa0f51c17ec |
| SHA512 | 020f91fdc11ecc5e4ffbbd0a134dd1f48ed6fa33c2d239d9cfea85128162f8c990a06d55cdb44346685f6d0769884bbe0d617a45fb456105c6e7700f304e9517 |
C:\Users\Admin\AppData\Local\Temp\TWAIN.LOG
| MD5 | 57c856b8128555f85e6341f430edf065 |
| SHA1 | e86d2e11c5dc7653f996865631de0f903a897613 |
| SHA256 | cf78b4923a12e6c56e394a63afe5b49529210d819a30ff43caee0662a83a63ab |
| SHA512 | 0ee8e2ffb975c893df610885dff703ebb253b29e341a002c684d3478e0a6c4163a5b74c075d0df96b4fb81e8f871b416351facc5a5a9e118f367a8ac405e1761 |
C:\Users\Admin\AppData\Local\Temp\TWAIN.LOG
| MD5 | 6def9d28ea5162b739e5520161def5d9 |
| SHA1 | 72ea67ae1c562a2d1dd751dd20057f5dfc548c94 |
| SHA256 | 23d79fe6377c8cf8d83b946e358011284655ea51be83bb6a5f58bed9a63f53ac |
| SHA512 | 38212221a41412d4b5dd5f914990fdb0303679aba9fef4dad6062f0af1dc756824dcc1638d28d8b0ea6e55cc0e3021aa5c608c611086d93666b8a33b6ad05766 |
C:\Users\Admin\AppData\Local\Temp\TWAIN.LOG
| MD5 | ba80a732718eb3235abb29a52c1d88c6 |
| SHA1 | 1a2a3d36a110b4c352135d64430beaceecf0ae1d |
| SHA256 | 3847bfb7c5740a94ab3a41c374cd6c458dd8cb7175e8137e321e1aa44f66bc18 |
| SHA512 | 3ddc008dd317f91954a3b757341a48f0d9664584b5cac0067a2b39594911526eed0aa61663b75c3217cf29540f68cb9b9c6651bff985fb56b25cdfb39b02af65 |
C:\Users\Admin\AppData\Local\Temp\TWAIN.LOG
| MD5 | e6561bdf27dd06902d1672f7df718598 |
| SHA1 | e84433faa740f83fe55b55a0e0cd60ff660bfb39 |
| SHA256 | 111df1cf2a837664f251fb7a687320a8337b6cd5770e543bc351bbdc957b779a |
| SHA512 | bd8c1c172975fade73e4a518dfcad784b4c4d0a5f324abc436a4f6b9cebd346c1909ff973f3f2ccc6c204c1de5a3300173bc775e8e0498dc2f417fd32fa6cc6d |
C:\Users\Admin\AppData\Local\Temp\TWAIN.LOG
| MD5 | a17094d29db551c6a669bc5d53ea07ed |
| SHA1 | 86db8335476cff745c1522385a41ebbaef6dcbcf |
| SHA256 | b1945c7c41b5822430b2984a56226299b7947b07784df4bba666de6b8ffbb283 |
| SHA512 | cef8d68bd989295577a1665edee672d7eef552fa6a6759b4ea8216b9d58dede671004c1789baff5800fde45fb378d8f6864de2a4737537a9e2ad0a1cf3d73940 |
C:\Users\Admin\AppData\Local\Temp\TWAIN.LOG
| MD5 | fe3473979a000beb8840c9080f656b4c |
| SHA1 | f002663374043421f9b66018de7e456b74d54654 |
| SHA256 | ede3e9757cf121818eb42903d21e229b0ec570dbf9fb996c5dd8da29297d622b |
| SHA512 | a61fbede0dc7f66ce4a0e2ee5f7ca1914487f95de519606b1123b536ccdd63185f2e249b94dbb9d3a63fa21001cf2028a30fcf6682113f94ca2a3a8f71adfedb |
C:\Users\Admin\AppData\Local\Temp\TWAIN.LOG
| MD5 | 3ee96d6c74a267a7f07a6561498a4e9e |
| SHA1 | 3c7a7d394d0fe0b8d5e0c04120750becddef2faa |
| SHA256 | d9b0e9b27442422b6ada02cb148fa81a2dde2200f3f07ec9da6ecdbe603c31a5 |
| SHA512 | 91dc4d70366a1e135861b7e564aa34de781c15afdf97298a65caacc783017b236b2b08a7c9215dade014a5555c51d167366ef5bfd70cdc4bcdd142e82b1bcabc |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-22 21:29
Reported
2024-06-22 21:31
Platform
win10v2004-20240611-en
Max time kernel
149s
Max time network
151s
Command Line
Signatures
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3220 set thread context of 3904 | N/A | C:\Users\Admin\AppData\Local\Temp\03e920d3f81aae8019038e1a36d351a5_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\03e920d3f81aae8019038e1a36d351a5_JaffaCakes118.exe |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\03e920d3f81aae8019038e1a36d351a5_JaffaCakes118.exe |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\03e920d3f81aae8019038e1a36d351a5_JaffaCakes118.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3220 wrote to memory of 3904 | N/A | C:\Users\Admin\AppData\Local\Temp\03e920d3f81aae8019038e1a36d351a5_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\03e920d3f81aae8019038e1a36d351a5_JaffaCakes118.exe |
| PID 3220 wrote to memory of 3904 | N/A | C:\Users\Admin\AppData\Local\Temp\03e920d3f81aae8019038e1a36d351a5_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\03e920d3f81aae8019038e1a36d351a5_JaffaCakes118.exe |
| PID 3220 wrote to memory of 3904 | N/A | C:\Users\Admin\AppData\Local\Temp\03e920d3f81aae8019038e1a36d351a5_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\03e920d3f81aae8019038e1a36d351a5_JaffaCakes118.exe |
| PID 3220 wrote to memory of 3904 | N/A | C:\Users\Admin\AppData\Local\Temp\03e920d3f81aae8019038e1a36d351a5_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\03e920d3f81aae8019038e1a36d351a5_JaffaCakes118.exe |
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\03e920d3f81aae8019038e1a36d351a5_JaffaCakes118.exe | "C:\Users\Admin\AppData\Local\Temp\03e920d3f81aae8019038e1a36d351a5_JaffaCakes118.exe" |
| C:\Users\Admin\AppData\Local\Temp\03e920d3f81aae8019038e1a36d351a5_JaffaCakes118.exe | (none recorded) |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 3904 -ip 3904 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 3904 -s 80 |
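On Windows 10 the useful triage question is which process actually faulted: the loader (PID 3220) or the copy it hollowed (PID 3904). WerFault.exe carries the faulting PID in its `-p` switch, so the SetThreadContext row and the two WerFault command lines above are enough to answer it. The following Python is an added example, not part of the report; the two input strings are copied from the behavioral2 tables, and the verdict strings are this example's own. It also handles the other outcome (loader crashed), which this run does not show.

```python
"""Attribute a WerFault crash to the injecting process or to the process it hollowed.

Added example for this report; the input strings are copied from the behavioral2
(Windows 10) tables above.
"""
import re
from typing import Dict, List, Optional

THREAD_CTX_ROW = "PID 3220 set thread context of 3904"
WERFAULT_CMDLINES = [
    r"C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 3904 -ip 3904",
    r"C:\Windows\SysWOW64\WerFault.exe -u -p 3904 -s 80",
]

THREAD_CTX = re.compile(r"^PID (\d+) set thread context of (\d+)$")
WER_PID = re.compile(r"\s-p\s+(\d+)(?=\s|$)")   # the "-p <pid>" switch only; -pss and -ip do not match


def werfault_target(cmdline: str) -> Optional[int]:
    """PID that WerFault.exe was started for, or None if the command line has no -p switch."""
    m = WER_PID.search(cmdline)
    return int(m.group(1)) if m else None


def crash_attribution(ctx_row: str, werfault_cmdlines: List[str]) -> Dict[str, object]:
    """Relate WerFault's target PIDs to the injector/target pair from the SetThreadContext row."""
    m = THREAD_CTX.match(ctx_row)
    if not m:
        raise ValueError(f"not a SetThreadContext row: {ctx_row!r}")
    loader, child = int(m.group(1)), int(m.group(2))
    crashed = {pid for pid in map(werfault_target, werfault_cmdlines) if pid is not None}
    if loader in crashed:
        verdict = "loader crashed"
    elif child in crashed:
        verdict = "injected payload crashed in hollowed child"   # the hollowed process ran, then faulted
    else:
        verdict = "no crash reported for either process"
    return {"loader": loader, "child": child, "crashed": crashed, "verdict": verdict}


if __name__ == "__main__":
    print(crash_attribution(THREAD_CTX_ROW, WERFAULT_CMDLINES))
```

Here both WerFault invocations name 3904, the hollowed child, and never 3220, so the injection itself succeeded on Windows 10 and it is the injected payload that did not survive; that is why this run shows none of the persistence or file activity of the Windows 7 run.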
Network
All recorded traffic is reverse-DNS lookups (in-addr.arpa) and HTTPS to Bing/Microsoft hosts, which is operating-system background activity; no command-and-control contact was recorded before the crash.
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 13.107.21.237:443 | g.bing.com | tcp |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 237.21.107.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 144.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 211.143.182.52.in-addr.arpa | udp |
Files
memory/3220-0-0x0000000074682000-0x0000000074683000-memory.dmp
memory/3220-1-0x0000000074680000-0x0000000074C31000-memory.dmp
memory/3220-2-0x0000000074680000-0x0000000074C31000-memory.dmp
memory/3220-5-0x0000000074680000-0x0000000074C31000-memory.dmp