Malware Analysis Report

2024-09-22 10:54

Sample ID: 240622-1bvwgsyflq
Target: 03e920d3f81aae8019038e1a36d351a5_JaffaCakes118
SHA256: 494a5d81ae8445b31b6500fa17f8b9720e8c9a85acf0540dfa21e683ee6bc278
Tags: cybergate remote persistence stealer trojan upx
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK Matrix
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10
SHA256: 494a5d81ae8445b31b6500fa17f8b9720e8c9a85acf0540dfa21e683ee6bc278
Threat Level: Known bad

The file 03e920d3f81aae8019038e1a36d351a5_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

Tags: cybergate remote persistence stealer trojan upx
Detected family: CyberGate, Rebhip

Adds policy Run key to start application
Executes dropped EXE
UPX packed file
Adds Run key to start application
Suspicious use of SetThreadContext
Drops file in Windows directory
Unsigned PE
Program crash
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory

Reading the two detonations together: the RAT behaviour (the family match, the SetThreadContext plus WriteProcessMemory injection into C:\Windows\twunk_32.exe, the writes into Explorer, the dropped C:\Windows\ctfnon.exe and its Run and Policies\Explorer\Run autoruns) was recorded only in behavioral1 (Windows 7). In behavioral2 (Windows 10) the sample enabled SeDebugPrivilege and then crashed under WerFault before any of that activity, so the Windows 10 run is not a clean result. The dropped ctfnon.exe (SHA256 a18b0a31c87475be5d4dc8ab693224e24ae79f2845d788a657555cb30c59078b) is not a byte-identical copy of the submitted sample (SHA256 494a5d81...), so blocking the submission's hash alone does not cover the persisted component.

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported: 2024-06-22 21:29

Signatures

Unsigned PE
(no row-level indicators; Description, Indicator, Process and Target are all N/A)

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-22 21:29
Reported: 2024-06-22 21:31
Platform: win7-20240611-en
Max time kernel: 146s
Max time network: 127s

Command Line

C:\Windows\Explorer.EXE

Signatures

CyberGate, Rebhip
(tags: trojan stealer cybergate)

Adds policy Run key to start application
(persistence)

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Windows\twunk_32.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ctfnon = "C:\\Windows\\ctfnon.exe" | C:\Windows\twunk_32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Windows\twunk_32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ctfnon = "C:\\Windows\\ctfnon.exe" | C:\Windows\twunk_32.exe | N/A

Policies\Explorer\Run is the Group Policy "Run these programs at user logon" location and is processed at logon in addition to the ordinary Run key. The "Key created" rows show the key did not exist before the write; on a machine where that policy is not configured the key is normally absent, so its presence alone is a useful hunting signal. The same value name (ctfnon) is written under both the user's hive and HKLM, so remediation has to cover all three keys, not only HKCU\...\Run.

UPX packed file
(upx; no row-level indicators: Description, Indicator, Process and Target are all N/A)

Adds Run key to start application
(persistence)

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\ctfnon = "C:\\Windows\\ctfnon.exe" | C:\Windows\twunk_32.exe | N/A
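The two persistence signatures above (Policies\Explorer\Run and Run) record the same value name and the same target. The Python below is an added example, not part of the report or of any sandbox tooling: it parses "Set value" rows written in the report's own wording, normalises the hive, identifies the autorun location and flags the traits a responder would check, namely the Group Policy location, a target executable sitting directly in the Windows directory, and a value or file name one edit away from a legitimate Windows process name (ctfnon against ctfmon). The list of legitimate names and the fourth, benign control row are constructed for the example.

```python
"""Triage of autorun (Run-key) registry writes as recorded in a sandbox report."""
import re
from dataclasses import dataclass, field

# Rows copied from this report's persistence tables (the SID is the sandbox user's);
# the last row is a constructed benign control pointing at a Program Files binary.
REPORT_ROWS = [
    r'Set value (str) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ctfnon = "C:\\Windows\\ctfnon.exe" C:\Windows\twunk_32.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ctfnon = "C:\\Windows\\ctfnon.exe" C:\Windows\twunk_32.exe N/A',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\ctfnon = "C:\\Windows\\ctfnon.exe" C:\Windows\twunk_32.exe N/A',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\VendorUpdater = "C:\\Program Files\\Vendor\\Updater.exe" C:\Users\Admin\Downloads\VendorSetup.exe N/A',
]

# "<key>\<value name> = "<data>" <writing process> <target>" as the report prints it.
ROW_RE = re.compile(
    r'^Set value \(str\) (?P<key>\\REGISTRY\\\S+?)\\(?P<name>[^\\\s]+) = '
    r'"(?P<data>[^"]*)" (?P<proc>\S+) (?P<target>\S+)$'
)

# Autorun key suffixes (compared case-insensitively against the full key path).
AUTORUN_LOCATIONS = {
    r"\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN": "Run",
    r"\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE": "RunOnce",
    r"\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN": "Policies\\Explorer\\Run",
}
# Assumption for the example: a short list of Windows process names malware imitates.
LEGIT_NAMES = {"ctfmon", "svchost", "explorer", "lsass", "csrss", "winlogon",
               "conhost", "dllhost", "rundll32"}


@dataclass
class Finding:
    hive: str
    location: str
    value_name: str
    target: str
    written_by: str
    reasons: list = field(default_factory=list)


def edit_distance(a, b):
    """Plain Levenshtein distance, enough for one-character lookalike checks."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike(name):
    """Return the legitimate name this one is a single edit away from, else None."""
    stem = name.lower().removesuffix(".exe")
    if stem in LEGIT_NAMES:
        return None
    return next((n for n in sorted(LEGIT_NAMES) if edit_distance(stem, n) == 1), None)


def hive_of(key):
    if key.upper().startswith("\\REGISTRY\\MACHINE\\"):
        return "HKLM"
    m = re.match(r"\\REGISTRY\\USER\\(S-1-5-21-[\d-]+)\\", key, re.I)
    return f"HKU\\{m.group(1)}" if m else "UNKNOWN"


def location_of(key):
    up = key.upper()
    return next((label for suffix, label in AUTORUN_LOCATIONS.items() if up.endswith(suffix)), None)


def triage_row(line):
    m = ROW_RE.match(line)
    if not m:
        return None
    location = location_of(m["key"])
    if location is None:
        return None  # a registry write, but not to an autorun location
    target = m["data"].replace("\\\\", "\\")  # the report prints backslashes doubled
    f = Finding(hive_of(m["key"]), location, m["name"], target, m["proc"])
    if location.startswith("Policies"):
        f.reasons.append("Group Policy 'Run these programs at user logon' location")
    if re.fullmatch(r"[A-Z]:\\Windows\\[^\\]+\.exe", target, re.I):
        f.reasons.append("target executable sits directly in the Windows directory")
    for label, candidate in (("value name", m["name"]), ("file name", target.rsplit("\\", 1)[-1])):
        like = lookalike(candidate)
        if like:
            f.reasons.append(f"{label} '{candidate}' is one edit away from legitimate '{like}'")
    return f


def triage(rows):
    return [f for f in map(triage_row, rows) if f is not None]


if __name__ == "__main__":
    for f in triage(REPORT_ROWS):
        flag = "SUSPICIOUS" if f.reasons else "review"
        print(f"[{flag}] {f.hive}\\...\\{f.location}\\{f.value_name} -> {f.target} (written by {f.written_by})")
        for r in f.reasons:
            print("    -", r)
```

The three report rows come out with three or four reasons each (the Policies rows add the Group Policy reason), while the constructed control row produces none and is left for manual review; the point of the control is that the heuristics key on where the autorun points and what it is called, not on the mere existence of a Run value.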

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 2752 set thread context of 3016 | N/A | C:\Users\Admin\AppData\Local\Temp\03e920d3f81aae8019038e1a36d351a5_JaffaCakes118.exe | C:\Windows\twunk_32.exe

Taken together with the twelve WriteProcessMemory events from PID 2752 into PID 3016 below, this is the process-hollowing pattern: the sample writes its payload into a child C:\Windows\twunk_32.exe (a stock Windows binary, the 16-bit TWAIN thunking server, so the process carries a legitimate image path) and then repoints the thread's context at the written code. The memory dumps taken from PID 3016 (0x00400000-0x0044F000 and 0x10410000-0x10475000, listed under Files) are the first place to look for the unpacked payload.

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\ctfnon.exe | C:\Windows\twunk_32.exe | N/A
File opened for modification | C:\Windows\ctfnon.exe | C:\Windows\twunk_32.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeBackupPrivilege | N/A | C:\Windows\twunk_32.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\twunk_32.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\twunk_32.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2752 wrote to memory of 3016 (12 events) | N/A | C:\Users\Admin\AppData\Local\Temp\03e920d3f81aae8019038e1a36d351a5_JaffaCakes118.exe | C:\Windows\twunk_32.exe
PID 3016 wrote to memory of 1336 (52 events) | N/A | C:\Windows\twunk_32.exe | C:\Windows\Explorer.EXE

The report lists every write as its own row; the rows are collapsed here by source and target with the event count. The second pair (the hollowed twunk_32.exe writing into Explorer, PID 1336) has no matching SetThreadContext row, so it is injection into an already running process rather than a second hollowing.
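The SetThreadContext and WriteProcessMemory rows above are recorded one event per line. As an added example (not part of the report), the Python below correlates such rows by (source PID, target PID), counts the writes, records whether a SetThreadContext event accompanies them, and orders the result as an injection chain from the sample to the final target. The event rows are constructed here in the report's wording with the same PIDs, images and counts; the ATT&CK labels are the example's own mapping.

```python
"""Correlate cross-process memory writes and thread-context changes from a sandbox
report into per-(source, target) injection findings."""
import re
from collections import defaultdict
from dataclasses import dataclass

# Event rows in the report's wording, constructed to mirror the behavioral1 tables:
# one SetThreadContext and 12 writes from 2752 into 3016, then 52 writes from 3016 into 1336.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\03e920d3f81aae8019038e1a36d351a5_JaffaCakes118.exe"
TWUNK = r"C:\Windows\twunk_32.exe"
EXPLORER = r"C:\Windows\Explorer.EXE"
EVENTS = (
    [f"PID 2752 set thread context of 3016 N/A {SAMPLE} {TWUNK}"]
    + [f"PID 2752 wrote to memory of 3016 N/A {SAMPLE} {TWUNK}"] * 12
    + [f"PID 3016 wrote to memory of 1336 N/A {TWUNK} {EXPLORER}"] * 52
)

EVENT_RE = re.compile(
    r"^PID (?P<src>\d+) (?P<action>set thread context of|wrote to memory of) (?P<dst>\d+) "
    r"N/A (?P<src_image>\S+) (?P<dst_image>\S+)$"
)


@dataclass
class Injection:
    src_pid: int
    dst_pid: int
    src_image: str
    dst_image: str
    writes: int = 0
    set_thread_context: bool = False

    @property
    def technique(self):
        # Writing into another process and then changing its thread context redirects that
        # thread to the written code: the process-hollowing pattern (ATT&CK T1055.012).
        if self.set_thread_context and self.writes:
            return "process hollowing (T1055.012)"
        if self.writes:
            return "memory written into a running process (T1055)"
        return "thread context changed without writes"


def correlate(lines):
    """Aggregate event rows into one Injection per (source PID, target PID)."""
    found = {}
    for line in lines:
        m = EVENT_RE.match(line)
        if not m:
            continue
        key = (int(m["src"]), int(m["dst"]))
        if key not in found:
            found[key] = Injection(key[0], key[1], m["src_image"], m["dst_image"])
        if m["action"].startswith("wrote"):
            found[key].writes += 1
        else:
            found[key].set_thread_context = True
    return list(found.values())


def chain(injections):
    """Order findings as chains (source -> target -> next target), roots first."""
    out_edges = defaultdict(list)
    for inj in injections:
        out_edges[inj.src_pid].append(inj)
    targets = {inj.dst_pid for inj in injections}
    ordered, seen = [], set()

    def walk(pid):
        for inj in out_edges[pid]:
            if id(inj) in seen:  # guard against cyclic PID relationships
                continue
            seen.add(id(inj))
            ordered.append(inj)
            walk(inj.dst_pid)

    for root in sorted({inj.src_pid for inj in injections} - targets):
        walk(root)
    return ordered


if __name__ == "__main__":
    for inj in chain(correlate(EVENTS)):
        print(f"{inj.src_image} (PID {inj.src_pid}) -> {inj.dst_image} (PID {inj.dst_pid}): "
              f"{inj.writes} writes, SetThreadContext={inj.set_thread_context} => {inj.technique}")
```

Run on the constructed rows it yields two findings in order: the sample hollowing twunk_32.exe (12 writes plus SetThreadContext) and the hollowed twunk_32.exe writing into Explorer (52 writes, no SetThreadContext). The same correlation applies to host telemetry such as Sysmon process-access and remote-thread events once the source and target PIDs are extracted.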

Processes

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\03e920d3f81aae8019038e1a36d351a5_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\03e920d3f81aae8019038e1a36d351a5_JaffaCakes118.exe"
C:\Windows\twunk_32.exe
C:\Windows\explorer.exe
explorer.exe
C:\Windows\twunk_32.exe
"C:\Windows\twunk_32.exe"
C:\Windows\ctfnon.exe
"C:\Windows\ctfnon.exe"
(the ctfnon.exe entry above appears 28 times in the report, i.e. 28 separate C:\Windows\ctfnon.exe processes, each started as "C:\Windows\ctfnon.exe")

Network

No network activity was recorded in this run.

Files

memory/2752-0-0x0000000074D21000-0x0000000074D22000-memory.dmp

memory/2752-1-0x0000000074D20000-0x00000000752CB000-memory.dmp

memory/2752-2-0x0000000074D20000-0x00000000752CB000-memory.dmp

memory/3016-3-0x0000000000400000-0x000000000044F000-memory.dmp

memory/3016-13-0x0000000000400000-0x000000000044F000-memory.dmp

memory/3016-27-0x0000000000400000-0x000000000044F000-memory.dmp

memory/3016-28-0x0000000000400000-0x000000000044F000-memory.dmp

memory/3016-26-0x0000000000400000-0x000000000044F000-memory.dmp

memory/3016-24-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/3016-20-0x0000000000400000-0x000000000044F000-memory.dmp

memory/3016-17-0x0000000000400000-0x000000000044F000-memory.dmp

memory/3016-9-0x0000000000400000-0x000000000044F000-memory.dmp

memory/3016-7-0x0000000000400000-0x000000000044F000-memory.dmp

memory/3016-5-0x0000000000400000-0x000000000044F000-memory.dmp

memory/3016-29-0x0000000000400000-0x000000000044F000-memory.dmp

memory/2752-30-0x0000000074D20000-0x00000000752CB000-memory.dmp

memory/1336-34-0x0000000001DB0000-0x0000000001DB1000-memory.dmp

memory/3016-33-0x0000000010410000-0x0000000010475000-memory.dmp

memory/3016-834-0x0000000000400000-0x000000000044F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Admin2.txt

MD5 3a7b06aca75b78a6be393bf1307c047d
SHA1 3c81321ac8c7e9962f6359d8f0d1426822173069
SHA256 039f785b94fc04e2d9aa90ff0810b897870683904a34e28aab05798273e234d9
SHA512 3b74d30827379d5724c966967e9800bf3c5b9db82df84f6a6050b3e476cc8820fc842833ccfd1b14c004666cae193631066ad21d1fa6d7e9ca8563744b716b8e

C:\Windows\ctfnon.exe

MD5 0bd6e68f3ea0dd62cd86283d86895381
SHA1 e207de5c580279ad40c89bf6f2c2d47c77efd626
SHA256 a18b0a31c87475be5d4dc8ab693224e24ae79f2845d788a657555cb30c59078b
SHA512 26504d31027ceac1c6b1e3f945e447c7beb83ff9b8db29d23e1d2321fc96419686773009da95ef6cd35245788f81e546f50f829d71c39e07e07e1fecbf2d8fd4

C:\Users\Admin\AppData\Local\Temp\TWAIN.LOG

MD5 c9451f1a985779871eac0e11265c9864
SHA1 4fd3ec1451511c138c8c1a613a975985bda4c9aa
SHA256 2a85ff51baf829f5bd53f8c07eed2dacf346228c6a095bb46b0712ce7509c0bb
SHA512 d871cef9215f90946d60dbde378dd917e2ac37a2a1824b700ef9b6e1a7db0da2bed8514239d643c47d1f69f2e641ef2469c8f177d980c5dc6b476596fe17c63a

C:\Users\Admin\AppData\Local\Temp\TWAIN.LOG

MD5 9c82cd594d30455c114ed29d95cfd3c3
SHA1 8b08b3e852ba90a4d4b6879e9b70bb62a69ac4b5
SHA256 5e1a4aaf0b3b84a255018796679bd101589ef0b1c4cb4476762fb1cd85a506e1
SHA512 77a9e5229f87f446735f6df7e27a842ef6120222d00a24ec63e12842f6747fcf182b7fdb59a652ba281a73d40c74eedcfd86815d6e3e14cf118f1421202d2132

C:\Users\Admin\AppData\Local\Temp\TWAIN.LOG

MD5 c3210b5e7a546e37bb086707d1cb8fde
SHA1 ad684a796a4e7e3972db6647b7b00986ff4733c2
SHA256 84cc857706a65b374b713f5db348305e521c43e4a5d50904e241bdb939b6fcc4
SHA512 fcf92bb1a594c33562e004275220e445f4767f305046776582dea246407951c1fa8d1766646565f08c47e1bd1117a23570937b9eaaa99801d8d9eb31cd89d299

C:\Users\Admin\AppData\Local\Temp\TWAIN.LOG

MD5 73a52c932f479edbdb92b9c165f5c368
SHA1 cecf3d9fc40391c3f82aa206c1c64b5f0155cf06
SHA256 4fc6d0cbe20b27af6fa69b38701ae505b142be9411523bcae3e0c2aa35b3b132
SHA512 30dcb59191da6b2934186275767dbf7ad7818c87194ebb7262dc3972a8c590c7efac2fdfc8147526537badf317a0d63a2f88816f38883063f533ca5a66de9cad

C:\Users\Admin\AppData\Local\Temp\TWAIN.LOG

MD5 fe164e8c0f5d0f4252be5b25fcc6dc88
SHA1 fa160614f22d7bd84bfa7df938141b7659b74158
SHA256 2c2e518de03fbaaa08323bf60880c4ae2d5417b42e856c96e79bcc7a4bf3c8f8
SHA512 578288a54ba54ec5a1c65c68662f6363b8631603afcd1441070a8951824fe8a826479da57e4681b974adb820a42cbd4f6c78ea94f9e7b401c392b624528d84f5

C:\Users\Admin\AppData\Local\Temp\TWAIN.LOG

MD5 c5e57b7ead21384ce422b673de1b2dc6
SHA1 8f72186a92189c527f6bf124ab3c7fb390cd778f
SHA256 98b7cb28e6122a01848c281192d9c656715cf17b8225a56d4dcc697a643878ee
SHA512 15ea02612c66511faefd34b88fe568796ab3ceae234c55c1616e75bb621c7be6a43803370e5b2f85034b10aee26684a61bdae55e04a89dbac64cce49b983451d

C:\Users\Admin\AppData\Local\Temp\TWAIN.LOG

MD5 fb2aee7310d9e207d09fde4f04033266
SHA1 a6a78bee400aa83b0b74953954ed9084f2b1f12b
SHA256 617f610fcef2963d54701709b423480ecd5f5e639815e22356b0f6a5a922bf9e
SHA512 a596490338ce02fbe9044978ea47f8ac169d324419a2ca00e3f4c9d1df5a3d00d00d0a6b50bfb736f497488b61cfcf455d305f84d51534818285078d0ce37de0

C:\Users\Admin\AppData\Local\Temp\TWAIN.LOG

MD5 86bfcd4eb1a135b68ae9e57a8641fb96
SHA1 f3bd3a3471cfcdaf9f6a1b8d47130680ad77fa41
SHA256 c9a892cf56a76e617e9c422a45a6f2f8c5e970094d6ed257cb5abefa1564022d
SHA512 020bbf773326751919aad33465bd57024014e81f2b899675ddd6f62c81679678c41520d8580e0f1a65fc055caf0834be615993078f604ff362fd8316b95a59ea

C:\Users\Admin\AppData\Local\Temp\TWAIN.LOG

MD5 5159f6471ada101363e8c27cd34fb3c7
SHA1 5de7f5c12912ce40c93a8ac3ac0932029b74de6e
SHA256 1c0be058a28e0cc66e0e2f77961a0adee50b2d1228e64970bb4260161139c106
SHA512 fd21f49d9ff4a2dea820d9525f7d0e1774f3ac23f9b855d5b269accbfbb4fe9d02075992d011bba8ad247dd47928417a202ba767f2c7aa2098bcc3eb5bd4d214

C:\Users\Admin\AppData\Local\Temp\TWAIN.LOG

MD5 2420885780cf623f904a120585ba39fe
SHA1 64b5ba82bba7c8c7984966949d8d9292a43a3019
SHA256 8b94ab781d5da4053697536ab7579395bc9e5e5d23d9e54c685a51f8f1c16e09
SHA512 31115db6754428939f4fb608d6e86d0bd24eabb2eff60fcefc36def57ba694ab0c9507bc9ec7715dc1a5857c4f405f57071444c27e2804a7376fd2a64d8cc4e5

C:\Users\Admin\AppData\Local\Temp\TWAIN.LOG

MD5 89e81697185fb7468962c2da3a54fd48
SHA1 024f51206c7eb7d80dd6784de12acb60011ec8f2
SHA256 aad76303b1bfb1ebc3e37d31f2b3f725da7f0b2a5bab7c764de62a7d44d2d15b
SHA512 763c9be6d94a8cd3914821e9c7a6510e5a2d10084bad4be36791463ce2255d403a8253464195d6d4ec0cc62d69e4d061db027d71214afb7e7b630d965aa2ca40

C:\Users\Admin\AppData\Local\Temp\TWAIN.LOG

MD5 ee57819178472be044026c5dbd2b9a48
SHA1 9b9cfd30239f3d04924b30dbb4a665638392a7bf
SHA256 cb5d134f9801086616fa93dad2d63006f7f42737a1209e875631e5d32deed964
SHA512 31c8d7a3b5ed7ea2875a0b3e850a10e24321c6aeb573579a8cb3ace185110926f6373903eac588a9231318b9f74abeed9919d2952e0ec0b723268e9480fc0ca0

C:\Users\Admin\AppData\Local\Temp\TWAIN.LOG

MD5 fa15e89f5c87a10cdaea30d48b5a0e60
SHA1 7183723158d193d560f104d0d3df66476f3683da
SHA256 b577de42d9e155860b01cfeea174ef623ae70138e1959cbda91d58d4f9634fa5
SHA512 e03349a65bf6c020baa2895b51cffffbcf3c1f911ffb4e376d1a916ae599e88b22db2ab5152e3331b14ed7f3cf908ea5c9d7e301ec4ff356da9a69189f109b3c

C:\Users\Admin\AppData\Local\Temp\TWAIN.LOG

MD5 8b2805579759dac8d17182d8756531bf
SHA1 7932467fde0ff6db3d63041576c0ecfe0f0e8288
SHA256 80866f8d3c167886d0b6eee2643bb8ef2e5d0611f3433b563a40d8d3988ad4e2
SHA512 a99dd4618f39a2db774e7c5b7bed681e4e4e5dc2b42d8f95bbc93949fe05bbcd4c6f7a13fa3d4389dd3d776b6884da0f19799ebf62a788bb3074fb1e99cc0f6f

C:\Users\Admin\AppData\Local\Temp\TWAIN.LOG

MD5 7e1bfd5380867a01eeb4db171f951408
SHA1 1b495acfb4e2444f01b9350fd4d61d5ec7b0b522
SHA256 92a0d0f7f79d62d7e08edaf2a481ca39b91337ee563d18af819f367edbbe719c
SHA512 e0a2aadba2892d5f9fff064164193fa742f8a645f61088579ef95036e8fb60d3d3c9fe9edbee24c20d3386672bb6d3e9c4f095c826fd6bbf7bc3a8bade9bd88e

C:\Users\Admin\AppData\Local\Temp\TWAIN.LOG

MD5 2021477389a8427c4ba69a9b2e22b51b
SHA1 3bc7b494051c143f0de871c267b5de1fa689e9cf
SHA256 c6e615036cfbad6512747d3c3614da1f7e8cea944c0d09317528ffa0f51c17ec
SHA512 020f91fdc11ecc5e4ffbbd0a134dd1f48ed6fa33c2d239d9cfea85128162f8c990a06d55cdb44346685f6d0769884bbe0d617a45fb456105c6e7700f304e9517

C:\Users\Admin\AppData\Local\Temp\TWAIN.LOG

MD5 57c856b8128555f85e6341f430edf065
SHA1 e86d2e11c5dc7653f996865631de0f903a897613
SHA256 cf78b4923a12e6c56e394a63afe5b49529210d819a30ff43caee0662a83a63ab
SHA512 0ee8e2ffb975c893df610885dff703ebb253b29e341a002c684d3478e0a6c4163a5b74c075d0df96b4fb81e8f871b416351facc5a5a9e118f367a8ac405e1761

C:\Users\Admin\AppData\Local\Temp\TWAIN.LOG

MD5 6def9d28ea5162b739e5520161def5d9
SHA1 72ea67ae1c562a2d1dd751dd20057f5dfc548c94
SHA256 23d79fe6377c8cf8d83b946e358011284655ea51be83bb6a5f58bed9a63f53ac
SHA512 38212221a41412d4b5dd5f914990fdb0303679aba9fef4dad6062f0af1dc756824dcc1638d28d8b0ea6e55cc0e3021aa5c608c611086d93666b8a33b6ad05766

C:\Users\Admin\AppData\Local\Temp\TWAIN.LOG

MD5 ba80a732718eb3235abb29a52c1d88c6
SHA1 1a2a3d36a110b4c352135d64430beaceecf0ae1d
SHA256 3847bfb7c5740a94ab3a41c374cd6c458dd8cb7175e8137e321e1aa44f66bc18
SHA512 3ddc008dd317f91954a3b757341a48f0d9664584b5cac0067a2b39594911526eed0aa61663b75c3217cf29540f68cb9b9c6651bff985fb56b25cdfb39b02af65

C:\Users\Admin\AppData\Local\Temp\TWAIN.LOG

MD5 e6561bdf27dd06902d1672f7df718598
SHA1 e84433faa740f83fe55b55a0e0cd60ff660bfb39
SHA256 111df1cf2a837664f251fb7a687320a8337b6cd5770e543bc351bbdc957b779a
SHA512 bd8c1c172975fade73e4a518dfcad784b4c4d0a5f324abc436a4f6b9cebd346c1909ff973f3f2ccc6c204c1de5a3300173bc775e8e0498dc2f417fd32fa6cc6d

C:\Users\Admin\AppData\Local\Temp\TWAIN.LOG

MD5 a17094d29db551c6a669bc5d53ea07ed
SHA1 86db8335476cff745c1522385a41ebbaef6dcbcf
SHA256 b1945c7c41b5822430b2984a56226299b7947b07784df4bba666de6b8ffbb283
SHA512 cef8d68bd989295577a1665edee672d7eef552fa6a6759b4ea8216b9d58dede671004c1789baff5800fde45fb378d8f6864de2a4737537a9e2ad0a1cf3d73940

C:\Users\Admin\AppData\Local\Temp\TWAIN.LOG

MD5 fe3473979a000beb8840c9080f656b4c
SHA1 f002663374043421f9b66018de7e456b74d54654
SHA256 ede3e9757cf121818eb42903d21e229b0ec570dbf9fb996c5dd8da29297d622b
SHA512 a61fbede0dc7f66ce4a0e2ee5f7ca1914487f95de519606b1123b536ccdd63185f2e249b94dbb9d3a63fa21001cf2028a30fcf6682113f94ca2a3a8f71adfedb

C:\Users\Admin\AppData\Local\Temp\TWAIN.LOG

MD5 3ee96d6c74a267a7f07a6561498a4e9e
SHA1 3c7a7d394d0fe0b8d5e0c04120750becddef2faa
SHA256 d9b0e9b27442422b6ada02cb148fa81a2dde2200f3f07ec9da6ecdbe603c31a5
SHA512 91dc4d70366a1e135861b7e564aa34de781c15afdf97298a65caacc783017b236b2b08a7c9215dade014a5555c51d167366ef5bfd70cdc4bcdd142e82b1bcabc

Analysis: behavioral2

Detonation Overview

Submitted: 2024-06-22 21:29
Reported: 2024-06-22 21:31
Platform: win10v2004-20240611-en
Max time kernel: 149s
Max time network: 151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\03e920d3f81aae8019038e1a36d351a5_JaffaCakes118.exe"

Signatures

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\03e920d3f81aae8019038e1a36d351a5_JaffaCakes118.exe | N/A

This is the only signature from the Windows 10 run: the sample enabled SeDebugPrivilege and then crashed (see the WerFault.exe entries below), so none of the persistence, injection or file-drop behaviour seen on Windows 7 was exercised here.

Processes

C:\Users\Admin\AppData\Local\Temp\03e920d3f81aae8019038e1a36d351a5_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\03e920d3f81aae8019038e1a36d351a5_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\03e920d3f81aae8019038e1a36d351a5_JaffaCakes118.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 3904 -ip 3904
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3904 -s 80

WerFault.exe is launched from SysWOW64 with -p 3904: the faulting process is PID 3904 and it is a 32-bit process running under WOW64, which matches the 32-bit address ranges in the memory dumps below.

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp
US | 8.8.8.8:53 | g.bing.com | udp
US | 13.107.21.237:443 | g.bing.com | tcp
NL | 23.62.61.194:443 | www.bing.com | tcp
US | 8.8.8.8:53 | 237.21.107.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 71.31.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 194.61.62.23.in-addr.arpa | udp
US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 144.107.17.2.in-addr.arpa | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp (4 connections)
US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp
US | 8.8.8.8:53 | 211.143.182.52.in-addr.arpa | udp

All of the recorded traffic is DNS to 8.8.8.8 (reverse-lookup PTR queries and Bing hostnames) and HTTPS to Microsoft/Bing endpoints, the background activity of an interactive Windows 10 sandbox rather than traffic attributable to the sample. Neither run recorded a connection that could be a CyberGate command-and-control channel (behavioral1 recorded no network activity at all), so this report yields no network indicators.

Files

memory/3220-0-0x0000000074682000-0x0000000074683000-memory.dmp

memory/3220-1-0x0000000074680000-0x0000000074C31000-memory.dmp

memory/3220-2-0x0000000074680000-0x0000000074C31000-memory.dmp

memory/3220-5-0x0000000074680000-0x0000000074C31000-memory.dmp