Analysis Overview
SHA256
83ae54f749dd59b440d2fc83c68f616d7467f27093dcd6199255733ace5cbf88
Threat Level: Known bad
The file 0fdabdcf0044a7ab5def6b5791a6f7de_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
CyberGate, Rebhip
Adds policy Run key to start application
Boot or Logon Autostart Execution: Active Setup
Executes dropped EXE
UPX packed file
Loads dropped DLL
Adds Run key to start application
Drops desktop.ini file(s)
Suspicious use of SetThreadContext
Drops file in Windows directory
Program crash
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2024-06-25 23:03
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-25 23:03
Reported
2024-06-25 23:05
Platform
win7-20240611-en
Max time kernel
149s
Max time network
152s
Command Line
Signatures
CyberGate, Rebhip
Adds policy Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Roaming\0fdabdcf0044a7ab5def6b5791a6f7de_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\winlogon\\winlogon.exe" | C:\Users\Admin\AppData\Roaming\0fdabdcf0044a7ab5def6b5791a6f7de_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Roaming\0fdabdcf0044a7ab5def6b5791a6f7de_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\winlogon\\winlogon.exe" | C:\Users\Admin\AppData\Roaming\0fdabdcf0044a7ab5def6b5791a6f7de_JaffaCakes118.exe | N/A |
Boot or Logon Autostart Execution: Active Setup
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{8TB62WOB-C385-6H1D-QNUT-VT43SR521561} | C:\Users\Admin\AppData\Roaming\0fdabdcf0044a7ab5def6b5791a6f7de_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8TB62WOB-C385-6H1D-QNUT-VT43SR521561}\StubPath = "C:\\Windows\\winlogon\\winlogon.exe Restart" | C:\Users\Admin\AppData\Roaming\0fdabdcf0044a7ab5def6b5791a6f7de_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{8TB62WOB-C385-6H1D-QNUT-VT43SR521561} | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8TB62WOB-C385-6H1D-QNUT-VT43SR521561}\StubPath = "C:\\Windows\\winlogon\\winlogon.exe" | C:\Windows\SysWOW64\explorer.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\0fdabdcf0044a7ab5def6b5791a6f7de_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Windows\winlogon\winlogon.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0fdabdcf0044a7ab5def6b5791a6f7de_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\0fdabdcf0044a7ab5def6b5791a6f7de_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\winlogon\winlogon.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\silent.exe = "C:\\Users\\Admin\\AppData\\Roaming\\silent\\silent.exe" | C:\Users\Admin\AppData\Local\Temp\0fdabdcf0044a7ab5def6b5791a6f7de_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\winlogon\\winlogon.exe" | C:\Users\Admin\AppData\Roaming\0fdabdcf0044a7ab5def6b5791a6f7de_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\winlogon\\winlogon.exe" | C:\Users\Admin\AppData\Roaming\0fdabdcf0044a7ab5def6b5791a6f7de_JaffaCakes118.exe | N/A |
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini | C:\Windows\SysWOW64\explorer.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2176 set thread context of 2580 | N/A | C:\Users\Admin\AppData\Local\Temp\0fdabdcf0044a7ab5def6b5791a6f7de_JaffaCakes118.exe | C:\Users\Admin\AppData\Roaming\0fdabdcf0044a7ab5def6b5791a6f7de_JaffaCakes118.exe |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\winlogon\winlogon.exe | C:\Users\Admin\AppData\Roaming\0fdabdcf0044a7ab5def6b5791a6f7de_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\winlogon\winlogon.exe | C:\Users\Admin\AppData\Roaming\0fdabdcf0044a7ab5def6b5791a6f7de_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\winlogon\winlogon.exe | C:\Windows\SysWOW64\explorer.exe | N/A |
| File opened for modification | C:\Windows\winlogon\ | C:\Windows\SysWOW64\explorer.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\0fdabdcf0044a7ab5def6b5791a6f7de_JaffaCakes118.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\0fdabdcf0044a7ab5def6b5791a6f7de_JaffaCakes118.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\0fdabdcf0044a7ab5def6b5791a6f7de_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\0fdabdcf0044a7ab5def6b5791a6f7de_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0fdabdcf0044a7ab5def6b5791a6f7de_JaffaCakes118.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\sav7xsnw.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7521.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC7520.tmp"
C:\Users\Admin\AppData\Roaming\0fdabdcf0044a7ab5def6b5791a6f7de_JaffaCakes118.exe
C:\Users\Admin\AppData\Roaming\0fdabdcf0044a7ab5def6b5791a6f7de_JaffaCakes118.exe
C:\Windows\SysWOW64\explorer.exe
explorer.exe
C:\Windows\SysWOW64\explorer.exe
explorer.exe
C:\Windows\winlogon\winlogon.exe
"C:\Windows\winlogon\winlogon.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | www.server.com | udp |
| US | 52.8.126.80:80 | www.server.com | tcp |
Files
\??\c:\Users\Admin\AppData\Local\Temp\sav7xsnw.cmdline
\??\c:\Users\Admin\AppData\Local\Temp\sav7xsnw.0.cs
\??\c:\Users\Admin\AppData\Local\Temp\CSC7520.tmp
C:\Users\Admin\AppData\Local\Temp\RES7521.tmp
C:\Users\Admin\AppData\Local\Temp\sav7xsnw.dll
\Users\Admin\AppData\Roaming\0fdabdcf0044a7ab5def6b5791a6f7de_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\Admin2.txt
C:\Users\Admin\AppData\Roaming\Adminlog.dat
C:\Users\Admin\AppData\Local\Temp\Admin7
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-25 23:03
Reported
2024-06-25 23:05
Platform
win10v2004-20240226-en
Max time kernel
139s
Max time network
161s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\0fdabdcf0044a7ab5def6b5791a6f7de_JaffaCakes118.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\silent.exe = "C:\\Users\\Admin\\AppData\\Roaming\\silent\\silent.exe" | C:\Users\Admin\AppData\Local\Temp\0fdabdcf0044a7ab5def6b5791a6f7de_JaffaCakes118.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1588 set thread context of 4988 | N/A | C:\Users\Admin\AppData\Local\Temp\0fdabdcf0044a7ab5def6b5791a6f7de_JaffaCakes118.exe | C:\Users\Admin\AppData\Roaming\0fdabdcf0044a7ab5def6b5791a6f7de_JaffaCakes118.exe |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Roaming\0fdabdcf0044a7ab5def6b5791a6f7de_JaffaCakes118.exe |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\0fdabdcf0044a7ab5def6b5791a6f7de_JaffaCakes118.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\0fdabdcf0044a7ab5def6b5791a6f7de_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0fdabdcf0044a7ab5def6b5791a6f7de_JaffaCakes118.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4068 --field-trial-handle=2236,i,5367110156796017614,12594004256180761011,262144 --variations-seed-version /prefetch:8
C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\dd3fmfjr.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE616.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCE615.tmp"
C:\Users\Admin\AppData\Roaming\0fdabdcf0044a7ab5def6b5791a6f7de_JaffaCakes118.exe
C:\Users\Admin\AppData\Roaming\0fdabdcf0044a7ab5def6b5791a6f7de_JaffaCakes118.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4988 -ip 4988
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4988 -s 12
Network
| Country | Destination | Domain | Proto |
| US | 20.231.121.79:80 | | tcp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 82.90.14.23.in-addr.arpa | udp |
| US | 13.107.246.64:443 | | tcp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | | udp |
| US | 8.8.8.8:53 | 8.167.79.40.in-addr.arpa | udp |
Files
\??\c:\Users\Admin\AppData\Local\Temp\dd3fmfjr.cmdline
\??\c:\Users\Admin\AppData\Local\Temp\dd3fmfjr.0.cs
\??\c:\Users\Admin\AppData\Local\Temp\CSCE615.tmp
C:\Users\Admin\AppData\Local\Temp\RESE616.tmp
C:\Users\Admin\AppData\Local\Temp\dd3fmfjr.dll
C:\Users\Admin\AppData\Roaming\0fdabdcf0044a7ab5def6b5791a6f7de_JaffaCakes118.exe