Analysis Overview
SHA256
19a8bf385291d1e2f96febffe0a35cc4546cb2e1d677f4e786feabfe91fb67eb
Threat Level: Known bad
The file 0ce693e05dec6245b7435a024fcd36b2_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
UAC bypass
Modifies WinLogon for persistence
Ramnit
Drops startup file
Checks BIOS information in registry
Impair Defenses: Safe Mode Boot
Loads dropped DLL
Executes dropped EXE
Adds Run key to start application
Unsigned PE
Enumerates physical storage devices
Program crash
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Suspicious behavior: LoadsDriver
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-25 05:53
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-25 05:53
Reported
2024-06-25 05:55
Platform
win7-20231129-en
Max time kernel
150s
Max time network
142s
Command Line
Signatures
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,C:\\Users\\Admin\\AppData\\Local\\xjpjduwv\\gphvnugj.exe" | C:\Windows\SysWOW64\svchost.exe | N/A |
Ramnit
UAC bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\svchost.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Windows\SysWOW64\svchost.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\gphvnugj.exe | C:\Windows\SysWOW64\svchost.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\gphvnugj.exe | C:\Windows\SysWOW64\svchost.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0ce693e05dec6245b7435a024fcd36b2_JaffaCakes118mgr.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xuftpwisvouqawgq.exe | N/A |
Impair Defenses: Safe Mode Boot
| Description | Indicator | Process | Target |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\WinDefend | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power | C:\Windows\SysWOW64\svchost.exe | N/A |
Loads dropped DLL
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\GphVnugj = "C:\\Users\\Admin\\AppData\\Local\\xjpjduwv\\gphvnugj.exe" | C:\Windows\SysWOW64\svchost.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\0ce693e05dec6245b7435a024fcd36b2_JaffaCakes118mgr.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\0ce693e05dec6245b7435a024fcd36b2_JaffaCakes118mgr.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xuftpwisvouqawgq.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xuftpwisvouqawgq.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0ce693e05dec6245b7435a024fcd36b2_JaffaCakes118.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\0ce693e05dec6245b7435a024fcd36b2_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0ce693e05dec6245b7435a024fcd36b2_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\0ce693e05dec6245b7435a024fcd36b2_JaffaCakes118mgr.exe
C:\Users\Admin\AppData\Local\Temp\0ce693e05dec6245b7435a024fcd36b2_JaffaCakes118mgr.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe
C:\Users\Admin\AppData\Local\Temp\xuftpwisvouqawgq.exe
"C:\Users\Admin\AppData\Local\Temp\xuftpwisvouqawgq.exe"
Network
Files
\Users\Admin\AppData\Local\Temp\0ce693e05dec6245b7435a024fcd36b2_JaffaCakes118mgr.exe
| MD5 | f71fbb1f80eb18d999ebf7523c245afd |
| SHA1 | b498b16f05362c69a4de7a9820a6ead7c4af3735 |
| SHA256 | fdc2a8b0fd518ad4573b2b51b189ee22d7bcf903458ee7468f9fece27bce0e7f |
| SHA512 | f0e8c10d8784d12b26c2c470a927b35d4f69d7a5662d31b0cc83519da1544a2cae19522ea9534d9437fdc2e1219eac79586ff4858bd223ea908784b12f28c48b |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-25 05:53
Reported
2024-06-25 05:55
Platform
win10v2004-20240611-en
Max time kernel
149s
Max time network
151s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0ce693e05dec6245b7435a024fcd36b2_JaffaCakes118mgr.exe | N/A |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\0ce693e05dec6245b7435a024fcd36b2_JaffaCakes118mgr.exe |
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0ce693e05dec6245b7435a024fcd36b2_JaffaCakes118.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1428 wrote to memory of 3516 | N/A | C:\Users\Admin\AppData\Local\Temp\0ce693e05dec6245b7435a024fcd36b2_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\0ce693e05dec6245b7435a024fcd36b2_JaffaCakes118mgr.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\0ce693e05dec6245b7435a024fcd36b2_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0ce693e05dec6245b7435a024fcd36b2_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\0ce693e05dec6245b7435a024fcd36b2_JaffaCakes118mgr.exe
C:\Users\Admin\AppData\Local\Temp\0ce693e05dec6245b7435a024fcd36b2_JaffaCakes118mgr.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3516 -ip 3516
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3516 -s 484
Network
Files
C:\Users\Admin\AppData\Local\Temp\0ce693e05dec6245b7435a024fcd36b2_JaffaCakes118mgr.exe
| MD5 | f71fbb1f80eb18d999ebf7523c245afd |
| SHA1 | b498b16f05362c69a4de7a9820a6ead7c4af3735 |
| SHA256 | fdc2a8b0fd518ad4573b2b51b189ee22d7bcf903458ee7468f9fece27bce0e7f |
| SHA512 | f0e8c10d8784d12b26c2c470a927b35d4f69d7a5662d31b0cc83519da1544a2cae19522ea9534d9437fdc2e1219eac79586ff4858bd223ea908784b12f28c48b |