Analysis Overview
SHA256
da456185d5879d75d08c149b51b5b1c7a4efea4cccf54c45643f34a1db6d0a1b
Threat Level: Likely benign
The file 14027e0ce5802da4aee2de0b0c6bc5c5_JaffaCakes118 was found to be: Likely benign.
Malicious Activity Summary
Hide Artifacts: Hidden Files and Directories
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Views/modifies file attributes
Kills process with taskkill
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-27 00:19
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-27 00:19
Reported
2024-06-27 00:22
Platform
win7-20240508-en
Max time kernel
119s
Max time network
120s
Command Line
Signatures
Hide Artifacts: Hidden Files and Directories
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Suspicious use of WriteProcessMemory
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
Processes
| Image | Command line |
| C:\Users\Admin\AppData\Local\Temp\14027e0ce5802da4aee2de0b0c6bc5c5_JaffaCakes118.exe | "C:\Users\Admin\AppData\Local\Temp\14027e0ce5802da4aee2de0b0c6bc5c5_JaffaCakes118.exe" |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c if not exist "C:\Users\Admin\AppData\Local\Temp\afolder" mkdir "C:\Users\Admin\AppData\Local\Temp\afolder" |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c if not exist "C:\Users\Admin\AppData\Local\Temp\ztmp" mkdir "C:\Users\Admin\AppData\Local\Temp\ztmp" |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c attrib +h C:\Users\Admin\AppData\Local\Temp\ztmp |
| C:\Windows\SysWOW64\attrib.exe | attrib +h C:\Users\Admin\AppData\Local\Temp\ztmp |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c cls |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c cls |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c cls |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c cls |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c cls |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c cls |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c if exist "C:\Users\Admin\AppData\Local\Temp\ztmp\tmp40979.bat" del "C:\Users\Admin\AppData\Local\Temp\ztmp\tmp40979.bat" |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c if exist "C:\Users\Admin\AppData\Local\Temp\ztmp\tmp65849.exe" del "C:\Users\Admin\AppData\Local\Temp\ztmp\tmp65849.exe" |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ztmp\tmp40979.bat |
| C:\Windows\SysWOW64\taskkill.exe | taskkill /f /im explorer.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c if exist "C:\Users\Admin\AppData\Local\Temp\ztmp\tmp40979.bat" del "C:\Users\Admin\AppData\Local\Temp\ztmp\tmp40979.bat" |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c if exist "C:\Users\Admin\AppData\Local\Temp\ztmp\tmp65849.exe" del "C:\Users\Admin\AppData\Local\Temp\ztmp\tmp65849.exe" |
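The process list above (and the identical chain in behavioral2, which only differs in the random tmpNNNNN names) is the part of this report a detection engineer would key on, whatever the sandbox's "Likely benign" verdict: the sample creates a Temp subdirectory, marks it hidden with attrib +h, drops a .bat and a .exe into it, runs the .bat via cmd /c, and that .bat spawns taskkill /f /im explorer.exe; the .bat and the .exe are then deleted. Note that the dropped .exe has the same hashes in both runs (MD5 3c52638971ead82b5929d605c1314ee0) while the .bat hashes differ, and that no process-creation event for the .exe appears in either run. The image path reads SysWOW64 while the command line says system32 because the 32-bit sample's request is served through WoW64 file-system redirection. The following script is an added example, not part of this report or of any sandbox's code: it reconstructs those signatures from Sysmon-style process-creation events. The events are constructed from the behavioral1 list; the PIDs and PPIDs are invented because the page does not show them, and the signature name "Deletes a dropped script after running it" is this example's own label, not one the sandbox emits.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation event, trimmed to what the report shows."""
    pid: int
    ppid: int
    image: str     # image path as the kernel reports it (after WoW64 redirection)
    cmdline: str   # command line as the parent requested it


# Constructed input: the behavioral1 process list of this report.
# PIDs/PPIDs are invented; paths and command lines are the recorded ones.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\14027e0ce5802da4aee2de0b0c6bc5c5_JaffaCakes118.exe"
TMP = r"C:\Users\Admin\AppData\Local\Temp"
CMD = r"C:\Windows\SysWOW64\cmd.exe"
REQ = r"C:\Windows\system32\cmd.exe"   # what the 32-bit sample asked for

EVENTS = [
    ProcEvent(1000, 600, SAMPLE, f'"{SAMPLE}"'),
    ProcEvent(1001, 1000, CMD, rf'{REQ} /c if not exist "{TMP}\afolder" mkdir "{TMP}\afolder"'),
    ProcEvent(1002, 1000, CMD, rf'{REQ} /c if not exist "{TMP}\ztmp" mkdir "{TMP}\ztmp"'),
    ProcEvent(1003, 1000, CMD, rf'{REQ} /c attrib +h {TMP}\ztmp'),
    ProcEvent(1004, 1003, r"C:\Windows\SysWOW64\attrib.exe", rf"attrib +h {TMP}\ztmp"),
    ProcEvent(1005, 1000, CMD, rf"{REQ} /c cls"),
    ProcEvent(1006, 1000, CMD, rf'{REQ} /c if exist "{TMP}\ztmp\tmp40979.bat" del "{TMP}\ztmp\tmp40979.bat"'),
    ProcEvent(1007, 1000, CMD, rf"{REQ} /c {TMP}\ztmp\tmp40979.bat"),
    ProcEvent(1008, 1007, r"C:\Windows\SysWOW64\taskkill.exe", r"taskkill /f /im explorer.exe"),
    ProcEvent(1009, 1000, CMD, rf'{REQ} /c if exist "{TMP}\ztmp\tmp40979.bat" del "{TMP}\ztmp\tmp40979.bat"'),
    ProcEvent(1010, 1000, CMD, rf'{REQ} /c if exist "{TMP}\ztmp\tmp65849.exe" del "{TMP}\ztmp\tmp65849.exe"'),
]

USER_TEMP = re.compile(r"\\AppData\\Local\\Temp\\", re.I)
ATTRIB_HIDE = re.compile(r'\+h\s+"?([^"]+?)"?\s*$', re.I)
SCRIPT_RUN = re.compile(r'/c\s+"?([^"]+?\.bat)"?\s*$', re.I)   # cmd /c X.bat
SCRIPT_DEL = re.compile(r'\bdel\s+"?([^"]+?\.bat)"?\s*$', re.I)  # ... del "X.bat"


def basename(path: str) -> str:
    """Lower-cased file name; matching on it makes system32 and SysWOW64 agree."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def hidden_temp_paths(events):
    """Paths under a user Temp directory that attrib.exe marked hidden."""
    hits = set()
    for e in events:
        m = ATTRIB_HIDE.search(e.cmdline) if basename(e.image) == "attrib.exe" else None
        if m and USER_TEMP.search(m.group(1)):
            hits.add(m.group(1))
    return hits


def explorer_kills(events):
    """taskkill.exe invocations that force-terminate explorer.exe."""
    return [e for e in events if basename(e.image) == "taskkill.exe"
            and re.search(r"/f\b", e.cmdline, re.I)
            and re.search(r"/im\s+explorer\.exe", e.cmdline, re.I)]


def self_deleted_scripts(events):
    """Batch files launched via cmd /c and deleted by a later cmd /c ... del.
    The del that precedes the launch (pre-cleaning) is deliberately ignored."""
    cmds = [(i, e) for i, e in enumerate(events) if basename(e.image) == "cmd.exe"]
    launched = {}
    for i, e in cmds:
        m = SCRIPT_RUN.search(e.cmdline)
        if m:
            launched.setdefault(m.group(1).lower(), i)
    return {m.group(1) for i, e in cmds
            if (m := SCRIPT_DEL.search(e.cmdline))
            and launched.get(m.group(1).lower(), len(events)) < i}


def ancestors(events, pid):
    """PID chain from pid up to the oldest parent present in the events."""
    by_pid = {e.pid: e for e in events}
    chain = []
    while pid in by_pid:
        chain.append(pid)
        pid = by_pid[pid].ppid
    return chain


def triage(events):
    """Map the indicators onto signature names; return them with the ancestry
    of the first explorer.exe kill so an analyst can see who spawned it."""
    sigs = {}
    if hidden := hidden_temp_paths(events):
        sigs["Hide Artifacts: Hidden Files and Directories"] = sorted(hidden)
    if kills := explorer_kills(events):
        sigs["Kills process with taskkill"] = [k.cmdline for k in kills]
    if wiped := self_deleted_scripts(events):
        sigs["Deletes a dropped script after running it"] = sorted(wiped)
    return sigs, (ancestors(events, kills[0].pid) if kills else [])


if __name__ == "__main__":
    signatures, chain = triage(EVENTS)
    for name, hits in signatures.items():
        print(f"{name}: {hits}")
    print("taskkill ancestry:", " <- ".join(map(str, chain)))
```

Run against the constructed events, it reports the two signatures the sandbox raised plus the self-deletion of tmp40979.bat, and traces taskkill.exe back through the cmd /c that ran the .bat to the sample itself; the same logic applies unchanged to the behavioral2 run once the tmp44355/tmp80055 names are substituted.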
Network
Files
C:\Users\Admin\AppData\Local\Temp\ztmp\tmp40979.bat
| MD5 | af4c5148313412b65d3f3bc11152a61e |
| SHA1 | 168576b06e3d00655755366f66a0d1173b9eb806 |
| SHA256 | 0c91e4ffba38ed02fb5a2ef3bd47a2f1faeaa2e07c007741cdc71311e8dbfeb7 |
| SHA512 | 942a3df52e8b315a9e1a34c7c681eb36934465ae1281b6575cca334a0152dc5ccf8c0d5e8b3e8fc23c24ebabeed447d5686e627af88cce600d594c0feb2e243b |
C:\Users\Admin\AppData\Local\Temp\ztmp\tmp65849.exe
| MD5 | 3c52638971ead82b5929d605c1314ee0 |
| SHA1 | 7318148a40faca203ac402dff51bbb04e638545c |
| SHA256 | 5614459ec05fdf6110fa8ce54c34e859671eeffba2b7bb4b1ad6c2c6706855ab |
| SHA512 | 46f85f730e3ca9a57f51416c6ab4d03f868f895568eee8f7943cd249b2f71d2a3e83c34e7132715c983d3efaa865a9cb599a4278c911130a0a6948a535c0573b |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-27 00:19
Reported
2024-06-27 00:22
Platform
win10v2004-20240508-en
Max time kernel
93s
Max time network
132s
Command Line
Signatures
Hide Artifacts: Hidden Files and Directories
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Suspicious use of WriteProcessMemory
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
Processes
| Image | Command line |
| C:\Users\Admin\AppData\Local\Temp\14027e0ce5802da4aee2de0b0c6bc5c5_JaffaCakes118.exe | "C:\Users\Admin\AppData\Local\Temp\14027e0ce5802da4aee2de0b0c6bc5c5_JaffaCakes118.exe" |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c if not exist "C:\Users\Admin\AppData\Local\Temp\afolder" mkdir "C:\Users\Admin\AppData\Local\Temp\afolder" |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c if not exist "C:\Users\Admin\AppData\Local\Temp\ztmp" mkdir "C:\Users\Admin\AppData\Local\Temp\ztmp" |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c attrib +h C:\Users\Admin\AppData\Local\Temp\ztmp |
| C:\Windows\SysWOW64\attrib.exe | attrib +h C:\Users\Admin\AppData\Local\Temp\ztmp |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c cls |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c cls |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c cls |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c cls |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c cls |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c cls |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c if exist "C:\Users\Admin\AppData\Local\Temp\ztmp\tmp44355.bat" del "C:\Users\Admin\AppData\Local\Temp\ztmp\tmp44355.bat" |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c if exist "C:\Users\Admin\AppData\Local\Temp\ztmp\tmp80055.exe" del "C:\Users\Admin\AppData\Local\Temp\ztmp\tmp80055.exe" |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ztmp\tmp44355.bat |
| C:\Windows\SysWOW64\taskkill.exe | taskkill /f /im explorer.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c if exist "C:\Users\Admin\AppData\Local\Temp\ztmp\tmp44355.bat" del "C:\Users\Admin\AppData\Local\Temp\ztmp\tmp44355.bat" |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c if exist "C:\Users\Admin\AppData\Local\Temp\ztmp\tmp80055.exe" del "C:\Users\Admin\AppData\Local\Temp\ztmp\tmp80055.exe" |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 82.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 64.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 92.12.20.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 52.111.227.11:443 | | tcp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\ztmp\tmp44355.bat
| MD5 | ae1c6565f6b0e9ef871ca43416ac8c57 |
| SHA1 | 43539d1673515010b715271874b8fc9d51ba8ea4 |
| SHA256 | 9fa1bf8c8b5b62efbc392df5d47030055b0c39c73b70c9f2edddc0eb46cc8a6f |
| SHA512 | 4e64e902d3c13b21adedbae0a133588ff948d60d18752fb4ee3ac04f31e39362d3dbc978467461763c17f243f435902806ada8b8b4c47b226b9a442d628241aa |
C:\Users\Admin\AppData\Local\Temp\ztmp\tmp80055.exe
| MD5 | 3c52638971ead82b5929d605c1314ee0 |
| SHA1 | 7318148a40faca203ac402dff51bbb04e638545c |
| SHA256 | 5614459ec05fdf6110fa8ce54c34e859671eeffba2b7bb4b1ad6c2c6706855ab |
| SHA512 | 46f85f730e3ca9a57f51416c6ab4d03f868f895568eee8f7943cd249b2f71d2a3e83c34e7132715c983d3efaa865a9cb599a4278c911130a0a6948a535c0573b |