Analysis Overview
SHA256
951ef36043f2a9addaf729c12f13a4a54b3f05f7920bd6355baee812a180834e
Threat Level: Likely malicious
The file 18db4def8cf842a587434c88a510ff5c_JaffaCakes118 was found to be: Likely malicious.
Malicious Activity Summary
Server Software Component: Terminal Services DLL
VMProtect packed file
Deletes itself
Loads dropped DLL
Drops file in Windows directory
Unsigned PE
Kills process with taskkill
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-28 04:58
Signatures
VMProtect packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-28 04:58
Reported
2024-06-28 05:00
Platform
win7-20240508-en
Max time kernel
150s
Max time network
122s
Command Line
Signatures
Server Software Component: Terminal Services DLL
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wind0ws\Parameters\ServiceDll = "C:\\Documents and Settings\\Local Server\\Windows.dll" | C:\Users\Admin\AppData\Local\Temp\18db4def8cf842a587434c88a510ff5c_JaffaCakes118.exe | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
VMProtect packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\FuckYou.txt | C:\Users\Admin\AppData\Local\Temp\18db4def8cf842a587434c88a510ff5c_JaffaCakes118.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\18db4def8cf842a587434c88a510ff5c_JaffaCakes118.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\18db4def8cf842a587434c88a510ff5c_JaffaCakes118.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\18db4def8cf842a587434c88a510ff5c_JaffaCakes118.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2136 wrote to memory of 2120 | N/A | C:\Users\Admin\AppData\Local\Temp\18db4def8cf842a587434c88a510ff5c_JaffaCakes118.exe | C:\Windows\SysWOW64\taskkill.exe |
| PID 2136 wrote to memory of 2120 | N/A | C:\Users\Admin\AppData\Local\Temp\18db4def8cf842a587434c88a510ff5c_JaffaCakes118.exe | C:\Windows\SysWOW64\taskkill.exe |
| PID 2136 wrote to memory of 2120 | N/A | C:\Users\Admin\AppData\Local\Temp\18db4def8cf842a587434c88a510ff5c_JaffaCakes118.exe | C:\Windows\SysWOW64\taskkill.exe |
| PID 2136 wrote to memory of 2120 | N/A | C:\Users\Admin\AppData\Local\Temp\18db4def8cf842a587434c88a510ff5c_JaffaCakes118.exe | C:\Windows\SysWOW64\taskkill.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\18db4def8cf842a587434c88a510ff5c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\18db4def8cf842a587434c88a510ff5c_JaffaCakes118.exe"
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /t /im ZhuDongFangYu.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs
Network
| Country | Destination | Domain | Proto |
| N/A | 127.0.0.1:2010 | tcp | |
| N/A | 127.0.0.1:2010 | tcp | |
| N/A | 127.0.0.1:2010 | tcp | |
| N/A | 127.0.0.1:2010 | tcp | |
| N/A | 127.0.0.1:2010 | tcp | |
| N/A | 127.0.0.1:2010 | tcp | |
| N/A | 127.0.0.1:2010 | tcp | |
| N/A | 127.0.0.1:2010 | tcp | |
| N/A | 127.0.0.1:2010 | tcp | |
| N/A | 127.0.0.1:2010 | tcp | |
| N/A | 127.0.0.1:2010 | tcp | |
| N/A | 127.0.0.1:2010 | tcp | |
| N/A | 127.0.0.1:2010 | tcp | |
| N/A | 127.0.0.1:2010 | tcp | |
| N/A | 127.0.0.1:2010 | tcp | |
| N/A | 127.0.0.1:2010 | tcp | |
| N/A | 127.0.0.1:2010 | tcp | |
| N/A | 127.0.0.1:2010 | tcp | |
| N/A | 127.0.0.1:2010 | tcp | |
| N/A | 127.0.0.1:2010 | tcp | |
| N/A | 127.0.0.1:2010 | tcp | |
| N/A | 127.0.0.1:2010 | tcp | |
| N/A | 127.0.0.1:2010 | tcp | |
| N/A | 127.0.0.1:2010 | tcp | |
| N/A | 127.0.0.1:2010 | tcp | |
| N/A | 127.0.0.1:2010 | tcp | |
| N/A | 127.0.0.1:2010 | tcp | |
| N/A | 127.0.0.1:2010 | tcp | |
| N/A | 127.0.0.1:2010 | tcp | |
| N/A | 127.0.0.1:2010 | tcp | |
| N/A | 127.0.0.1:2010 | tcp | |
| N/A | 127.0.0.1:2010 | tcp | |
| N/A | 127.0.0.1:2010 | tcp | |
| N/A | 127.0.0.1:2010 | tcp | |
| N/A | 127.0.0.1:2010 | tcp | |
| N/A | 127.0.0.1:2010 | tcp |
Files
memory/2136-1-0x0000000000400000-0x000000000044E000-memory.dmp
memory/2136-0-0x0000000000400000-0x000000000044E000-memory.dmp
\Users\Local Server\Windows.dll
| MD5 | 80a4c5145515fa4598a79b0eee864054 |
| SHA1 | 1320f79b650f9f4942292971cff5abef3ccebdb6 |
| SHA256 | 3307b3c7effb5d3154e40a6ea6525ffa06ca5f729cbf637ad421989b36f35c7c |
| SHA512 | 30281ea275de444c18a35e770b9c2b0c245ece2060880a855b08d21a2dd5e558eabfef6a26c5889160ebb2b6af5b9f9fada583b93131fec4d2b29979f4abf941 |
memory/2656-6-0x0000000010000000-0x000000001001E000-memory.dmp
memory/2136-4-0x0000000000400000-0x000000000044E000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-28 04:58
Reported
2024-06-28 05:00
Platform
win10v2004-20240508-en
Max time kernel
150s
Max time network
56s
Command Line
Signatures
Server Software Component: Terminal Services DLL
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wind0ws\Parameters\ServiceDll = "C:\\Documents and Settings\\Local Server\\Windows.dll" | C:\Users\Admin\AppData\Local\Temp\18db4def8cf842a587434c88a510ff5c_JaffaCakes118.exe | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
VMProtect packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\FuckYou.txt | C:\Users\Admin\AppData\Local\Temp\18db4def8cf842a587434c88a510ff5c_JaffaCakes118.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\18db4def8cf842a587434c88a510ff5c_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\18db4def8cf842a587434c88a510ff5c_JaffaCakes118.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\18db4def8cf842a587434c88a510ff5c_JaffaCakes118.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\18db4def8cf842a587434c88a510ff5c_JaffaCakes118.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3156 wrote to memory of 5052 | N/A | C:\Users\Admin\AppData\Local\Temp\18db4def8cf842a587434c88a510ff5c_JaffaCakes118.exe | C:\Windows\SysWOW64\taskkill.exe |
| PID 3156 wrote to memory of 5052 | N/A | C:\Users\Admin\AppData\Local\Temp\18db4def8cf842a587434c88a510ff5c_JaffaCakes118.exe | C:\Windows\SysWOW64\taskkill.exe |
| PID 3156 wrote to memory of 5052 | N/A | C:\Users\Admin\AppData\Local\Temp\18db4def8cf842a587434c88a510ff5c_JaffaCakes118.exe | C:\Windows\SysWOW64\taskkill.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\18db4def8cf842a587434c88a510ff5c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\18db4def8cf842a587434c88a510ff5c_JaffaCakes118.exe"
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /t /im ZhuDongFangYu.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| N/A | 127.0.0.1:2010 | tcp | |
| N/A | 127.0.0.1:2010 | tcp | |
| N/A | 127.0.0.1:2010 | tcp | |
| N/A | 127.0.0.1:2010 | tcp | |
| N/A | 127.0.0.1:2010 | tcp | |
| N/A | 127.0.0.1:2010 | tcp | |
| N/A | 127.0.0.1:2010 | tcp | |
| N/A | 127.0.0.1:2010 | tcp | |
| N/A | 127.0.0.1:2010 | tcp | |
| N/A | 127.0.0.1:2010 | tcp | |
| N/A | 127.0.0.1:2010 | tcp | |
| N/A | 127.0.0.1:2010 | tcp | |
| N/A | 127.0.0.1:2010 | tcp | |
| N/A | 127.0.0.1:2010 | tcp | |
| N/A | 127.0.0.1:2010 | tcp | |
| N/A | 127.0.0.1:2010 | tcp | |
| N/A | 127.0.0.1:2010 | tcp | |
| N/A | 127.0.0.1:2010 | tcp | |
| N/A | 127.0.0.1:2010 | tcp | |
| N/A | 127.0.0.1:2010 | tcp | |
| N/A | 127.0.0.1:2010 | tcp | |
| N/A | 127.0.0.1:2010 | tcp | |
| N/A | 127.0.0.1:2010 | tcp | |
| N/A | 127.0.0.1:2010 | tcp | |
| N/A | 127.0.0.1:2010 | tcp | |
| N/A | 127.0.0.1:2010 | tcp | |
| N/A | 127.0.0.1:2010 | tcp | |
| N/A | 127.0.0.1:2010 | tcp | |
| N/A | 127.0.0.1:2010 | tcp |
Files
memory/3156-0-0x0000000000400000-0x000000000044E000-memory.dmp
memory/3156-1-0x0000000000400000-0x000000000044E000-memory.dmp
\??\c:\documents and settings\local server\windows.dll
| MD5 | 80a4c5145515fa4598a79b0eee864054 |
| SHA1 | 1320f79b650f9f4942292971cff5abef3ccebdb6 |
| SHA256 | 3307b3c7effb5d3154e40a6ea6525ffa06ca5f729cbf637ad421989b36f35c7c |
| SHA512 | 30281ea275de444c18a35e770b9c2b0c245ece2060880a855b08d21a2dd5e558eabfef6a26c5889160ebb2b6af5b9f9fada583b93131fec4d2b29979f4abf941 |
memory/4268-6-0x0000000010000000-0x000000001001E000-memory.dmp
memory/3156-5-0x0000000000400000-0x000000000044E000-memory.dmp