Analysis Overview
SHA256
bedf00dd91cdd0fdc2182d2fd67ea29ed428975be7b6de243c1ea81a3d9c92b1
Threat Level: Known bad
The file 2647cac2fdf6f73ccf10caeda92b594f_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
MetaSploit
Executes dropped EXE
Loads dropped DLL
UPX packed file
Adds Run key to start application
Suspicious use of SetThreadContext
Program crash
Unsigned PE
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-07-04 21:30
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-07-04 21:30
Reported
2024-07-04 21:32
Platform
win7-20240221-en
Max time kernel
149s
Max time network
147s
Command Line
Signatures
MetaSploit
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\AdobeARM.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\AdobeARM.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2647cac2fdf6f73ccf10caeda92b594f_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2647cac2fdf6f73ccf10caeda92b594f_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\AdobeARM.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\patches = "1" | C:\Users\Admin\AppData\Local\Temp\2647cac2fdf6f73ccf10caeda92b594f_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\Adobe ARMS = "C:\\Users\\Admin\\AppData\\Roaming\\AdobeARM.exe" | C:\Users\Admin\AppData\Local\Temp\2647cac2fdf6f73ccf10caeda92b594f_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Adobe ARMS = "\\AdobeARM.exe" | C:\Users\Admin\AppData\Roaming\AdobeARM.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\Adobe ARMS = "C:\\Users\\Admin\\AppData\\Roaming\\AdobeARM.exe" | C:\Users\Admin\AppData\Roaming\AdobeARM.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1312 set thread context of 2776 | N/A | C:\Users\Admin\AppData\Local\Temp\2647cac2fdf6f73ccf10caeda92b594f_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\2647cac2fdf6f73ccf10caeda92b594f_JaffaCakes118.exe |
| PID 3000 set thread context of 2716 | N/A | C:\Users\Admin\AppData\Roaming\AdobeARM.exe | C:\Users\Admin\AppData\Roaming\AdobeARM.exe |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\AdobeARM.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command Line |
| C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE |
| C:\Users\Admin\AppData\Local\Temp\2647cac2fdf6f73ccf10caeda92b594f_JaffaCakes118.exe | "C:\Users\Admin\AppData\Local\Temp\2647cac2fdf6f73ccf10caeda92b594f_JaffaCakes118.exe" |
| C:\Users\Admin\AppData\Local\Temp\2647cac2fdf6f73ccf10caeda92b594f_JaffaCakes118.exe | "C:\Users\Admin\AppData\Local\Temp\2647cac2fdf6f73ccf10caeda92b594f_JaffaCakes118.exe" |
| C:\Users\Admin\AppData\Roaming\AdobeARM.exe | C:\Users\Admin\AppData\Roaming\AdobeARM.exe 388 "C:\Users\Admin\AppData\Local\Temp\2647cac2fdf6f73ccf10caeda92b594f_JaffaCakes118.exe" |
| C:\Users\Admin\AppData\Roaming\AdobeARM.exe | "C:\Users\Admin\AppData\Roaming\AdobeARM.exe" |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | pccw.hopto.org | udp |
Files
memory/2776-0-0x0000000000400000-0x000000000048E000-memory.dmp
memory/1312-5-0x0000000000400000-0x0000000000414000-memory.dmp
memory/2776-7-0x0000000000400000-0x000000000048E000-memory.dmp
memory/2776-4-0x0000000000400000-0x000000000048E000-memory.dmp
memory/2776-2-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2776-8-0x0000000000400000-0x000000000048E000-memory.dmp
memory/2776-9-0x0000000000400000-0x000000000048E000-memory.dmp
memory/2776-10-0x0000000000400000-0x000000000048E000-memory.dmp
\Users\Admin\AppData\Roaming\AdobeARM.exe
| MD5 | 2647cac2fdf6f73ccf10caeda92b594f |
| SHA1 | d1d6e9548ed88bb03fe45b0d36572ee0f3c10ed5 |
| SHA256 | bedf00dd91cdd0fdc2182d2fd67ea29ed428975be7b6de243c1ea81a3d9c92b1 |
| SHA512 | 7e1d4360acd7dd059b6baf16eae25c3db4abba07f88ee43f7ce340adb5feff8e4fcf320bd7488e1e4e3a0e2f602d8b167623475c736fb503f71baff1381e0024 |
memory/2776-21-0x0000000000400000-0x000000000048E000-memory.dmp
memory/2716-32-0x0000000000400000-0x000000000048E000-memory.dmp
memory/3000-33-0x0000000000400000-0x0000000000414000-memory.dmp
memory/2716-34-0x0000000000400000-0x000000000048E000-memory.dmp
memory/2716-31-0x0000000000400000-0x000000000048E000-memory.dmp
memory/2716-38-0x0000000000400000-0x000000000048E000-memory.dmp
memory/2716-37-0x0000000000400000-0x000000000048E000-memory.dmp
memory/1212-35-0x0000000002EF0000-0x0000000002EF1000-memory.dmp
memory/2716-39-0x0000000000400000-0x000000000048E000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-07-04 21:30
Reported
2024-07-04 21:32
Platform
win10v2004-20240704-en
Max time kernel
148s
Max time network
150s
Command Line
Signatures
MetaSploit
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\AdobeARM.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\AdobeARM.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\patches = "1" | C:\Users\Admin\AppData\Local\Temp\2647cac2fdf6f73ccf10caeda92b594f_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2753856825-3907105642-1818461144-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Adobe ARMS = "C:\\Users\\Admin\\AppData\\Roaming\\AdobeARM.exe" | C:\Users\Admin\AppData\Local\Temp\2647cac2fdf6f73ccf10caeda92b594f_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Adobe ARMS = "\\AdobeARM.exe" | C:\Users\Admin\AppData\Roaming\AdobeARM.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2753856825-3907105642-1818461144-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Adobe ARMS = "C:\\Users\\Admin\\AppData\\Roaming\\AdobeARM.exe" | C:\Users\Admin\AppData\Roaming\AdobeARM.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3988 set thread context of 1252 | N/A | C:\Users\Admin\AppData\Local\Temp\2647cac2fdf6f73ccf10caeda92b594f_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\2647cac2fdf6f73ccf10caeda92b594f_JaffaCakes118.exe |
| PID 2700 set thread context of 2808 | N/A | C:\Users\Admin\AppData\Roaming\AdobeARM.exe | C:\Users\Admin\AppData\Roaming\AdobeARM.exe |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\2647cac2fdf6f73ccf10caeda92b594f_JaffaCakes118.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Roaming\AdobeARM.exe |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\AdobeARM.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command Line |
| C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE |
| C:\Users\Admin\AppData\Local\Temp\2647cac2fdf6f73ccf10caeda92b594f_JaffaCakes118.exe | "C:\Users\Admin\AppData\Local\Temp\2647cac2fdf6f73ccf10caeda92b594f_JaffaCakes118.exe" |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 3988 -ip 3988 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 3988 -s 284 |
| C:\Users\Admin\AppData\Local\Temp\2647cac2fdf6f73ccf10caeda92b594f_JaffaCakes118.exe | "C:\Users\Admin\AppData\Local\Temp\2647cac2fdf6f73ccf10caeda92b594f_JaffaCakes118.exe" |
| C:\Users\Admin\AppData\Roaming\AdobeARM.exe | C:\Users\Admin\AppData\Roaming\AdobeARM.exe 908 "C:\Users\Admin\AppData\Local\Temp\2647cac2fdf6f73ccf10caeda92b594f_JaffaCakes118.exe" |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 2700 -ip 2700 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 2700 -s 224 |
| C:\Users\Admin\AppData\Roaming\AdobeARM.exe | "C:\Users\Admin\AppData\Roaming\AdobeARM.exe" |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 14.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | pccw.hopto.org | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
Files
memory/3988-1-0x0000000000400000-0x0000000000414000-memory.dmp
memory/1252-3-0x0000000000400000-0x000000000048E000-memory.dmp
memory/1252-4-0x0000000000400000-0x000000000048E000-memory.dmp
memory/1252-5-0x0000000000400000-0x000000000048E000-memory.dmp
memory/1252-6-0x0000000000400000-0x000000000048E000-memory.dmp
C:\Users\Admin\AppData\Roaming\AdobeARM.exe
| MD5 | 2647cac2fdf6f73ccf10caeda92b594f |
| SHA1 | d1d6e9548ed88bb03fe45b0d36572ee0f3c10ed5 |
| SHA256 | bedf00dd91cdd0fdc2182d2fd67ea29ed428975be7b6de243c1ea81a3d9c92b1 |
| SHA512 | 7e1d4360acd7dd059b6baf16eae25c3db4abba07f88ee43f7ce340adb5feff8e4fcf320bd7488e1e4e3a0e2f602d8b167623475c736fb503f71baff1381e0024 |
memory/1252-14-0x0000000000400000-0x000000000048E000-memory.dmp
memory/2808-18-0x0000000000400000-0x000000000048E000-memory.dmp
memory/2808-20-0x0000000000400000-0x000000000048E000-memory.dmp
memory/2700-21-0x0000000000400000-0x0000000000414000-memory.dmp
memory/2808-19-0x0000000000400000-0x000000000048E000-memory.dmp
memory/2808-23-0x0000000000400000-0x000000000048E000-memory.dmp
memory/2808-22-0x0000000000400000-0x000000000048E000-memory.dmp
memory/2808-24-0x0000000000400000-0x000000000048E000-memory.dmp