Malware Analysis Report

2025-01-03 08:13

Sample ID 240704-ktap9sshpq
Target 2557a73fd749fd202674f8f8c0f0ac3b_JaffaCakes118
SHA256 83687b2ce96cb5425e6649be9b6b018e2286b88b1489be2a5102d9f744cd9c5a
Tags
metasploit backdoor evasion persistence spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

83687b2ce96cb5425e6649be9b6b018e2286b88b1489be2a5102d9f744cd9c5a

Threat Level: Known bad

The file 2557a73fd749fd202674f8f8c0f0ac3b_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

metasploit backdoor evasion persistence spyware stealer trojan

MetaSploit

Disables taskbar notifications via registry modification

Boot or Logon Autostart Execution: Active Setup

Executes dropped EXE

Loads dropped DLL

Reads user/profile data of web browsers

Modifies system executable filetype association

Adds Run key to start application

Unsigned PE

Suspicious behavior: GetForegroundWindowSpam

Modifies registry class

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-07-04 08:53

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-04 08:53

Reported

2024-07-04 08:55

Platform

win7-20240611-en

Max time kernel

147s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2557a73fd749fd202674f8f8c0f0ac3b_JaffaCakes118.exe"

Signatures

MetaSploit

trojan backdoor metasploit

Boot or Logon Autostart Execution: Active Setup

persistence
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Active Setup\Installed Components C:\Windows\explorer.exe N/A

Disables taskbar notifications via registry modification

evasion

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\hfklgv.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\hfxtc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\rns.exe N/A

Modifies system executable filetype association

persistence
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\exefile\shell\open C:\Users\Admin\AppData\Local\rns.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\exefile\shell\open\command\IsolatedCommand = "\"%1\" %*" C:\Users\Admin\AppData\Local\rns.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\exefile\shell\runas\command\IsolatedCommand = "\"%1\" %*" C:\Users\Admin\AppData\Local\rns.exe N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\exefile\shell\start\command C:\Users\Admin\AppData\Local\rns.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\exefile\shell\start\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\rns.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\exefile\shell\start\command\IsolatedCommand = "\"%1\" %*" C:\Users\Admin\AppData\Local\rns.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\exefile\DefaultIcon\ = "%1" C:\Users\Admin\AppData\Local\rns.exe N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\exefile\shell C:\Users\Admin\AppData\Local\rns.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\exefile\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\rns.exe\" -a \"%1\" %*" C:\Users\Admin\AppData\Local\rns.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\exefile\shell\runas\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\rns.exe N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\exefile\shell\start C:\Users\Admin\AppData\Local\rns.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\exefile\ = "Application" C:\Users\Admin\AppData\Local\rns.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\exefile\Content Type = "application/x-msdownload" C:\Users\Admin\AppData\Local\rns.exe N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\exefile\DefaultIcon C:\Users\Admin\AppData\Local\rns.exe N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\exefile\shell\open\command C:\Users\Admin\AppData\Local\rns.exe N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\exefile\shell\runas C:\Users\Admin\AppData\Local\rns.exe N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\exefile\shell\runas\command C:\Users\Admin\AppData\Local\rns.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\ctfmon.exe = "C:\\WINDOWS\\system32\\ctfmon.exe" C:\Users\Admin\AppData\Local\rns.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\.exe\shell\runas\command C:\Users\Admin\AppData\Local\rns.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\.exe\shell\start\command\IsolatedCommand = "\"%1\" %*" C:\Users\Admin\AppData\Local\rns.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\exefile\Content Type = "application/x-msdownload" C:\Users\Admin\AppData\Local\rns.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\exefile\shell\start\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\rns.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\.exe C:\Users\Admin\AppData\Local\rns.exe N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\.exe\shell\start C:\Users\Admin\AppData\Local\rns.exe N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\exefile\shell\runas C:\Users\Admin\AppData\Local\rns.exe N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\exefile\shell\start C:\Users\Admin\AppData\Local\rns.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\exefile\shell\start\command\IsolatedCommand = "\"%1\" %*" C:\Users\Admin\AppData\Local\rns.exe N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\.exe\DefaultIcon C:\Users\Admin\AppData\Local\rns.exe N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\exefile\shell\runas\command C:\Users\Admin\AppData\Local\rns.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\.exe\shell\open\command C:\Users\Admin\AppData\Local\rns.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\exefile\shell\runas\command\IsolatedCommand = "\"%1\" %*" C:\Users\Admin\AppData\Local\rns.exe N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_Classes\Local Settings C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell C:\Windows\explorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\.exe\Content Type = "application/x-msdownload" C:\Users\Admin\AppData\Local\rns.exe N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\.exe\shell\start\command C:\Users\Admin\AppData\Local\rns.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\exefile\DefaultIcon\ = "%1" C:\Users\Admin\AppData\Local\rns.exe N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\exefile\shell\open\command C:\Users\Admin\AppData\Local\rns.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\exefile\shell\open\command\IsolatedCommand = "\"%1\" %*" C:\Users\Admin\AppData\Local\rns.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\.exe\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\rns.exe\" -a \"%1\" %*" C:\Users\Admin\AppData\Local\rns.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\.exe\shell\open\command\IsolatedCommand = "\"%1\" %*" C:\Users\Admin\AppData\Local\rns.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\.exe\shell\runas\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\rns.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\.exe\shell\start\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\rns.exe N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\exefile\shell\start\command C:\Users\Admin\AppData\Local\rns.exe N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\.exe\shell C:\Users\Admin\AppData\Local\rns.exe N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\.exe\shell\runas C:\Users\Admin\AppData\Local\rns.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\.exe\shell\runas\command\IsolatedCommand = "\"%1\" %*" C:\Users\Admin\AppData\Local\rns.exe N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\exefile C:\Users\Admin\AppData\Local\rns.exe N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\exefile\DefaultIcon C:\Users\Admin\AppData\Local\rns.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\exefile\shell\runas\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\rns.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\.exe\ = "exefile" C:\Users\Admin\AppData\Local\rns.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\.exe\DefaultIcon\ = "%1" C:\Users\Admin\AppData\Local\rns.exe N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\.exe\shell\open C:\Users\Admin\AppData\Local\rns.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\exefile\ = "Application" C:\Users\Admin\AppData\Local\rns.exe N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\exefile\shell C:\Users\Admin\AppData\Local\rns.exe N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\exefile\shell\open C:\Users\Admin\AppData\Local\rns.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\exefile\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\rns.exe\" -a \"%1\" %*" C:\Users\Admin\AppData\Local\rns.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\explorer.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2176 wrote to memory of 2204 N/A C:\Users\Admin\AppData\Local\Temp\2557a73fd749fd202674f8f8c0f0ac3b_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\hfklgv.exe
PID 2176 wrote to memory of 2204 N/A C:\Users\Admin\AppData\Local\Temp\2557a73fd749fd202674f8f8c0f0ac3b_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\hfklgv.exe
PID 2176 wrote to memory of 2204 N/A C:\Users\Admin\AppData\Local\Temp\2557a73fd749fd202674f8f8c0f0ac3b_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\hfklgv.exe
PID 2176 wrote to memory of 2204 N/A C:\Users\Admin\AppData\Local\Temp\2557a73fd749fd202674f8f8c0f0ac3b_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\hfklgv.exe
PID 2176 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\2557a73fd749fd202674f8f8c0f0ac3b_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\hfxtc.exe
PID 2176 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\2557a73fd749fd202674f8f8c0f0ac3b_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\hfxtc.exe
PID 2176 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\2557a73fd749fd202674f8f8c0f0ac3b_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\hfxtc.exe
PID 2176 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\2557a73fd749fd202674f8f8c0f0ac3b_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\hfxtc.exe
PID 2204 wrote to memory of 2768 N/A C:\Users\Admin\AppData\Local\Temp\hfklgv.exe C:\Users\Admin\AppData\Local\rns.exe
PID 2204 wrote to memory of 2768 N/A C:\Users\Admin\AppData\Local\Temp\hfklgv.exe C:\Users\Admin\AppData\Local\rns.exe
PID 2204 wrote to memory of 2768 N/A C:\Users\Admin\AppData\Local\Temp\hfklgv.exe C:\Users\Admin\AppData\Local\rns.exe
PID 2204 wrote to memory of 2768 N/A C:\Users\Admin\AppData\Local\Temp\hfklgv.exe C:\Users\Admin\AppData\Local\rns.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\2557a73fd749fd202674f8f8c0f0ac3b_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\2557a73fd749fd202674f8f8c0f0ac3b_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\hfklgv.exe

C:\Users\Admin\AppData\Local\Temp\hfklgv.exe

C:\Users\Admin\AppData\Local\Temp\hfxtc.exe

C:\Users\Admin\AppData\Local\Temp\hfxtc.exe

C:\Users\Admin\AppData\Local\rns.exe

"C:\Users\Admin\AppData\Local\rns.exe" -gav C:\Users\Admin\AppData\Local\Temp\hfklgv.exe

C:\Windows\explorer.exe

explorer.exe

Network

Country Destination Domain Proto
PL 195.14.112.138:80 tcp
US 8.8.8.8:53 nipygevydor.com udp
US 8.8.8.8:53 sumywygifi.com udp
US 8.8.8.8:53 pogavoliqamyb.com udp
US 8.8.8.8:53 xijifilunaq.com udp
US 8.8.8.8:53 fakiwijow.com udp
US 8.8.8.8:53 qehynytezyn.com udp
US 8.8.8.8:53 ryqixafumigeqe.com udp
US 8.8.8.8:53 bodylarozityd.com udp
US 8.8.8.8:53 dotecukihilavy.com udp
US 8.8.8.8:53 zyfovubyv.com udp
US 8.8.8.8:53 qiculeqity.com udp
US 8.8.8.8:53 xojalyfudux.com udp
US 8.8.8.8:53 tewitavubu.com udp
US 8.8.8.8:53 sewibonypar.com udp
US 8.8.8.8:53 wipujuvajyr.com udp
US 8.8.8.8:53 socihizizacowo.com udp
US 8.8.8.8:53 jicohewihihot.com udp
US 8.8.8.8:53 daralytagyc.com udp
US 8.8.8.8:53 tygemimarowic.com udp
US 8.8.8.8:53 poquwaluj.com udp
US 8.8.8.8:53 tyfifopojax.com udp
US 8.8.8.8:53 pududigulerewy.com udp
US 8.8.8.8:53 timypahisoxur.com udp
US 8.8.8.8:53 jafuwadycylew.com udp
US 8.8.8.8:53 wygehasunupi.com udp
US 8.8.8.8:53 xofokusutecyd.com udp
US 8.8.8.8:53 gofegucobeqevi.com udp
US 8.8.8.8:53 hiqalotajadyfa.com udp
US 8.8.8.8:53 wywenybazyxyq.com udp
US 8.8.8.8:53 jiqixylexut.com udp
US 8.8.8.8:53 microsoft.com udp
US 8.8.8.8:53 microsoft.com udp
US 8.8.8.8:53 microsoft.com udp
US 8.8.8.8:53 microsoft.com udp
US 8.8.8.8:53 microsoft.com udp
US 8.8.8.8:53 microsoft.com udp
US 8.8.8.8:53 microsoft.com udp
US 8.8.8.8:53 microsoft.com udp
US 8.8.8.8:53 microsoft.com udp
US 8.8.8.8:53 microsoft.com udp
US 8.8.8.8:53 microsoft.com udp
US 8.8.8.8:53 microsoft.com udp
US 20.231.239.246:80 microsoft.com tcp
NL 20.76.201.171:80 microsoft.com tcp
AU 20.70.246.20:80 microsoft.com tcp
AU 20.70.246.20:80 microsoft.com tcp
AU 20.70.246.20:80 microsoft.com tcp
AU 20.70.246.20:80 microsoft.com tcp
AU 20.70.246.20:80 microsoft.com tcp
NL 20.76.201.171:80 microsoft.com tcp
US 20.231.239.246:80 microsoft.com tcp
US 20.236.44.162:80 microsoft.com tcp
NL 20.76.201.171:80 microsoft.com tcp
AU 20.70.246.20:80 microsoft.com tcp
US 20.112.250.133:80 microsoft.com tcp
US 20.112.250.133:80 microsoft.com tcp
NL 20.76.201.171:80 microsoft.com tcp
NL 20.76.201.171:80 microsoft.com tcp
NL 20.76.201.171:80 microsoft.com tcp
NL 20.76.201.171:80 microsoft.com tcp
NL 20.76.201.171:80 microsoft.com tcp
NL 20.76.201.171:80 microsoft.com tcp
NL 20.76.201.171:80 microsoft.com tcp
NL 20.76.201.171:80 microsoft.com tcp
NL 20.76.201.171:80 microsoft.com tcp
NL 20.76.201.171:80 microsoft.com tcp
NL 20.76.201.171:80 microsoft.com tcp
NL 20.76.201.171:80 microsoft.com tcp
NL 20.76.201.171:80 microsoft.com tcp
NL 20.76.201.171:80 microsoft.com tcp
NL 20.76.201.171:80 microsoft.com tcp
NL 20.76.201.171:80 microsoft.com tcp
US 8.8.8.8:53 mixolyzegito.com udp
US 8.8.8.8:53 fehosoxukyk.com udp
PL 195.14.112.138:80 tcp
US 8.8.8.8:53 lofocigeced.com udp
US 8.8.8.8:53 bipojizikagec.com udp
US 8.8.8.8:53 sonewenazo.com udp
PL 195.14.112.139:80 tcp
US 8.8.8.8:53 warupegacotate.com udp
US 8.8.8.8:53 zenybijywyrade.com udp
US 8.8.8.8:53 rohyjikyf.com udp
US 8.8.8.8:53 dexiwotenelex.com udp
PL 195.14.112.139:80 tcp
US 8.8.8.8:53 noqukadifoxe.com udp
US 8.8.8.8:53 fudejivuqaran.com udp
US 8.8.8.8:53 mijynujidyl.com udp
US 8.8.8.8:53 cilywelohy.com udp
US 8.8.8.8:53 wobyfyvovafew.com udp
US 8.8.8.8:53 lopibobuheqixi.com udp
US 8.8.8.8:53 nevehaqyxixocu.com udp
US 8.8.8.8:53 wewibolyxov.com udp
US 8.8.8.8:53 vivigozymekox.com udp
US 8.8.8.8:53 qyzywapoz.com udp
US 8.8.8.8:53 pozimetycurenu.com udp
US 8.8.8.8:53 jyxyvikujeq.com udp
US 8.8.8.8:53 zutiqasinexoq.com udp
US 8.8.8.8:53 taxigibyz.com udp

Files

\Users\Admin\AppData\Local\Temp\hfklgv.exe

MD5 0cd854e4380de181951372c320136919
SHA1 89502a6befb16d498f61f57215baccebd717e567
SHA256 64778c6aac868f7e8045eebae2ca46fa1055e72e8f704e22af1cf578483000fd
SHA512 3d992c53057d106d5b3dee4344520c30080c27db913fc1416d5765a7d97845d27fa73f9f377c31e959defba2c87f5d18592479a5d0b1caf085f10ed260b2fc93

\Users\Admin\AppData\Local\Temp\hfxtc.exe

MD5 8c2b92f4501cdf89da5cc423f15637c3
SHA1 0c00cf4333ac32e1a67a03c5fcd0901f62457748
SHA256 042789f89758454e8e4d3dbb791950ac1b96d58f0d0d7d5df3eba11d0f878750
SHA512 d782ae851dc1f68f14fb0b40ef1a42e916fd289cc21cc1352396592282db20ac49dc8833c424c4cf3be35401e188f8575abeed518719fa89638af4a7a4e05adb

memory/2204-13-0x00000000003D0000-0x00000000003DB000-memory.dmp

memory/2204-14-0x0000000000400000-0x00000000005F7000-memory.dmp

memory/2204-16-0x0000000000400000-0x00000000005F7000-memory.dmp

memory/2204-15-0x0000000000401000-0x00000000005F0000-memory.dmp

memory/2808-17-0x0000000000400000-0x0000000000422000-memory.dmp

memory/2808-18-0x0000000000320000-0x0000000000342000-memory.dmp

memory/2808-23-0x0000000000400000-0x0000000000422000-memory.dmp

memory/2204-33-0x0000000000400000-0x00000000005F7000-memory.dmp

memory/2204-32-0x0000000000401000-0x00000000005F0000-memory.dmp

memory/2808-35-0x0000000000400000-0x0000000000422000-memory.dmp

memory/2768-36-0x0000000000400000-0x00000000005F7000-memory.dmp

memory/2768-38-0x0000000000400000-0x00000000005F7000-memory.dmp

memory/2768-40-0x0000000000400000-0x00000000005F7000-memory.dmp

memory/2768-42-0x0000000000400000-0x00000000005F7000-memory.dmp

memory/2768-44-0x0000000000400000-0x00000000005F7000-memory.dmp

memory/2768-49-0x0000000000400000-0x00000000005F7000-memory.dmp

memory/2768-51-0x0000000000400000-0x00000000005F7000-memory.dmp

memory/2768-54-0x0000000000400000-0x00000000005F7000-memory.dmp

memory/2768-55-0x0000000000400000-0x00000000005F7000-memory.dmp

memory/2768-56-0x0000000000400000-0x00000000005F7000-memory.dmp

memory/2768-57-0x0000000000400000-0x00000000005F7000-memory.dmp

memory/2768-58-0x0000000000400000-0x00000000005F7000-memory.dmp

memory/2644-59-0x0000000002670000-0x0000000002680000-memory.dmp

memory/2768-60-0x0000000000400000-0x00000000005F7000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-04 08:53

Reported

2024-07-04 08:55

Platform

win10v2004-20240611-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2557a73fd749fd202674f8f8c0f0ac3b_JaffaCakes118.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\2557a73fd749fd202674f8f8c0f0ac3b_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\2557a73fd749fd202674f8f8c0f0ac3b_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\ktdlmfj.exe

C:\Users\Admin\AppData\Local\Temp\ktdlmfj.exe

C:\Users\Admin\AppData\Local\Temp\apme.exe

C:\Users\Admin\AppData\Local\Temp\apme.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
PL 195.14.112.138:80 tcp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
GB 184.28.176.75:443 www.bing.com tcp
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 75.176.28.184.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
PL 195.14.112.139:80 tcp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 45.56.20.217.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 14.179.89.13.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\ktdlmfj.exe

MD5 0cd854e4380de181951372c320136919
SHA1 89502a6befb16d498f61f57215baccebd717e567
SHA256 64778c6aac868f7e8045eebae2ca46fa1055e72e8f704e22af1cf578483000fd
SHA512 3d992c53057d106d5b3dee4344520c30080c27db913fc1416d5765a7d97845d27fa73f9f377c31e959defba2c87f5d18592479a5d0b1caf085f10ed260b2fc93

C:\Users\Admin\AppData\Local\Temp\apme.exe

MD5 8c2b92f4501cdf89da5cc423f15637c3
SHA1 0c00cf4333ac32e1a67a03c5fcd0901f62457748
SHA256 042789f89758454e8e4d3dbb791950ac1b96d58f0d0d7d5df3eba11d0f878750
SHA512 d782ae851dc1f68f14fb0b40ef1a42e916fd289cc21cc1352396592282db20ac49dc8833c424c4cf3be35401e188f8575abeed518719fa89638af4a7a4e05adb

memory/1916-9-0x0000000000400000-0x00000000005F7000-memory.dmp

memory/1916-11-0x0000000000400000-0x00000000005F7000-memory.dmp

memory/1916-10-0x0000000000401000-0x00000000005F0000-memory.dmp

memory/1916-8-0x0000000000770000-0x000000000077B000-memory.dmp

memory/4508-12-0x0000000000400000-0x0000000000422000-memory.dmp

memory/4508-13-0x0000000000190000-0x00000000001B2000-memory.dmp

memory/4508-18-0x0000000000400000-0x0000000000422000-memory.dmp

memory/1916-19-0x0000000000400000-0x00000000005F7000-memory.dmp

memory/1916-21-0x0000000000401000-0x00000000005F0000-memory.dmp