Analysis Overview
SHA256
83687b2ce96cb5425e6649be9b6b018e2286b88b1489be2a5102d9f744cd9c5a
Threat Level: Known bad
The file 2557a73fd749fd202674f8f8c0f0ac3b_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
MetaSploit
Disables taskbar notifications via registry modification
Boot or Logon Autostart Execution: Active Setup
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Modifies system executable filetype association
Adds Run key to start application
Unsigned PE
Suspicious behavior: GetForegroundWindowSpam
Modifies registry class
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-07-04 08:53
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-07-04 08:53
Reported
2024-07-04 08:55
Platform
win7-20240611-en
Max time kernel
147s
Max time network
151s
Command Line
Signatures
MetaSploit
Boot or Logon Autostart Execution: Active Setup
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Active Setup\Installed Components | C:\Windows\explorer.exe | N/A |
Disables taskbar notifications via registry modification
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\hfklgv.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\hfxtc.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\rns.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| 3 identical events | N/A | C:\Users\Admin\AppData\Local\Temp\2557a73fd749fd202674f8f8c0f0ac3b_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\hfklgv.exe | N/A |
Modifies system executable filetype association
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\exefile\shell\open | C:\Users\Admin\AppData\Local\rns.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\exefile\shell\open\command\IsolatedCommand = "\"%1\" %*" | C:\Users\Admin\AppData\Local\rns.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\exefile\shell\runas\command\IsolatedCommand = "\"%1\" %*" | C:\Users\Admin\AppData\Local\rns.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\exefile\shell\start\command | C:\Users\Admin\AppData\Local\rns.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\exefile\shell\start\command\ = "\"%1\" %*" | C:\Users\Admin\AppData\Local\rns.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\exefile\shell\start\command\IsolatedCommand = "\"%1\" %*" | C:\Users\Admin\AppData\Local\rns.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\exefile\DefaultIcon\ = "%1" | C:\Users\Admin\AppData\Local\rns.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\exefile\shell | C:\Users\Admin\AppData\Local\rns.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\exefile\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\rns.exe\" -a \"%1\" %*" | C:\Users\Admin\AppData\Local\rns.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\exefile\shell\runas\command\ = "\"%1\" %*" | C:\Users\Admin\AppData\Local\rns.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\exefile\shell\start | C:\Users\Admin\AppData\Local\rns.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\exefile\ = "Application" | C:\Users\Admin\AppData\Local\rns.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\exefile\Content Type = "application/x-msdownload" | C:\Users\Admin\AppData\Local\rns.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\exefile\DefaultIcon | C:\Users\Admin\AppData\Local\rns.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\exefile\shell\open\command | C:\Users\Admin\AppData\Local\rns.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\exefile\shell\runas | C:\Users\Admin\AppData\Local\rns.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\exefile\shell\runas\command | C:\Users\Admin\AppData\Local\rns.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\ctfmon.exe = "C:\\WINDOWS\\system32\\ctfmon.exe" | C:\Users\Admin\AppData\Local\rns.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\.exe\shell\runas\command | C:\Users\Admin\AppData\Local\rns.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\.exe\shell\start\command\IsolatedCommand = "\"%1\" %*" | C:\Users\Admin\AppData\Local\rns.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\exefile\Content Type = "application/x-msdownload" | C:\Users\Admin\AppData\Local\rns.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\exefile\shell\start\command\ = "\"%1\" %*" | C:\Users\Admin\AppData\Local\rns.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\.exe | C:\Users\Admin\AppData\Local\rns.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\.exe\shell\start | C:\Users\Admin\AppData\Local\rns.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\exefile\shell\runas | C:\Users\Admin\AppData\Local\rns.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\exefile\shell\start | C:\Users\Admin\AppData\Local\rns.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\exefile\shell\start\command\IsolatedCommand = "\"%1\" %*" | C:\Users\Admin\AppData\Local\rns.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\.exe\DefaultIcon | C:\Users\Admin\AppData\Local\rns.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\exefile\shell\runas\command | C:\Users\Admin\AppData\Local\rns.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\.exe\shell\open\command | C:\Users\Admin\AppData\Local\rns.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\exefile\shell\runas\command\IsolatedCommand = "\"%1\" %*" | C:\Users\Admin\AppData\Local\rns.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_Classes\Local Settings | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell | C:\Windows\explorer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\.exe\Content Type = "application/x-msdownload" | C:\Users\Admin\AppData\Local\rns.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\.exe\shell\start\command | C:\Users\Admin\AppData\Local\rns.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\exefile\DefaultIcon\ = "%1" | C:\Users\Admin\AppData\Local\rns.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\exefile\shell\open\command | C:\Users\Admin\AppData\Local\rns.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\exefile\shell\open\command\IsolatedCommand = "\"%1\" %*" | C:\Users\Admin\AppData\Local\rns.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\.exe\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\rns.exe\" -a \"%1\" %*" | C:\Users\Admin\AppData\Local\rns.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\.exe\shell\open\command\IsolatedCommand = "\"%1\" %*" | C:\Users\Admin\AppData\Local\rns.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\.exe\shell\runas\command\ = "\"%1\" %*" | C:\Users\Admin\AppData\Local\rns.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\.exe\shell\start\command\ = "\"%1\" %*" | C:\Users\Admin\AppData\Local\rns.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\exefile\shell\start\command | C:\Users\Admin\AppData\Local\rns.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\.exe\shell | C:\Users\Admin\AppData\Local\rns.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\.exe\shell\runas | C:\Users\Admin\AppData\Local\rns.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\.exe\shell\runas\command\IsolatedCommand = "\"%1\" %*" | C:\Users\Admin\AppData\Local\rns.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\exefile | C:\Users\Admin\AppData\Local\rns.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\exefile\DefaultIcon | C:\Users\Admin\AppData\Local\rns.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\exefile\shell\runas\command\ = "\"%1\" %*" | C:\Users\Admin\AppData\Local\rns.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\.exe\ = "exefile" | C:\Users\Admin\AppData\Local\rns.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\.exe\DefaultIcon\ = "%1" | C:\Users\Admin\AppData\Local\rns.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\.exe\shell\open | C:\Users\Admin\AppData\Local\rns.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\exefile\ = "Application" | C:\Users\Admin\AppData\Local\rns.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\exefile\shell | C:\Users\Admin\AppData\Local\rns.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\exefile\shell\open | C:\Users\Admin\AppData\Local\rns.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\exefile\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\rns.exe\" -a \"%1\" %*" | C:\Users\Admin\AppData\Local\rns.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| 9 identical events | N/A | C:\Users\Admin\AppData\Local\Temp\hfklgv.exe | N/A |
| 5 identical events | N/A | C:\Users\Admin\AppData\Local\rns.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeShutdownPrivilege (19 identical events) | N/A | C:\Windows\explorer.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| 23 identical events | N/A | C:\Windows\explorer.exe | N/A |
| 2 identical events | N/A | C:\Users\Admin\AppData\Local\rns.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\2557a73fd749fd202674f8f8c0f0ac3b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2557a73fd749fd202674f8f8c0f0ac3b_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\hfklgv.exe
C:\Users\Admin\AppData\Local\Temp\hfklgv.exe
C:\Users\Admin\AppData\Local\Temp\hfxtc.exe
C:\Users\Admin\AppData\Local\Temp\hfxtc.exe
C:\Users\Admin\AppData\Local\rns.exe
"C:\Users\Admin\AppData\Local\rns.exe" -gav C:\Users\Admin\AppData\Local\Temp\hfklgv.exe
C:\Windows\explorer.exe
explorer.exe
Network
Files
\Users\Admin\AppData\Local\Temp\hfklgv.exe
| MD5 | 0cd854e4380de181951372c320136919 |
| SHA1 | 89502a6befb16d498f61f57215baccebd717e567 |
| SHA256 | 64778c6aac868f7e8045eebae2ca46fa1055e72e8f704e22af1cf578483000fd |
| SHA512 | 3d992c53057d106d5b3dee4344520c30080c27db913fc1416d5765a7d97845d27fa73f9f377c31e959defba2c87f5d18592479a5d0b1caf085f10ed260b2fc93 |
\Users\Admin\AppData\Local\Temp\hfxtc.exe
| MD5 | 8c2b92f4501cdf89da5cc423f15637c3 |
| SHA1 | 0c00cf4333ac32e1a67a03c5fcd0901f62457748 |
| SHA256 | 042789f89758454e8e4d3dbb791950ac1b96d58f0d0d7d5df3eba11d0f878750 |
| SHA512 | d782ae851dc1f68f14fb0b40ef1a42e916fd289cc21cc1352396592282db20ac49dc8833c424c4cf3be35401e188f8575abeed518719fa89638af4a7a4e05adb |
Analysis: behavioral2
Detonation Overview
Submitted
2024-07-04 08:53
Reported
2024-07-04 08:55
Platform
win10v2004-20240611-en
Max time kernel
149s
Max time network
150s
Command Line
Signatures
MetaSploit
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ktdlmfj.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\apme.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2557a73fd749fd202674f8f8c0f0ac3b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2557a73fd749fd202674f8f8c0f0ac3b_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\ktdlmfj.exe
C:\Users\Admin\AppData\Local\Temp\ktdlmfj.exe
C:\Users\Admin\AppData\Local\Temp\apme.exe
C:\Users\Admin\AppData\Local\Temp\apme.exe
Network
Files
C:\Users\Admin\AppData\Local\Temp\ktdlmfj.exe
| MD5 | 0cd854e4380de181951372c320136919 |
| SHA1 | 89502a6befb16d498f61f57215baccebd717e567 |
| SHA256 | 64778c6aac868f7e8045eebae2ca46fa1055e72e8f704e22af1cf578483000fd |
| SHA512 | 3d992c53057d106d5b3dee4344520c30080c27db913fc1416d5765a7d97845d27fa73f9f377c31e959defba2c87f5d18592479a5d0b1caf085f10ed260b2fc93 |
C:\Users\Admin\AppData\Local\Temp\apme.exe
| MD5 | 8c2b92f4501cdf89da5cc423f15637c3 |
| SHA1 | 0c00cf4333ac32e1a67a03c5fcd0901f62457748 |
| SHA256 | 042789f89758454e8e4d3dbb791950ac1b96d58f0d0d7d5df3eba11d0f878750 |
| SHA512 | d782ae851dc1f68f14fb0b40ef1a42e916fd289cc21cc1352396592282db20ac49dc8833c424c4cf3be35401e188f8575abeed518719fa89638af4a7a4e05adb |