Analysis Overview
SHA256
0e0fdd23417c75d5be7d7b3ffc60231253412cdf740a1ec40fe7e5cac95ab4da
Threat Level: Known bad
The file 2597fef3521a6e95b68b17de972898cb_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
MetaSploit
Executes dropped EXE
Loads dropped DLL
Drops file in System32 directory
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-07-04 16:58
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
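The static1 signature above says only that no Authenticode signature is attached to the file. The script below, added here as an example and not part of the sandbox's tooling, shows what that check looks like at the PE level: it reads the IMAGE_DIRECTORY_ENTRY_SECURITY data directory (index 4, which sits at a different offset in PE32 and PE32+ optional headers) and the WIN_CERTIFICATE header it points at. Because the sample's bytes are not on this page, a constructed minimal PE stands in for it. Note the limit of the check: it reports whether a PKCS#7 SignedData blob is attached, not whether the signature verifies or the signer is trusted.

```python
"""Authenticode presence check at the PE-header level (added example; standard
library only).  It reports whether a signature blob is attached, not whether
the signature verifies or the signer is trusted."""
import struct

PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B
IMAGE_DIRECTORY_ENTRY_SECURITY = 4          # index into the data directory table
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002     # WIN_CERTIFICATE.wCertificateType for Authenticode


def security_directory(pe):
    """Return (file_offset, size) of the security directory, or None when the
    bytes are not a PE32/PE32+ image.  Unlike other directories, the first
    field of this entry is a raw file offset, not an RVA."""
    try:
        if pe[:2] != b"MZ":
            return None
        e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
        if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
            return None
        coff = e_lfanew + 4
        size_of_optional = struct.unpack_from("<H", pe, coff + 16)[0]
        opt = coff + 20
        magic = struct.unpack_from("<H", pe, opt)[0]
        if magic == PE32_MAGIC:
            count_off, dirs_off = 92, 96        # NumberOfRvaAndSizes, first directory
        elif magic == PE32PLUS_MAGIC:
            count_off, dirs_off = 108, 112
        else:
            return None
        count = struct.unpack_from("<I", pe, opt + count_off)[0]
        entry = dirs_off + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY
        if count <= IMAGE_DIRECTORY_ENTRY_SECURITY or entry + 8 > size_of_optional:
            return (0, 0)                        # table too short to hold a security entry
        return struct.unpack_from("<II", pe, opt + entry)
    except struct.error:                         # truncated header
        return None


def is_signed(pe):
    """True when the security directory points at an in-file WIN_CERTIFICATE
    of type PKCS#7 SignedData.  A True result is the starting point for
    signature verification, not a trust decision."""
    directory = security_directory(pe)
    if not directory:
        return False
    offset, size = directory
    if offset == 0 or size < 8 or offset + size > len(pe):
        return False
    length, _revision, cert_type = struct.unpack_from("<IHH", pe, offset)
    return length <= size and cert_type == WIN_CERT_TYPE_PKCS_SIGNED_DATA


def build_minimal_pe(pe32plus=False, signed=False):
    """Constructed fixture (not the sample on this page): DOS header, PE
    signature, COFF header, optional header with 16 empty data directories,
    no sections, optionally followed by a dummy WIN_CERTIFICATE."""
    opt_len = 240 if pe32plus else 224
    header_len = 0x40 + 4 + 20 + opt_len
    cert = b""
    if signed:
        cert = struct.pack("<IHH", 24, 0x0200, WIN_CERT_TYPE_PKCS_SIGNED_DATA) + bytes(16)
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                     # e_lfanew
    machine = 0x8664 if pe32plus else 0x14C
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, opt_len, 0x0102)
    opt = bytearray(opt_len)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC if pe32plus else PE32_MAGIC)
    count_off, dirs_off = (108, 112) if pe32plus else (92, 96)
    struct.pack_into("<I", opt, count_off, 16)
    struct.pack_into("<II", opt, dirs_off + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY,
                     header_len if signed else 0, len(cert))
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + cert


if __name__ == "__main__":
    for label, pe in (("PE32 unsigned", build_minimal_pe()),
                      ("PE32 signed", build_minimal_pe(signed=True)),
                      ("PE32+ signed", build_minimal_pe(pe32plus=True, signed=True))):
        print(f"{label}: security directory={security_directory(pe)} signed={is_signed(pe)}")
```

On a real file, read it with `open(path, "rb").read()` and pass the bytes to `is_signed`; a file that returns True still needs chain validation (on Windows, `Get-AuthenticodeSignature` or `signtool verify`) before the signature counts for anything.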
Analysis: behavioral1
Detonation Overview
Submitted
2024-07-04 16:58
Reported
2024-07-04 17:10
Platform
win7-20240220-en
Max time kernel
148s
Max time network
122s
Command Line
Signatures
MetaSploit
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\autoformat.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\autoformat.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\autoformat.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\autoformat.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\autoformat.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2597fef3521a6e95b68b17de972898cb_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2597fef3521a6e95b68b17de972898cb_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\autoformat.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\autoformat.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\autoformat.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\autoformat.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\autoformat.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\autoformat.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\autoformat.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\autoformat.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\autoformat.exe | C:\Users\Admin\AppData\Local\Temp\2597fef3521a6e95b68b17de972898cb_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\autoformat.exe | C:\Users\Admin\AppData\Local\Temp\2597fef3521a6e95b68b17de972898cb_JaffaCakes118.exe | N/A |
| File created | C:\Windows\SysWOW64\autoformat.exe | C:\Windows\SysWOW64\autoformat.exe | N/A |
| File created | C:\Windows\SysWOW64\autoformat.exe | C:\Windows\SysWOW64\autoformat.exe | N/A |
| File created | C:\Windows\SysWOW64\autoformat.exe | C:\Windows\SysWOW64\autoformat.exe | N/A |
| File created | C:\Windows\SysWOW64\autoformat.exe | C:\Windows\SysWOW64\autoformat.exe | N/A |
| File created | C:\Windows\SysWOW64\autoformat.exe | C:\Windows\SysWOW64\autoformat.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2597fef3521a6e95b68b17de972898cb_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2597fef3521a6e95b68b17de972898cb_JaffaCakes118.exe"
C:\Windows\SysWOW64\autoformat.exe
C:\Windows\system32\autoformat.exe -bai C:\Users\Admin\AppData\Local\Temp\2597fef3521a6e95b68b17de972898cb_JaffaCakes118.exe
C:\Windows\SysWOW64\autoformat.exe
C:\Windows\system32\autoformat.exe -bai C:\Windows\SysWOW64\autoformat.exe
C:\Windows\SysWOW64\autoformat.exe
C:\Windows\system32\autoformat.exe -bai C:\Windows\SysWOW64\autoformat.exe
C:\Windows\SysWOW64\autoformat.exe
C:\Windows\system32\autoformat.exe -bai C:\Windows\SysWOW64\autoformat.exe
C:\Windows\SysWOW64\autoformat.exe
C:\Windows\system32\autoformat.exe -bai C:\Windows\SysWOW64\autoformat.exe
Network
Files
memory/3040-1-0x0000000000390000-0x00000000003DB000-memory.dmp
memory/3040-0-0x0000000000400000-0x000000000058A000-memory.dmp
memory/3040-14-0x0000000002870000-0x0000000002872000-memory.dmp
memory/3040-13-0x0000000002880000-0x0000000002885000-memory.dmp
memory/3040-12-0x0000000002880000-0x0000000002881000-memory.dmp
memory/3040-22-0x0000000000610000-0x0000000000611000-memory.dmp
memory/3040-64-0x0000000000610000-0x0000000000611000-memory.dmp
memory/3040-63-0x0000000000610000-0x0000000000611000-memory.dmp
memory/3040-62-0x0000000000610000-0x0000000000611000-memory.dmp
memory/3040-61-0x0000000000610000-0x0000000000611000-memory.dmp
memory/3040-60-0x0000000000610000-0x0000000000611000-memory.dmp
memory/3040-59-0x0000000000610000-0x0000000000611000-memory.dmp
memory/3040-58-0x0000000000610000-0x0000000000611000-memory.dmp
memory/3040-57-0x0000000000610000-0x0000000000611000-memory.dmp
memory/3040-56-0x0000000000610000-0x0000000000611000-memory.dmp
memory/3040-55-0x0000000000610000-0x0000000000611000-memory.dmp
memory/3040-54-0x0000000000610000-0x0000000000611000-memory.dmp
memory/3040-53-0x0000000000610000-0x0000000000611000-memory.dmp
memory/3040-52-0x0000000000610000-0x0000000000611000-memory.dmp
memory/3040-51-0x0000000000610000-0x0000000000611000-memory.dmp
memory/3040-50-0x0000000000610000-0x0000000000611000-memory.dmp
memory/3040-49-0x0000000000610000-0x0000000000611000-memory.dmp
memory/3040-48-0x0000000000610000-0x0000000000611000-memory.dmp
memory/3040-47-0x0000000000610000-0x0000000000611000-memory.dmp
memory/3040-46-0x0000000000610000-0x0000000000611000-memory.dmp
memory/3040-45-0x0000000000610000-0x0000000000611000-memory.dmp
memory/3040-44-0x0000000000610000-0x0000000000611000-memory.dmp
memory/3040-43-0x0000000002390000-0x0000000002391000-memory.dmp
memory/3040-42-0x0000000002390000-0x0000000002391000-memory.dmp
memory/3040-41-0x0000000002390000-0x0000000002391000-memory.dmp
memory/3040-40-0x0000000002390000-0x0000000002391000-memory.dmp
memory/3040-39-0x0000000002390000-0x0000000002391000-memory.dmp
memory/3040-38-0x0000000002390000-0x0000000002391000-memory.dmp
memory/3040-37-0x0000000002390000-0x0000000002391000-memory.dmp
memory/3040-36-0x0000000000610000-0x0000000000611000-memory.dmp
memory/3040-35-0x0000000000610000-0x0000000000611000-memory.dmp
memory/3040-34-0x0000000000610000-0x0000000000611000-memory.dmp
memory/3040-33-0x0000000000610000-0x0000000000611000-memory.dmp
memory/3040-32-0x0000000000610000-0x0000000000611000-memory.dmp
memory/3040-31-0x0000000000610000-0x0000000000611000-memory.dmp
memory/3040-30-0x0000000000610000-0x0000000000611000-memory.dmp
memory/3040-29-0x0000000000610000-0x0000000000611000-memory.dmp
memory/3040-28-0x0000000000610000-0x0000000000611000-memory.dmp
memory/3040-27-0x0000000000610000-0x0000000000611000-memory.dmp
memory/3040-26-0x0000000000610000-0x0000000000611000-memory.dmp
memory/3040-25-0x0000000000610000-0x0000000000611000-memory.dmp
memory/3040-24-0x0000000000610000-0x0000000000611000-memory.dmp
memory/3040-23-0x0000000000610000-0x0000000000611000-memory.dmp
memory/3040-21-0x0000000000610000-0x0000000000611000-memory.dmp
memory/3040-20-0x0000000000610000-0x0000000000611000-memory.dmp
memory/3040-19-0x0000000000610000-0x0000000000611000-memory.dmp
memory/3040-18-0x00000000028E0000-0x00000000028E1000-memory.dmp
memory/3040-17-0x0000000000610000-0x0000000000611000-memory.dmp
memory/3040-16-0x00000000028D0000-0x00000000028D1000-memory.dmp
memory/3040-15-0x00000000028F0000-0x00000000029F0000-memory.dmp
memory/3040-11-0x0000000002880000-0x0000000002881000-memory.dmp
memory/3040-10-0x0000000000630000-0x0000000000631000-memory.dmp
memory/3040-9-0x0000000002880000-0x0000000002881000-memory.dmp
memory/3040-8-0x0000000002340000-0x0000000002341000-memory.dmp
memory/3040-7-0x0000000002880000-0x0000000002881000-memory.dmp
memory/3040-6-0x0000000000640000-0x0000000000641000-memory.dmp
memory/3040-5-0x0000000002370000-0x0000000002371000-memory.dmp
memory/3040-4-0x0000000000620000-0x0000000000621000-memory.dmp
memory/3040-3-0x0000000002360000-0x0000000002361000-memory.dmp
memory/3040-2-0x0000000002330000-0x0000000002331000-memory.dmp
memory/3040-66-0x0000000000230000-0x0000000000231000-memory.dmp
memory/3040-67-0x0000000000300000-0x0000000000301000-memory.dmp
memory/3040-65-0x0000000002890000-0x0000000002891000-memory.dmp
memory/3040-68-0x00000000028A0000-0x00000000028A1000-memory.dmp
memory/3040-70-0x00000000028B0000-0x00000000028B1000-memory.dmp
memory/3040-69-0x00000000028C0000-0x00000000028C1000-memory.dmp
\Windows\SysWOW64\autoformat.exe
| MD5 | 2597fef3521a6e95b68b17de972898cb |
| SHA1 | b360e70b65ba38aba1b754221c820487bb0c2338 |
| SHA256 | 0e0fdd23417c75d5be7d7b3ffc60231253412cdf740a1ec40fe7e5cac95ab4da |
| SHA512 | e659ed62f6fe81cb22e0d77fc9a3dea6a616ddf2f464843e52acf1552ecd6259b6aa3f37c526fab0a03697eaf72f820418a9ee6c94de0ba16a0cdaa66b7c8bfe |
memory/3040-73-0x0000000002C70000-0x0000000002DFA000-memory.dmp
memory/3040-81-0x0000000000390000-0x00000000003DB000-memory.dmp
memory/3040-80-0x0000000000400000-0x000000000058A000-memory.dmp
memory/2408-82-0x0000000000400000-0x000000000058A000-memory.dmp
memory/2408-84-0x0000000000400000-0x000000000058A000-memory.dmp
memory/2408-90-0x0000000000400000-0x000000000058A000-memory.dmp
memory/768-91-0x0000000000400000-0x000000000058A000-memory.dmp
memory/768-92-0x0000000000400000-0x000000000058A000-memory.dmp
memory/1720-99-0x0000000000400000-0x000000000058A000-memory.dmp
memory/768-98-0x0000000000400000-0x000000000058A000-memory.dmp
memory/1720-100-0x0000000000400000-0x000000000058A000-memory.dmp
memory/540-107-0x0000000000400000-0x000000000058A000-memory.dmp
memory/1720-105-0x0000000000400000-0x000000000058A000-memory.dmp
memory/540-108-0x0000000000400000-0x000000000058A000-memory.dmp
memory/540-113-0x0000000000400000-0x000000000058A000-memory.dmp
memory/1060-115-0x0000000000400000-0x000000000058A000-memory.dmp
memory/1060-116-0x0000000000400000-0x000000000058A000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-07-04 16:58
Reported
2024-07-04 17:14
Platform
win10v2004-20240611-en
Max time kernel
148s
Max time network
128s
Command Line
Signatures
MetaSploit
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\autoformat.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\autoformat.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\autoformat.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\autoformat.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\autoformat.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\autoformat.exe | C:\Users\Admin\AppData\Local\Temp\2597fef3521a6e95b68b17de972898cb_JaffaCakes118.exe | N/A |
| File created | C:\Windows\SysWOW64\autoformat.exe | C:\Windows\SysWOW64\autoformat.exe | N/A |
| File created | C:\Windows\SysWOW64\autoformat.exe | C:\Windows\SysWOW64\autoformat.exe | N/A |
| File created | C:\Windows\SysWOW64\autoformat.exe | C:\Windows\SysWOW64\autoformat.exe | N/A |
| File created | C:\Windows\SysWOW64\autoformat.exe | C:\Windows\SysWOW64\autoformat.exe | N/A |
| File created | C:\Windows\SysWOW64\autoformat.exe | C:\Windows\SysWOW64\autoformat.exe | N/A |
| File created | C:\Windows\SysWOW64\autoformat.exe | C:\Users\Admin\AppData\Local\Temp\2597fef3521a6e95b68b17de972898cb_JaffaCakes118.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2597fef3521a6e95b68b17de972898cb_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2597fef3521a6e95b68b17de972898cb_JaffaCakes118.exe"
C:\Windows\SysWOW64\autoformat.exe
C:\Windows\system32\autoformat.exe -bai C:\Users\Admin\AppData\Local\Temp\2597fef3521a6e95b68b17de972898cb_JaffaCakes118.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=3812,i,11751898164297348119,13021661521765644467,262144 --variations-seed-version --mojo-platform-channel-handle=4112 /prefetch:8
C:\Windows\SysWOW64\autoformat.exe
C:\Windows\system32\autoformat.exe -bai C:\Windows\SysWOW64\autoformat.exe
C:\Windows\SysWOW64\autoformat.exe
C:\Windows\system32\autoformat.exe -bai C:\Windows\SysWOW64\autoformat.exe
C:\Windows\SysWOW64\autoformat.exe
C:\Windows\system32\autoformat.exe -bai C:\Windows\SysWOW64\autoformat.exe
C:\Windows\SysWOW64\autoformat.exe
C:\Windows\system32\autoformat.exe -bai C:\Windows\SysWOW64\autoformat.exe
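In both detonations the command line of every child names C:\Windows\system32\autoformat.exe while the image actually runs from C:\Windows\SysWOW64: that is the WOW64 file system redirector rewriting the path, so the sample is a 32-bit process and its "System32" drop lands in SysWOW64 (which is why the "Drops file in System32 directory" indicator shows a SysWOW64 path). The dropped autoformat.exe carries the sample's own hashes (see Files), so "Executes dropped EXE" here means the sample relaunches a copy of itself, five times per run, each copy handed the path of the previous one after -bai. The meaning of -bai is not documented on this page; the script treats it only as a path argument. The script below is an added example, not sandbox output: it encodes those observations as checks over the process listings of both runs, transcribed inline (the msedge.exe command line is abridged), and the behavioral1 and behavioral2 listings are both covered by it.

```python
"""Checks over the process listings of both detonations (added example, not
sandbox output): WOW64 path redirection and the self-copy launch chain."""
from collections import Counter

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\2597fef3521a6e95b68b17de972898cb_JaffaCakes118.exe"
DROPPED = r"C:\Windows\SysWOW64\autoformat.exe"
MSEDGE = r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
SAMPLE_SHA256 = "0e0fdd23417c75d5be7d7b3ffc60231253412cdf740a1ec40fe7e5cac95ab4da"

# From the Files sections: the dropped autoformat.exe has the sample's own hashes.
KNOWN_HASHES = {SAMPLE.lower(): SAMPLE_SHA256, DROPPED.lower(): SAMPLE_SHA256}

# (image path, command line) pairs transcribed from the Processes listings.
RELAUNCH = r"C:\Windows\system32\autoformat.exe -bai "
BEHAVIORAL1 = [(SAMPLE, f'"{SAMPLE}"'), (DROPPED, RELAUNCH + SAMPLE)] + [(DROPPED, RELAUNCH + DROPPED)] * 4
BEHAVIORAL2 = [
    (SAMPLE, f'"{SAMPLE}"'),
    (DROPPED, RELAUNCH + SAMPLE),
    (MSEDGE, f'"{MSEDGE}" --type=utility --service-sandbox-type=asset_store_service'),  # abridged
] + [(DROPPED, RELAUNCH + DROPPED)] * 4


def split_cmdline(cmdline):
    """Split a Windows command line into (executable, args); the executable may
    be quoted.  Arguments are whitespace-split, which is enough for the paths
    on this page (none of the -bai targets contain spaces)."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        end = cmdline.index('"', 1)
        return cmdline[1:end], cmdline[end + 1:].split()
    head, *args = cmdline.split()
    return head, args


def wow64_redirected(image, exe):
    """The command line asked for \\Windows\\System32\\<name> but the image
    runs from \\Windows\\SysWOW64\\<name>: the file system redirector rewrote
    the path, which only happens to 32-bit processes on 64-bit Windows."""
    image, exe = image.lower(), exe.lower()
    return ("\\windows\\syswow64\\" in image and "\\windows\\system32\\" in exe
            and image.rsplit("\\", 1)[-1] == exe.rsplit("\\", 1)[-1])


def self_copy_target(image, args, hashes):
    """Return the path passed after -bai when it names a file with the same hash
    as the running image, i.e. one copy of the sample launched for another."""
    if "-bai" not in args or args.index("-bai") + 1 >= len(args):
        return None
    target = args[args.index("-bai") + 1]
    image_hash = hashes.get(image.lower())
    if image_hash is not None and image_hash == hashes.get(target.lower()):
        return target
    return None


def triage(records, hashes=KNOWN_HASHES):
    """Count redirected launches and self-copy launches; list images that are
    neither the sample nor its copy (sandbox background such as Edge)."""
    counts = Counter()
    unrelated = []
    for image, cmdline in records:
        exe, args = split_cmdline(cmdline)
        if wow64_redirected(image, exe):
            counts["wow64_redirected"] += 1
        if self_copy_target(image, args, hashes):
            counts["self_copy_launch"] += 1
        elif image.lower() not in hashes:
            unrelated.append(image.rsplit("\\", 1)[-1])
    return dict(counts), unrelated


if __name__ == "__main__":
    for name, records in (("behavioral1", BEHAVIORAL1), ("behavioral2", BEHAVIORAL2)):
        print(name, *triage(records))
```

Both listings yield five redirected launches and five self-copy launches; behavioral2 additionally reports msedge.exe as an image unrelated to the sample. On live telemetry the same two checks (image directory differing from the directory named on the command line, and a child whose hash equals its parent's) are cheap to run over process-creation events and do not depend on the autoformat.exe name.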
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| GB | 88.221.135.27:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 98.58.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 64.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 27.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 100.58.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
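The Network table has no process column, behavioral1 recorded no network activity at all, and every named destination here is a bing.com or bing.net endpoint or the 8.8.8.8 resolver; the in-addr.arpa rows are reverse (PTR) lookups. Nothing in the table can be attributed to the sample, so none of these addresses should be promoted to an indicator. The script below, added as an example and not sandbox output, decodes each PTR name back to the address it asks about, checks whether that address also appears as a destination in the table, and separates expected Microsoft background traffic (an assumed allowlist) from anything left over. Ten of the reverse lookups concern addresses that never appear as destinations; the page does not say what contacted them.

```python
"""Triage of the behavioral2 Network table (added example, not sandbox
output): decode PTR lookups, match them against observed destinations, and
separate expected Microsoft background traffic from anything left over."""
import ipaddress

# Rows transcribed from the Network table: (country, destination, domain, proto).
NETWORK = [
    ("US", "8.8.8.8:53", "8.8.8.8.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "217.106.137.52.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "g.bing.com", "udp"),
    ("US", "204.79.197.237:443", "g.bing.com", "tcp"),
    ("GB", "88.221.135.27:443", "www.bing.com", "tcp"),
    ("US", "8.8.8.8:53", "237.197.79.204.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "98.58.20.217.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "64.159.190.20.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "27.135.221.88.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "232.168.11.51.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "50.23.12.20.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "18.31.95.13.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "100.58.20.217.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "30.243.111.52.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "81.144.22.2.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "88.156.103.20.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "tse1.mm.bing.net", "udp"),
] + [("US", "150.171.28.10:443", "tse1.mm.bing.net", "tcp")] * 5 + [
    ("US", "8.8.8.8:53", "10.28.171.150.in-addr.arpa", "udp"),
]

# Assumed allowlist: domains expected from Edge/Windows on a sandbox VM, not from the sample.
BACKGROUND_DOMAINS = ("bing.com", "bing.net")


def ptr_to_ip(name):
    """'237.197.79.204.in-addr.arpa' -> '204.79.197.237'; None for anything
    that is not a well-formed IPv4 reverse name."""
    suffix = ".in-addr.arpa"
    if not name.endswith(suffix):
        return None
    octets = name[: -len(suffix)].split(".")
    if len(octets) != 4:
        return None
    candidate = ".".join(reversed(octets))
    try:
        return str(ipaddress.IPv4Address(candidate))
    except ValueError:
        return None


def is_background(domain):
    """Exact or subdomain match against the assumed allowlist."""
    return any(domain == d or domain.endswith("." + d) for d in BACKGROUND_DOMAINS)


def classify(rows):
    """Bucket every row: PTR lookups whose address is (or is not) also a
    destination in the table, background domains, and candidate indicators."""
    destinations = {dest.rsplit(":", 1)[0] for _, dest, _, _ in rows}
    report = {"ptr_matched": [], "ptr_unmatched": [], "background": set(), "candidate": set()}
    for _, dest, domain, proto in rows:
        ip = ptr_to_ip(domain)
        if ip is not None:
            report["ptr_matched" if ip in destinations else "ptr_unmatched"].append(ip)
        elif is_background(domain):
            report["background"].add(domain)
        else:
            report["candidate"].add((domain, dest, proto))
    return report


if __name__ == "__main__":
    for bucket, items in classify(NETWORK).items():
        print(f"{bucket}: {sorted(items)}")
```

For this table the candidate bucket comes out empty and the three named domains all fall under the allowlist; only the ten unmatched reverse lookups remain as open questions, and they point at addresses the table never shows a connection to. Tighten or replace the allowlist for your own sandbox image before reusing the script on other reports.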
Files
memory/1448-0-0x0000000000400000-0x000000000058A000-memory.dmp
memory/1448-1-0x0000000000B90000-0x0000000000BDB000-memory.dmp
memory/1448-14-0x0000000002B10000-0x0000000002B11000-memory.dmp
memory/1448-13-0x0000000002B10000-0x0000000002B11000-memory.dmp
memory/1448-12-0x0000000002B10000-0x0000000002B11000-memory.dmp
memory/1448-11-0x0000000002B10000-0x0000000002B11000-memory.dmp
memory/1448-10-0x0000000002A90000-0x0000000002A92000-memory.dmp
memory/1448-9-0x0000000002520000-0x0000000002521000-memory.dmp
memory/1448-8-0x0000000002560000-0x0000000002561000-memory.dmp
memory/1448-7-0x0000000002AA0000-0x0000000002AA5000-memory.dmp
memory/1448-6-0x0000000002530000-0x0000000002531000-memory.dmp
memory/1448-5-0x0000000002590000-0x0000000002591000-memory.dmp
memory/1448-4-0x0000000002510000-0x0000000002511000-memory.dmp
memory/1448-3-0x0000000002580000-0x0000000002581000-memory.dmp
memory/1448-2-0x0000000002550000-0x0000000002551000-memory.dmp
memory/1448-17-0x0000000002500000-0x0000000002501000-memory.dmp
memory/1448-44-0x0000000002500000-0x0000000002501000-memory.dmp
memory/1448-43-0x0000000002500000-0x0000000002501000-memory.dmp
memory/1448-42-0x0000000002500000-0x0000000002501000-memory.dmp
memory/1448-41-0x0000000002500000-0x0000000002501000-memory.dmp
memory/1448-40-0x0000000002500000-0x0000000002501000-memory.dmp
memory/1448-39-0x0000000002500000-0x0000000002501000-memory.dmp
memory/1448-18-0x0000000002B00000-0x0000000002B01000-memory.dmp
memory/1448-38-0x0000000002500000-0x0000000002501000-memory.dmp
memory/1448-37-0x0000000002500000-0x0000000002501000-memory.dmp
memory/1448-36-0x0000000002500000-0x0000000002501000-memory.dmp
memory/1448-35-0x0000000002500000-0x0000000002501000-memory.dmp
memory/1448-34-0x0000000002500000-0x0000000002501000-memory.dmp
memory/1448-33-0x00000000025B0000-0x00000000025B1000-memory.dmp
memory/1448-32-0x00000000025B0000-0x00000000025B1000-memory.dmp
memory/1448-31-0x00000000025B0000-0x00000000025B1000-memory.dmp
memory/1448-30-0x00000000025B0000-0x00000000025B1000-memory.dmp
memory/1448-29-0x00000000025B0000-0x00000000025B1000-memory.dmp
memory/1448-28-0x00000000025B0000-0x00000000025B1000-memory.dmp
memory/1448-27-0x00000000025B0000-0x00000000025B1000-memory.dmp
memory/1448-26-0x0000000002500000-0x0000000002501000-memory.dmp
memory/1448-25-0x0000000002500000-0x0000000002501000-memory.dmp
memory/1448-24-0x0000000002500000-0x0000000002501000-memory.dmp
memory/1448-23-0x0000000002500000-0x0000000002501000-memory.dmp
memory/1448-22-0x0000000002500000-0x0000000002501000-memory.dmp
memory/1448-21-0x0000000002500000-0x0000000002501000-memory.dmp
memory/1448-20-0x0000000002500000-0x0000000002501000-memory.dmp
memory/1448-19-0x0000000002500000-0x0000000002501000-memory.dmp
memory/1448-16-0x0000000002500000-0x0000000002501000-memory.dmp
memory/1448-15-0x0000000002AF0000-0x0000000002AF1000-memory.dmp
memory/1448-46-0x00000000006F0000-0x00000000006F1000-memory.dmp
memory/1448-50-0x0000000002AD0000-0x0000000002AD1000-memory.dmp
memory/1448-49-0x0000000002AE0000-0x0000000002AE1000-memory.dmp
memory/1448-47-0x0000000000B40000-0x0000000000B41000-memory.dmp
memory/1448-45-0x0000000002AB0000-0x0000000002AB1000-memory.dmp
memory/1448-48-0x0000000002AC0000-0x0000000002AC1000-memory.dmp
C:\Windows\SysWOW64\autoformat.exe
| MD5 | 2597fef3521a6e95b68b17de972898cb |
| SHA1 | b360e70b65ba38aba1b754221c820487bb0c2338 |
| SHA256 | 0e0fdd23417c75d5be7d7b3ffc60231253412cdf740a1ec40fe7e5cac95ab4da |
| SHA512 | e659ed62f6fe81cb22e0d77fc9a3dea6a616ddf2f464843e52acf1552ecd6259b6aa3f37c526fab0a03697eaf72f820418a9ee6c94de0ba16a0cdaa66b7c8bfe |
memory/1448-55-0x0000000000B90000-0x0000000000BDB000-memory.dmp
memory/1336-58-0x0000000000400000-0x000000000058A000-memory.dmp
memory/1448-56-0x0000000000400000-0x000000000058A000-memory.dmp
memory/1336-59-0x0000000000400000-0x000000000058A000-memory.dmp
memory/1336-63-0x0000000000400000-0x000000000058A000-memory.dmp
memory/1900-64-0x0000000000400000-0x000000000058A000-memory.dmp
memory/1900-65-0x0000000000400000-0x000000000058A000-memory.dmp
memory/1900-69-0x0000000000400000-0x000000000058A000-memory.dmp
memory/2376-70-0x0000000000400000-0x000000000058A000-memory.dmp
memory/2376-74-0x0000000000400000-0x000000000058A000-memory.dmp
memory/2688-75-0x0000000000400000-0x000000000058A000-memory.dmp
memory/2688-76-0x0000000000400000-0x000000000058A000-memory.dmp
memory/2688-80-0x0000000000400000-0x000000000058A000-memory.dmp
memory/2088-81-0x0000000000400000-0x000000000058A000-memory.dmp
memory/2088-82-0x0000000000400000-0x000000000058A000-memory.dmp