Analysis Overview
SHA256
e15f39e64aaed3cb4c8dc67dcd68d5ffa4c79157e2503552b15c2a7c33fa65f8
Threat Level: Known bad
The file 259a4fe8aee9ce474a6197a014a09718_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
MetaSploit
Executes dropped EXE
Loads dropped DLL
Drops file in System32 directory
Suspicious use of SetThreadContext
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-07-04 17:01
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-07-04 17:01
Reported
2024-07-04 17:11
Platform
win7-20240508-en
Max time kernel
139s
Max time network
121s
Command Line
Signatures
MetaSploit
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\wingate32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\wingate32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\wingate32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\wingate32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\wingate32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\wingate32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\wingate32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\wingate32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\wingate32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\wingate32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\wingate32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\wingate32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\wingate32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\wingate32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\wingate32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\wingate32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\wingate32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\wingate32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\wingate32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\wingate32.exe | N/A |
Loads dropped DLL
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Windows\SysWOW64\wingate32.exe | C:\Windows\SysWOW64\wingate32.exe | N/A |
| File created | C:\Windows\SysWOW64\wingate32.exe | C:\Users\Admin\AppData\Local\Temp\259a4fe8aee9ce474a6197a014a09718_JaffaCakes118.exe | N/A |
| File created | C:\Windows\SysWOW64\wingate32.exe | C:\Windows\SysWOW64\wingate32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\wingate32.exe | C:\Windows\SysWOW64\wingate32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\wingate32.exe | C:\Windows\SysWOW64\wingate32.exe | N/A |
| File created | C:\Windows\SysWOW64\wingate32.exe | C:\Windows\SysWOW64\wingate32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\wingate32.exe | C:\Windows\SysWOW64\wingate32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\wingate32.exe | C:\Windows\SysWOW64\wingate32.exe | N/A |
| File created | C:\Windows\SysWOW64\wingate32.exe | C:\Windows\SysWOW64\wingate32.exe | N/A |
| File created | C:\Windows\SysWOW64\wingate32.exe | C:\Windows\SysWOW64\wingate32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\wingate32.exe | C:\Windows\SysWOW64\wingate32.exe | N/A |
| File created | C:\Windows\SysWOW64\wingate32.exe | C:\Windows\SysWOW64\wingate32.exe | N/A |
| File created | C:\Windows\SysWOW64\wingate32.exe | C:\Windows\SysWOW64\wingate32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\wingate32.exe | C:\Windows\SysWOW64\wingate32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\wingate32.exe | C:\Windows\SysWOW64\wingate32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\wingate32.exe | C:\Windows\SysWOW64\wingate32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\wingate32.exe | C:\Users\Admin\AppData\Local\Temp\259a4fe8aee9ce474a6197a014a09718_JaffaCakes118.exe | N/A |
| File created | C:\Windows\SysWOW64\wingate32.exe | C:\Windows\SysWOW64\wingate32.exe | N/A |
| File created | C:\Windows\SysWOW64\wingate32.exe | C:\Windows\SysWOW64\wingate32.exe | N/A |
| File created | C:\Windows\SysWOW64\wingate32.exe | C:\Windows\SysWOW64\wingate32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\wingate32.exe | C:\Windows\SysWOW64\wingate32.exe | N/A |
| File created | C:\Windows\SysWOW64\wingate32.exe | C:\Windows\SysWOW64\wingate32.exe | N/A |
Suspicious use of SetThreadContext
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\259a4fe8aee9ce474a6197a014a09718_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\259a4fe8aee9ce474a6197a014a09718_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\259a4fe8aee9ce474a6197a014a09718_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\259a4fe8aee9ce474a6197a014a09718_JaffaCakes118.exe"
C:\Windows\SysWOW64\wingate32.exe
C:\Windows\system32\wingate32.exe 504 "C:\Users\Admin\AppData\Local\Temp\259a4fe8aee9ce474a6197a014a09718_JaffaCakes118.exe"
C:\Windows\SysWOW64\wingate32.exe
C:\Windows\system32\wingate32.exe 504 "C:\Users\Admin\AppData\Local\Temp\259a4fe8aee9ce474a6197a014a09718_JaffaCakes118.exe"
C:\Windows\SysWOW64\wingate32.exe
C:\Windows\system32\wingate32.exe 524 "C:\Windows\SysWOW64\wingate32.exe"
C:\Windows\SysWOW64\wingate32.exe
C:\Windows\system32\wingate32.exe 524 "C:\Windows\SysWOW64\wingate32.exe"
C:\Windows\SysWOW64\wingate32.exe
C:\Windows\system32\wingate32.exe 524 "C:\Windows\SysWOW64\wingate32.exe"
C:\Windows\SysWOW64\wingate32.exe
C:\Windows\system32\wingate32.exe 524 "C:\Windows\SysWOW64\wingate32.exe"
C:\Windows\SysWOW64\wingate32.exe
C:\Windows\system32\wingate32.exe 524 "C:\Windows\SysWOW64\wingate32.exe"
C:\Windows\SysWOW64\wingate32.exe
C:\Windows\system32\wingate32.exe 524 "C:\Windows\SysWOW64\wingate32.exe"
C:\Windows\SysWOW64\wingate32.exe
C:\Windows\system32\wingate32.exe 524 "C:\Windows\SysWOW64\wingate32.exe"
C:\Windows\SysWOW64\wingate32.exe
C:\Windows\system32\wingate32.exe 524 "C:\Windows\SysWOW64\wingate32.exe"
C:\Windows\SysWOW64\wingate32.exe
C:\Windows\system32\wingate32.exe 528 "C:\Windows\SysWOW64\wingate32.exe"
C:\Windows\SysWOW64\wingate32.exe
C:\Windows\system32\wingate32.exe 528 "C:\Windows\SysWOW64\wingate32.exe"
C:\Windows\SysWOW64\wingate32.exe
C:\Windows\system32\wingate32.exe 524 "C:\Windows\SysWOW64\wingate32.exe"
C:\Windows\SysWOW64\wingate32.exe
C:\Windows\system32\wingate32.exe 524 "C:\Windows\SysWOW64\wingate32.exe"
C:\Windows\SysWOW64\wingate32.exe
C:\Windows\system32\wingate32.exe 524 "C:\Windows\SysWOW64\wingate32.exe"
C:\Windows\SysWOW64\wingate32.exe
C:\Windows\system32\wingate32.exe 524 "C:\Windows\SysWOW64\wingate32.exe"
C:\Windows\SysWOW64\wingate32.exe
C:\Windows\system32\wingate32.exe 524 "C:\Windows\SysWOW64\wingate32.exe"
C:\Windows\SysWOW64\wingate32.exe
C:\Windows\system32\wingate32.exe 524 "C:\Windows\SysWOW64\wingate32.exe"
C:\Windows\SysWOW64\wingate32.exe
C:\Windows\system32\wingate32.exe 524 "C:\Windows\SysWOW64\wingate32.exe"
C:\Windows\SysWOW64\wingate32.exe
C:\Windows\system32\wingate32.exe 524 "C:\Windows\SysWOW64\wingate32.exe"
Network
Files
memory/2100-0-0x0000000000400000-0x000000000051B000-memory.dmp
memory/2100-4-0x0000000000400000-0x000000000051B000-memory.dmp
memory/2100-59-0x0000000000400000-0x000000000051B000-memory.dmp
memory/2100-63-0x0000000000400000-0x000000000051B000-memory.dmp
memory/2100-62-0x0000000000400000-0x000000000051B000-memory.dmp
memory/2100-61-0x0000000000400000-0x000000000051B000-memory.dmp
memory/2100-60-0x0000000000400000-0x000000000051B000-memory.dmp
memory/2100-58-0x0000000000400000-0x000000000051B000-memory.dmp
\Windows\SysWOW64\wingate32.exe
| Hash | Value |
| --- | --- |
| MD5 | 259a4fe8aee9ce474a6197a014a09718 |
| SHA1 | bea9f9f7ae101c99402e09bad2fc17f9df418000 |
| SHA256 | e15f39e64aaed3cb4c8dc67dcd68d5ffa4c79157e2503552b15c2a7c33fa65f8 |
| SHA512 | 69027c2ed108f1d322e9315122810d94b719ef561fde771e6986d65c36ffb2e00ec385021e435e32a0c3259b43c90d4e90097efe4a48d5ef3504c39197e2332d |
memory/2100-57-0x0000000000400000-0x000000000051B000-memory.dmp
memory/2100-56-0x0000000000400000-0x000000000051B000-memory.dmp
memory/2100-55-0x0000000000400000-0x000000000051B000-memory.dmp
memory/2100-54-0x0000000000400000-0x000000000051B000-memory.dmp
memory/2100-53-0x0000000000400000-0x000000000051B000-memory.dmp
memory/2100-52-0x0000000000400000-0x000000000051B000-memory.dmp
memory/2100-51-0x0000000000400000-0x000000000051B000-memory.dmp
memory/2100-50-0x0000000000400000-0x000000000051B000-memory.dmp
memory/2100-49-0x0000000000400000-0x000000000051B000-memory.dmp
memory/2100-48-0x0000000000400000-0x000000000051B000-memory.dmp
memory/2100-142-0x0000000000400000-0x000000000051B000-memory.dmp
memory/2540-139-0x0000000000400000-0x000000000051B000-memory.dmp
memory/2100-47-0x0000000000400000-0x000000000051B000-memory.dmp
memory/2100-45-0x0000000000400000-0x000000000051B000-memory.dmp
memory/2100-44-0x0000000000400000-0x000000000051B000-memory.dmp
memory/2100-43-0x0000000000400000-0x000000000051B000-memory.dmp
memory/2100-42-0x0000000000400000-0x000000000051B000-memory.dmp
memory/2100-41-0x0000000000400000-0x000000000051B000-memory.dmp
memory/2100-40-0x0000000000400000-0x000000000051B000-memory.dmp
memory/2100-39-0x0000000000400000-0x000000000051B000-memory.dmp
memory/2100-38-0x0000000000400000-0x000000000051B000-memory.dmp
memory/2100-37-0x0000000000400000-0x000000000051B000-memory.dmp
memory/2100-36-0x0000000000400000-0x000000000051B000-memory.dmp
memory/2100-35-0x0000000000400000-0x000000000051B000-memory.dmp
memory/2100-34-0x0000000000400000-0x000000000051B000-memory.dmp
memory/2100-32-0x0000000000400000-0x000000000051B000-memory.dmp
memory/2100-31-0x0000000000400000-0x000000000051B000-memory.dmp
memory/2100-30-0x0000000000400000-0x000000000051B000-memory.dmp
memory/2100-29-0x0000000000400000-0x000000000051B000-memory.dmp
memory/2100-28-0x0000000000400000-0x000000000051B000-memory.dmp
memory/2100-27-0x0000000000400000-0x000000000051B000-memory.dmp
memory/2100-26-0x0000000000400000-0x000000000051B000-memory.dmp
memory/2100-25-0x0000000000400000-0x000000000051B000-memory.dmp
memory/2100-24-0x0000000000400000-0x000000000051B000-memory.dmp
memory/2100-23-0x0000000000400000-0x000000000051B000-memory.dmp
memory/2100-22-0x0000000000400000-0x000000000051B000-memory.dmp
memory/2100-21-0x0000000000400000-0x000000000051B000-memory.dmp
memory/3048-20-0x0000000000400000-0x0000000000446000-memory.dmp
memory/2100-14-0x0000000000400000-0x000000000051B000-memory.dmp
memory/2100-46-0x0000000000400000-0x000000000051B000-memory.dmp
memory/2100-33-0x0000000000400000-0x000000000051B000-memory.dmp
memory/2100-10-0x0000000000400000-0x000000000051B000-memory.dmp
memory/2100-7-0x0000000000400000-0x000000000051B000-memory.dmp
memory/2100-16-0x0000000000400000-0x000000000051B000-memory.dmp
memory/2100-17-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2100-12-0x0000000000400000-0x000000000051B000-memory.dmp
memory/2100-2-0x0000000000400000-0x000000000051B000-memory.dmp
memory/2756-188-0x0000000000400000-0x000000000051B000-memory.dmp
memory/2540-191-0x0000000000400000-0x000000000051B000-memory.dmp
memory/776-237-0x0000000000400000-0x000000000051B000-memory.dmp
memory/2756-240-0x0000000000400000-0x000000000051B000-memory.dmp
memory/952-286-0x0000000000400000-0x000000000051B000-memory.dmp
memory/776-289-0x0000000000400000-0x000000000051B000-memory.dmp
memory/3016-335-0x0000000000400000-0x000000000051B000-memory.dmp
memory/952-338-0x0000000000400000-0x000000000051B000-memory.dmp
memory/2528-384-0x0000000000400000-0x000000000051B000-memory.dmp
memory/3016-387-0x0000000000400000-0x000000000051B000-memory.dmp
memory/1528-433-0x0000000000400000-0x000000000051B000-memory.dmp
memory/2528-436-0x0000000000400000-0x000000000051B000-memory.dmp
memory/1344-482-0x0000000000400000-0x000000000051B000-memory.dmp
memory/1528-485-0x0000000000400000-0x000000000051B000-memory.dmp
memory/2872-531-0x0000000000400000-0x000000000051B000-memory.dmp
memory/1344-534-0x0000000000400000-0x000000000051B000-memory.dmp
memory/2460-580-0x0000000000400000-0x000000000051B000-memory.dmp
memory/2872-583-0x0000000000400000-0x000000000051B000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-07-04 17:01
Reported
2024-07-04 17:13
Platform
win10v2004-20240611-en
Max time kernel
149s
Max time network
151s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\259a4fe8aee9ce474a6197a014a09718_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\259a4fe8aee9ce474a6197a014a09718_JaffaCakes118.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| GB | 95.101.143.201:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 201.143.101.95.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 92.12.20.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.173.189.20.in-addr.arpa | udp |
Files
memory/1924-0-0x0000000000400000-0x0000000000446000-memory.dmp