Analysis Overview
SHA256
d93e3907bcd495ba5bb17ec716b842ee984f3f6455f666163035583079fcdff1
Threat Level: Known bad
The file 25aee5485680831d3ac9cd91c0a50fc1_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
MetaSploit
Executes dropped EXE
Loads dropped DLL
Drops file in System32 directory
Suspicious use of SetThreadContext
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-07-04 17:51
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-07-04 17:51
Reported
2024-07-04 17:53
Platform
win7-20240221-en
Max time kernel
119s
Max time network
121s
Command Line
Signatures
MetaSploit
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\Sysctrls.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\25aee5485680831d3ac9cd91c0a50fc1_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\25aee5485680831d3ac9cd91c0a50fc1_JaffaCakes118.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\Sysctrls.exe | C:\Users\Admin\AppData\Local\Temp\25aee5485680831d3ac9cd91c0a50fc1_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Sysctrls.exe | C:\Users\Admin\AppData\Local\Temp\25aee5485680831d3ac9cd91c0a50fc1_JaffaCakes118.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2964 set thread context of 2136 | N/A | C:\Users\Admin\AppData\Local\Temp\25aee5485680831d3ac9cd91c0a50fc1_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\25aee5485680831d3ac9cd91c0a50fc1_JaffaCakes118.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\25aee5485680831d3ac9cd91c0a50fc1_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\25aee5485680831d3ac9cd91c0a50fc1_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\25aee5485680831d3ac9cd91c0a50fc1_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\25aee5485680831d3ac9cd91c0a50fc1_JaffaCakes118.exe
C:\Windows\SysWOW64\Sysctrls.exe
C:\Windows\system32\Sysctrls.exe 444 "C:\Users\Admin\AppData\Local\Temp\25aee5485680831d3ac9cd91c0a50fc1_JaffaCakes118.exe"
Network
Files
memory/2136-0-0x0000000000400000-0x0000000000485000-memory.dmp
memory/2136-5-0x0000000000400000-0x0000000000485000-memory.dmp
memory/2136-8-0x0000000000400000-0x0000000000485000-memory.dmp
memory/2136-9-0x0000000000400000-0x0000000000485000-memory.dmp
memory/2136-6-0x0000000000400000-0x0000000000485000-memory.dmp
memory/2136-4-0x0000000000400000-0x0000000000485000-memory.dmp
memory/2136-2-0x0000000000400000-0x0000000000485000-memory.dmp
\Windows\SysWOW64\Sysctrls.exe
| MD5 | 25aee5485680831d3ac9cd91c0a50fc1 |
| SHA1 | 46a70a31bef6c91505ae33d8f0cf7fb08081d1af |
| SHA256 | d93e3907bcd495ba5bb17ec716b842ee984f3f6455f666163035583079fcdff1 |
| SHA512 | 32f2fc7242ba1478eaaea424d5ec456b8637b5e0bfe792e26f26ef35c2c5558b3687ab49477db38100da431ae02e03cb9633381c2b27fe257097df250e210ee6 |
memory/2136-20-0x0000000000400000-0x0000000000485000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-07-04 17:51
Reported
2024-07-04 17:53
Platform
win10v2004-20240611-en
Max time kernel
150s
Max time network
150s
Command Line
Signatures
MetaSploit
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\Sysctrls.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\Sysctrls.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\Sysctrls.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\Sysctrls.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\Sysctrls.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\Sysctrls.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\Sysctrls.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\Sysctrls.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\Sysctrls.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\Sysctrls.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\Sysctrls.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\Sysctrls.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\Sysctrls.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\Sysctrls.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\Sysctrls.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\Sysctrls.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\Sysctrls.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\Sysctrls.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\Sysctrls.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\Sysctrls.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\Sysctrls.exe | C:\Users\Admin\AppData\Local\Temp\25aee5485680831d3ac9cd91c0a50fc1_JaffaCakes118.exe | N/A |
| File created | C:\Windows\SysWOW64\Sysctrls.exe | C:\Windows\SysWOW64\Sysctrls.exe | N/A |
| File created | C:\Windows\SysWOW64\Sysctrls.exe | C:\Windows\SysWOW64\Sysctrls.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Sysctrls.exe | C:\Windows\SysWOW64\Sysctrls.exe | N/A |
| File created | C:\Windows\SysWOW64\Sysctrls.exe | C:\Windows\SysWOW64\Sysctrls.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Sysctrls.exe | C:\Windows\SysWOW64\Sysctrls.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Sysctrls.exe | C:\Windows\SysWOW64\Sysctrls.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Sysctrls.exe | C:\Windows\SysWOW64\Sysctrls.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Sysctrls.exe | C:\Windows\SysWOW64\Sysctrls.exe | N/A |
| File created | C:\Windows\SysWOW64\Sysctrls.exe | C:\Windows\SysWOW64\Sysctrls.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Sysctrls.exe | C:\Windows\SysWOW64\Sysctrls.exe | N/A |
| File created | C:\Windows\SysWOW64\Sysctrls.exe | C:\Windows\SysWOW64\Sysctrls.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Sysctrls.exe | C:\Users\Admin\AppData\Local\Temp\25aee5485680831d3ac9cd91c0a50fc1_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Sysctrls.exe | C:\Windows\SysWOW64\Sysctrls.exe | N/A |
| File created | C:\Windows\SysWOW64\Sysctrls.exe | C:\Windows\SysWOW64\Sysctrls.exe | N/A |
| File created | C:\Windows\SysWOW64\Sysctrls.exe | C:\Windows\SysWOW64\Sysctrls.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Sysctrls.exe | C:\Windows\SysWOW64\Sysctrls.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Sysctrls.exe | C:\Windows\SysWOW64\Sysctrls.exe | N/A |
| File created | C:\Windows\SysWOW64\Sysctrls.exe | C:\Windows\SysWOW64\Sysctrls.exe | N/A |
| File created | C:\Windows\SysWOW64\Sysctrls.exe | C:\Windows\SysWOW64\Sysctrls.exe | N/A |
| File created | C:\Windows\SysWOW64\Sysctrls.exe | C:\Windows\SysWOW64\Sysctrls.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Sysctrls.exe | C:\Windows\SysWOW64\Sysctrls.exe | N/A |
Suspicious use of SetThreadContext
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\25aee5485680831d3ac9cd91c0a50fc1_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\25aee5485680831d3ac9cd91c0a50fc1_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\25aee5485680831d3ac9cd91c0a50fc1_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\25aee5485680831d3ac9cd91c0a50fc1_JaffaCakes118.exe
C:\Windows\SysWOW64\Sysctrls.exe
C:\Windows\system32\Sysctrls.exe 972 "C:\Users\Admin\AppData\Local\Temp\25aee5485680831d3ac9cd91c0a50fc1_JaffaCakes118.exe"
C:\Windows\SysWOW64\Sysctrls.exe
C:\Windows\SysWOW64\Sysctrls.exe
C:\Windows\SysWOW64\Sysctrls.exe
C:\Windows\system32\Sysctrls.exe 1128 "C:\Windows\SysWOW64\Sysctrls.exe"
C:\Windows\SysWOW64\Sysctrls.exe
C:\Windows\SysWOW64\Sysctrls.exe
C:\Windows\SysWOW64\Sysctrls.exe
C:\Windows\system32\Sysctrls.exe 1096 "C:\Windows\SysWOW64\Sysctrls.exe"
C:\Windows\SysWOW64\Sysctrls.exe
C:\Windows\SysWOW64\Sysctrls.exe
C:\Windows\SysWOW64\Sysctrls.exe
C:\Windows\system32\Sysctrls.exe 1032 "C:\Windows\SysWOW64\Sysctrls.exe"
C:\Windows\SysWOW64\Sysctrls.exe
C:\Windows\SysWOW64\Sysctrls.exe
C:\Windows\SysWOW64\Sysctrls.exe
C:\Windows\system32\Sysctrls.exe 1092 "C:\Windows\SysWOW64\Sysctrls.exe"
C:\Windows\SysWOW64\Sysctrls.exe
C:\Windows\SysWOW64\Sysctrls.exe
C:\Windows\SysWOW64\Sysctrls.exe
C:\Windows\system32\Sysctrls.exe 1096 "C:\Windows\SysWOW64\Sysctrls.exe"
C:\Windows\SysWOW64\Sysctrls.exe
C:\Windows\SysWOW64\Sysctrls.exe
C:\Windows\SysWOW64\Sysctrls.exe
C:\Windows\system32\Sysctrls.exe 1096 "C:\Windows\SysWOW64\Sysctrls.exe"
C:\Windows\SysWOW64\Sysctrls.exe
C:\Windows\SysWOW64\Sysctrls.exe
C:\Windows\SysWOW64\Sysctrls.exe
C:\Windows\system32\Sysctrls.exe 1096 "C:\Windows\SysWOW64\Sysctrls.exe"
C:\Windows\SysWOW64\Sysctrls.exe
C:\Windows\SysWOW64\Sysctrls.exe
C:\Windows\SysWOW64\Sysctrls.exe
C:\Windows\system32\Sysctrls.exe 1092 "C:\Windows\SysWOW64\Sysctrls.exe"
C:\Windows\SysWOW64\Sysctrls.exe
C:\Windows\SysWOW64\Sysctrls.exe
C:\Windows\SysWOW64\Sysctrls.exe
C:\Windows\system32\Sysctrls.exe 1088 "C:\Windows\SysWOW64\Sysctrls.exe"
C:\Windows\SysWOW64\Sysctrls.exe
C:\Windows\SysWOW64\Sysctrls.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.159.190.20.in-addr.arpa | udp |
| GB | 184.28.176.81:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 81.176.28.184.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 121.170.16.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 98.58.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 52.111.227.11:443 | tcp | |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp |
| US | 8.8.8.8:53 | udp |
Files
memory/1520-2-0x0000000000400000-0x0000000000485000-memory.dmp
memory/1520-1-0x0000000000400000-0x0000000000485000-memory.dmp
memory/1520-3-0x0000000000400000-0x0000000000485000-memory.dmp
C:\Windows\SysWOW64\Sysctrls.exe
| MD5 | 25aee5485680831d3ac9cd91c0a50fc1 |
| SHA1 | 46a70a31bef6c91505ae33d8f0cf7fb08081d1af |
| SHA256 | d93e3907bcd495ba5bb17ec716b842ee984f3f6455f666163035583079fcdff1 |
| SHA512 | 32f2fc7242ba1478eaaea424d5ec456b8637b5e0bfe792e26f26ef35c2c5558b3687ab49477db38100da431ae02e03cb9633381c2b27fe257097df250e210ee6 |
memory/3192-14-0x0000000000400000-0x0000000000485000-memory.dmp
memory/1520-15-0x0000000000400000-0x0000000000485000-memory.dmp
memory/3192-17-0x0000000000400000-0x0000000000485000-memory.dmp
memory/1572-23-0x0000000000400000-0x0000000000485000-memory.dmp
memory/1572-26-0x0000000000400000-0x0000000000485000-memory.dmp
memory/5012-33-0x0000000000400000-0x0000000000485000-memory.dmp
memory/2700-40-0x0000000000400000-0x0000000000485000-memory.dmp
memory/972-47-0x0000000000400000-0x0000000000485000-memory.dmp
memory/4440-54-0x0000000000400000-0x0000000000485000-memory.dmp
memory/3480-61-0x0000000000400000-0x0000000000485000-memory.dmp
memory/2344-68-0x0000000000400000-0x0000000000485000-memory.dmp
memory/3104-75-0x0000000000400000-0x0000000000485000-memory.dmp
memory/628-82-0x0000000000400000-0x0000000000485000-memory.dmp