Analysis Overview
SHA256
7f52f25c1390429e6fd88b1a57e7d320450abaf79adc06996416a0ab08f337bb
Threat Level: Known bad
The file 42a54ec9ab074c043308a597ef2cde5c_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
RedLine
RedLine payload
Checks computer location settings
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Enumerates physical storage devices
Unsigned PE
Program crash
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Delays execution with timeout.exe
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-07-13 17:26
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-07-13 17:26
Reported
2024-07-13 17:28
Platform
win10v2004-20240709-en
Max time kernel
141s
Max time network
150s
Command Line
Signatures
RedLine
RedLine payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\42a54ec9ab074c043308a597ef2cde5c_JaffaCakes118.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 4036 set thread context of 968 | N/A | C:\Users\Admin\AppData\Local\Temp\42a54ec9ab074c043308a597ef2cde5c_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\42a54ec9ab074c043308a597ef2cde5c_JaffaCakes118.exe |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\42a54ec9ab074c043308a597ef2cde5c_JaffaCakes118.exe |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\42a54ec9ab074c043308a597ef2cde5c_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\42a54ec9ab074c043308a597ef2cde5c_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\42a54ec9ab074c043308a597ef2cde5c_JaffaCakes118.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\42a54ec9ab074c043308a597ef2cde5c_JaffaCakes118.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\42a54ec9ab074c043308a597ef2cde5c_JaffaCakes118.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\42a54ec9ab074c043308a597ef2cde5c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\42a54ec9ab074c043308a597ef2cde5c_JaffaCakes118.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c timeout 1
C:\Windows\SysWOW64\timeout.exe
timeout 1
C:\Users\Admin\AppData\Local\Temp\42a54ec9ab074c043308a597ef2cde5c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\42a54ec9ab074c043308a597ef2cde5c_JaffaCakes118.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4036 -ip 4036
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4036 -s 1492
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| NL | 185.51.247.144:81 | | tcp |
| NL | 185.51.247.144:81 | | tcp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| NL | 185.51.247.144:81 | | tcp |
| NL | 185.51.247.144:81 | | tcp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
| NL | 185.51.247.144:81 | | tcp |
| NL | 185.51.247.144:81 | | tcp |
| NL | 185.51.247.144:81 | | tcp |
| US | 8.8.8.8:53 | 25.73.42.20.in-addr.arpa | udp |
Files
Analysis: behavioral1
Detonation Overview
Submitted
2024-07-13 17:26
Reported
2024-07-13 17:28
Platform
win7-20240705-en
Max time kernel
139s
Max time network
149s
Command Line
Signatures
RedLine
RedLine payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 2900 set thread context of 2696 | N/A | C:\Users\Admin\AppData\Local\Temp\42a54ec9ab074c043308a597ef2cde5c_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\42a54ec9ab074c043308a597ef2cde5c_JaffaCakes118.exe |
Enumerates physical storage devices
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\42a54ec9ab074c043308a597ef2cde5c_JaffaCakes118.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\42a54ec9ab074c043308a597ef2cde5c_JaffaCakes118.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\42a54ec9ab074c043308a597ef2cde5c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\42a54ec9ab074c043308a597ef2cde5c_JaffaCakes118.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c timeout 1
C:\Windows\SysWOW64\timeout.exe
timeout 1
C:\Users\Admin\AppData\Local\Temp\42a54ec9ab074c043308a597ef2cde5c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\42a54ec9ab074c043308a597ef2cde5c_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\42a54ec9ab074c043308a597ef2cde5c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\42a54ec9ab074c043308a597ef2cde5c_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\42a54ec9ab074c043308a597ef2cde5c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\42a54ec9ab074c043308a597ef2cde5c_JaffaCakes118.exe"
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| NL | 185.51.247.144:81 | | tcp |
| NL | 185.51.247.144:81 | | tcp |
| NL | 185.51.247.144:81 | | tcp |
| NL | 185.51.247.144:81 | | tcp |
| NL | 185.51.247.144:81 | | tcp |
| NL | 185.51.247.144:81 | | tcp |
| NL | 185.51.247.144:81 | | tcp |
Files