Analysis

  • max time kernel
    143s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
  • submitted
    14/07/2024, 11:27 UTC

General

  • Target

    459cde6e25bcf5afff6bdf88d66c02ed_JaffaCakes118.exe

  • Size

    76KB

  • MD5

    459cde6e25bcf5afff6bdf88d66c02ed

  • SHA1

    775ed249c0b94f397551b347ea3c3bf681e918f9

  • SHA256

    492509f3d645e20877a1b69551d25ce99004e857857f836f11d5d7669740c03c

  • SHA512

    9e108ae11af75cf43278320d4f768e2ef5ba9320c785b3d3597ff4280d695363c46440b9aec35a6145d72cb4cd22a69416de9c76eb01a274a0cbb91c57e086a3

  • SSDEEP

    1536:swpW9UaDLSvuQUE6UdYwiSSgOkflWWZNp3+aq7z:VW9UaDuvlwU2KSgrcW3rq7z

Score
1/10

Malware Config

Signatures

  • Kills process with taskkill 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\459cde6e25bcf5afff6bdf88d66c02ed_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\459cde6e25bcf5afff6bdf88d66c02ed_JaffaCakes118.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3188
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bt51100.bat "C:\Users\Admin\AppData\Local\Temp\459cde6e25bcf5afff6bdf88d66c02ed_JaffaCakes118.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4880
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /f /im reseau.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1236

Network

  • flag-us
    DNS
    g.bing.com
    Remote address:
    8.8.8.8:53
    Request
    g.bing.com
    IN A
    Response
    g.bing.com
    IN CNAME
    g-bing-com.dual-a-0034.a-msedge.net
    g-bing-com.dual-a-0034.a-msedge.net
    IN CNAME
    dual-a-0034.a-msedge.net
    dual-a-0034.a-msedge.net
    IN A
    13.107.21.237
    dual-a-0034.a-msedge.net
    IN A
    204.79.197.237
  • flag-us
    GET
    https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=1124f2d6fdec4da88b452c8af6dda2dc&localId=w:29030E6B-39D2-65A0-5B93-B1D2300B7E50&deviceId=6825836757756773&anid=
    Remote address:
    13.107.21.237:443
    Request
    GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=1124f2d6fdec4da88b452c8af6dda2dc&localId=w:29030E6B-39D2-65A0-5B93-B1D2300B7E50&deviceId=6825836757756773&anid= HTTP/2.0
    host: g.bing.com
    accept-encoding: gzip, deflate
    user-agent: WindowsShellClient/9.0.40929.0 (Windows)
    Response
    HTTP/2.0 204
    cache-control: no-cache, must-revalidate
    pragma: no-cache
    expires: Fri, 01 Jan 1990 00:00:00 GMT
    set-cookie: MUID=2B9EB6FC498463C12D9DA240483F62C3; domain=.bing.com; expires=Fri, 08-Aug-2025 11:27:30 GMT; path=/; SameSite=None; Secure; Priority=High;
    strict-transport-security: max-age=31536000; includeSubDomains; preload
    access-control-allow-origin: *
    x-cache: CONFIG_NOCACHE
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 61133137B29E4054809EFD142983C4C4 Ref B: LON04EDGE0819 Ref C: 2024-07-14T11:27:30Z
    date: Sun, 14 Jul 2024 11:27:29 GMT
  • flag-us
    GET
    https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=1124f2d6fdec4da88b452c8af6dda2dc&localId=w:29030E6B-39D2-65A0-5B93-B1D2300B7E50&deviceId=6825836757756773&anid=
    Remote address:
    13.107.21.237:443
    Request
    GET /neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=1124f2d6fdec4da88b452c8af6dda2dc&localId=w:29030E6B-39D2-65A0-5B93-B1D2300B7E50&deviceId=6825836757756773&anid= HTTP/2.0
    host: g.bing.com
    accept-encoding: gzip, deflate
    user-agent: WindowsShellClient/9.0.40929.0 (Windows)
    cookie: MUID=2B9EB6FC498463C12D9DA240483F62C3
    Response
    HTTP/2.0 204
    cache-control: no-cache, must-revalidate
    pragma: no-cache
    expires: Fri, 01 Jan 1990 00:00:00 GMT
    set-cookie: MSPTC=0QhFQWdN-5vlMlSG_0RltDEBol-W7HH-TD9F_scluMU; domain=.bing.com; expires=Fri, 08-Aug-2025 11:27:31 GMT; path=/; Partitioned; secure; SameSite=None
    strict-transport-security: max-age=31536000; includeSubDomains; preload
    access-control-allow-origin: *
    x-cache: CONFIG_NOCACHE
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 496681AAF8574D10BE393B2ECF55075D Ref B: LON04EDGE0819 Ref C: 2024-07-14T11:27:31Z
    date: Sun, 14 Jul 2024 11:27:30 GMT
  • flag-us
    GET
    https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=1124f2d6fdec4da88b452c8af6dda2dc&localId=w:29030E6B-39D2-65A0-5B93-B1D2300B7E50&deviceId=6825836757756773&anid=
    Remote address:
    13.107.21.237:443
    Request
    GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=1124f2d6fdec4da88b452c8af6dda2dc&localId=w:29030E6B-39D2-65A0-5B93-B1D2300B7E50&deviceId=6825836757756773&anid= HTTP/2.0
    host: g.bing.com
    accept-encoding: gzip, deflate
    user-agent: WindowsShellClient/9.0.40929.0 (Windows)
    cookie: MUID=2B9EB6FC498463C12D9DA240483F62C3; MSPTC=0QhFQWdN-5vlMlSG_0RltDEBol-W7HH-TD9F_scluMU
    Response
    HTTP/2.0 204
    cache-control: no-cache, must-revalidate
    pragma: no-cache
    expires: Fri, 01 Jan 1990 00:00:00 GMT
    strict-transport-security: max-age=31536000; includeSubDomains; preload
    access-control-allow-origin: *
    x-cache: CONFIG_NOCACHE
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: CB513508A458434E84A26BE732DD7F85 Ref B: LON04EDGE0819 Ref C: 2024-07-14T11:27:31Z
    date: Sun, 14 Jul 2024 11:27:30 GMT
  • flag-us
    DNS
    8.8.8.8.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    8.8.8.8.in-addr.arpa
    IN PTR
    Response
    8.8.8.8.in-addr.arpa
    IN PTR
    dnsgoogle
  • flag-us
    DNS
    22.160.190.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    22.160.190.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    73.144.22.2.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    73.144.22.2.in-addr.arpa
    IN PTR
    Response
    73.144.22.2.in-addr.arpa
    IN PTR
    a2-22-144-73deploystaticakamaitechnologiescom
  • flag-us
    DNS
    237.21.107.13.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    237.21.107.13.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    86.23.85.13.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    86.23.85.13.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    206.23.85.13.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    206.23.85.13.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    18.58.20.217.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    18.58.20.217.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    240.143.123.92.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    240.143.123.92.in-addr.arpa
    IN PTR
    Response
    240.143.123.92.in-addr.arpa
    IN PTR
    a92-123-143-240deploystaticakamaitechnologiescom
  • flag-us
    DNS
    14.227.111.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    14.227.111.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    224.162.46.104.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    224.162.46.104.in-addr.arpa
    IN PTR
    Response
  • 13.107.21.237:443
    https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=1124f2d6fdec4da88b452c8af6dda2dc&localId=w:29030E6B-39D2-65A0-5B93-B1D2300B7E50&deviceId=6825836757756773&anid=
    tls, http2
    2.0kB
    9.3kB
    21
    19

    HTTP Request

    GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=1124f2d6fdec4da88b452c8af6dda2dc&localId=w:29030E6B-39D2-65A0-5B93-B1D2300B7E50&deviceId=6825836757756773&anid=

    HTTP Response

    204

    HTTP Request

    GET https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=1124f2d6fdec4da88b452c8af6dda2dc&localId=w:29030E6B-39D2-65A0-5B93-B1D2300B7E50&deviceId=6825836757756773&anid=

    HTTP Response

    204

    HTTP Request

    GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=1124f2d6fdec4da88b452c8af6dda2dc&localId=w:29030E6B-39D2-65A0-5B93-B1D2300B7E50&deviceId=6825836757756773&anid=

    HTTP Response

    204
  • 8.8.8.8:53
    g.bing.com
    dns
    56 B
    151 B
    1
    1

    DNS Request

    g.bing.com

    DNS Response

    13.107.21.237
    204.79.197.237

  • 8.8.8.8:53
    8.8.8.8.in-addr.arpa
    dns
    66 B
    90 B
    1
    1

    DNS Request

    8.8.8.8.in-addr.arpa

  • 8.8.8.8:53
    73.144.22.2.in-addr.arpa
    dns
    70 B
    133 B
    1
    1

    DNS Request

    73.144.22.2.in-addr.arpa

  • 8.8.8.8:53
    22.160.190.20.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    22.160.190.20.in-addr.arpa

  • 8.8.8.8:53
    237.21.107.13.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    237.21.107.13.in-addr.arpa

  • 8.8.8.8:53
    86.23.85.13.in-addr.arpa
    dns
    70 B
    144 B
    1
    1

    DNS Request

    86.23.85.13.in-addr.arpa

  • 8.8.8.8:53
    206.23.85.13.in-addr.arpa
    dns
    71 B
    145 B
    1
    1

    DNS Request

    206.23.85.13.in-addr.arpa

  • 8.8.8.8:53
    18.58.20.217.in-addr.arpa
    dns
    71 B
    131 B
    1
    1

    DNS Request

    18.58.20.217.in-addr.arpa

  • 8.8.8.8:53
    240.143.123.92.in-addr.arpa
    dns
    73 B
    139 B
    1
    1

    DNS Request

    240.143.123.92.in-addr.arpa

  • 8.8.8.8:53
    14.227.111.52.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    14.227.111.52.in-addr.arpa

  • 8.8.8.8:53
    224.162.46.104.in-addr.arpa
    dns
    73 B
    147 B
    1
    1

    DNS Request

    224.162.46.104.in-addr.arpa

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\bt51100.bat

    Filesize

    476B

    MD5

    8673d3d51593a4995652e962a67d58a4

    SHA1

    697177b467677b549b8b1bb1578db8100e8e6c40

    SHA256

    7b89a4b26ae938579df6deb3ee647da318ebc9a22d1bcc80a8a01a6ccb9cced1

    SHA512

    5b551feb018181d506dde50ebc638ea569a6d4135ddfdbd133f173f7ca3e99126c5e84c7050ac99279e986a716c46f2ddbed4565dce6757a66b2cd4570d0e27a

  • memory/3188-3-0x0000000000400000-0x000000000041C000-memory.dmp

    Filesize

    112KB

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.