Analysis
max time kernel: 143s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20240709-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
submitted: 14/07/2024, 11:27 UTC
Static task: static1
Behavioral task: behavioral1
  Sample: 459cde6e25bcf5afff6bdf88d66c02ed_JaffaCakes118.exe
  Resource: win7-20240708-en
Behavioral task: behavioral2
  Sample: 459cde6e25bcf5afff6bdf88d66c02ed_JaffaCakes118.exe
  Resource: win10v2004-20240709-en
General
Target: 459cde6e25bcf5afff6bdf88d66c02ed_JaffaCakes118.exe
Size: 76KB
MD5: 459cde6e25bcf5afff6bdf88d66c02ed
SHA1: 775ed249c0b94f397551b347ea3c3bf681e918f9
SHA256: 492509f3d645e20877a1b69551d25ce99004e857857f836f11d5d7669740c03c
SHA512: 9e108ae11af75cf43278320d4f768e2ef5ba9320c785b3d3597ff4280d695363c46440b9aec35a6145d72cb4cd22a69416de9c76eb01a274a0cbb91c57e086a3
SSDEEP: 1536:swpW9UaDLSvuQUE6UdYwiSSgOkflWWZNp3+aq7z:VW9UaDuvlwU2KSgrcW3rq7z
Malware Config
Signatures
- Kills process with taskkill (1 IoC)
  pid 1236  process taskkill.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  description Token: SeDebugPrivilege  pid 1236  process taskkill.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  description                        pid   process                                              procid_target
  PID 3188 wrote to memory of 4880   3188  459cde6e25bcf5afff6bdf88d66c02ed_JaffaCakes118.exe   83
  PID 3188 wrote to memory of 4880   3188  459cde6e25bcf5afff6bdf88d66c02ed_JaffaCakes118.exe   83
  PID 3188 wrote to memory of 4880   3188  459cde6e25bcf5afff6bdf88d66c02ed_JaffaCakes118.exe   83
  PID 4880 wrote to memory of 1236   4880  cmd.exe                                              86
  PID 4880 wrote to memory of 1236   4880  cmd.exe                                              86
  PID 4880 wrote to memory of 1236   4880  cmd.exe                                              86
Processes
- C:\Users\Admin\AppData\Local\Temp\459cde6e25bcf5afff6bdf88d66c02ed_JaffaCakes118.exe (PID 3188)
  Command line: "C:\Users\Admin\AppData\Local\Temp\459cde6e25bcf5afff6bdf88d66c02ed_JaffaCakes118.exe"
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe (PID 4880)
    Command line: cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bt51100.bat "C:\Users\Admin\AppData\Local\Temp\459cde6e25bcf5afff6bdf88d66c02ed_JaffaCakes118.exe"
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\taskkill.exe (PID 1236)
      Command line: taskkill /f /im reseau.exe
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
Network
- DNS (remote address 8.8.8.8:53)
  Request: g.bing.com IN A
  Response:
    g.bing.com IN CNAME g-bing-com.dual-a-0034.a-msedge.net
    g-bing-com.dual-a-0034.a-msedge.net IN CNAME dual-a-0034.a-msedge.net
    dual-a-0034.a-msedge.net IN A 13.107.21.237
    dual-a-0034.a-msedge.net IN A 204.79.197.237
- HTTP GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=1124f2d6fdec4da88b452c8af6dda2dc&localId=w:29030E6B-39D2-65A0-5B93-B1D2300B7E50&deviceId=6825836757756773&anid=
  Remote address: 13.107.21.237:443
  Request:
    GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=1124f2d6fdec4da88b452c8af6dda2dc&localId=w:29030E6B-39D2-65A0-5B93-B1D2300B7E50&deviceId=6825836757756773&anid= HTTP/2.0
    host: g.bing.com
    accept-encoding: gzip, deflate
    user-agent: WindowsShellClient/9.0.40929.0 (Windows)
  Response:
    HTTP/2.0 204
    pragma: no-cache
    expires: Fri, 01 Jan 1990 00:00:00 GMT
    set-cookie: MUID=2B9EB6FC498463C12D9DA240483F62C3; domain=.bing.com; expires=Fri, 08-Aug-2025 11:27:30 GMT; path=/; SameSite=None; Secure; Priority=High;
    strict-transport-security: max-age=31536000; includeSubDomains; preload
    access-control-allow-origin: *
    x-cache: CONFIG_NOCACHE
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 61133137B29E4054809EFD142983C4C4 Ref B: LON04EDGE0819 Ref C: 2024-07-14T11:27:30Z
    date: Sun, 14 Jul 2024 11:27:29 GMT
- HTTP GET https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=1124f2d6fdec4da88b452c8af6dda2dc&localId=w:29030E6B-39D2-65A0-5B93-B1D2300B7E50&deviceId=6825836757756773&anid=
  Remote address: 13.107.21.237:443
  Request:
    GET /neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=1124f2d6fdec4da88b452c8af6dda2dc&localId=w:29030E6B-39D2-65A0-5B93-B1D2300B7E50&deviceId=6825836757756773&anid= HTTP/2.0
    host: g.bing.com
    accept-encoding: gzip, deflate
    user-agent: WindowsShellClient/9.0.40929.0 (Windows)
    cookie: MUID=2B9EB6FC498463C12D9DA240483F62C3
  Response:
    HTTP/2.0 204
    pragma: no-cache
    expires: Fri, 01 Jan 1990 00:00:00 GMT
    set-cookie: MSPTC=0QhFQWdN-5vlMlSG_0RltDEBol-W7HH-TD9F_scluMU; domain=.bing.com; expires=Fri, 08-Aug-2025 11:27:31 GMT; path=/; Partitioned; secure; SameSite=None
    strict-transport-security: max-age=31536000; includeSubDomains; preload
    access-control-allow-origin: *
    x-cache: CONFIG_NOCACHE
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 496681AAF8574D10BE393B2ECF55075D Ref B: LON04EDGE0819 Ref C: 2024-07-14T11:27:31Z
    date: Sun, 14 Jul 2024 11:27:30 GMT
- HTTP GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=1124f2d6fdec4da88b452c8af6dda2dc&localId=w:29030E6B-39D2-65A0-5B93-B1D2300B7E50&deviceId=6825836757756773&anid=
  Remote address: 13.107.21.237:443
  Request:
    GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=1124f2d6fdec4da88b452c8af6dda2dc&localId=w:29030E6B-39D2-65A0-5B93-B1D2300B7E50&deviceId=6825836757756773&anid= HTTP/2.0
    host: g.bing.com
    accept-encoding: gzip, deflate
    user-agent: WindowsShellClient/9.0.40929.0 (Windows)
    cookie: MUID=2B9EB6FC498463C12D9DA240483F62C3; MSPTC=0QhFQWdN-5vlMlSG_0RltDEBol-W7HH-TD9F_scluMU
  Response:
    HTTP/2.0 204
    pragma: no-cache
    expires: Fri, 01 Jan 1990 00:00:00 GMT
    strict-transport-security: max-age=31536000; includeSubDomains; preload
    access-control-allow-origin: *
    x-cache: CONFIG_NOCACHE
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: CB513508A458434E84A26BE732DD7F85 Ref B: LON04EDGE0819 Ref C: 2024-07-14T11:27:31Z
    date: Sun, 14 Jul 2024 11:27:30 GMT
- DNS (remote address 8.8.8.8:53)
  Request: 8.8.8.8.in-addr.arpa IN PTR
  Response: 8.8.8.8.in-addr.arpa IN PTR dns.google
- DNS (remote address 8.8.8.8:53)
  Request: 22.160.190.20.in-addr.arpa IN PTR
  Response: (no answer)
- DNS (remote address 8.8.8.8:53)
  Request: 73.144.22.2.in-addr.arpa IN PTR
  Response: 73.144.22.2.in-addr.arpa IN PTR a2-22-144-73.deploy.static.akamaitechnologies.com
- DNS (remote address 8.8.8.8:53)
  Request: 237.21.107.13.in-addr.arpa IN PTR
  Response: (no answer)
- DNS (remote address 8.8.8.8:53)
  Request: 86.23.85.13.in-addr.arpa IN PTR
  Response: (no answer)
- DNS (remote address 8.8.8.8:53)
  Request: 206.23.85.13.in-addr.arpa IN PTR
  Response: (no answer)
- DNS (remote address 8.8.8.8:53)
  Request: 18.58.20.217.in-addr.arpa IN PTR
  Response: (no answer)
- DNS (remote address 8.8.8.8:53)
  Request: 240.143.123.92.in-addr.arpa IN PTR
  Response: 240.143.123.92.in-addr.arpa IN PTR a92-123-143-240.deploy.static.akamaitechnologies.com
- DNS (remote address 8.8.8.8:53)
  Request: 14.227.111.52.in-addr.arpa IN PTR
  Response: (no answer)
- DNS (remote address 8.8.8.8:53)
  Request: 224.162.46.104.in-addr.arpa IN PTR
  Response: (no answer)
Connection summary (bytes sent / received, packets sent / received)
- 13.107.21.237:443  https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=1124f2d6fdec4da88b452c8af6dda2dc&localId=w:29030E6B-39D2-65A0-5B93-B1D2300B7E50&deviceId=6825836757756773&anid=  tls, http2  22.0kB / 9.3kB, 21 / 19
  HTTP Request: GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=1124f2d6fdec4da88b452c8af6dda2dc&localId=w:29030E6B-39D2-65A0-5B93-B1D2300B7E50&deviceId=6825836757756773&anid=
  HTTP Response: 204
  HTTP Request: GET https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=1124f2d6fdec4da88b452c8af6dda2dc&localId=w:29030E6B-39D2-65A0-5B93-B1D2300B7E50&deviceId=6825836757756773&anid=
  HTTP Response: 204
  HTTP Request: GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=1124f2d6fdec4da88b452c8af6dda2dc&localId=w:29030E6B-39D2-65A0-5B93-B1D2300B7E50&deviceId=6825836757756773&anid=
  HTTP Response: 204
- DNS  56 B / 151 B, 1 / 1
  DNS Request: g.bing.com
  DNS Response: 13.107.21.237, 204.79.197.237
- DNS  66 B / 90 B, 1 / 1
  DNS Request: 8.8.8.8.in-addr.arpa
- DNS  70 B / 133 B, 1 / 1
  DNS Request: 73.144.22.2.in-addr.arpa
- DNS  72 B / 158 B, 1 / 1
  DNS Request: 22.160.190.20.in-addr.arpa
- DNS  72 B / 158 B, 1 / 1
  DNS Request: 237.21.107.13.in-addr.arpa
- DNS  70 B / 144 B, 1 / 1
  DNS Request: 86.23.85.13.in-addr.arpa
- DNS  71 B / 145 B, 1 / 1
  DNS Request: 206.23.85.13.in-addr.arpa
- DNS  71 B / 131 B, 1 / 1
  DNS Request: 18.58.20.217.in-addr.arpa
- DNS  73 B / 139 B, 1 / 1
  DNS Request: 240.143.123.92.in-addr.arpa
- DNS  72 B / 158 B, 1 / 1
  DNS Request: 14.227.111.52.in-addr.arpa
- DNS  73 B / 147 B, 1 / 1
  DNS Request: 224.162.46.104.in-addr.arpa
MITRE ATT&CK Matrix
Downloads
- Filesize: 476B
  MD5: 8673d3d51593a4995652e962a67d58a4
  SHA1: 697177b467677b549b8b1bb1578db8100e8e6c40
  SHA256: 7b89a4b26ae938579df6deb3ee647da318ebc9a22d1bcc80a8a01a6ccb9cced1
  SHA512: 5b551feb018181d506dde50ebc638ea569a6d4135ddfdbd133f173f7ca3e99126c5e84c7050ac99279e986a716c46f2ddbed4565dce6757a66b2cd4570d0e27a