492509f3d645e20877a1b69551d25ce99004e857857f836f11d5d7669740c03c

Analysis

max time kernel
143s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
14/07/2024, 11:27 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

459cde6e25bcf5afff6bdf88d66c02ed_JaffaCakes118.exe
Size

76KB
MD5

459cde6e25bcf5afff6bdf88d66c02ed
SHA1

775ed249c0b94f397551b347ea3c3bf681e918f9
SHA256

492509f3d645e20877a1b69551d25ce99004e857857f836f11d5d7669740c03c
SHA512

9e108ae11af75cf43278320d4f768e2ef5ba9320c785b3d3597ff4280d695363c46440b9aec35a6145d72cb4cd22a69416de9c76eb01a274a0cbb91c57e086a3
SSDEEP

1536:swpW9UaDLSvuQUE6UdYwiSSgOkflWWZNp3+aq7z:VW9UaDuvlwU2KSgrcW3rq7z

Score

1^/10

Malware Config

Signatures

Kills process with taskkill 1 IoCs

evasion

pid	Process
1236	taskkill.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1236	taskkill.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3188 wrote to memory of 4880	3188	459cde6e25bcf5afff6bdf88d66c02ed_JaffaCakes118.exe	83
PID 3188 wrote to memory of 4880	3188	459cde6e25bcf5afff6bdf88d66c02ed_JaffaCakes118.exe	83
PID 3188 wrote to memory of 4880	3188	459cde6e25bcf5afff6bdf88d66c02ed_JaffaCakes118.exe	83
PID 4880 wrote to memory of 1236	4880	cmd.exe	86
PID 4880 wrote to memory of 1236	4880	cmd.exe	86
PID 4880 wrote to memory of 1236	4880	cmd.exe	86

C:\Users\Admin\AppData\Local\Temp\459cde6e25bcf5afff6bdf88d66c02ed_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\459cde6e25bcf5afff6bdf88d66c02ed_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3188
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bt51100.bat "C:\Users\Admin\AppData\Local\Temp\459cde6e25bcf5afff6bdf88d66c02ed_JaffaCakes118.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4880
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im reseau.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1236

Network

DNS

g.bing.com

Remote address:

8.8.8.8:53

Request

g.bing.com

IN A

Response

g.bing.com

IN CNAME

g-bing-com.dual-a-0034.a-msedge.net

g-bing-com.dual-a-0034.a-msedge.net

IN CNAME

dual-a-0034.a-msedge.net

dual-a-0034.a-msedge.net

IN A

13.107.21.237

dual-a-0034.a-msedge.net

IN A

204.79.197.237
GET

https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=1124f2d6fdec4da88b452c8af6dda2dc&localId=w:29030E6B-39D2-65A0-5B93-B1D2300B7E50&deviceId=6825836757756773&anid=

Remote address:

13.107.21.237:443

Request

GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=1124f2d6fdec4da88b452c8af6dda2dc&localId=w:29030E6B-39D2-65A0-5B93-B1D2300B7E50&deviceId=6825836757756773&anid= HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)

Response

HTTP/2.0 204

cache-control: no-cache, must-revalidate
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
set-cookie: MUID=2B9EB6FC498463C12D9DA240483F62C3; domain=.bing.com; expires=Fri, 08-Aug-2025 11:27:30 GMT; path=/; SameSite=None; Secure; Priority=High;
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 61133137B29E4054809EFD142983C4C4 Ref B: LON04EDGE0819 Ref C: 2024-07-14T11:27:30Z
date: Sun, 14 Jul 2024 11:27:29 GMT
GET

https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=1124f2d6fdec4da88b452c8af6dda2dc&localId=w:29030E6B-39D2-65A0-5B93-B1D2300B7E50&deviceId=6825836757756773&anid=

Remote address:

13.107.21.237:443

Request

GET /neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=1124f2d6fdec4da88b452c8af6dda2dc&localId=w:29030E6B-39D2-65A0-5B93-B1D2300B7E50&deviceId=6825836757756773&anid= HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
cookie: MUID=2B9EB6FC498463C12D9DA240483F62C3

Response

HTTP/2.0 204

cache-control: no-cache, must-revalidate
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
set-cookie: MSPTC=0QhFQWdN-5vlMlSG_0RltDEBol-W7HH-TD9F_scluMU; domain=.bing.com; expires=Fri, 08-Aug-2025 11:27:31 GMT; path=/; Partitioned; secure; SameSite=None
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 496681AAF8574D10BE393B2ECF55075D Ref B: LON04EDGE0819 Ref C: 2024-07-14T11:27:31Z
date: Sun, 14 Jul 2024 11:27:30 GMT
GET

https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=1124f2d6fdec4da88b452c8af6dda2dc&localId=w:29030E6B-39D2-65A0-5B93-B1D2300B7E50&deviceId=6825836757756773&anid=

Remote address:

13.107.21.237:443

Request

GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=1124f2d6fdec4da88b452c8af6dda2dc&localId=w:29030E6B-39D2-65A0-5B93-B1D2300B7E50&deviceId=6825836757756773&anid= HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
cookie: MUID=2B9EB6FC498463C12D9DA240483F62C3; MSPTC=0QhFQWdN-5vlMlSG_0RltDEBol-W7HH-TD9F_scluMU

Response

HTTP/2.0 204

cache-control: no-cache, must-revalidate
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: CB513508A458434E84A26BE732DD7F85 Ref B: LON04EDGE0819 Ref C: 2024-07-14T11:27:31Z
date: Sun, 14 Jul 2024 11:27:30 GMT
DNS

8.8.8.8.in-addr.arpa

Remote address:

8.8.8.8:53

Request

8.8.8.8.in-addr.arpa

IN PTR

Response

8.8.8.8.in-addr.arpa

IN PTR

dnsgoogle
DNS

22.160.190.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

22.160.190.20.in-addr.arpa

IN PTR

Response
DNS

73.144.22.2.in-addr.arpa

Remote address:

8.8.8.8:53

Request

73.144.22.2.in-addr.arpa

IN PTR

Response

73.144.22.2.in-addr.arpa

IN PTR

a2-22-144-73deploystaticakamaitechnologiescom
DNS

237.21.107.13.in-addr.arpa

Remote address:

8.8.8.8:53

Request

237.21.107.13.in-addr.arpa

IN PTR

Response
DNS

86.23.85.13.in-addr.arpa

Remote address:

8.8.8.8:53

Request

86.23.85.13.in-addr.arpa

IN PTR

Response
DNS

206.23.85.13.in-addr.arpa

Remote address:

8.8.8.8:53

Request

206.23.85.13.in-addr.arpa

IN PTR

Response
DNS

18.58.20.217.in-addr.arpa

Remote address:

8.8.8.8:53

Request

18.58.20.217.in-addr.arpa

IN PTR

Response
DNS

240.143.123.92.in-addr.arpa

Remote address:

8.8.8.8:53

Request

240.143.123.92.in-addr.arpa

IN PTR

Response

240.143.123.92.in-addr.arpa

IN PTR

a92-123-143-240deploystaticakamaitechnologiescom
DNS

14.227.111.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

14.227.111.52.in-addr.arpa

IN PTR

Response
DNS

224.162.46.104.in-addr.arpa

Remote address:

8.8.8.8:53

Request

224.162.46.104.in-addr.arpa

IN PTR

Response

13.107.21.237:443

https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=1124f2d6fdec4da88b452c8af6dda2dc&localId=w:29030E6B-39D2-65A0-5B93-B1D2300B7E50&deviceId=6825836757756773&anid=

tls, http2

2.0kB
9.3kB
21
19

HTTP Request

GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=1124f2d6fdec4da88b452c8af6dda2dc&localId=w:29030E6B-39D2-65A0-5B93-B1D2300B7E50&deviceId=6825836757756773&anid=

HTTP Response

204

HTTP Request

GET https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=1124f2d6fdec4da88b452c8af6dda2dc&localId=w:29030E6B-39D2-65A0-5B93-B1D2300B7E50&deviceId=6825836757756773&anid=

HTTP Response

204

HTTP Request

GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=1124f2d6fdec4da88b452c8af6dda2dc&localId=w:29030E6B-39D2-65A0-5B93-B1D2300B7E50&deviceId=6825836757756773&anid=

HTTP Response

204

8.8.8.8:53

g.bing.com

dns

56 B
151 B
1
1

DNS Request

g.bing.com

DNS Response

13.107.21.237

204.79.197.237
8.8.8.8:53

8.8.8.8.in-addr.arpa

dns

66 B
90 B
1
1

DNS Request

8.8.8.8.in-addr.arpa
8.8.8.8:53

73.144.22.2.in-addr.arpa

dns

70 B
133 B
1
1

DNS Request

73.144.22.2.in-addr.arpa
8.8.8.8:53

22.160.190.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

22.160.190.20.in-addr.arpa
8.8.8.8:53

237.21.107.13.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

237.21.107.13.in-addr.arpa
8.8.8.8:53

86.23.85.13.in-addr.arpa

dns

70 B
144 B
1
1

DNS Request

86.23.85.13.in-addr.arpa
8.8.8.8:53

206.23.85.13.in-addr.arpa

dns

71 B
145 B
1
1

DNS Request

206.23.85.13.in-addr.arpa
8.8.8.8:53

18.58.20.217.in-addr.arpa

dns

71 B
131 B
1
1

DNS Request

18.58.20.217.in-addr.arpa
8.8.8.8:53

240.143.123.92.in-addr.arpa

dns

73 B
139 B
1
1

DNS Request

240.143.123.92.in-addr.arpa
8.8.8.8:53

14.227.111.52.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

14.227.111.52.in-addr.arpa
8.8.8.8:53

224.162.46.104.in-addr.arpa

dns

73 B
147 B
1
1

DNS Request

224.162.46.104.in-addr.arpa

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\bt51100.bat

Filesize
476B

MD5
8673d3d51593a4995652e962a67d58a4

SHA1
697177b467677b549b8b1bb1578db8100e8e6c40

SHA256
7b89a4b26ae938579df6deb3ee647da318ebc9a22d1bcc80a8a01a6ccb9cced1

SHA512
5b551feb018181d506dde50ebc638ea569a6d4135ddfdbd133f173f7ca3e99126c5e84c7050ac99279e986a716c46f2ddbed4565dce6757a66b2cd4570d0e27a

Download Submit
memory/3188-3-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.