Analysis Overview
SHA256
1e84802e4da3346e3e59e6da6054df5e2dd12b5a8b4df058cef5a43108cf07df
Threat Level: Known bad
The file 9df5e54a0aca7bcce788eb771bf399fd_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
NanoCore
Checks computer location settings
Checks whether UAC is enabled
Suspicious use of SetThreadContext
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-08-16 10:14
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-16 10:14
Reported
2024-08-16 10:16
Platform
win7-20240729-en
Max time kernel
149s
Max time network
149s
Command Line
Signatures
NanoCore
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\9df5e54a0aca7bcce788eb771bf399fd_JaffaCakes118.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2316 set thread context of 2916 | N/A | C:\Users\Admin\AppData\Local\Temp\9df5e54a0aca7bcce788eb771bf399fd_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\9df5e54a0aca7bcce788eb771bf399fd_JaffaCakes118.exe |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\9df5e54a0aca7bcce788eb771bf399fd_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\9df5e54a0aca7bcce788eb771bf399fd_JaffaCakes118.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9df5e54a0aca7bcce788eb771bf399fd_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9df5e54a0aca7bcce788eb771bf399fd_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9df5e54a0aca7bcce788eb771bf399fd_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9df5e54a0aca7bcce788eb771bf399fd_JaffaCakes118.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9df5e54a0aca7bcce788eb771bf399fd_JaffaCakes118.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\9df5e54a0aca7bcce788eb771bf399fd_JaffaCakes118.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\9df5e54a0aca7bcce788eb771bf399fd_JaffaCakes118.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\9df5e54a0aca7bcce788eb771bf399fd_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\9df5e54a0aca7bcce788eb771bf399fd_JaffaCakes118.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\sivatVvbFbzxFj" /XML "C:\Users\Admin\AppData\Local\Temp\tmp7169.tmp"
C:\Users\Admin\AppData\Local\Temp\9df5e54a0aca7bcce788eb771bf399fd_JaffaCakes118.exe
"{path}"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | newlogs.ddns.net | udp |
| US | 8.8.4.4:53 | newlogs.ddns.net | udp |
| US | 8.8.8.8:53 | newlogs.ddns.net | udp |
| US | 8.8.8.8:53 | newlogs.ddns.net | udp |
| US | 8.8.4.4:53 | newlogs.ddns.net | udp |
| US | 8.8.8.8:53 | newlogs.ddns.net | udp |
| US | 8.8.4.4:53 | newlogs.ddns.net | udp |
| US | 8.8.8.8:53 | newlogs.ddns.net | udp |
| US | 8.8.4.4:53 | newlogs.ddns.net | udp |
| US | 8.8.8.8:53 | newlogs.ddns.net | udp |
| US | 8.8.4.4:53 | newlogs.ddns.net | udp |
| US | 8.8.8.8:53 | newlogs.ddns.net | udp |
| US | 8.8.4.4:53 | newlogs.ddns.net | udp |
| US | 8.8.8.8:53 | newlogs.ddns.net | udp |
| US | 8.8.4.4:53 | newlogs.ddns.net | udp |
| US | 8.8.8.8:53 | newlogs.ddns.net | udp |
| US | 8.8.4.4:53 | newlogs.ddns.net | udp |
| US | 8.8.8.8:53 | newlogs.ddns.net | udp |
| US | 8.8.4.4:53 | newlogs.ddns.net | udp |
| US | 8.8.8.8:53 | newlogs.ddns.net | udp |
| US | 8.8.4.4:53 | newlogs.ddns.net | udp |
| US | 8.8.8.8:53 | newlogs.ddns.net | udp |
| US | 8.8.4.4:53 | newlogs.ddns.net | udp |
| US | 8.8.8.8:53 | newlogs.ddns.net | udp |
| US | 8.8.4.4:53 | newlogs.ddns.net | udp |
| US | 8.8.8.8:53 | newlogs.ddns.net | udp |
| US | 8.8.4.4:53 | newlogs.ddns.net | udp |
| US | 8.8.8.8:53 | newlogs.ddns.net | udp |
| US | 8.8.4.4:53 | newlogs.ddns.net | udp |
| US | 8.8.8.8:53 | newlogs.ddns.net | udp |
| US | 8.8.4.4:53 | newlogs.ddns.net | udp |
| US | 8.8.8.8:53 | newlogs.ddns.net | udp |
| US | 8.8.4.4:53 | newlogs.ddns.net | udp |
| US | 8.8.8.8:53 | newlogs.ddns.net | udp |
| US | 8.8.4.4:53 | newlogs.ddns.net | udp |
| US | 8.8.8.8:53 | newlogs.ddns.net | udp |
| US | 8.8.4.4:53 | newlogs.ddns.net | udp |
| US | 8.8.8.8:53 | newlogs.ddns.net | udp |
| US | 8.8.4.4:53 | newlogs.ddns.net | udp |
| US | 8.8.8.8:53 | newlogs.ddns.net | udp |
| US | 8.8.4.4:53 | newlogs.ddns.net | udp |
| US | 8.8.8.8:53 | newlogs.ddns.net | udp |
| US | 8.8.4.4:53 | newlogs.ddns.net | udp |
| US | 8.8.8.8:53 | newlogs.ddns.net | udp |
| US | 8.8.4.4:53 | newlogs.ddns.net | udp |
| US | 8.8.8.8:53 | newlogs.ddns.net | udp |
| US | 8.8.4.4:53 | newlogs.ddns.net | udp |
| US | 8.8.8.8:53 | newlogs.ddns.net | udp |
| US | 8.8.4.4:53 | newlogs.ddns.net | udp |
| US | 8.8.8.8:53 | newlogs.ddns.net | udp |
| US | 8.8.4.4:53 | newlogs.ddns.net | udp |
| US | 8.8.4.4:53 | newlogs.ddns.net | udp |
| US | 8.8.8.8:53 | newlogs.ddns.net | udp |
| US | 8.8.4.4:53 | newlogs.ddns.net | udp |
| US | 8.8.8.8:53 | newlogs.ddns.net | udp |
| US | 8.8.4.4:53 | newlogs.ddns.net | udp |
| US | 8.8.8.8:53 | newlogs.ddns.net | udp |
| US | 8.8.4.4:53 | newlogs.ddns.net | udp |
Files
memory/2316-0-0x0000000074C9E000-0x0000000074C9F000-memory.dmp
memory/2316-1-0x0000000000A60000-0x0000000000B10000-memory.dmp
memory/2316-2-0x0000000074C90000-0x000000007537E000-memory.dmp
memory/2316-3-0x0000000000460000-0x0000000000468000-memory.dmp
memory/2316-4-0x0000000074C90000-0x000000007537E000-memory.dmp
memory/2316-5-0x00000000051B0000-0x0000000005240000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmp7169.tmp
| MD5 | 0f1d89ccba3a8d60f0d23fb85ce589d3 |
| SHA1 | d5be8a5ab2ff3f42f14eba83acf7f2e9819420cd |
| SHA256 | 7891bfdce0ba06c5e23d0eeab10ef4bc3a50a5fec52a340c583e6093867aff7e |
| SHA512 | 85ccdc3eeb08e0ade4e39a5c6eeb25d8a7451b177991539f8b1cdc7d39facda1fbeec1b94aa587b5da88ac7618a3aa42233ce1e8d1a25f5ec6c5166ab200dd0f |
memory/2916-9-0x0000000000400000-0x0000000000438000-memory.dmp
memory/2916-20-0x0000000000400000-0x0000000000438000-memory.dmp
memory/2916-18-0x0000000000400000-0x0000000000438000-memory.dmp
memory/2916-16-0x0000000000400000-0x0000000000438000-memory.dmp
memory/2916-14-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2916-13-0x0000000000400000-0x0000000000438000-memory.dmp
memory/2916-12-0x0000000000400000-0x0000000000438000-memory.dmp
memory/2916-11-0x0000000000400000-0x0000000000438000-memory.dmp
memory/2916-22-0x0000000074C90000-0x000000007537E000-memory.dmp
memory/2316-21-0x0000000074C90000-0x000000007537E000-memory.dmp
memory/2916-23-0x0000000074C90000-0x000000007537E000-memory.dmp
memory/2916-25-0x00000000003E0000-0x00000000003EA000-memory.dmp
memory/2916-26-0x0000000000440000-0x000000000045E000-memory.dmp
memory/2916-27-0x00000000003F0000-0x00000000003FA000-memory.dmp
memory/2916-28-0x0000000074C90000-0x000000007537E000-memory.dmp
memory/2916-29-0x0000000074C90000-0x000000007537E000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-16 10:14
Reported
2024-08-16 10:16
Platform
win10v2004-20240802-en
Max time kernel
149s
Max time network
147s
Command Line
Signatures
NanoCore
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\9df5e54a0aca7bcce788eb771bf399fd_JaffaCakes118.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\9df5e54a0aca7bcce788eb771bf399fd_JaffaCakes118.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3212 set thread context of 1304 | N/A | C:\Users\Admin\AppData\Local\Temp\9df5e54a0aca7bcce788eb771bf399fd_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\9df5e54a0aca7bcce788eb771bf399fd_JaffaCakes118.exe |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\9df5e54a0aca7bcce788eb771bf399fd_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\9df5e54a0aca7bcce788eb771bf399fd_JaffaCakes118.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9df5e54a0aca7bcce788eb771bf399fd_JaffaCakes118.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\9df5e54a0aca7bcce788eb771bf399fd_JaffaCakes118.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\9df5e54a0aca7bcce788eb771bf399fd_JaffaCakes118.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\9df5e54a0aca7bcce788eb771bf399fd_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\9df5e54a0aca7bcce788eb771bf399fd_JaffaCakes118.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\sivatVvbFbzxFj" /XML "C:\Users\Admin\AppData\Local\Temp\tmp4755.tmp"
C:\Users\Admin\AppData\Local\Temp\9df5e54a0aca7bcce788eb771bf399fd_JaffaCakes118.exe
"{path}"
C:\Users\Admin\AppData\Local\Temp\9df5e54a0aca7bcce788eb771bf399fd_JaffaCakes118.exe
"{path}"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.143.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 192.142.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | newlogs.ddns.net | udp |
| US | 8.8.4.4:53 | newlogs.ddns.net | udp |
| US | 8.8.8.8:53 | newlogs.ddns.net | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 4.4.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | newlogs.ddns.net | udp |
| US | 8.8.4.4:53 | newlogs.ddns.net | udp |
| US | 8.8.8.8:53 | newlogs.ddns.net | udp |
| US | 8.8.4.4:53 | newlogs.ddns.net | udp |
| US | 8.8.8.8:53 | newlogs.ddns.net | udp |
| US | 8.8.8.8:53 | newlogs.ddns.net | udp |
| US | 8.8.4.4:53 | newlogs.ddns.net | udp |
| US | 8.8.8.8:53 | newlogs.ddns.net | udp |
| US | 8.8.4.4:53 | newlogs.ddns.net | udp |
| US | 8.8.8.8:53 | newlogs.ddns.net | udp |
| US | 8.8.8.8:53 | newlogs.ddns.net | udp |
| US | 8.8.4.4:53 | newlogs.ddns.net | udp |
| US | 8.8.8.8:53 | newlogs.ddns.net | udp |
| US | 8.8.4.4:53 | newlogs.ddns.net | udp |
| US | 8.8.8.8:53 | newlogs.ddns.net | udp |
| US | 8.8.8.8:53 | newlogs.ddns.net | udp |
| US | 8.8.4.4:53 | newlogs.ddns.net | udp |
| US | 8.8.8.8:53 | newlogs.ddns.net | udp |
| US | 8.8.4.4:53 | newlogs.ddns.net | udp |
| US | 8.8.8.8:53 | newlogs.ddns.net | udp |
| US | 8.8.8.8:53 | newlogs.ddns.net | udp |
| US | 8.8.4.4:53 | newlogs.ddns.net | udp |
| US | 8.8.8.8:53 | newlogs.ddns.net | udp |
| US | 8.8.8.8:53 | newlogs.ddns.net | udp |
| US | 8.8.4.4:53 | newlogs.ddns.net | udp |
| US | 8.8.8.8:53 | newlogs.ddns.net | udp |
| US | 8.8.4.4:53 | newlogs.ddns.net | udp |
| US | 8.8.8.8:53 | newlogs.ddns.net | udp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | newlogs.ddns.net | udp |
| US | 8.8.4.4:53 | newlogs.ddns.net | udp |
| US | 8.8.8.8:53 | newlogs.ddns.net | udp |
| US | 8.8.4.4:53 | newlogs.ddns.net | udp |
| US | 8.8.8.8:53 | newlogs.ddns.net | udp |
| US | 8.8.8.8:53 | newlogs.ddns.net | udp |
| US | 8.8.4.4:53 | newlogs.ddns.net | udp |
| US | 8.8.8.8:53 | newlogs.ddns.net | udp |
| US | 8.8.4.4:53 | newlogs.ddns.net | udp |
| US | 8.8.8.8:53 | newlogs.ddns.net | udp |
| US | 8.8.8.8:53 | newlogs.ddns.net | udp |
| US | 8.8.4.4:53 | newlogs.ddns.net | udp |
| US | 8.8.8.8:53 | newlogs.ddns.net | udp |
| US | 8.8.8.8:53 | newlogs.ddns.net | udp |
| US | 8.8.4.4:53 | newlogs.ddns.net | udp |
| US | 8.8.8.8:53 | newlogs.ddns.net | udp |
| US | 8.8.4.4:53 | newlogs.ddns.net | udp |
| US | 8.8.8.8:53 | newlogs.ddns.net | udp |
| US | 8.8.8.8:53 | newlogs.ddns.net | udp |
| US | 8.8.4.4:53 | newlogs.ddns.net | udp |
| US | 8.8.8.8:53 | newlogs.ddns.net | udp |
| US | 8.8.8.8:53 | newlogs.ddns.net | udp |
| US | 8.8.4.4:53 | newlogs.ddns.net | udp |
| US | 8.8.8.8:53 | newlogs.ddns.net | udp |
| US | 8.8.4.4:53 | newlogs.ddns.net | udp |
| US | 8.8.8.8:53 | newlogs.ddns.net | udp |
| US | 8.8.8.8:53 | newlogs.ddns.net | udp |
| US | 8.8.4.4:53 | newlogs.ddns.net | udp |
| US | 8.8.8.8:53 | newlogs.ddns.net | udp |
| US | 8.8.4.4:53 | newlogs.ddns.net | udp |
| US | 8.8.8.8:53 | newlogs.ddns.net | udp |
| US | 8.8.8.8:53 | newlogs.ddns.net | udp |
| US | 8.8.4.4:53 | newlogs.ddns.net | udp |
| US | 8.8.8.8:53 | newlogs.ddns.net | udp |
| US | 8.8.4.4:53 | newlogs.ddns.net | udp |
| US | 8.8.8.8:53 | newlogs.ddns.net | udp |
| US | 8.8.8.8:53 | newlogs.ddns.net | udp |
| US | 8.8.4.4:53 | newlogs.ddns.net | udp |
| US | 8.8.8.8:53 | N/A | udp |
| US | 8.8.4.4:53 | N/A | udp |
| US | 8.8.8.8:53 | N/A | udp |
Files
memory/3212-0-0x00000000746DE000-0x00000000746DF000-memory.dmp
memory/3212-1-0x0000000000A30000-0x0000000000AE0000-memory.dmp
memory/3212-2-0x0000000005B10000-0x00000000060B4000-memory.dmp
memory/3212-3-0x0000000005490000-0x0000000005522000-memory.dmp
memory/3212-4-0x00000000746D0000-0x0000000074E80000-memory.dmp
memory/3212-5-0x0000000005530000-0x000000000553A000-memory.dmp
memory/3212-6-0x0000000006AD0000-0x0000000006B6C000-memory.dmp
memory/3212-7-0x0000000006AC0000-0x0000000006AC8000-memory.dmp
memory/3212-8-0x00000000746DE000-0x00000000746DF000-memory.dmp
memory/3212-9-0x00000000746D0000-0x0000000074E80000-memory.dmp
memory/3212-10-0x0000000006B70000-0x0000000006C00000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmp4755.tmp
| MD5 | 3de17c395108a67c9494159e5d956343 |
| SHA1 | 7bea8f8018443ea89ae8f07aa7a1c86831d65c3c |
| SHA256 | 19d8f7de958f069dcf2f863699669666d947938bf5a396becb30de67b35a7243 |
| SHA512 | b77e42a4b23ad9a928d684cfecd243d31a578076641676c2bc44d3d39b0b222222362a65359f1ce26badc766370a704774c3a9b9e951a7e2e5a47ebf9a92debf |
memory/1304-14-0x0000000000400000-0x0000000000438000-memory.dmp
memory/1304-16-0x00000000746D0000-0x0000000074E80000-memory.dmp
memory/3212-17-0x00000000746D0000-0x0000000074E80000-memory.dmp
memory/1304-18-0x00000000746D0000-0x0000000074E80000-memory.dmp
memory/1304-20-0x0000000005240000-0x000000000524A000-memory.dmp
memory/1304-21-0x0000000005730000-0x000000000574E000-memory.dmp
memory/1304-22-0x00000000055D0000-0x00000000055DA000-memory.dmp
memory/1304-23-0x00000000746D0000-0x0000000074E80000-memory.dmp
memory/1304-24-0x00000000746D0000-0x0000000074E80000-memory.dmp