Analysis Overview
SHA256
d37dccd907a4c76bf2c72ca029cdc8f82974ed25ded93ff1dcf79e6335487a2f
Threat Level: Known bad
The file c340761e2148785822fd97d1b7975a57_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
Azorult
Suspicious use of SetThreadContext
Drops file in Windows directory
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-08-26 15:09
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-26 15:09
Reported
2024-08-26 15:12
Platform
win7-20240704-en
Max time kernel
121s
Max time network
122s
Command Line
Signatures
Azorult
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 2120 set thread context of 2980 | N/A | C:\Users\Admin\AppData\Local\Temp\c340761e2148785822fd97d1b7975a57_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\c340761e2148785822fd97d1b7975a57_JaffaCakes118.exe |
Drops file in Windows directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | C:\Windows\佃 | C:\Users\Admin\AppData\Local\Temp\c340761e2148785822fd97d1b7975a57_JaffaCakes118.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\c340761e2148785822fd97d1b7975a57_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\c340761e2148785822fd97d1b7975a57_JaffaCakes118.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c340761e2148785822fd97d1b7975a57_JaffaCakes118.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\c340761e2148785822fd97d1b7975a57_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\c340761e2148785822fd97d1b7975a57_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\c340761e2148785822fd97d1b7975a57_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\c340761e2148785822fd97d1b7975a57_JaffaCakes118.exe"
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | crimtan.cf | udp |
| US | 8.8.8.8:53 | crimtan.cf | udp |
Files
C:\Windows\佃
| Hash | Value |
|---|---|
| MD5 | 40997308d50d6b4b0ce84bfce4cf2abc |
| SHA1 | af99a292703f6a5e676fa178ae2264435be57b7e |
| SHA256 | 52f759c45ee3cf5408a0e6de8f396466cf5064a2dbf3654a490c107c532c6318 |
| SHA512 | a5c80455175c18a3e01fc1190921ad17d8f0184f1ccb8ed1ef8c04c811514f268acbbca8e01561fa6efe820070f87e98132398d5aceebf976fe34b9a21fbe7ee |
memory/2120-213-0x00000000776B0000-0x0000000077859000-memory.dmp
memory/2120-212-0x00000000776B1000-0x00000000777B2000-memory.dmp
memory/2980-215-0x0000000000400000-0x0000000000420000-memory.dmp
memory/2980-216-0x0000000000400000-0x0000000000420000-memory.dmp
memory/2980-217-0x00000000776B0000-0x0000000077859000-memory.dmp
memory/2980-218-0x0000000000400000-0x0000000000420000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-26 15:09
Reported
2024-08-26 15:12
Platform
win10v2004-20240802-en
Max time kernel
139s
Max time network
123s
Command Line
Signatures
Azorult
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 3904 set thread context of 4624 | N/A | C:\Users\Admin\AppData\Local\Temp\c340761e2148785822fd97d1b7975a57_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\c340761e2148785822fd97d1b7975a57_JaffaCakes118.exe |
Drops file in Windows directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | C:\Windows\佃 | C:\Users\Admin\AppData\Local\Temp\c340761e2148785822fd97d1b7975a57_JaffaCakes118.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\c340761e2148785822fd97d1b7975a57_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\c340761e2148785822fd97d1b7975a57_JaffaCakes118.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c340761e2148785822fd97d1b7975a57_JaffaCakes118.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\c340761e2148785822fd97d1b7975a57_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\c340761e2148785822fd97d1b7975a57_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\c340761e2148785822fd97d1b7975a57_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\c340761e2148785822fd97d1b7975a57_JaffaCakes118.exe"
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | crimtan.cf | udp |
| US | 8.8.8.8:53 | 68.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | crimtan.cf | udp |
| US | 8.8.8.8:53 | 240.143.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
Files
C:\Windows\佃
| Hash | Value |
|---|---|
| MD5 | 21b75afd36f87b52ec668f8ede7a9cd3 |
| SHA1 | dd881fc51ae146e425c45fd61b4fb2619090365f |
| SHA256 | 5cc720fb36abcf360a7d502626f7b3fb1aec8c42f54a47389a85bad63da475b7 |
| SHA512 | 9b931e2b5d17446295a45d24369df46756f2ce45442b404173d932868be5d43356f252a2275c6a2e86c5be176dd44345982823343e16db5bc199404285fb67d8 |
memory/3904-212-0x0000000076F01000-0x0000000077021000-memory.dmp
memory/4624-213-0x0000000000400000-0x0000000000420000-memory.dmp
memory/4624-215-0x0000000000400000-0x0000000000420000-memory.dmp
memory/4624-216-0x0000000000400000-0x0000000000420000-memory.dmp
memory/4624-217-0x0000000000400000-0x0000000000420000-memory.dmp