Analysis Overview
SHA256
9cb794f9cc6ff45711cc17185a1e119b758322b0b6c496e03e61b4d8557e032e
Threat Level: Known bad
The file 00e8532313249e72acc9d045063ac68e_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
SectopRAT payload
SectopRAT
RedLine
RedLine payload
Checks computer location settings
Suspicious use of SetThreadContext
System Location Discovery: System Language Discovery
Enumerates physical storage devices
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-09-30 10:41
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-09-30 10:41
Reported
2024-09-30 10:44
Platform
win7-20240903-en
Max time kernel
142s
Max time network
147s
Command Line
Signatures
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
SectopRAT
SectopRAT payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 3064 set thread context of 936 | N/A | C:\Users\Admin\AppData\Local\Temp\00e8532313249e72acc9d045063ac68e_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\00e8532313249e72acc9d045063ac68e_JaffaCakes118.exe |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\00e8532313249e72acc9d045063ac68e_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\00e8532313249e72acc9d045063ac68e_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\00e8532313249e72acc9d045063ac68e_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\00e8532313249e72acc9d045063ac68e_JaffaCakes118.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\00e8532313249e72acc9d045063ac68e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\00e8532313249e72acc9d045063ac68e_JaffaCakes118.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
C:\Users\Admin\AppData\Local\Temp\00e8532313249e72acc9d045063ac68e_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\00e8532313249e72acc9d045063ac68e_JaffaCakes118.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | www.google.com | udp |
| NL | 185.213.209.36:36533 | | tcp |
| NL | 185.213.209.36:36533 | | tcp |
| NL | 185.213.209.36:36533 | | tcp |
| NL | 185.213.209.36:36533 | | tcp |
| NL | 185.213.209.36:36533 | | tcp |
| NL | 185.213.209.36:36533 | | tcp |
| NL | 185.213.209.36:36533 | | tcp |
| NL | 185.213.209.36:36533 | | tcp |
| NL | 185.213.209.36:36533 | | tcp |
| NL | 185.213.209.36:36533 | | tcp |
| NL | 185.213.209.36:36533 | | tcp |
| NL | 185.213.209.36:36533 | | tcp |
Files
memory/3064-0-0x000000007420E000-0x000000007420F000-memory.dmp
memory/3064-1-0x00000000013E0000-0x0000000001446000-memory.dmp
memory/2840-4-0x0000000002940000-0x0000000002980000-memory.dmp
memory/2840-5-0x0000000002940000-0x0000000002980000-memory.dmp
memory/3064-6-0x000000007420E000-0x000000007420F000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
| Hash | Value |
| --- | --- |
| MD5 | 8a4122acde2086b235f9b0fb8f56b1dd |
| SHA1 | fbadc8a453da2fbc4f2cccb5ecddacede9856f64 |
| SHA256 | f36c0d6bc01ff7a37e678daae0a710813d9fc3076e5141fe5a771b5fee0bb163 |
| SHA512 | af86bd737d14d6192552769b89af25050f77d986de45626920509dcde61ac69639c627c824b6c7f3efcb226d05931d73cd87db597d4016f5977fa4832ce532a9 |
memory/3064-12-0x0000000000D40000-0x0000000000D78000-memory.dmp
memory/3064-13-0x0000000000520000-0x000000000053C000-memory.dmp
memory/936-14-0x0000000000400000-0x0000000000422000-memory.dmp
memory/936-20-0x0000000000400000-0x0000000000422000-memory.dmp
memory/936-23-0x0000000000400000-0x0000000000422000-memory.dmp
memory/936-22-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/936-16-0x0000000000400000-0x0000000000422000-memory.dmp
memory/936-18-0x0000000000400000-0x0000000000422000-memory.dmp
memory/936-25-0x0000000000400000-0x0000000000422000-memory.dmp
memory/936-24-0x0000000000400000-0x0000000000422000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-09-30 10:41
Reported
2024-09-30 10:44
Platform
win10v2004-20240802-en
Max time kernel
148s
Max time network
150s
Command Line
Signatures
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
SectopRAT
SectopRAT payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\00e8532313249e72acc9d045063ac68e_JaffaCakes118.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 3292 set thread context of 1636 | N/A | C:\Users\Admin\AppData\Local\Temp\00e8532313249e72acc9d045063ac68e_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\00e8532313249e72acc9d045063ac68e_JaffaCakes118.exe |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\00e8532313249e72acc9d045063ac68e_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\00e8532313249e72acc9d045063ac68e_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\00e8532313249e72acc9d045063ac68e_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\00e8532313249e72acc9d045063ac68e_JaffaCakes118.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\00e8532313249e72acc9d045063ac68e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\00e8532313249e72acc9d045063ac68e_JaffaCakes118.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
C:\Users\Admin\AppData\Local\Temp\00e8532313249e72acc9d045063ac68e_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\00e8532313249e72acc9d045063ac68e_JaffaCakes118.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 74.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.google.com | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| NL | 185.213.209.36:36533 | | tcp |
| US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| NL | 185.213.209.36:36533 | | tcp |
| NL | 185.213.209.36:36533 | | tcp |
| NL | 185.213.209.36:36533 | | tcp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| NL | 185.213.209.36:36533 | | tcp |
| NL | 185.213.209.36:36533 | | tcp |
| NL | 185.213.209.36:36533 | | tcp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
| NL | 185.213.209.36:36533 | | tcp |
| NL | 185.213.209.36:36533 | | tcp |
| NL | 185.213.209.36:36533 | | tcp |
| NL | 185.213.209.36:36533 | | tcp |
| NL | 185.213.209.36:36533 | | tcp |
| NL | 185.213.209.36:36533 | | tcp |
Files
memory/3292-0-0x0000000074E7E000-0x0000000074E7F000-memory.dmp
memory/3292-1-0x0000000000250000-0x00000000002B6000-memory.dmp
memory/3292-2-0x0000000004C60000-0x0000000004CF2000-memory.dmp
memory/2004-3-0x0000000002920000-0x0000000002956000-memory.dmp
memory/2004-6-0x0000000005410000-0x0000000005A38000-memory.dmp
memory/2004-5-0x0000000074E70000-0x0000000075620000-memory.dmp
memory/2004-4-0x0000000074E70000-0x0000000075620000-memory.dmp
memory/2004-7-0x0000000005370000-0x0000000005392000-memory.dmp
memory/2004-8-0x0000000005B70000-0x0000000005BD6000-memory.dmp
memory/2004-9-0x0000000005BE0000-0x0000000005C46000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_nehuxgjp.png.ps1
| Hash | Value |
| --- | --- |
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/2004-19-0x0000000005D50000-0x00000000060A4000-memory.dmp
memory/2004-20-0x0000000006210000-0x000000000622E000-memory.dmp
memory/2004-21-0x0000000006250000-0x000000000629C000-memory.dmp
memory/2004-22-0x0000000006780000-0x0000000006816000-memory.dmp
memory/2004-23-0x0000000006710000-0x000000000672A000-memory.dmp
memory/2004-24-0x00000000071D0000-0x00000000071F2000-memory.dmp
memory/2004-25-0x00000000077B0000-0x0000000007D54000-memory.dmp
memory/2004-26-0x00000000083E0000-0x0000000008A5A000-memory.dmp
memory/2004-29-0x0000000074E70000-0x0000000075620000-memory.dmp
memory/3292-30-0x0000000074E7E000-0x0000000074E7F000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
| Hash | Value |
| --- | --- |
| MD5 | 0774a05ce5ee4c1af7097353c9296c62 |
| SHA1 | 658ff96b111c21c39d7ad5f510fb72f9762114bb |
| SHA256 | d9c5347ed06755feeb0615f1671f6b91e2718703da0dbc4b0bd205cbd2896dd4 |
| SHA512 | 104d69fc4f4aaa5070b78ada130228939c7e01436351166fe51fe2da8a02f9948e6d92dd676f62820da1813872b91411e2f863c9a98a760581ec34d4aa354994 |
memory/1552-32-0x0000000074E70000-0x0000000075620000-memory.dmp
memory/1552-33-0x0000000074E70000-0x0000000075620000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| Hash | Value |
| --- | --- |
| MD5 | f5ad6c5c24d732b9d1c17c8c686d138a |
| SHA1 | ae95dda2d425f7488a41c4a1e6f73b2b7c58b34b |
| SHA256 | f28826ac61f27e5b4e11ac94d7ffe849de6a945ff35203134779a28d165e5be8 |
| SHA512 | 8bf31d2e99c08a4e6f96ecf53af3d7e5cfa8a51d9697f85750135cc053b1342a727ce272f80482bbf7edf224bb789d8bb8f0ea095076e0b890402021c1bcad1b |
memory/1552-45-0x0000000074E70000-0x0000000075620000-memory.dmp
memory/3292-46-0x0000000004B70000-0x0000000004BA8000-memory.dmp
memory/3292-47-0x0000000004D90000-0x0000000004DAC000-memory.dmp
memory/1636-48-0x0000000000400000-0x0000000000422000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\00e8532313249e72acc9d045063ac68e_JaffaCakes118.exe.log
| Hash | Value |
| --- | --- |
| MD5 | daf9fe3dcbbcb5b561d9f0353b55f9d4 |
| SHA1 | a13e3d6ebbed85e669c83bb501c155a494c549f0 |
| SHA256 | 07f91247f55298b9e1ceb697f4372d5527469846874d70cff32cf469477fd5d5 |
| SHA512 | 5ea0df54ff91f5957c1eaed129a5dec9c9ae82a14b1f8c7fcb71df5233da533c9860fb1d6d73dff05402c1cba0a29e763d0434cf0b92a8c234b0719418882eb8 |
memory/1636-51-0x0000000005C20000-0x0000000006238000-memory.dmp
memory/1636-52-0x00000000056B0000-0x00000000056C2000-memory.dmp
memory/1636-53-0x00000000057E0000-0x00000000058EA000-memory.dmp
memory/1636-54-0x0000000005710000-0x000000000574C000-memory.dmp
memory/1636-55-0x0000000005750000-0x000000000579C000-memory.dmp