Malware Analysis Report

2025-01-22 20:15

Sample ID 241019-3heh7awale
Target 5f3df15568c628069235df05f6df3c74_JaffaCakes118
SHA256 2004b06bbcb086fd3f2f83435f6e4cad003b4c344f50b5694762daf442bce3da
Tags discovery, persistence, ransomware, spyware, stealer
Score 9/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score 9/10

SHA256 2004b06bbcb086fd3f2f83435f6e4cad003b4c344f50b5694762daf442bce3da

Threat Level: Likely malicious

The file 5f3df15568c628069235df05f6df3c74_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

Tags discovery, persistence, ransomware, spyware, stealer

Renames multiple (176) files with added filename extension

Drops file in Drivers directory

Reads user/profile data of web browsers

Deletes itself

Executes dropped EXE

Loads dropped DLL

Enumerates connected drives

Adds Run key to start application

Drops file in Windows directory

Drops file in Program Files directory

Program crash

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

Runs net.exe

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2024-10-19 23:30

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted 2024-10-19 23:30
Reported 2024-10-19 23:33
Platform win7-20240903-en
Max time kernel 149s
Max time network 120s

Command Line

C:\Windows\Explorer.EXE

Signatures

Renames multiple (176) files with added filename extension

ransomware

Drops file in Drivers directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\system32\drivers\etc\hosts | C:\Users\Admin\AppData\Local\Temp\5f3df15568c628069235df05f6df3c74_JaffaCakes118.exe | N/A
File opened for modification | C:\Windows\system32\drivers\etc\hosts | C:\Windows\Logo1_.exe | N/A

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\Logo1_.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5f3df15568c628069235df05f6df3c74_JaffaCakes118.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\load = "C:\\Windows\\uninstall\\rundl132.exe" | C:\Users\Admin\AppData\Local\Temp\5f3df15568c628069235df05f6df3c74_JaffaCakes118.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\load = "C:\\Windows\\uninstall\\rundl132.exe" | C:\Windows\Logo1_.exe | N/A

Enumerates connected drives

Description | Indicator | Process | Target
File opened (read-only) | \??\K: | C:\Windows\Logo1_.exe | N/A
File opened (read-only) | \??\Y: | C:\Windows\Logo1_.exe | N/A
File opened (read-only) | \??\R: | C:\Windows\Logo1_.exe | N/A
File opened (read-only) | \??\J: | C:\Windows\Logo1_.exe | N/A
File opened (read-only) | \??\E: | C:\Windows\Logo1_.exe | N/A
File opened (read-only) | \??\V: | C:\Windows\Logo1_.exe | N/A
File opened (read-only) | \??\Q: | C:\Windows\Logo1_.exe | N/A
File opened (read-only) | \??\M: | C:\Windows\Logo1_.exe | N/A
File opened (read-only) | \??\L: | C:\Windows\Logo1_.exe | N/A
File opened (read-only) | \??\I: | C:\Windows\Logo1_.exe | N/A
File opened (read-only) | \??\U: | C:\Windows\Logo1_.exe | N/A
File opened (read-only) | \??\T: | C:\Windows\Logo1_.exe | N/A
File opened (read-only) | \??\W: | C:\Windows\Logo1_.exe | N/A
File opened (read-only) | \??\S: | C:\Windows\Logo1_.exe | N/A
File opened (read-only) | \??\P: | C:\Windows\Logo1_.exe | N/A
File opened (read-only) | \??\O: | C:\Windows\Logo1_.exe | N/A
File opened (read-only) | \??\N: | C:\Windows\Logo1_.exe | N/A
File opened (read-only) | \??\H: | C:\Windows\Logo1_.exe | N/A
File opened (read-only) | \??\Z: | C:\Windows\Logo1_.exe | N/A
File opened (read-only) | \??\X: | C:\Windows\Logo1_.exe | N/A
File opened (read-only) | \??\G: | C:\Windows\Logo1_.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File opened for modification | C:\Program Files\Java\jre7\bin\ktab.exe.Exe | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files\Microsoft Games\Multiplayer\Backgammon\bckgzm.exe | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe.Exe | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\klist.exe | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files\Java\jre7\bin\javaw.exe.Exe | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files\Java\jdk1.7.0_80\jre\bin\servertool.exe.Exe | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files\Java\jre7\bin\jabswitch.exe.Exe | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files\Java\jre7\bin\servertool.exe.Exe | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Updater.exe.Exe | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\javaw.exe | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files\Java\jdk1.7.0_80\bin\rmic.exe.Exe | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files (x86)\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPREARM.EXE.Exe | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files\7-Zip\7z.exe.Exe | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jar.exe | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\javaw.exe.Exe | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files\Java\jre7\bin\jabswitch.exe | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\SC_Reader.exe.Exe | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\airappinstaller.exe.Exe | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Oarpmany.exe.Exe | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files (x86)\Windows Mail\wab.exe | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\appletviewer.exe | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\javac.exe | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files\Java\jdk1.7.0_80\bin\unpack200.exe.Exe | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\wsimport.exe | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe.Exe | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\ink\TabTip32.exe | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\LICLUA.EXE.Exe | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files\Java\jdk1.7.0_80\bin\jdb.exe.Exe | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\policytool.exe.Exe | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files\Windows Photo Viewer\ImagingDevices.exe | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOICONS.EXE | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files\DVD Maker\DVDMaker.exe | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jmc.exe | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\javacpl.exe | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe.Exe | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\javah.exe | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files\Java\jre7\bin\javaw.exe.Exe | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files\Microsoft Games\Mahjong\Mahjong.exe.Exe | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\FLTLDR.EXE.Exe | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOXMLED.EXE | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe.Exe | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\javap.exe.Exe | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files\Java\jdk1.7.0_80\bin\jconsole.exe.Exe | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files\Java\jre7\bin\kinit.exe | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files\Java\jre7\bin\policytool.exe.Exe | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files\Microsoft Games\Chess\Chess.exe.Exe | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\airappinstaller.exe | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe.Exe | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaws.exe.Exe | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32Info.exe | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files\Google\Chrome\Application\chrome_proxy.exe | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files\Java\jdk1.7.0_80\bin\jinfo.exe.Exe | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jsadebugd.exe.Exe | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmid.exe.Exe | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\java-rmi.exe.Exe | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jcmd.exe | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files\Java\jre7\bin\java.exe.Exe | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroBroker.exe.Exe | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files\Java\jdk1.7.0_80\bin\jstack.exe.Exe | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\servertool.exe | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files\Java\jdk1.7.0_80\bin\servertool.exe.Exe | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\pack200.exe | C:\Windows\Logo1_.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\uninstall\rundl132.exe | C:\Users\Admin\AppData\Local\Temp\5f3df15568c628069235df05f6df3c74_JaffaCakes118.exe | N/A
File created | C:\Windows\Logo1_.exe | C:\Users\Admin\AppData\Local\Temp\5f3df15568c628069235df05f6df3c74_JaffaCakes118.exe | N/A
File opened for modification | C:\Windows\uninstall\rundl132.exe | C:\Windows\Logo1_.exe | N/A
File created | C:\Windows\RichDll.dll | C:\Windows\Logo1_.exe | N/A

System Location Discovery: System Language Discovery

discovery

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\5f3df15568c628069235df05f6df3c74_JaffaCakes118.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\net1.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\net.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\net1.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\net.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\net1.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Logo1_.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\net.exe | N/A

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5f3df15568c628069235df05f6df3c74_JaffaCakes118.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5f3df15568c628069235df05f6df3c74_JaffaCakes118.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5f3df15568c628069235df05f6df3c74_JaffaCakes118.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5f3df15568c628069235df05f6df3c74_JaffaCakes118.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5f3df15568c628069235df05f6df3c74_JaffaCakes118.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5f3df15568c628069235df05f6df3c74_JaffaCakes118.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5f3df15568c628069235df05f6df3c74_JaffaCakes118.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5f3df15568c628069235df05f6df3c74_JaffaCakes118.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5f3df15568c628069235df05f6df3c74_JaffaCakes118.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5f3df15568c628069235df05f6df3c74_JaffaCakes118.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5f3df15568c628069235df05f6df3c74_JaffaCakes118.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5f3df15568c628069235df05f6df3c74_JaffaCakes118.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5f3df15568c628069235df05f6df3c74_JaffaCakes118.exe | N/A
N/A | N/A | C:\Windows\Logo1_.exe | N/A
N/A | N/A | C:\Windows\Logo1_.exe | N/A
N/A | N/A | C:\Windows\Logo1_.exe | N/A
N/A | N/A | C:\Windows\Logo1_.exe | N/A
N/A | N/A | C:\Windows\Logo1_.exe | N/A
N/A | N/A | C:\Windows\Logo1_.exe | N/A
N/A | N/A | C:\Windows\Logo1_.exe | N/A
N/A | N/A | C:\Windows\Logo1_.exe | N/A
N/A | N/A | C:\Windows\Logo1_.exe | N/A
N/A | N/A | C:\Windows\Logo1_.exe | N/A
N/A | N/A | C:\Windows\Logo1_.exe | N/A
N/A | N/A | C:\Windows\Logo1_.exe | N/A
N/A | N/A | C:\Windows\Logo1_.exe | N/A
N/A | N/A | C:\Windows\Logo1_.exe | N/A
N/A | N/A | C:\Windows\Logo1_.exe | N/A
N/A | N/A | C:\Windows\Logo1_.exe | N/A
N/A | N/A | C:\Windows\Logo1_.exe | N/A
N/A | N/A | C:\Windows\Logo1_.exe | N/A
N/A | N/A | C:\Windows\Logo1_.exe | N/A
N/A | N/A | C:\Windows\Logo1_.exe | N/A
N/A | N/A | C:\Windows\Logo1_.exe | N/A
N/A | N/A | C:\Windows\Logo1_.exe | N/A
N/A | N/A | C:\Windows\Logo1_.exe | N/A
N/A | N/A | C:\Windows\Logo1_.exe | N/A
N/A | N/A | C:\Windows\Logo1_.exe | N/A
N/A | N/A | C:\Windows\Logo1_.exe | N/A
N/A | N/A | C:\Windows\Logo1_.exe | N/A
N/A | N/A | C:\Windows\Logo1_.exe | N/A
N/A | N/A | C:\Windows\Logo1_.exe | N/A
N/A | N/A | C:\Windows\Logo1_.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1404 wrote to memory of 2456 | N/A | C:\Users\Admin\AppData\Local\Temp\5f3df15568c628069235df05f6df3c74_JaffaCakes118.exe | C:\Windows\SysWOW64\net.exe
PID 1404 wrote to memory of 2456 | N/A | C:\Users\Admin\AppData\Local\Temp\5f3df15568c628069235df05f6df3c74_JaffaCakes118.exe | C:\Windows\SysWOW64\net.exe
PID 1404 wrote to memory of 2456 | N/A | C:\Users\Admin\AppData\Local\Temp\5f3df15568c628069235df05f6df3c74_JaffaCakes118.exe | C:\Windows\SysWOW64\net.exe
PID 1404 wrote to memory of 2456 | N/A | C:\Users\Admin\AppData\Local\Temp\5f3df15568c628069235df05f6df3c74_JaffaCakes118.exe | C:\Windows\SysWOW64\net.exe
PID 2456 wrote to memory of 2292 | N/A | C:\Windows\SysWOW64\net.exe | C:\Windows\SysWOW64\net1.exe
PID 2456 wrote to memory of 2292 | N/A | C:\Windows\SysWOW64\net.exe | C:\Windows\SysWOW64\net1.exe
PID 2456 wrote to memory of 2292 | N/A | C:\Windows\SysWOW64\net.exe | C:\Windows\SysWOW64\net1.exe
PID 2456 wrote to memory of 2292 | N/A | C:\Windows\SysWOW64\net.exe | C:\Windows\SysWOW64\net1.exe
PID 1404 wrote to memory of 1928 | N/A | C:\Users\Admin\AppData\Local\Temp\5f3df15568c628069235df05f6df3c74_JaffaCakes118.exe | C:\Windows\SysWOW64\cmd.exe
PID 1404 wrote to memory of 1928 | N/A | C:\Users\Admin\AppData\Local\Temp\5f3df15568c628069235df05f6df3c74_JaffaCakes118.exe | C:\Windows\SysWOW64\cmd.exe
PID 1404 wrote to memory of 1928 | N/A | C:\Users\Admin\AppData\Local\Temp\5f3df15568c628069235df05f6df3c74_JaffaCakes118.exe | C:\Windows\SysWOW64\cmd.exe
PID 1404 wrote to memory of 1928 | N/A | C:\Users\Admin\AppData\Local\Temp\5f3df15568c628069235df05f6df3c74_JaffaCakes118.exe | C:\Windows\SysWOW64\cmd.exe
PID 1404 wrote to memory of 2316 | N/A | C:\Users\Admin\AppData\Local\Temp\5f3df15568c628069235df05f6df3c74_JaffaCakes118.exe | C:\Windows\Logo1_.exe
PID 1404 wrote to memory of 2316 | N/A | C:\Users\Admin\AppData\Local\Temp\5f3df15568c628069235df05f6df3c74_JaffaCakes118.exe | C:\Windows\Logo1_.exe
PID 1404 wrote to memory of 2316 | N/A | C:\Users\Admin\AppData\Local\Temp\5f3df15568c628069235df05f6df3c74_JaffaCakes118.exe | C:\Windows\Logo1_.exe
PID 1404 wrote to memory of 2316 | N/A | C:\Users\Admin\AppData\Local\Temp\5f3df15568c628069235df05f6df3c74_JaffaCakes118.exe | C:\Windows\Logo1_.exe
PID 1928 wrote to memory of 2828 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\Temp\5f3df15568c628069235df05f6df3c74_JaffaCakes118.exe
PID 1928 wrote to memory of 2828 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\Temp\5f3df15568c628069235df05f6df3c74_JaffaCakes118.exe
PID 1928 wrote to memory of 2828 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\Temp\5f3df15568c628069235df05f6df3c74_JaffaCakes118.exe
PID 1928 wrote to memory of 2828 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\Temp\5f3df15568c628069235df05f6df3c74_JaffaCakes118.exe
PID 2316 wrote to memory of 2864 | N/A | C:\Windows\Logo1_.exe | C:\Windows\SysWOW64\net.exe
PID 2316 wrote to memory of 2864 | N/A | C:\Windows\Logo1_.exe | C:\Windows\SysWOW64\net.exe
PID 2316 wrote to memory of 2864 | N/A | C:\Windows\Logo1_.exe | C:\Windows\SysWOW64\net.exe
PID 2316 wrote to memory of 2864 | N/A | C:\Windows\Logo1_.exe | C:\Windows\SysWOW64\net.exe
PID 2864 wrote to memory of 2996 | N/A | C:\Windows\SysWOW64\net.exe | C:\Windows\SysWOW64\net1.exe
PID 2864 wrote to memory of 2996 | N/A | C:\Windows\SysWOW64\net.exe | C:\Windows\SysWOW64\net1.exe
PID 2864 wrote to memory of 2996 | N/A | C:\Windows\SysWOW64\net.exe | C:\Windows\SysWOW64\net1.exe
PID 2864 wrote to memory of 2996 | N/A | C:\Windows\SysWOW64\net.exe | C:\Windows\SysWOW64\net1.exe
PID 2316 wrote to memory of 2572 | N/A | C:\Windows\Logo1_.exe | C:\Windows\SysWOW64\net.exe
PID 2316 wrote to memory of 2572 | N/A | C:\Windows\Logo1_.exe | C:\Windows\SysWOW64\net.exe
PID 2316 wrote to memory of 2572 | N/A | C:\Windows\Logo1_.exe | C:\Windows\SysWOW64\net.exe
PID 2316 wrote to memory of 2572 | N/A | C:\Windows\Logo1_.exe | C:\Windows\SysWOW64\net.exe
PID 2572 wrote to memory of 2596 | N/A | C:\Windows\SysWOW64\net.exe | C:\Windows\SysWOW64\net1.exe
PID 2572 wrote to memory of 2596 | N/A | C:\Windows\SysWOW64\net.exe | C:\Windows\SysWOW64\net1.exe
PID 2572 wrote to memory of 2596 | N/A | C:\Windows\SysWOW64\net.exe | C:\Windows\SysWOW64\net1.exe
PID 2572 wrote to memory of 2596 | N/A | C:\Windows\SysWOW64\net.exe | C:\Windows\SysWOW64\net1.exe
PID 2316 wrote to memory of 1192 | N/A | C:\Windows\Logo1_.exe | C:\Windows\Explorer.EXE
PID 2316 wrote to memory of 1192 | N/A | C:\Windows\Logo1_.exe | C:\Windows\Explorer.EXE

Processes

Image | Command line
C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\5f3df15568c628069235df05f6df3c74_JaffaCakes118.exe | "C:\Users\Admin\AppData\Local\Temp\5f3df15568c628069235df05f6df3c74_JaffaCakes118.exe"
C:\Windows\SysWOW64\net.exe | net stop "Kingsoft AntiVirus Service"
C:\Windows\SysWOW64\net1.exe | C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
C:\Windows\SysWOW64\cmd.exe | cmd /c C:\Users\Admin\AppData\Local\Temp\$$aDEBB.bat
C:\Windows\Logo1_.exe | C:\Windows\Logo1_.exe
C:\Users\Admin\AppData\Local\Temp\5f3df15568c628069235df05f6df3c74_JaffaCakes118.exe | "C:\Users\Admin\AppData\Local\Temp\5f3df15568c628069235df05f6df3c74_JaffaCakes118.exe"
C:\Windows\SysWOW64\net.exe | net stop "Kingsoft AntiVirus Service"
C:\Windows\SysWOW64\net1.exe | C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
C:\Windows\SysWOW64\net.exe | net stop "Kingsoft AntiVirus Service"
C:\Windows\SysWOW64\net1.exe | C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"

Network

N/A

Files

memory/1404-0-0x0000000000400000-0x000000000043F000-memory.dmp

memory/1404-1-0x0000000000020000-0x0000000000040000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\$$aDEBB.bat

MD5 87429812c972069e59213b75c23f6551
SHA1 ef06bbf6ec624b421a7270d01728e996d5d58aa9
SHA256 d3936de35e25c842c42e9d0071bb5d0120a1935e1f44a6adf4eca6a3953e7669
SHA512 e1d5bf4878c45c7c7c4e3e09bca3dfb3b52d80efbd185fe5dbbf0350fa61b8d760e58c44b46d7671e21ee2757e0b978adde34c8aa1c7fe5031b0bc1e8c7fde87

C:\Windows\Logo1_.exe

MD5 18e000da33f6741acde950b41a437b09
SHA1 7e1592b533f3714b6e5de274977f40063a96642b
SHA256 85e7650d9f5a232b22f9da84507c1c84decc5af8ebf2ed7d48605372d6f02c95
SHA512 8ab15ab9059965bb6868297e15ad3fe88658fb27e78f11bcaf6ccace206536311213c84be4ca1a97baa4293ecabc166796e68482977e233883ab380dfc852144

memory/1404-18-0x00000000001C0000-0x00000000001FF000-memory.dmp

memory/1404-20-0x00000000001C0000-0x00000000001FF000-memory.dmp

memory/1404-19-0x0000000000400000-0x000000000043F000-memory.dmp

C:\Windows\system32\drivers\etc\hosts

MD5 7e3a0edd0c6cd8316f4b6c159d5167a1
SHA1 753428b4736ffb2c9e3eb50f89255b212768c55a
SHA256 1965854dfa54c72529c88c7d9f41fa31b4140cad04cf03d3f0f2e7601fcbdc6c
SHA512 9c68f7f72dfa109fcfba6472a1cced85bc6c2a5481232c6d1d039c88b2f65fb86070aeb26ac23e420c6255daca02ea6e698892f7670298d2c4f741b9e9415c7f

C:\Users\Admin\AppData\Local\Temp\5f3df15568c628069235df05f6df3c74_JaffaCakes118.exe.exe

MD5 52a4c01d2bd02572bdc918f3390f852e
SHA1 58517b90aa6e21d07fd0eda6ffde8a688f150e21
SHA256 233c95cba55b4fca3659f3b8ae7345d79d3d1bd7563d4bdcab0509494b742139
SHA512 1be0dcb8ab21b999257ddddfdd42bccbcb4c53396d9fe47cb8dd5399ead6b0ae106822d776b67bae7ef27ea5980db7af82a21662c0ccb78b2efc2b85516b10e1

memory/2828-30-0x0000000000400000-0x00000000004C1000-memory.dmp

memory/1928-28-0x00000000023E0000-0x00000000024A1000-memory.dmp

memory/1928-27-0x00000000023E0000-0x00000000024A1000-memory.dmp

memory/1192-34-0x0000000002D70000-0x0000000002D71000-memory.dmp

memory/2316-38-0x0000000000400000-0x000000000043F000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted 2024-10-19 23:30
Reported 2024-10-19 23:33
Platform win10v2004-20241007-en
Max time kernel 148s
Max time network 152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5f3df15568c628069235df05f6df3c74_JaffaCakes118.exe"

Signatures

System Location Discovery: System Language Discovery

discovery

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\5f3df15568c628069235df05f6df3c74_JaffaCakes118.exe | N/A

Processes

Image | Command line
C:\Users\Admin\AppData\Local\Temp\5f3df15568c628069235df05f6df3c74_JaffaCakes118.exe | "C:\Users\Admin\AppData\Local\Temp\5f3df15568c628069235df05f6df3c74_JaffaCakes118.exe"
C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4732 -ip 4732
C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 4732 -s 224

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 17.160.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 28.117.19.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp
US | 8.8.8.8:53 | 195.201.50.20.in-addr.arpa | udp

Files

memory/4732-0-0x0000000000400000-0x000000000043F000-memory.dmp

memory/4732-1-0x0000000000400000-0x000000000043F000-memory.dmp