Malware Analysis Report

2025-03-15 08:19

Sample ID: 241020-x4mtssxfml
Target: 63e66d289d9d10f1f9450117bb61e7ae_JaffaCakes118
SHA256: e97c683d4076b707e0ca68f3d7a50e71b908d2109f782248f2d79dba4adbdaff
Tags: discovery persistence ransomware spyware stealer
Score: 9/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 9/10

SHA256: e97c683d4076b707e0ca68f3d7a50e71b908d2109f782248f2d79dba4adbdaff

Threat Level: Likely malicious

The file 63e66d289d9d10f1f9450117bb61e7ae_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

discovery persistence ransomware spyware stealer

Renames multiple (177) files with added filename extension

Drops file in Drivers directory

Deletes itself

Reads user/profile data of web browsers

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Enumerates connected drives

Drops file in Windows directory

Drops file in Program Files directory

Unsigned PE

System Location Discovery: System Language Discovery

Program crash

Runs net.exe

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-10-20 19:24

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-10-20 19:24
Reported: 2024-10-20 19:27
Platform: win7-20240903-en
Max time kernel: 149s
Max time network: 118s

Command Line

C:\Windows\Explorer.EXE

Signatures

Renames multiple (177) files with added filename extension

ransomware

Drops file in Drivers directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\system32\drivers\etc\hosts | C:\Users\Admin\AppData\Local\Temp\63e66d289d9d10f1f9450117bb61e7ae_JaffaCakes118.exe | N/A
File opened for modification | C:\Windows\system32\drivers\etc\hosts | C:\Windows\Logo1_.exe | N/A

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\Logo1_.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\63e66d289d9d10f1f9450117bb61e7ae_JaffaCakes118.exe | N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\load = "C:\\Windows\\uninstall\\rundl132.exe" | C:\Windows\Logo1_.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\load = "C:\\Windows\\uninstall\\rundl132.exe" | C:\Users\Admin\AppData\Local\Temp\63e66d289d9d10f1f9450117bb61e7ae_JaffaCakes118.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\QuickTime Update Completion 0 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\63e66d289d9d10f1f9450117bb61e7ae_JaffaCakes118.exe\" -atboottime \"QuickTime Update Completion 0\"" | C:\Users\Admin\AppData\Local\Temp\63e66d289d9d10f1f9450117bb61e7ae_JaffaCakes118.exe | N/A

Enumerates connected drives

Description | Indicator | Process | Target
File opened (read-only) | \??\M: | C:\Windows\Logo1_.exe | N/A
File opened (read-only) | \??\K: | C:\Windows\Logo1_.exe | N/A
File opened (read-only) | \??\G: | C:\Windows\Logo1_.exe | N/A
File opened (read-only) | \??\Z: | C:\Windows\Logo1_.exe | N/A
File opened (read-only) | \??\Y: | C:\Windows\Logo1_.exe | N/A
File opened (read-only) | \??\X: | C:\Windows\Logo1_.exe | N/A
File opened (read-only) | \??\U: | C:\Windows\Logo1_.exe | N/A
File opened (read-only) | \??\P: | C:\Windows\Logo1_.exe | N/A
File opened (read-only) | \??\W: | C:\Windows\Logo1_.exe | N/A
File opened (read-only) | \??\V: | C:\Windows\Logo1_.exe | N/A
File opened (read-only) | \??\O: | C:\Windows\Logo1_.exe | N/A
File opened (read-only) | \??\I: | C:\Windows\Logo1_.exe | N/A
File opened (read-only) | \??\J: | C:\Windows\Logo1_.exe | N/A
File opened (read-only) | \??\H: | C:\Windows\Logo1_.exe | N/A
File opened (read-only) | \??\E: | C:\Windows\Logo1_.exe | N/A
File opened (read-only) | \??\T: | C:\Windows\Logo1_.exe | N/A
File opened (read-only) | \??\S: | C:\Windows\Logo1_.exe | N/A
File opened (read-only) | \??\R: | C:\Windows\Logo1_.exe | N/A
File opened (read-only) | \??\Q: | C:\Windows\Logo1_.exe | N/A
File opened (read-only) | \??\L: | C:\Windows\Logo1_.exe | N/A
File opened (read-only) | \??\N: | C:\Windows\Logo1_.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files\Java\jre7\bin\javaw.exe.Exe | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files\Mozilla Firefox\pingsender.exe | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files\Java\jdk1.7.0_80\bin\jstatd.exe.Exe | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec64.exe | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe.Exe | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files\Java\jre7\bin\policytool.exe.Exe | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files\Google\Chrome\Application\chrome.exe.Exe | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files\Java\jdk1.7.0_80\jre\bin\jabswitch.exe.Exe | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmid.exe.Exe | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\ssvagent.exe.Exe | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files\Java\jre7\bin\orbd.exe.Exe | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files\Java\jdk1.7.0_80\bin\xjc.exe.Exe | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files\Microsoft Games\Purble Place\PurblePlace.exe | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files\Mozilla Firefox\minidump-analyzer.exe | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files (x86)\Windows Media Player\wmprph.exe | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jar.exe | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files\Java\jdk1.7.0_80\bin\rmiregistry.exe.Exe | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files\Java\jdk1.7.0_80\jre\lib\launcher.exe.Exe | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files\Java\jre7\bin\java-rmi.exe.Exe | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\A3DUtility.exe.Exe | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files\Java\jdk1.7.0_80\bin\apt.exe.Exe | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files\Microsoft Games\Chess\Chess.exe.Exe | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe.Exe | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files\Mozilla Firefox\plugin-container.exe.Exe | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Eula.exe | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files\7-Zip\7zG.exe.Exe | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec.exe.Exe | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec64.exe.Exe | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files\Java\jre7\bin\javacpl.exe.Exe | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files\Java\jre7\bin\keytool.exe.Exe | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\TextConv\WksConv\Wkconv.exe | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe.Exe | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jmc.exe | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\tnameserv.exe | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files\Java\jdk1.7.0_80\jre\bin\pack200.exe.Exe | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmid.exe.Exe | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files\Microsoft Games\SpiderSolitaire\SpiderSolitaire.exe.Exe | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files\Java\jre7\bin\jabswitch.exe | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files\Microsoft Games\Purble Place\PurblePlace.exe.Exe | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files\Windows Photo Viewer\ImagingDevices.exe | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files (x86)\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPREARM.EXE.Exe | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\VSTA\8.0\x86\vsta_ep32.exe.Exe | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jps.exe.Exe | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files\Windows Mail\wab.exe | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOXMLED.EXE.Exe | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files (x86)\Windows Media Player\setup_wm.exe | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files\UseLock.exe.Exe | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\java.exe | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\klist.exe.Exe | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files (x86)\Common Files\Adobe\Updater6\AdobeUpdaterInstallMgr.exe | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe.Exe | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\wsimport.exe | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files\Microsoft Games\Multiplayer\Checkers\chkrzm.exe.Exe | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files\Google\Chrome\Application\chrome_proxy.exe.Exe | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\tnameserv.exe.Exe | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files\Java\jre7\bin\rmiregistry.exe | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files\Java\jre7\bin\servertool.exe | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\launcher.exe | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\airappinstaller.exe.Exe | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\javafxpackager.exe | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\klist.exe | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files\Java\jdk1.7.0_80\jre\bin\klist.exe.Exe | C:\Windows\Logo1_.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\uninstall\rundl132.exe | C:\Users\Admin\AppData\Local\Temp\63e66d289d9d10f1f9450117bb61e7ae_JaffaCakes118.exe | N/A
File created | C:\Windows\Logo1_.exe | C:\Users\Admin\AppData\Local\Temp\63e66d289d9d10f1f9450117bb61e7ae_JaffaCakes118.exe | N/A
File opened for modification | C:\Windows\uninstall\rundl132.exe | C:\Windows\Logo1_.exe | N/A
File created | C:\Windows\RichDll.dll | C:\Windows\Logo1_.exe | N/A

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\net1.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\net.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\net1.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\net1.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\net.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\net.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\63e66d289d9d10f1f9450117bb61e7ae_JaffaCakes118.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\63e66d289d9d10f1f9450117bb61e7ae_JaffaCakes118.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Logo1_.exe | N/A

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\63e66d289d9d10f1f9450117bb61e7ae_JaffaCakes118.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\63e66d289d9d10f1f9450117bb61e7ae_JaffaCakes118.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\63e66d289d9d10f1f9450117bb61e7ae_JaffaCakes118.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\63e66d289d9d10f1f9450117bb61e7ae_JaffaCakes118.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\63e66d289d9d10f1f9450117bb61e7ae_JaffaCakes118.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\63e66d289d9d10f1f9450117bb61e7ae_JaffaCakes118.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\63e66d289d9d10f1f9450117bb61e7ae_JaffaCakes118.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\63e66d289d9d10f1f9450117bb61e7ae_JaffaCakes118.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\63e66d289d9d10f1f9450117bb61e7ae_JaffaCakes118.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\63e66d289d9d10f1f9450117bb61e7ae_JaffaCakes118.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\63e66d289d9d10f1f9450117bb61e7ae_JaffaCakes118.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\63e66d289d9d10f1f9450117bb61e7ae_JaffaCakes118.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\63e66d289d9d10f1f9450117bb61e7ae_JaffaCakes118.exe | N/A
N/A | N/A | C:\Windows\Logo1_.exe | N/A
N/A | N/A | C:\Windows\Logo1_.exe | N/A
N/A | N/A | C:\Windows\Logo1_.exe | N/A
N/A | N/A | C:\Windows\Logo1_.exe | N/A
N/A | N/A | C:\Windows\Logo1_.exe | N/A
N/A | N/A | C:\Windows\Logo1_.exe | N/A
N/A | N/A | C:\Windows\Logo1_.exe | N/A
N/A | N/A | C:\Windows\Logo1_.exe | N/A
N/A | N/A | C:\Windows\Logo1_.exe | N/A
N/A | N/A | C:\Windows\Logo1_.exe | N/A
N/A | N/A | C:\Windows\Logo1_.exe | N/A
N/A | N/A | C:\Windows\Logo1_.exe | N/A
N/A | N/A | C:\Windows\Logo1_.exe | N/A
N/A | N/A | C:\Windows\Logo1_.exe | N/A
N/A | N/A | C:\Windows\Logo1_.exe | N/A
N/A | N/A | C:\Windows\Logo1_.exe | N/A
N/A | N/A | C:\Windows\Logo1_.exe | N/A
N/A | N/A | C:\Windows\Logo1_.exe | N/A
N/A | N/A | C:\Windows\Logo1_.exe | N/A
N/A | N/A | C:\Windows\Logo1_.exe | N/A
N/A | N/A | C:\Windows\Logo1_.exe | N/A
N/A | N/A | C:\Windows\Logo1_.exe | N/A
N/A | N/A | C:\Windows\Logo1_.exe | N/A
N/A | N/A | C:\Windows\Logo1_.exe | N/A
N/A | N/A | C:\Windows\Logo1_.exe | N/A
N/A | N/A | C:\Windows\Logo1_.exe | N/A
N/A | N/A | C:\Windows\Logo1_.exe | N/A
N/A | N/A | C:\Windows\Logo1_.exe | N/A
N/A | N/A | C:\Windows\Logo1_.exe | N/A
N/A | N/A | C:\Windows\Logo1_.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2544 wrote to memory of 1652 | N/A | C:\Users\Admin\AppData\Local\Temp\63e66d289d9d10f1f9450117bb61e7ae_JaffaCakes118.exe | C:\Windows\SysWOW64\net.exe
PID 2544 wrote to memory of 1652 | N/A | C:\Users\Admin\AppData\Local\Temp\63e66d289d9d10f1f9450117bb61e7ae_JaffaCakes118.exe | C:\Windows\SysWOW64\net.exe
PID 2544 wrote to memory of 1652 | N/A | C:\Users\Admin\AppData\Local\Temp\63e66d289d9d10f1f9450117bb61e7ae_JaffaCakes118.exe | C:\Windows\SysWOW64\net.exe
PID 2544 wrote to memory of 1652 | N/A | C:\Users\Admin\AppData\Local\Temp\63e66d289d9d10f1f9450117bb61e7ae_JaffaCakes118.exe | C:\Windows\SysWOW64\net.exe
PID 1652 wrote to memory of 2888 | N/A | C:\Windows\SysWOW64\net.exe | C:\Windows\SysWOW64\net1.exe
PID 1652 wrote to memory of 2888 | N/A | C:\Windows\SysWOW64\net.exe | C:\Windows\SysWOW64\net1.exe
PID 1652 wrote to memory of 2888 | N/A | C:\Windows\SysWOW64\net.exe | C:\Windows\SysWOW64\net1.exe
PID 1652 wrote to memory of 2888 | N/A | C:\Windows\SysWOW64\net.exe | C:\Windows\SysWOW64\net1.exe
PID 2544 wrote to memory of 2108 | N/A | C:\Users\Admin\AppData\Local\Temp\63e66d289d9d10f1f9450117bb61e7ae_JaffaCakes118.exe | C:\Windows\SysWOW64\cmd.exe
PID 2544 wrote to memory of 2108 | N/A | C:\Users\Admin\AppData\Local\Temp\63e66d289d9d10f1f9450117bb61e7ae_JaffaCakes118.exe | C:\Windows\SysWOW64\cmd.exe
PID 2544 wrote to memory of 2108 | N/A | C:\Users\Admin\AppData\Local\Temp\63e66d289d9d10f1f9450117bb61e7ae_JaffaCakes118.exe | C:\Windows\SysWOW64\cmd.exe
PID 2544 wrote to memory of 2108 | N/A | C:\Users\Admin\AppData\Local\Temp\63e66d289d9d10f1f9450117bb61e7ae_JaffaCakes118.exe | C:\Windows\SysWOW64\cmd.exe
PID 2544 wrote to memory of 2760 | N/A | C:\Users\Admin\AppData\Local\Temp\63e66d289d9d10f1f9450117bb61e7ae_JaffaCakes118.exe | C:\Windows\Logo1_.exe
PID 2544 wrote to memory of 2760 | N/A | C:\Users\Admin\AppData\Local\Temp\63e66d289d9d10f1f9450117bb61e7ae_JaffaCakes118.exe | C:\Windows\Logo1_.exe
PID 2544 wrote to memory of 2760 | N/A | C:\Users\Admin\AppData\Local\Temp\63e66d289d9d10f1f9450117bb61e7ae_JaffaCakes118.exe | C:\Windows\Logo1_.exe
PID 2544 wrote to memory of 2760 | N/A | C:\Users\Admin\AppData\Local\Temp\63e66d289d9d10f1f9450117bb61e7ae_JaffaCakes118.exe | C:\Windows\Logo1_.exe
PID 2108 wrote to memory of 2724 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\Temp\63e66d289d9d10f1f9450117bb61e7ae_JaffaCakes118.exe
PID 2108 wrote to memory of 2724 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\Temp\63e66d289d9d10f1f9450117bb61e7ae_JaffaCakes118.exe
PID 2108 wrote to memory of 2724 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\Temp\63e66d289d9d10f1f9450117bb61e7ae_JaffaCakes118.exe
PID 2108 wrote to memory of 2724 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\Temp\63e66d289d9d10f1f9450117bb61e7ae_JaffaCakes118.exe
PID 2108 wrote to memory of 2724 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\Temp\63e66d289d9d10f1f9450117bb61e7ae_JaffaCakes118.exe
PID 2108 wrote to memory of 2724 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\Temp\63e66d289d9d10f1f9450117bb61e7ae_JaffaCakes118.exe
PID 2108 wrote to memory of 2724 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\Temp\63e66d289d9d10f1f9450117bb61e7ae_JaffaCakes118.exe
PID 2760 wrote to memory of 2880 | N/A | C:\Windows\Logo1_.exe | C:\Windows\SysWOW64\net.exe
PID 2760 wrote to memory of 2880 | N/A | C:\Windows\Logo1_.exe | C:\Windows\SysWOW64\net.exe
PID 2760 wrote to memory of 2880 | N/A | C:\Windows\Logo1_.exe | C:\Windows\SysWOW64\net.exe
PID 2760 wrote to memory of 2880 | N/A | C:\Windows\Logo1_.exe | C:\Windows\SysWOW64\net.exe
PID 2880 wrote to memory of 2968 | N/A | C:\Windows\SysWOW64\net.exe | C:\Windows\SysWOW64\net1.exe
PID 2880 wrote to memory of 2968 | N/A | C:\Windows\SysWOW64\net.exe | C:\Windows\SysWOW64\net1.exe
PID 2880 wrote to memory of 2968 | N/A | C:\Windows\SysWOW64\net.exe | C:\Windows\SysWOW64\net1.exe
PID 2880 wrote to memory of 2968 | N/A | C:\Windows\SysWOW64\net.exe | C:\Windows\SysWOW64\net1.exe
PID 2760 wrote to memory of 2860 | N/A | C:\Windows\Logo1_.exe | C:\Windows\SysWOW64\net.exe
PID 2760 wrote to memory of 2860 | N/A | C:\Windows\Logo1_.exe | C:\Windows\SysWOW64\net.exe
PID 2760 wrote to memory of 2860 | N/A | C:\Windows\Logo1_.exe | C:\Windows\SysWOW64\net.exe
PID 2760 wrote to memory of 2860 | N/A | C:\Windows\Logo1_.exe | C:\Windows\SysWOW64\net.exe
PID 2860 wrote to memory of 2768 | N/A | C:\Windows\SysWOW64\net.exe | C:\Windows\SysWOW64\net1.exe
PID 2860 wrote to memory of 2768 | N/A | C:\Windows\SysWOW64\net.exe | C:\Windows\SysWOW64\net1.exe
PID 2860 wrote to memory of 2768 | N/A | C:\Windows\SysWOW64\net.exe | C:\Windows\SysWOW64\net1.exe
PID 2860 wrote to memory of 2768 | N/A | C:\Windows\SysWOW64\net.exe | C:\Windows\SysWOW64\net1.exe
PID 2760 wrote to memory of 1196 | N/A | C:\Windows\Logo1_.exe | C:\Windows\Explorer.EXE
PID 2760 wrote to memory of 1196 | N/A | C:\Windows\Logo1_.exe | C:\Windows\Explorer.EXE

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\63e66d289d9d10f1f9450117bb61e7ae_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\63e66d289d9d10f1f9450117bb61e7ae_JaffaCakes118.exe"

C:\Windows\SysWOW64\net.exe

net stop "Kingsoft AntiVirus Service"

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"

C:\Windows\SysWOW64\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\$$aE762.bat

C:\Windows\Logo1_.exe

C:\Windows\Logo1_.exe

C:\Users\Admin\AppData\Local\Temp\63e66d289d9d10f1f9450117bb61e7ae_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\63e66d289d9d10f1f9450117bb61e7ae_JaffaCakes118.exe"

C:\Windows\SysWOW64\net.exe

net stop "Kingsoft AntiVirus Service"

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"

C:\Windows\SysWOW64\net.exe

net stop "Kingsoft AntiVirus Service"

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"

Network

N/A

Files

memory/2544-0-0x0000000000400000-0x000000000043C000-memory.dmp

memory/2544-1-0x0000000000020000-0x0000000000040000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\$$aE762.bat

MD5 0893b0b4f686064fe6e1a2b78eed5beb
SHA1 24bc67bfe23fd0328d9488bf7d768530be889f8e
SHA256 9b712ee2a598b30648b3c85b8da03051410fe70a8abfd224c54477f7081567fc
SHA512 91efb88d1f58213041e1d424869bf901acbdd049e2d444ee0819ca7d528090714c77dfda451b4c10f8601606ac0392e6a942af94617da03a83546fd6ad96b86c

memory/2544-17-0x0000000000340000-0x000000000037C000-memory.dmp

memory/2760-21-0x0000000000400000-0x000000000043C000-memory.dmp

C:\Windows\Logo1_.exe

MD5 a38c711eafc90cde1d2fd088859cc730
SHA1 e86fdd76490c304ea32cdf3081159a53b3063fa8
SHA256 d2682ef08c14e94915b3916b391a5b49813e4d9460919a58b9bfd9799020b35c
SHA512 98dc78ad99fda929b89f8f29f1a3cd881deaac1ceb77f6b23274458654435a1ffa84429e016346985c02dbba77f6f0c40b3f2490ef75fb2b4c12d23dbc1bb32b

memory/2544-19-0x0000000000400000-0x000000000043C000-memory.dmp

memory/2544-18-0x0000000000340000-0x000000000037C000-memory.dmp

\Users\Admin\AppData\Local\Temp\63e66d289d9d10f1f9450117bb61e7ae_JaffaCakes118.exe

MD5 e0f7d4dad3fc65c04b44fa4058a2f530
SHA1 dd4d84769aa767997178969ec35a621c12ca9bd5
SHA256 64182df59e02c147b2e5d4edb83f0bc1f92a3f451514f4950f7852540954123e
SHA512 941dd58ea796ea8d5f45462cbafb78c56161f10960ce646cda27df032f4bee3028675b198b4f75e0c21241d1929f798b1cf439f9f2977dcf1c16fb342a9e1cfe

C:\Windows\system32\drivers\etc\hosts

MD5 7e3a0edd0c6cd8316f4b6c159d5167a1
SHA1 753428b4736ffb2c9e3eb50f89255b212768c55a
SHA256 1965854dfa54c72529c88c7d9f41fa31b4140cad04cf03d3f0f2e7601fcbdc6c
SHA512 9c68f7f72dfa109fcfba6472a1cced85bc6c2a5481232c6d1d039c88b2f65fb86070aeb26ac23e420c6255daca02ea6e698892f7670298d2c4f741b9e9415c7f

memory/1196-34-0x0000000002CE0000-0x0000000002CE1000-memory.dmp

memory/2760-37-0x0000000000400000-0x000000000043C000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-10-20 19:24
Reported: 2024-10-20 19:27
Platform: win10v2004-20241007-en
Max time kernel: 139s
Max time network: 123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\63e66d289d9d10f1f9450117bb61e7ae_JaffaCakes118.exe"

Signatures

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\63e66d289d9d10f1f9450117bb61e7ae_JaffaCakes118.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\63e66d289d9d10f1f9450117bb61e7ae_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\63e66d289d9d10f1f9450117bb61e7ae_JaffaCakes118.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4376 -ip 4376

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4376 -s 224

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 226.108.222.173.in-addr.arpa | udp
US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp
US | 8.8.8.8:53 | g.bing.com | udp
US | 150.171.27.10:443 | g.bing.com | tcp
US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 72.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp
US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 73.209.201.84.in-addr.arpa | udp
US | 8.8.8.8:53 | 210.108.222.173.in-addr.arpa | udp
US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp

Files

memory/4376-0-0x0000000000400000-0x000000000043C000-memory.dmp

memory/4376-1-0x0000000000400000-0x000000000043C000-memory.dmp