Malware Analysis Report

2025-08-11 01:16

Sample ID 241021-kxgmzsxene
Target 663875e015dd282302a9cac9ab98104b_JaffaCakes118
SHA256 7fa7565e111626b66a5369ad3a19945dcc2a42c951c86aaeba12435734d059d1
Tags
discovery evasion persistence spyware stealer
score
8/10

Analysis Overview

Threat Level: Likely malicious

The file 663875e015dd282302a9cac9ab98104b_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

discovery evasion persistence spyware stealer

Boot or Logon Autostart Execution: Active Setup

Disables taskbar notifications via registry modification

Loads dropped DLL

Executes dropped EXE

Deletes itself

Modifies system executable filetype association

Reads user/profile data of web browsers

Adds Run key to start application

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Suspicious behavior: EnumeratesProcesses

Modifies registry class

Suspicious use of AdjustPrivilegeToken

Suspicious use of SendNotifyMessage

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of FindShellTrayWindow

Suspicious use of SetWindowsHookEx

Analysis: static1

Detonation Overview

Reported

2024-10-21 08:58

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-21 08:58

Reported

2024-10-21 09:01

Platform

win7-20241010-en

Max time kernel

147s

Max time network

149s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\663875e015dd282302a9cac9ab98104b_JaffaCakes118.dll,#1

Signatures

Boot or Logon Autostart Execution: Active Setup

persistence
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Active Setup\Installed Components C:\Windows\explorer.exe N/A

Disables taskbar notifications via registry modification

evasion

Deletes itself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\tim.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\tim.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Modifies system executable filetype association

persistence
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\exefile\shell\open C:\Users\Admin\AppData\Local\tim.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\exefile\shell\open\command C:\Users\Admin\AppData\Local\tim.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\exefile\shell\start\command\IsolatedCommand = "\"%1\" %*" C:\Users\Admin\AppData\Local\tim.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\exefile\ = "Application" C:\Users\Admin\AppData\Local\tim.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\exefile\DefaultIcon C:\Users\Admin\AppData\Local\tim.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\exefile\shell\runas\command C:\Users\Admin\AppData\Local\tim.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\exefile\DefaultIcon\ = "%1" C:\Users\Admin\AppData\Local\tim.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\exefile\shell\runas C:\Users\Admin\AppData\Local\tim.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\exefile\shell\runas\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\tim.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\exefile\shell\start C:\Users\Admin\AppData\Local\tim.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\exefile\shell\start\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\tim.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\exefile\shell\start\command C:\Users\Admin\AppData\Local\tim.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\exefile\Content Type = "application/x-msdownload" C:\Users\Admin\AppData\Local\tim.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\exefile\shell C:\Users\Admin\AppData\Local\tim.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\exefile\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\tim.exe\" -a \"%1\" %*" C:\Users\Admin\AppData\Local\tim.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\exefile\shell\open\command\IsolatedCommand = "\"%1\" %*" C:\Users\Admin\AppData\Local\tim.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\exefile\shell\runas\command\IsolatedCommand = "\"%1\" %*" C:\Users\Admin\AppData\Local\tim.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\ctfmon.exe = "C:\\WINDOWS\\system32\\ctfmon.exe" C:\Users\Admin\AppData\Local\tim.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\tim.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\.exe\shell\start\command\IsolatedCommand = "\"%1\" %*" C:\Users\Admin\AppData\Local\tim.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\exefile C:\Users\Admin\AppData\Local\tim.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\exefile\shell\open C:\Users\Admin\AppData\Local\tim.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\exefile\shell\start\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\tim.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU C:\Windows\explorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\.exe\ = "exefile" C:\Users\Admin\AppData\Local\tim.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\.exe\shell\runas\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\tim.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\exefile\shell\runas\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\tim.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\exefile\shell\runas\command\IsolatedCommand = "\"%1\" %*" C:\Users\Admin\AppData\Local\tim.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\.exe\shell\runas C:\Users\Admin\AppData\Local\tim.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\.exe\shell\runas\command C:\Users\Admin\AppData\Local\tim.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\.exe\shell\start C:\Users\Admin\AppData\Local\tim.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\exefile\Content Type = "application/x-msdownload" C:\Users\Admin\AppData\Local\tim.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\exefile\DefaultIcon C:\Users\Admin\AppData\Local\tim.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\exefile\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\tim.exe\" -a \"%1\" %*" C:\Users\Admin\AppData\Local\tim.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots C:\Windows\explorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\.exe\DefaultIcon\ = "%1" C:\Users\Admin\AppData\Local\tim.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\.exe\shell\runas\command\IsolatedCommand = "\"%1\" %*" C:\Users\Admin\AppData\Local\tim.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\exefile\DefaultIcon\ = "%1" C:\Users\Admin\AppData\Local\tim.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\exefile\shell C:\Users\Admin\AppData\Local\tim.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\exefile\shell\runas\command C:\Users\Admin\AppData\Local\tim.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\exefile\shell\start C:\Users\Admin\AppData\Local\tim.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\.exe\shell\open\command C:\Users\Admin\AppData\Local\tim.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\.exe\shell\start\command C:\Users\Admin\AppData\Local\tim.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\.exe\shell\open\command\IsolatedCommand = "\"%1\" %*" C:\Users\Admin\AppData\Local\tim.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\.exe\shell\start\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\tim.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_Classes\Local Settings C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\.exe C:\Users\Admin\AppData\Local\tim.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\.exe\DefaultIcon C:\Users\Admin\AppData\Local\tim.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\exefile\shell\open\command C:\Users\Admin\AppData\Local\tim.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\.exe\shell\open C:\Users\Admin\AppData\Local\tim.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\.exe\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\tim.exe\" -a \"%1\" %*" C:\Users\Admin\AppData\Local\tim.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\exefile\ = "Application" C:\Users\Admin\AppData\Local\tim.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\exefile\shell\open\command\IsolatedCommand = "\"%1\" %*" C:\Users\Admin\AppData\Local\tim.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\exefile\shell\runas C:\Users\Admin\AppData\Local\tim.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\exefile\shell\start\command C:\Users\Admin\AppData\Local\tim.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\.exe\Content Type = "application/x-msdownload" C:\Users\Admin\AppData\Local\tim.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\.exe\shell C:\Users\Admin\AppData\Local\tim.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\exefile\shell\start\command\IsolatedCommand = "\"%1\" %*" C:\Users\Admin\AppData\Local\tim.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff C:\Windows\explorer.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\explorer.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\tim.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\663875e015dd282302a9cac9ab98104b_JaffaCakes118.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\663875e015dd282302a9cac9ab98104b_JaffaCakes118.dll,#1

C:\Users\Admin\AppData\Local\tim.exe

"C:\Users\Admin\AppData\Local\tim.exe" -gav C:\Users\Admin\AppData\Local\Temp\663875e015dd282302a9cac9ab98104b_JaffaCakes118.dll

C:\Windows\explorer.exe

explorer.exe

Files

\Users\Admin\AppData\Local\tim.exe

MD5 d5dea36c443b95deac1280b776bbe122
SHA1 03043bb6dffb1ab1798a3ca7ef7d6a043d3758f3
SHA256 bbf14a4ab1513dfa19932d3db7622bae2729dfdea6ff6efc0bd87cd668113105
SHA512 39ad3b86403b9cb7113a1c571295da6363ae246d9d2edcbd6ba39cc45d7e9f2bf169602e766a260871b9135c24418deed77ad1db8bce7e431d27bad731665999

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-21 08:58

Reported

2024-10-21 09:01

Platform

win10v2004-20241007-en

Max time kernel

139s

Max time network

123s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\663875e015dd282302a9cac9ab98104b_JaffaCakes118.dll,#1

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4960 wrote to memory of 3872 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\663875e015dd282302a9cac9ab98104b_JaffaCakes118.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\663875e015dd282302a9cac9ab98104b_JaffaCakes118.dll,#1
