Malware Analysis Report

2024-12-07 15:03

Sample ID 241030-qkkrrsvrdq
Target 7f57583bb712456c4352e068ab6e9184_JaffaCakes118
SHA256 ab5a5dd0ed8c853ca132ade226fa80b5241ab688d2b39a19bab5287d653b8544
Tags
simda discovery persistence stealer trojan
score
10/10

Analysis Overview

score
10/10

SHA256

ab5a5dd0ed8c853ca132ade226fa80b5241ab688d2b39a19bab5287d653b8544

Threat Level: Known bad

The file 7f57583bb712456c4352e068ab6e9184_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

simda discovery persistence stealer trojan

simda

Simda family

Modifies WinLogon

System Location Discovery: System Language Discovery

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-30 13:19

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-30 13:19

Reported

2024-10-30 13:21

Platform

win7-20240903-en

Max time kernel

148s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7f57583bb712456c4352e068ab6e9184_JaffaCakes118.exe"

Signatures

Simda family

simda

simda

stealer trojan simda

Modifies WinLogon

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\82439f2 = "M‰³M{Þ’E=ÔîaK6³\x06J\x1cn³»ëPì\\o\x1aþ\x1cÚFÅ\x16ŒÛŒ=Ÿùg*Ò3Ý`,£.‹x\x14—9æ€2$úªs/c\x04ì\f{\x05pä/w+Dor\x06ÎVû\x13\"l„¡œù\a\x15\x0e²\x0eh\x06¹¡á~TÆï_2/þcs´8u‡´a{\x10GÄ»…‹~ß_\bO‚¤˜þusuï\x05ß••\t¦6á{¸Ó4Ò3\x1eŠF\a±÷ÚFD_Œ\x18ŒËÄ\x10Ìþ~MÀ-½\"äM\aƒ´Ú4œ\x1bêó÷P\x1eŒIO\x0e\x01Ýã¹|ê¶°rêh»\x06•øÖ ÝiÄ#Ë,-…_0H…\b÷÷F÷ŒÚuñ28=—\a˜j\x05¢»\x1bMZÄÝNü{ŒÂ´\x18ÃI:\a&HïZ]\v™u82439f2" C:\Users\Admin\AppData\Local\Temp\7f57583bb712456c4352e068ab6e9184_JaffaCakes118.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7f57583bb712456c4352e068ab6e9184_JaffaCakes118.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7f57583bb712456c4352e068ab6e9184_JaffaCakes118.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7f57583bb712456c4352e068ab6e9184_JaffaCakes118.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\7f57583bb712456c4352e068ab6e9184_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\7f57583bb712456c4352e068ab6e9184_JaffaCakes118.exe"

Network


Files

C:\Users\Admin\AppData\Local\Temp\396.tmp

MD5 8aeb3c3ed6df6d1489b61be4bb282c2f
SHA1 0eb1fd79669c8b54e338c5cf2145b3fe265c231e
SHA256 e107d4800424c74a05664fc1660ca9dff83146d4f288dc34ddb03639f5d29267
SHA512 a802bbefb667190982f6fe67b8cb6c7609ffc439d7edffda20c0de09c99819da1a370aad6bffff51d4fa91d369923d9d44b466040f4f3baad1f2d1e69cde9350

C:\Users\Admin\AppData\Local\Temp\346.tmp

MD5 a19b22b13067480da79ea9f5e78bbde1
SHA1 096d62a600b2ce0a3041c27ca0cf672902c5e467
SHA256 ca4ff023cc7850a2fbc6426561c4924b3a06fcc276cdc4cf60746c087388d95b
SHA512 ea6e3c218bdc56d156683c4d024a0c0e00b628af42c9f7fcd837b95aba36a2d452fbe14440654b5c46cc8486279a599a47b69011c1257b44895d67caff761d49

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-30 13:19

Reported

2024-10-30 13:21

Platform

win10v2004-20241007-en

Max time kernel

135s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7f57583bb712456c4352e068ab6e9184_JaffaCakes118.exe"

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7f57583bb712456c4352e068ab6e9184_JaffaCakes118.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\7f57583bb712456c4352e068ab6e9184_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\7f57583bb712456c4352e068ab6e9184_JaffaCakes118.exe"

Network


Files

N/A