Analysis Overview
SHA256: 665eb5f535fb0f782e2484a043c69bd500d0ff305571554dde5969588d57a9ca
Threat Level: Shows suspicious behavior
The file 8303224aaa5db71190160308fe80deed_JaffaCakes118 was found to show suspicious behavior.
Malicious Activity Summary
Reads user/profile data of web browsers
Reads data files stored by FTP clients
Unsecured Credentials: Credentials In Files
Loads dropped DLL
Executes dropped EXE
Reads local data of messenger clients
Suspicious use of SetThreadContext
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported: 2024-10-31 12:24
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted: 2024-10-31 12:24
Reported: 2024-10-31 13:22
Platform: win10v2004-20241007-en
Max time kernel: 148s
Max time network: 151s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\ctfmon.exe | N/A |
Reads data files stored by FTP clients
Reads local data of messenger clients
Reads user/profile data of web browsers
Unsecured Credentials: Credentials In Files
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2096 set thread context of 3532 | N/A | C:\Users\Admin\AppData\Local\Temp\8303224aaa5db71190160308fe80deed_JaffaCakes118.exe | C:\Users\Admin\AppData\Roaming\ctfmon.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\ctfmon.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\8303224aaa5db71190160308fe80deed_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8303224aaa5db71190160308fe80deed_JaffaCakes118.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\8303224aaa5db71190160308fe80deed_JaffaCakes118.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\8303224aaa5db71190160308fe80deed_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\8303224aaa5db71190160308fe80deed_JaffaCakes118.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\p8rgmf_7.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA336.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCA335.tmp"
C:\Users\Admin\AppData\Roaming\ctfmon.exe
C:\Users\Admin\AppData\Roaming\ctfmon.exe
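The process list and the SetThreadContext, WriteProcessMemory and AdjustPrivilegeToken signatures above describe one chain: the sample in %TEMP% compiles something at run time through csc.exe (the `/noconfig /fullpaths @*.cmdline` form is what the .NET CodeDom provider emits), drops a file named ctfmon.exe into %APPDATA%\Roaming (the real ctfmon.exe lives in C:\Windows\System32), then writes into that child and resets a thread context in it, which is the classic hollowing/injection sequence. The script below is an added triage example, not part of the sandbox report or its tooling: it takes a process tree plus an API-call log in the shape of this report and emits the findings a reviewer would want flagged. The parent/child links, the PIDs used for csc.exe and cvtres.exe, the WriteProcessMemory target and the SYSTEM_BINARIES / USER_WRITABLE lists are constructed assumptions; the report only names PIDs 2096 and 3532 explicitly.

```python
"""Triage a sandbox process tree plus API-call log for the patterns in this
report: hollowing of a dropped child, a system-binary name outside C:\\Windows,
run-time .NET compilation via csc.exe, and SeDebugPrivilege from a user path.
Added example; PPIDs, csc/cvtres PIDs and the WriteProcessMemory target are
assumptions, as are the SYSTEM_BINARIES and USER_WRITABLE lists."""
import ntpath
import re
from dataclasses import dataclass
from typing import Optional

WINDOWS_DIR = "c:\\windows"
# Names that ship in System32; a copy anywhere else is suspect (illustrative list).
SYSTEM_BINARIES = {"ctfmon.exe", "svchost.exe", "explorer.exe", "lsass.exe"}
# Locations a user-level dropper typically writes to (illustrative list).
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\", "\\users\\public\\")
# csc.exe response-file invocation as produced by CodeDom / CSharpCodeProvider.
CSC_RE = re.compile(r'/noconfig\s+/fullpaths\s+@"?([^"\s]+\.cmdline)', re.I)


@dataclass
class Proc:
    pid: int
    ppid: int
    image: str
    cmdline: str


@dataclass
class ApiCall:
    pid: int
    api: str
    target_pid: Optional[int] = None
    detail: str = ""


def is_user_writable(image: str) -> bool:
    img = image.lower()
    return any(marker in img for marker in USER_WRITABLE)


def find_masquerades(procs):
    """System-binary file name running from a path that is not under C:\\Windows."""
    hits = []
    for p in procs:
        name = ntpath.basename(p.image).lower()
        if name in SYSTEM_BINARIES and not p.image.lower().startswith(WINDOWS_DIR):
            hits.append(("masquerade", p.pid, p.image))
    return hits


def find_hollowing(procs, calls):
    """A parent that writes into its own child and then sets a thread context
    there. Hollowing proper also needs the child created suspended, which this
    report does not record, so the finding is 'injection-like', not proof."""
    by_pid = {p.pid: p for p in procs}
    writes = {(c.pid, c.target_pid) for c in calls if c.api == "WriteProcessMemory"}
    hits = []
    for c in calls:
        if c.api != "SetThreadContext" or (c.pid, c.target_pid) not in writes:
            continue
        child = by_pid.get(c.target_pid)
        if child is not None and child.ppid == c.pid:
            hits.append(("hollowing", c.pid, c.target_pid, child.image))
    return hits


def find_runtime_compilation(procs):
    """csc.exe fed a @*.cmdline response file by a parent running from a
    user-writable path: normal for a developer tool, not for a %TEMP% binary."""
    by_pid = {p.pid: p for p in procs}
    hits = []
    for p in procs:
        if ntpath.basename(p.image).lower() != "csc.exe":
            continue
        m = CSC_RE.search(p.cmdline)
        parent = by_pid.get(p.ppid)
        if m and parent is not None and is_user_writable(parent.image):
            hits.append(("runtime_compile", parent.pid, p.pid, m.group(1)))
    return hits


def find_debug_privilege(procs, calls):
    """SeDebugPrivilege enabled by a process that lives in a user-writable path."""
    by_pid = {p.pid: p for p in procs}
    hits = []
    for c in calls:
        if c.api == "AdjustPrivilegeToken" and "SeDebugPrivilege" in c.detail:
            proc = by_pid.get(c.pid)
            if proc is not None and is_user_writable(proc.image):
                hits.append(("sedebug", c.pid, proc.image))
    return hits


def triage(procs, calls):
    return (find_masquerades(procs) + find_hollowing(procs, calls)
            + find_runtime_compilation(procs) + find_debug_privilege(procs, calls))


# Constructed from the behavioral2 run above. PPID 1000 for the sample and the
# PIDs 1284/1300 for csc.exe/cvtres.exe are assumptions.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\8303224aaa5db71190160308fe80deed_JaffaCakes118.exe"
NETFX = r"C:\Windows\Microsoft.NET\Framework\v2.0.50727"
PROCS = [
    Proc(2096, 1000, SAMPLE, f'"{SAMPLE}"'),
    Proc(1284, 2096, NETFX + r"\csc.exe",
         f'"{NETFX}\\csc.exe" /noconfig /fullpaths @"C:\\Users\\Admin\\AppData\\Local\\Temp\\p8rgmf_7.cmdline"'),
    Proc(1300, 1284, NETFX + r"\cvtres.exe",
         f'{NETFX}\\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\\Users\\Admin\\AppData\\Local\\Temp\\RESA336.tmp" "c:\\Users\\Admin\\AppData\\Local\\Temp\\CSCA335.tmp"'),
    Proc(3532, 2096, r"C:\Users\Admin\AppData\Roaming\ctfmon.exe", r"C:\Users\Admin\AppData\Roaming\ctfmon.exe"),
]
CALLS = [
    ApiCall(2096, "AdjustPrivilegeToken", detail="Token: SeDebugPrivilege"),
    ApiCall(2096, "WriteProcessMemory", 3532),   # target assumed; report gives no detail
    ApiCall(2096, "SetThreadContext", 3532),     # "PID 2096 set thread context of 3532"
]

if __name__ == "__main__":
    for finding in triage(PROCS, CALLS):
        print(finding)
```

Two caveats when reading the signatures this way: the memory dumps of PID 3532 at 0x400000-0x458000 are consistent with an image written into the child but the report shows no CREATE_SUSPENDED flag, so call it injection rather than hollowing until the dumped region is examined; and the System Language Discovery signature fires here for csc.exe and cvtres.exe as well, which the sample never wrote, so a read of the NLS\Language key carries little weight on its own.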
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 64.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 107.12.20.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
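Nearly every row in the Network table is a PTR query (a `*.in-addr.arpa` name sent to 8.8.8.8), which is the OS resolving names for addresses it already talked to, and the only TCP traffic goes to tse1.mm.bing.net, a Microsoft host that clean Windows 10 sandboxes also contact; the win7 run below records no network activity at all, and no row here is attributed to a process. The helper below is an added example, not part of the report: it reverses the PTR names back into the IPs they stand for, separates them from forward lookups, and counts the TCP endpoints, so the addresses can be checked against an allowlist or threat intel rather than read as hostnames. The table text in ROWS is pasted from the rows above.

```python
"""Summarise a sandbox Network table: reverse PTR names back to IPs, separate
forward lookups, and tally TCP endpoints. Added example; it attributes nothing
to a process because the report does not."""
import ipaddress
from collections import Counter

PTR_SUFFIX = ".in-addr.arpa"


def ptr_to_ip(name: str):
    """'13.86.106.20.in-addr.arpa' -> IPv4Address('20.106.86.13'); None if not a PTR name."""
    if not name.endswith(PTR_SUFFIX):
        return None
    labels = name[: -len(PTR_SUFFIX)].split(".")
    if len(labels) != 4:
        return None
    try:
        return ipaddress.IPv4Address(".".join(reversed(labels)))
    except ipaddress.AddressValueError:
        return None


def parse_rows(table: str):
    """Parse '| Country | Destination | Domain | Proto |' rows; skips the header."""
    rows = []
    for line in table.strip().splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 4 or cells[0] == "Country":
            continue
        country, dest, domain, proto = cells
        host, _, port = dest.rpartition(":")
        rows.append({"country": country, "host": host, "port": int(port),
                     "domain": domain, "proto": proto})
    return rows


def summarise(table: str):
    rows = parse_rows(table)
    ptr_ips, forward, tcp = [], set(), Counter()
    for r in rows:
        if r["proto"] == "udp" and r["port"] == 53:
            ip = ptr_to_ip(r["domain"])
            if ip is None:
                forward.add(r["domain"])      # a real name the process asked for
            else:
                ptr_ips.append(ip)            # reverse lookup: address already known
        elif r["proto"] == "tcp":
            tcp[(r["host"], r["port"], r["domain"])] += 1
    return {
        "ptr_ips": [str(ip) for ip in sorted(ptr_ips)],
        "private_ptr_ips": [str(ip) for ip in ptr_ips if ip.is_private],
        "forward_lookups": sorted(forward),
        "tcp_endpoints": dict(tcp),
    }


# Pasted from the behavioral2 Network table (constructed input for the example).
ROWS = """
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 64.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 107.12.20.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
"""

if __name__ == "__main__":
    for key, value in summarise(ROWS).items():
        print(key, value)
```

The useful output is the reversed address list: `13.86.106.20.in-addr.arpa` is a lookup for 20.106.86.13, not a connection to 13.86.106.20, and a PTR query by itself shows only that the host had that address in hand. Whether those addresses belong to the sample or to the OS cannot be settled from this table; a run with a process-attributed capture would be needed.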
Files
memory/2096-0-0x0000000074A62000-0x0000000074A63000-memory.dmp
memory/2096-1-0x0000000074A60000-0x0000000075011000-memory.dmp
memory/2096-2-0x0000000074A60000-0x0000000075011000-memory.dmp
\??\c:\Users\Admin\AppData\Local\Temp\p8rgmf_7.cmdline
| MD5 | 87a5ac72919fa975d063abe109e2fe41 |
| SHA1 | 08ef8ba471b330866f2fd1ac26b9c0168521b3a9 |
| SHA256 | 0b6c7ddbbaea6dbcf3d0a2de0db82a51f3cea54fe6f6e1878c314d43c1ed78df |
| SHA512 | 8f951f519970c701d7c3f883a216930fae4386cfb5b74c911ccbe986ce779b10094e1be6bfc9ad8bda46cb85fa5b7b8c44dd14ea972e0bcfd3d31fe0c33590a5 |
\??\c:\Users\Admin\AppData\Local\Temp\p8rgmf_7.0.cs
| MD5 | 2216d197bc442e875016eba15c07a937 |
| SHA1 | 37528e21ea3271b85d276c6bd003e6c60c81545d |
| SHA256 | 2e9e3da7bfa1334706550bb4d6269bf3e64cbbc09fa349af52eb22f32aebb4af |
| SHA512 | 7d7bdc3bf83ac0a29e917ead899dcaa1b47ee2660f405fe4883ca2a2546f7924265e1d75a2ea02c0e34fac4d2bb82bbaaa88d06c240afad4e9fd49337cd04d3f |
memory/1284-9-0x0000000074A60000-0x0000000075011000-memory.dmp
\??\c:\Users\Admin\AppData\Local\Temp\CSCA335.tmp
| MD5 | c07aaa3881e69bce52aa21297480d6e0 |
| SHA1 | 043ce3f67cc38909bbc9983de4b4a0e7ac9def1b |
| SHA256 | 9b4d1d48fb580afa59d299eaaaee605d113f8bafa93b8fce5f52bad5450bd298 |
| SHA512 | 5708b180c6a4b1bcedc569f611bc254062bd6e7aa66600fc7eb35fa03568cd981d1cdcff9276b379978926c126747e495653dcd065a3fd552239b40989decedf |
C:\Users\Admin\AppData\Local\Temp\RESA336.tmp
| MD5 | 28a0995f7c2b0c3675cc827790773dc8 |
| SHA1 | 765c7cc577c12ce8df1e4ee88c11627481e18eb3 |
| SHA256 | 4fa0e119c99a780bc87eea3cc3dd37a7f5ffc7301f53b3069ea15e7b20545acb |
| SHA512 | d06994e0220ff34c3e21716f7e289b113845004d29d0cc73b6c65bb4b6c3c3c97f079652310eaa542097aa20aec7a3d7dfb9a028faad95534d9c2b07e7a34e4e |
C:\Users\Admin\AppData\Local\Temp\p8rgmf_7.dll
| MD5 | 30dafadade8850dcb3218fe9133aff95 |
| SHA1 | 5218b9eb01f290934b8ba931722a87aa63b5f586 |
| SHA256 | 8ed9f75bd8196681462b42c1a08264dc50a0fa515df6a0822e0ca6f93c9d657b |
| SHA512 | aca7aabb3555aaafcaa58702db98ee4f31baf1a48562ff80945b385827e9f86b2423c8e53856429eb3d14750e2f4b74f85daa2a907d27f755bd974df72e314fe |
memory/1284-16-0x0000000074A60000-0x0000000075011000-memory.dmp
C:\Users\Admin\AppData\Roaming\ctfmon.exe
| MD5 | e32cdc2a701efc0c43ba95d99bcf9e32 |
| SHA1 | 2b293b5c64fabea0e7b4c23e519829ce3fc2da0e |
| SHA256 | da79b35907e16d73c73fdcef017a79cf78091a4b3daeb7834cb72783d8b79e0e |
| SHA512 | 7cf10ce268bacef2a222ecd1b4cacf7c99d40175cb754f1dbb4db18977e84831654666265498a895b27d3954bb9905277f2420f07c273051a6e6c59988c141c6 |
memory/3532-20-0x0000000000400000-0x0000000000458000-memory.dmp
memory/3532-25-0x0000000000400000-0x0000000000458000-memory.dmp
memory/3532-27-0x0000000000400000-0x0000000000458000-memory.dmp
memory/2096-26-0x0000000074A60000-0x0000000075011000-memory.dmp
memory/3532-30-0x0000000000400000-0x0000000000458000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted: 2024-10-31 12:24
Reported: 2024-10-31 13:22
Platform: win7-20240903-en
Max time kernel: 122s
Max time network: 127s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\ctfmon.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8303224aaa5db71190160308fe80deed_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8303224aaa5db71190160308fe80deed_JaffaCakes118.exe | N/A |
Reads data files stored by FTP clients
Reads local data of messenger clients
Reads user/profile data of web browsers
Unsecured Credentials: Credentials In Files
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2384 set thread context of 2664 | N/A | C:\Users\Admin\AppData\Local\Temp\8303224aaa5db71190160308fe80deed_JaffaCakes118.exe | C:\Users\Admin\AppData\Roaming\ctfmon.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\ctfmon.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\8303224aaa5db71190160308fe80deed_JaffaCakes118.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8303224aaa5db71190160308fe80deed_JaffaCakes118.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\8303224aaa5db71190160308fe80deed_JaffaCakes118.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\8303224aaa5db71190160308fe80deed_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\8303224aaa5db71190160308fe80deed_JaffaCakes118.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\4xavzurb.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF5E4.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCF5E3.tmp"
C:\Users\Admin\AppData\Roaming\ctfmon.exe
C:\Users\Admin\AppData\Roaming\ctfmon.exe
Network
Files
memory/2384-0-0x0000000074A21000-0x0000000074A22000-memory.dmp
memory/2384-1-0x0000000074A20000-0x0000000074FCB000-memory.dmp
memory/2384-2-0x0000000074A20000-0x0000000074FCB000-memory.dmp
\??\c:\Users\Admin\AppData\Local\Temp\4xavzurb.cmdline
| MD5 | 75e249519e1942172ca77381b71dcf93 |
| SHA1 | bdef99d25d60059c1768a3a5fb43bd9b7c045664 |
| SHA256 | 2969546ead7e1b81f57c03bc4ebee0dee0bb0191eedbc80709c996525beb29ad |
| SHA512 | 073e03fc6d107bb08db06e0230fc0c11ee2ee6d5abb034ff27eb29626f3a85fd4d7e819d5836a22b603fba7c5a13a92d092b007f69ea6f394cc3e1dc915daa95 |
\??\c:\Users\Admin\AppData\Local\Temp\4xavzurb.0.cs
| MD5 | 2216d197bc442e875016eba15c07a937 |
| SHA1 | 37528e21ea3271b85d276c6bd003e6c60c81545d |
| SHA256 | 2e9e3da7bfa1334706550bb4d6269bf3e64cbbc09fa349af52eb22f32aebb4af |
| SHA512 | 7d7bdc3bf83ac0a29e917ead899dcaa1b47ee2660f405fe4883ca2a2546f7924265e1d75a2ea02c0e34fac4d2bb82bbaaa88d06c240afad4e9fd49337cd04d3f |
memory/2744-9-0x0000000074A20000-0x0000000074FCB000-memory.dmp
\??\c:\Users\Admin\AppData\Local\Temp\CSCF5E3.tmp
| MD5 | 4080c61ae44490976eaa94f11f2e9de0 |
| SHA1 | 1a536aec4723fb9bfea9919beb712cc845182c15 |
| SHA256 | a7fbb0d557a808ed977d09b8914f2387a2a23e65c93c5e00792e90bc27881d78 |
| SHA512 | 5efe09c3edfae3acea1f7dcf81d6fb8a3b90f13efdf239d60cd5e3841a5efd2b7812a68f80b79d1c3d097c0f111ae9a8309d20679218c97c4dde145a69f8a042 |
C:\Users\Admin\AppData\Local\Temp\RESF5E4.tmp
| MD5 | 4bd860abfa72107a70d7a4d3903cbaeb |
| SHA1 | 5c23c19e46c1c272d2c1ea6b1d2d78a9ac1fbadc |
| SHA256 | 441c8d8439bdb51c829a535bd797c8756b19f0dc95818844d231c064a3523c13 |
| SHA512 | 958ddb47edc119142beb28f25dfb3b0bf153b307e03ba39d682cde7180322f6c9472cf93c05e051793eced83e8356cc1215811864de0d45aa9ccc09f72fa0d09 |
memory/2744-16-0x0000000074A20000-0x0000000074FCB000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\4xavzurb.dll
| MD5 | 1b582355a571c1e18da584d78600be64 |
| SHA1 | 143b8227eb9aeba18e905a0051c923c03572db9b |
| SHA256 | 0c5a111bc81a948fb8fa80bf8f831655b45c0dab8b82687b40e68cb8077399b8 |
| SHA512 | 417c70e3134effa0b2e0466fac5ceafbf71ca9482e369137732da05d8c2d64e250c745b7c83922d6d677a83c78c280bb7d98c657fb159ea7571bbb3484bf9a53 |
memory/2664-41-0x0000000000400000-0x0000000000458000-memory.dmp
memory/2664-40-0x0000000000400000-0x0000000000458000-memory.dmp
C:\Users\Admin\AppData\Roaming\ctfmon.exe
| MD5 | e32cdc2a701efc0c43ba95d99bcf9e32 |
| SHA1 | 2b293b5c64fabea0e7b4c23e519829ce3fc2da0e |
| SHA256 | da79b35907e16d73c73fdcef017a79cf78091a4b3daeb7834cb72783d8b79e0e |
| SHA512 | 7cf10ce268bacef2a222ecd1b4cacf7c99d40175cb754f1dbb4db18977e84831654666265498a895b27d3954bb9905277f2420f07c273051a6e6c59988c141c6 |
memory/2664-37-0x0000000000400000-0x0000000000458000-memory.dmp
memory/2664-35-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2664-33-0x0000000000400000-0x0000000000458000-memory.dmp
memory/2664-31-0x0000000000400000-0x0000000000458000-memory.dmp
memory/2664-29-0x0000000000400000-0x0000000000458000-memory.dmp
memory/2664-27-0x0000000000400000-0x0000000000458000-memory.dmp
memory/2664-25-0x0000000000400000-0x0000000000458000-memory.dmp
memory/2384-46-0x0000000074A20000-0x0000000074FCB000-memory.dmp
memory/2664-44-0x0000000000400000-0x0000000000458000-memory.dmp