Analysis Overview
SHA256
2b011ffe49624f0ea4c5640fb0c0c1173d03c10254df6d84191541182998dc75
Threat Level: Known bad
The file b1eb5d4cf77b6c0809b23946030eac58_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
Panda Stealer payload
Pandastealer family
PandaStealer
Loads dropped DLL
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-29 14:43
Signatures
Panda Stealer payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Pandastealer family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-29 14:43
Reported
2024-11-29 14:45
Platform
win7-20241010-en
Max time kernel
119s
Max time network
120s
Command Line
Signatures
Panda Stealer payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
PandaStealer
Pandastealer family
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b1eb5d4cf77b6c0809b23946030eac58_JaffaCakes118.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\b1eb5d4cf77b6c0809b23946030eac58_JaffaCakes118.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\b1eb5d4cf77b6c0809b23946030eac58_JaffaCakes118.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b1eb5d4cf77b6c0809b23946030eac58_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b1eb5d4cf77b6c0809b23946030eac58_JaffaCakes118.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\b1eb5d4cf77b6c0809b23946030eac58_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\b1eb5d4cf77b6c0809b23946030eac58_JaffaCakes118.exe"
Network
Files
\Users\Admin\AppData\Local\Temp\Office2007.cjstyles
| MD5 | 6c81f596bfda0b754e3514a46ee48119 |
| SHA1 | bc7f447ca8b41beabf26f9556c58292cf8774d7d |
| SHA256 | fc91fbb7d3e77ebc949873d514679be783c100b352d6737c25d1ef47550145bb |
| SHA512 | b8c9789cb3062a5d670b199e586f6bb126c14da450e2bf874d0f1f36b043db61db77542aca411d5bea4a593564405d81520160043e7fbbea3d0d5b63f991dd15 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-29 14:43
Reported
2024-11-29 14:45
Platform
win10v2004-20241007-en
Max time kernel
94s
Max time network
147s
Command Line
Signatures
Panda Stealer payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
PandaStealer
Pandastealer family
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b1eb5d4cf77b6c0809b23946030eac58_JaffaCakes118.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\b1eb5d4cf77b6c0809b23946030eac58_JaffaCakes118.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\b1eb5d4cf77b6c0809b23946030eac58_JaffaCakes118.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b1eb5d4cf77b6c0809b23946030eac58_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b1eb5d4cf77b6c0809b23946030eac58_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b1eb5d4cf77b6c0809b23946030eac58_JaffaCakes118.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\b1eb5d4cf77b6c0809b23946030eac58_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\b1eb5d4cf77b6c0809b23946030eac58_JaffaCakes118.exe"
Network
Files
C:\Users\Admin\AppData\Local\Temp\Office2007.cjstyles
| MD5 | 6c81f596bfda0b754e3514a46ee48119 |
| SHA1 | bc7f447ca8b41beabf26f9556c58292cf8774d7d |
| SHA256 | fc91fbb7d3e77ebc949873d514679be783c100b352d6737c25d1ef47550145bb |
| SHA512 | b8c9789cb3062a5d670b199e586f6bb126c14da450e2bf874d0f1f36b043db61db77542aca411d5bea4a593564405d81520160043e7fbbea3d0d5b63f991dd15 |