Overview

overview

10

Static

static

3

JaffaCakes...20.exe

windows7-x64

10

JaffaCakes...20.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    147s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    06-01-2025 05:42

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    JaffaCakes118_11a217ba00b5b7debc4e3afebcbd9320.exe

  • Size

    13.1MB

  • MD5

    11a217ba00b5b7debc4e3afebcbd9320

  • SHA1

    f5e713e1fe39731c1c8981d6c17071fe5632ebc5

  • SHA256

    c2f0e9bc6250ec69641cb2531d1a7d4cafcb35cf6806051d95b5c65fdd9cd9a1

  • SHA512

    5b4a83c2b11c7cc7dad01a877cbfbd55328b808867c2bd6bf83bddcb9188d82f82c2ec5aaa6dfde0a60f5104c5876b3d9829cb5a3ec26665bda1bfec5d91b5c7

  • SSDEEP

    196608:bZS+hQW1n/RNrlHAjoG+IGCsXDjDyfh9qVv4DFd4ff7ROZkJIGnMFFnblHgdRcwR:9hQgZxlHOFGCEDs9/DX4gZkGnZHk

Score
10/10
asyncratwindows securitydiscoverypersistencepyinstallerrat

Malware Config

Extracted

Family

asyncrat

Version

1.0.6

Botnet

Windows Security

C2

91.193.75.169:4782

Mutex

DcRatMutex_qwqdanchuk

Attributes
  • delay

    1

  • install

    true

  • install_file

    Windows Security.exe

  • install_folder

    %AppData%

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers written in C#.

    ratasyncrat
  • Asyncrat family
    asyncrat
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 6 IoCs
  • Loads dropped DLL 19 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of SetThreadContext 2 IoCs
  • Detects Pyinstaller 1 IoCs
    pyinstaller
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 38 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_11a217ba00b5b7debc4e3afebcbd9320.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_11a217ba00b5b7debc4e3afebcbd9320.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1208
    • C:\Users\Admin\AppData\Roaming\Windows App Security\Windows Security.exe
      "C:\Users\Admin\AppData\Roaming\Windows App Security\Windows Security.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3848
      • C:\Users\Admin\AppData\Roaming\Windows App Security\Windows Security.exe
        "C:\Users\Admin\AppData\Roaming\Windows App Security\Windows Security.exe"
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1684
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Windows Security" /tr '"C:\Users\Admin\AppData\Roaming\Windows Security.exe"' & exit
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:4492
          • C:\Windows\SysWOW64\schtasks.exe
            schtasks /create /f /sc onlogon /rl highest /tn "Windows Security" /tr '"C:\Users\Admin\AppData\Roaming\Windows Security.exe"'
            5⤵
            • System Location Discovery: System Language Discovery
            • Scheduled Task/Job: Scheduled Task
            PID:3168
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpC69C.tmp.bat""
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:3856
          • C:\Windows\SysWOW64\timeout.exe
            timeout 3
            5⤵
            • System Location Discovery: System Language Discovery
            • Delays execution with timeout.exe
            PID:4228
          • C:\Users\Admin\AppData\Roaming\Windows Security.exe
            "C:\Users\Admin\AppData\Roaming\Windows Security.exe"
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:2580
            • C:\Users\Admin\AppData\Roaming\Windows Security.exe
              "C:\Users\Admin\AppData\Roaming\Windows Security.exe"
              6⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:3664
    • C:\Users\Admin\AppData\Roaming\v7.5.exe
      "C:\Users\Admin\AppData\Roaming\v7.5.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:3612
      • C:\Users\Admin\AppData\Roaming\v7.5.exe
        "C:\Users\Admin\AppData\Roaming\v7.5.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        PID:4992

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Windows Security.exe.log
    Filesize

    507B

    MD5

    8cf94b5356be60247d331660005941ec

    SHA1

    fdedb361f40f22cb6a086c808fc0056d4e421131

    SHA256

    52a5b2d36f2b72cb02c695cf7ef46444dda73d4ea82a73e0894c805fa9987bc0

    SHA512

    b886dfc8bf03f8627f051fb6e2ac40ae2e7713584695a365728eb2e2c87217830029aa35bd129c642fa03dde3f7a7dd5690b16248676be60a6bb5f497fb23651

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\_MEI36122\VCRUNTIME140.dll
    Filesize

    93KB

    MD5

    4a365ffdbde27954e768358f4a4ce82e

    SHA1

    a1b31102eee1d2a4ed1290da2038b7b9f6a104a3

    SHA256

    6a0850419432735a98e56857d5cfce97e9d58a947a9863ca6afadd1c7bcab27c

    SHA512

    54e4b6287c4d5a165509047262873085f50953af63ca0dcb7649c22aba5b439ab117a7e0d6e7f0a3e51a23e28a255ffd1ca1ddce4b2ea7f87bca1c9b0dbe2722

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\_MEI36122\_bz2.pyd
    Filesize

    84KB

    MD5

    e91b4f8e1592da26bacaceb542a220a8

    SHA1

    5459d4c2147fa6db75211c3ec6166b869738bd38

    SHA256

    20895fa331712701ebfdbb9ab87e394309e910f1d782929fd65b59ed76d9c90f

    SHA512

    cb797fa758c65358e5b0fef739181f6b39e0629758a6f8d5c4bd7dc6422001769a19df0c746724fb2567a58708b18bbd098327bfbdf3378426049b113eb848e9

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\_MEI36122\_ctypes.pyd
    Filesize

    124KB

    MD5

    6fe3827e6704443e588c2701568b5f89

    SHA1

    ac9325fd29dead82ccd30be3ee7ee91c3aaeb967

    SHA256

    73acf2e0e28040cd696255abd53caaa811470b17a07c7b4d5a94f346b7474391

    SHA512

    be2502c006a615df30e61bea138bd1afca30640f39522d18db94df293c71df0a86c88df5fd5d8407daf1ccea6fac012d086212a3b80b8c32ede33b937881533a

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\_MEI36122\_hashlib.pyd
    Filesize

    64KB

    MD5

    7c69cb3cb3182a97e3e9a30d2241ebed

    SHA1

    1b8754ff57a14c32bcadc330d4880382c7fffc93

    SHA256

    12a84bacb071b1948a9f751ac8d0653ba71a8f6b217a69fe062608e532065c20

    SHA512

    96dbabbc6b98d473cbe06dcd296f6c6004c485e57ac5ba10560a377393875192b22df8a7103fe4a22795b8d81b8b0ae14ce7646262f87cb609b9e2590a93169e

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\_MEI36122\_lzma.pyd
    Filesize

    159KB

    MD5

    493c33ddf375b394b648c4283b326481

    SHA1

    59c87ee582ba550f064429cb26ad79622c594f08

    SHA256

    6384ded31408788d35a89dc3f7705ea2928f6bbdeb8b627f0d1b2d7b1ea13e16

    SHA512

    a4a83f04c7fc321796ce6a932d572dca1ad6ecefd31002320aeaa2453701ed49ef9f0d9ba91c969737565a6512b94fbb0311aee53d355345a03e98f43e6f98b2

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\_MEI36122\_queue.pyd
    Filesize

    28KB

    MD5

    103a38f7fbf0da48b8611af309188011

    SHA1

    1db9e2cb2a92243da12efdca617499eb93ddcbf8

    SHA256

    3bc50ac551635b9ce6fbcddea5d3d621c1216e49e9958fa24546ab8f6f2d111a

    SHA512

    2e6c4b9786034cbf6a6d94761ed31807657ee10edd679147c838a2e6e97a0c13acd6e59bc6e69edf1ca725f12e0f972a0de0ae4b331da46dccd687c59096a250

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\_MEI36122\_socket.pyd
    Filesize

    78KB

    MD5

    fd1cfe0f0023c5780247f11d8d2802c9

    SHA1

    5b29a3b4c6edb6fa176077e1f1432e3b0178f2bc

    SHA256

    258a5f0b4d362b2fed80b24eeabcb3cdd1602e32ff79d87225da6d15106b17a6

    SHA512

    b304a2e56829a557ec401c6fdda78d6d05b7495a610c1ed793d6b25fc5af891cb2a1581addb27ab5e2a6cb0be24d9678f67b97828015161bc875df9b7b5055ae

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\_MEI36122\_ssl.pyd
    Filesize

    151KB

    MD5

    34b1d4db44fc3b29e8a85dd01432535f

    SHA1

    3189c207370622c97c7c049c97262d59c6487983

    SHA256

    e4aa33b312cec5aa5a0b064557576844879e0dccc40047c9d0a769a1d03f03f6

    SHA512

    f5f3dcd48d01aa56bd0a11eee02c21546440a59791ced2f85cdac81da1848ef367a93ef4f10fa52331ee2edea93cbcc95a0f94c0ccefa5d19e04ae5013563aee

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\_MEI36122\base_library.zip
    Filesize

    763KB

    MD5

    351393fc3c27e6196f1d2900ed7fb63b

    SHA1

    5de89626d5c4ca194a27fc81435af2a9343de5f0

    SHA256

    265e656d9b804fee1ac2d39e9caa356ec3d3786faa21f202e8ed4eb371b32737

    SHA512

    84894a3820f3221475afe98080abbfa350b16aab4aa57231279408bc080ac256ed7b31c37ad72a3949e584badda399dee28ffa4bb54bd70b5b05164c0322c764

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\_MEI36122\libcrypto-1_1.dll
    Filesize

    3.2MB

    MD5

    89511df61678befa2f62f5025c8c8448

    SHA1

    df3961f833b4964f70fcf1c002d9fd7309f53ef8

    SHA256

    296426e7ce11bc3d1cfa9f2aeb42f60c974da4af3b3efbeb0ba40e92e5299fdf

    SHA512

    9af069ea13551a4672fdd4635d3242e017837b76ab2815788148dd4c44b4cf3a650d43ac79cd2122e1e51e01fb5164e71ff81a829395bdb8e50bb50a33f0a668

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\_MEI36122\libffi-7.dll
    Filesize

    32KB

    MD5

    eef7981412be8ea459064d3090f4b3aa

    SHA1

    c60da4830ce27afc234b3c3014c583f7f0a5a925

    SHA256

    f60dd9f2fcbd495674dfc1555effb710eb081fc7d4cae5fa58c438ab50405081

    SHA512

    dc9ff4202f74a13ca9949a123dff4c0223da969f49e9348feaf93da4470f7be82cfa1d392566eaaa836d77dde7193fed15a8395509f72a0e9f97c66c0a096016

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\_MEI36122\libssl-1_1.dll
    Filesize

    674KB

    MD5

    50bcfb04328fec1a22c31c0e39286470

    SHA1

    3a1b78faf34125c7b8d684419fa715c367db3daa

    SHA256

    fddd0da02dcd41786e9aa04ba17ba391ce39dae6b1f54cfa1e2bb55bc753fce9

    SHA512

    370e6dfd318d905b79baf1808efbf6da58590f00006513bdaaed0c313f6fa6c36f634ea3b05f916cee59f4db25a23dd9e6f64caf3c04a200e78c193027f57685

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\_MEI36122\lxml\_elementpath.cp39-win_amd64.pyd
    Filesize

    141KB

    MD5

    701e543c4c9d3b42228e9f342d0e8eec

    SHA1

    9f2d69a5d0174ea4eca3b59bfe41c9d09c94fc8b

    SHA256

    ec553dec8c3cf836195798198a74911b4d5823a69c0bb4b89336a348255a1313

    SHA512

    3a88da4931e95cc9d1712fc27f17e9d706a7144cdce4b6380a18286ceaa9976cd5c50d60d143e4e9f11168e217248f1ce7a7d6affb4034c522ebf8132d22e7e9

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\_MEI36122\lxml\etree.cp39-win_amd64.pyd
    Filesize

    3.7MB

    MD5

    8e6b4996bd22623395bc39237e86b4a0

    SHA1

    02f8ad01a86021a3b5256fc090e233bf8c89a417

    SHA256

    ed1922cc9f54372b575a54c2d4588036f811b423929da55d0d735e1664700eec

    SHA512

    fe85d384b5aa332a7f620a04177b7fe5ca5aac3c481c8131fec4cb922168f3d201692eaabee118f606eeb41390a1dbce31e51e36d5030f38f6a081d2796cb0a9

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\_MEI36122\python3.DLL
    Filesize

    58KB

    MD5

    e438f5470c5c1cb5ddbe02b59e13ad2c

    SHA1

    ec58741bf0be7f97525f4b867869a3b536e68589

    SHA256

    1dc81d8066d44480163233f249468039d3de97e91937965e7a369ae1499013da

    SHA512

    bd8012b167dd37bd5b57521ca91ad2c9891a61866558f2cc8e80bb029d6f7d73c758fb5be7a181562640011e8b4b54afa3a12434ba00f445c1a87b52552429d3

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\_MEI36122\python39.dll
    Filesize

    4.3MB

    MD5

    5cd203d356a77646856341a0c9135fc6

    SHA1

    a1f4ac5cc2f5ecb075b3d0129e620784814a48f7

    SHA256

    a56afcf5f3a72769c77c3bc43c9b84197180a8b3380b6258073223bfd72ed47a

    SHA512

    390008d57fa711d7c88b77937bf16fdb230e7c1e7182faea6d7c206e9f65ced6f2e835f9da9befb941e80624abe45875602e0e7ad485d9a009d2450a2a0e0f1f

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\_MEI36122\select.pyd
    Filesize

    28KB

    MD5

    0e3cf5d792a3f543be8bbc186b97a27a

    SHA1

    50f4c70fce31504c6b746a2c8d9754a16ebc8d5e

    SHA256

    c7ffae6dc927cf10ac5da08614912bb3ad8fc52aa0ef9bc376d831e72dd74460

    SHA512

    224b42e05b4dbdf7275ee7c5d3eb190024fc55e22e38bd189c1685efee2a3dd527c6dfcb2feeec525b8d6dc35aded1eac2423ed62bb2599bb6a9ea34e842c340

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\_MEI36122\ucrtbase.dll
    Filesize

    971KB

    MD5

    bd8b198c3210b885fe516500306a4fcf

    SHA1

    28762cb66003587be1a59c2668d2300fce300c2d

    SHA256

    ce2621719f1358508c2c33bcc1380d78a737ca20cd18c0ac89f38e1be788d9a2

    SHA512

    c32b6c083d3a7da01085718e5685e9a04034be91251c065794ceef1dfaaf6573fdd845cbc84e926ab3f510d295649cb6e497564fbe52cc79c053357c645c11a5

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\_MEI36122\unicodedata.pyd
    Filesize

    1.1MB

    MD5

    7af51031368619638cca688a7275db14

    SHA1

    64e2cc5ac5afe8a65af690047dc03858157e964c

    SHA256

    7f02a99a23cc3ff63ecb10ba6006e2da7bf685530bad43882ebf90d042b9eeb6

    SHA512

    fbde24501288ff9b06fc96faff5e7a1849765df239e816774c04a4a6ef54a0c641adf4325bfb116952082d3234baef12288174ad8c18b62407109f29aa5ab326

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\tmpC69C.tmp.bat
    Filesize

    160B

    MD5

    21620b5a920b9e7e50c1bc26d27597b4

    SHA1

    320d26a191d22c2513e6284427186ba18e5913ed

    SHA256

    2fd9e35d6a0d477bb5af67130a207605ddc6fa08c439d6d47261d800240869b2

    SHA512

    b97cb405dcbeae913d3e101b27d75e8e8a68613e2f19674e26e9f23588742c5577b6d76a2e838f53c455c4862389a59269ee31e5fba9672123964cc3c8a51d5d

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Windows App Security\Windows Security.exe
    Filesize

    388KB

    MD5

    ca18c5fd9ea0891f2d9ddd5dc0ce6803

    SHA1

    14013456f95550fb296a5d5a469376b039d85a1b

    SHA256

    c92dafeba51c0072fd15a52ade6e0fea4624b62dca789fb0dbe6c6a3543e2023

    SHA512

    31c7a5b020e2a27c01a42393f45b119f2789fa0f9a81b8de46cbc910c7cd111f17e017335a9a52f1d04d5ebf33a7bb2a49ac9bd1333378e0c750d3b02a703c90

    Download Submit

  • C:\Users\Admin\AppData\Roaming\v7.5.exe
    Filesize

    12.5MB

    MD5

    c69141d72c70ce1f063c80b87c902771

    SHA1

    2890e6aee7c6f0909b09b5ed7179233faceb5f4d

    SHA256

    a0d38565bc116b80ff94ab357703891398f9b48970196763108f0593c1ac5a20

    SHA512

    c42ac50052e877039f07d95c98455cae8985e2c4fc63c02ea1913527cf28a4c3e587d0eb2747273fe4c4fa3763679d8470f7d9b4683165f73aa4fc4960ff48bd

    Download Submit

  • memory/1208-24-0x0000000075100000-0x00000000756B1000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/1208-0-0x0000000075102000-0x0000000075103000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1208-1-0x0000000075100000-0x00000000756B1000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/1208-2-0x0000000075100000-0x00000000756B1000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/1684-108-0x0000000072270000-0x0000000072A20000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/1684-100-0x0000000000400000-0x0000000000412000-memory.dmp

    Filesize

    72KB

    Download

  • memory/1684-173-0x0000000072270000-0x0000000072A20000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/1684-129-0x0000000072270000-0x0000000072A20000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/3848-86-0x0000000006010000-0x00000000065B4000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/3848-25-0x0000000072270000-0x0000000072A20000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/3848-90-0x0000000005A60000-0x0000000005AF2000-memory.dmp

    Filesize

    584KB

    Download

  • memory/3848-20-0x0000000000FC0000-0x0000000001028000-memory.dmp

    Filesize

    416KB

    Download

  • memory/3848-91-0x0000000005B00000-0x0000000005B9C000-memory.dmp

    Filesize

    624KB

    Download

  • memory/3848-19-0x000000007227E000-0x000000007227F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3848-93-0x0000000005880000-0x000000000588A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/3848-110-0x0000000072270000-0x0000000072A20000-memory.dmp

    Filesize

    7.7MB

    Download