Analysis Overview
SHA256
4e201af7f5247616567a18647dac8dc88189e98ef7aba65990cf2f6190ddea1d
Threat Level: Likely malicious
The file JaffaCakes118_5c7539eb8bd4f1de9ee82d82fb579004 was found to be: Likely malicious.
Malicious Activity Summary
Disables taskbar notifications via registry modification
Boot or Logon Autostart Execution: Active Setup
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
Modifies system executable filetype association
Adds Run key to start application
Suspicious use of SetThreadContext
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Uses Task Scheduler COM API
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious behavior: GetForegroundWindowSpam
Modifies registry class
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2025-01-15 16:40
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2025-01-15 16:40
Reported
2025-01-15 16:43
Platform
win7-20240903-en
Max time kernel
149s
Max time network
150s
Command Line
Signatures
Boot or Logon Autostart Execution: Active Setup
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Active Setup\Installed Components | C:\Windows\explorer.exe | N/A |
Disables taskbar notifications via registry modification
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\kcy.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\kcy.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c7539eb8bd4f1de9ee82d82fb579004.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c7539eb8bd4f1de9ee82d82fb579004.exe | N/A |
Modifies system executable filetype association
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\exefile\shell\open | C:\Users\Admin\AppData\Local\kcy.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\exefile\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\kcy.exe\" -a \"%1\" %*" | C:\Users\Admin\AppData\Local\kcy.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\exefile\Content Type = "application/x-msdownload" | C:\Users\Admin\AppData\Local\kcy.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\exefile\shell | C:\Users\Admin\AppData\Local\kcy.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\exefile\shell\runas | C:\Users\Admin\AppData\Local\kcy.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\exefile\shell\start\command | C:\Users\Admin\AppData\Local\kcy.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\exefile\ = "Application" | C:\Users\Admin\AppData\Local\kcy.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\exefile\shell\runas\command | C:\Users\Admin\AppData\Local\kcy.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\exefile\shell\start | C:\Users\Admin\AppData\Local\kcy.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\exefile\shell\start\command\IsolatedCommand = "\"%1\" %*" | C:\Users\Admin\AppData\Local\kcy.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\exefile\DefaultIcon | C:\Users\Admin\AppData\Local\kcy.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\exefile\DefaultIcon\ = "%1" | C:\Users\Admin\AppData\Local\kcy.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\exefile\shell\open\command | C:\Users\Admin\AppData\Local\kcy.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\exefile\shell\open\command\IsolatedCommand = "\"%1\" %*" | C:\Users\Admin\AppData\Local\kcy.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\exefile\shell\runas\command\ = "\"%1\" %*" | C:\Users\Admin\AppData\Local\kcy.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\exefile\shell\runas\command\IsolatedCommand = "\"%1\" %*" | C:\Users\Admin\AppData\Local\kcy.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\exefile\shell\start\command\ = "\"%1\" %*" | C:\Users\Admin\AppData\Local\kcy.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\ctfmon.exe = "C:\\WINDOWS\\system32\\ctfmon.exe" | C:\Users\Admin\AppData\Local\kcy.exe | N/A |
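The two signatures above (the per-user exefile/.exe handler rewrite and the ctfmon.exe Run entry) belong together. The `<SID>_CLASSES` hive the sandbox reports is HKCU\Software\Classes, which takes precedence over the machine-wide HKLM class registration for that user, so no elevation is needed; every command value that should read `"%1" %*` now runs `kcy.exe -a "%1" %*`, which starts the dropped binary first and hands it the program the user actually opened. The Run entry points at a legitimate system binary and does not look out of place in an autostart review; if its launch is routed through the hijacked association it is simply another trigger for kcy.exe. The script below is an added example, not part of the report or the sample: it parses rows in the table format used above (the sample rows are copied from the report), separates hijacked command values from the unchanged defaults, and lists the per-user keys to delete so the HKLM defaults apply again. `parse_row`, `launcher`, `find_hijacks` and `remediation` are names chosen for this example.

```python
"""Reconstruct the per-user .exe handler hijack from registry rows in the report's table format."""
import ast
import re

# Constructed input: rows copied from the "Modifies system executable filetype association"
# table above (a subset; the report writes the same values under both exefile and .exe).
SAMPLE_ROWS = [
    r'| Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\exefile\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\kcy.exe\" -a \"%1\" %*" | C:\Users\Admin\AppData\Local\kcy.exe | N/A |',
    r'| Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\exefile\shell\runas\command\ = "\"%1\" %*" | C:\Users\Admin\AppData\Local\kcy.exe | N/A |',
    r'| Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\exefile\shell\open\command\IsolatedCommand = "\"%1\" %*" | C:\Users\Admin\AppData\Local\kcy.exe | N/A |',
    r'| Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\.exe\ = "exefile" | C:\Users\Admin\AppData\Local\kcy.exe | N/A |',
    r'| Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\.exe\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\kcy.exe\" -a \"%1\" %*" | C:\Users\Admin\AppData\Local\kcy.exe | N/A |',
    r'| Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\exefile\shell\runas | C:\Users\Admin\AppData\Local\kcy.exe | N/A |',
]

# The sandbox names the per-user class hive "<SID>_CLASSES"; it is HKCU\Software\Classes.
USER_CLASSES = re.compile(r"^\\REGISTRY\\USER\\S-[0-9-]+_CLASSES\\(.+)$", re.IGNORECASE)


def parse_row(row):
    """Split one table row into (action, registry path, decoded data or None)."""
    cells = [c.strip() for c in row.strip().strip("|").split(" | ")]
    action, indicator = cells[0], cells[1]
    key, _, literal = indicator.partition(" = ")
    # The report prints string data as a C-style quoted literal; literal_eval undoes the escaping.
    data = ast.literal_eval(literal) if literal else None
    return action, key, data


def launcher(command):
    """Executable at the front of a shell-verb command line ("%1" for a clean handler)."""
    if command.startswith('"'):
        return command[1:command.index('"', 1)]
    return command.split(" ", 1)[0]


def find_hijacks(rows):
    """Command values under HKCU\\Software\\Classes that no longer start the clicked file itself.
    Returns (HKCU key, value name, hijacking executable, full command) per hit."""
    hits = []
    for row in rows:
        action, key, data = parse_row(row)
        m = USER_CLASSES.match(key)
        if not action.startswith("Set value") or not m:
            continue
        keypath, _, valname = m.group(1).rpartition("\\")   # trailing '\' means the (Default) value
        if not keypath.lower().endswith("\\command"):
            continue
        exe = launcher(data)
        if exe != "%1":
            hits.append(("HKCU\\Software\\Classes\\" + keypath, valname or "(Default)", exe, data))
    return hits


def remediation(hits):
    """reg.exe commands removing the per-user ProgID/extension keys so HKLM defaults apply again."""
    roots = sorted({hit[0].split("\\")[3] for hit in hits})   # e.g. ['.exe', 'exefile']
    return [f'reg delete "HKCU\\Software\\Classes\\{root}" /f' for root in roots]


if __name__ == "__main__":
    found = find_hijacks(SAMPLE_ROWS)
    for key, name, exe, cmd in found:
        print(f"{key} [{name}] -> {exe}\n    {cmd}")
    print("\n".join(remediation(found)))
```

Run the cleanup from an existing cmd.exe or PowerShell session: CreateProcess does not consult file associations, whereas Explorer (double-click, Start menu) does, so starting a tool from the desktop while the hijack is active launches kcy.exe first. Stop the kcy.exe processes and remove the dropped file before deleting the keys; the Process column shows kcy.exe itself writing them.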
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1796 set thread context of 1324 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c7539eb8bd4f1de9ee82d82fb579004.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c7539eb8bd4f1de9ee82d82fb579004.exe |
| PID 2468 set thread context of 2616 | N/A | C:\Users\Admin\AppData\Local\kcy.exe | C:\Users\Admin\AppData\Local\kcy.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c7539eb8bd4f1de9ee82d82fb579004.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c7539eb8bd4f1de9ee82d82fb579004.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\kcy.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\kcy.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff | C:\Windows\explorer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\.exe\shell\start\command\ = "\"%1\" %*" | C:\Users\Admin\AppData\Local\kcy.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\.exe\DefaultIcon | C:\Users\Admin\AppData\Local\kcy.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\.exe\shell\open | C:\Users\Admin\AppData\Local\kcy.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\.exe\shell\runas\command | C:\Users\Admin\AppData\Local\kcy.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\exefile\shell\start\command\ = "\"%1\" %*" | C:\Users\Admin\AppData\Local\kcy.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\.exe\shell | C:\Users\Admin\AppData\Local\kcy.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\.exe\shell\open\command\IsolatedCommand = "\"%1\" %*" | C:\Users\Admin\AppData\Local\kcy.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\.exe\shell\start\command | C:\Users\Admin\AppData\Local\kcy.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\exefile\ = "Application" | C:\Users\Admin\AppData\Local\kcy.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\exefile\Content Type = "application/x-msdownload" | C:\Users\Admin\AppData\Local\kcy.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\exefile\shell\start | C:\Users\Admin\AppData\Local\kcy.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\.exe\shell\runas\command\IsolatedCommand = "\"%1\" %*" | C:\Users\Admin\AppData\Local\kcy.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\.exe\shell\start | C:\Users\Admin\AppData\Local\kcy.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\exefile\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\kcy.exe\" -a \"%1\" %*" | C:\Users\Admin\AppData\Local\kcy.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell | C:\Windows\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\.exe | C:\Users\Admin\AppData\Local\kcy.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\.exe\ = "exefile" | C:\Users\Admin\AppData\Local\kcy.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\.exe\shell\runas | C:\Users\Admin\AppData\Local\kcy.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\.exe\shell\runas\command\ = "\"%1\" %*" | C:\Users\Admin\AppData\Local\kcy.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\exefile\shell\runas\command | C:\Users\Admin\AppData\Local\kcy.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\exefile\shell\runas\command\ = "\"%1\" %*" | C:\Users\Admin\AppData\Local\kcy.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\exefile\shell\runas\command\IsolatedCommand = "\"%1\" %*" | C:\Users\Admin\AppData\Local\kcy.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\exefile\shell\start\command\IsolatedCommand = "\"%1\" %*" | C:\Users\Admin\AppData\Local\kcy.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_Classes\Local Settings | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | C:\Windows\explorer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\.exe\Content Type = "application/x-msdownload" | C:\Users\Admin\AppData\Local\kcy.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\.exe\shell\open\command | C:\Users\Admin\AppData\Local\kcy.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\exefile\shell | C:\Users\Admin\AppData\Local\kcy.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\.exe\DefaultIcon\ = "%1" | C:\Users\Admin\AppData\Local\kcy.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\.exe\shell\start\command\IsolatedCommand = "\"%1\" %*" | C:\Users\Admin\AppData\Local\kcy.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\exefile | C:\Users\Admin\AppData\Local\kcy.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\exefile\DefaultIcon | C:\Users\Admin\AppData\Local\kcy.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\exefile\shell\open | C:\Users\Admin\AppData\Local\kcy.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\.exe\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\kcy.exe\" -a \"%1\" %*" | C:\Users\Admin\AppData\Local\kcy.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\exefile\DefaultIcon\ = "%1" | C:\Users\Admin\AppData\Local\kcy.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\exefile\shell\open\command | C:\Users\Admin\AppData\Local\kcy.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\exefile\shell\open\command\IsolatedCommand = "\"%1\" %*" | C:\Users\Admin\AppData\Local\kcy.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\exefile\shell\runas | C:\Users\Admin\AppData\Local\kcy.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\exefile\shell\start\command | C:\Users\Admin\AppData\Local\kcy.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\kcy.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c7539eb8bd4f1de9ee82d82fb579004.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c7539eb8bd4f1de9ee82d82fb579004.exe"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c7539eb8bd4f1de9ee82d82fb579004.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c7539eb8bd4f1de9ee82d82fb579004.exe"
C:\Users\Admin\AppData\Local\kcy.exe
"C:\Users\Admin\AppData\Local\kcy.exe" -gav C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c7539eb8bd4f1de9ee82d82fb579004.exe
C:\Windows\explorer.exe
explorer.exe
C:\Users\Admin\AppData\Local\kcy.exe
"C:\Users\Admin\AppData\Local\kcy.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | wolycunanoqe.com | udp |
| US | 8.8.8.8:53 | gokuzajylot.com | udp |
| US | 8.8.8.8:53 | cujicaraso.com | udp |
| US | 8.8.8.8:53 | jafybobik.com | udp |
| US | 8.8.8.8:53 | cylakydugudi.com | udp |
| US | 8.8.8.8:53 | gicyxepomer.com | udp |
| US | 8.8.8.8:53 | sakafiduzipame.com | udp |
| US | 8.8.8.8:53 | kytevaviqopoci.com | udp |
| US | 8.8.8.8:53 | tetagyjaj.com | udp |
| US | 8.8.8.8:53 | gopilezavyxiro.com | udp |
| US | 8.8.8.8:53 | celisesuho.com | udp |
| US | 8.8.8.8:53 | zequcitamado.com | udp |
| US | 8.8.8.8:53 | qupajubica.com | udp |
| US | 8.8.8.8:53 | hivanedak.com | udp |
| US | 8.8.8.8:53 | jumonevetode.com | udp |
| US | 8.8.8.8:53 | zuzosahule.com | udp |
| US | 8.8.8.8:53 | nizokatahinery.com | udp |
| US | 8.8.8.8:53 | kynugypenihyf.com | udp |
| US | 8.8.8.8:53 | fevahanybyvu.com | udp |
| US | 8.8.8.8:53 | bemojewedowigo.com | udp |
| US | 8.8.8.8:53 | wamojafadezy.com | udp |
| US | 8.8.8.8:53 | jerakidukojoz.com | udp |
| US | 8.8.8.8:53 | cixovatywo.com | udp |
| US | 8.8.8.8:53 | vakyditefo.com | udp |
| US | 8.8.8.8:53 | wetotyger.com | udp |
| US | 8.8.8.8:53 | pikilokykizanu.com | udp |
| US | 8.8.8.8:53 | bemolaqijicy.com | udp |
| US | 8.8.8.8:53 | tisatosyhimidy.com | udp |
| US | 8.8.8.8:53 | rorodarof.com | udp |
| US | 8.8.8.8:53 | dafatesomyz.com | udp |
| US | 8.8.8.8:53 | microsoft.com | udp |
| US | 8.8.8.8:53 | microsoft.com | udp |
| US | 8.8.8.8:53 | microsoft.com | udp |
| US | 8.8.8.8:53 | microsoft.com | udp |
| US | 8.8.8.8:53 | microsoft.com | udp |
| US | 8.8.8.8:53 | microsoft.com | udp |
| US | 8.8.8.8:53 | microsoft.com | udp |
| US | 8.8.8.8:53 | microsoft.com | udp |
| US | 8.8.8.8:53 | microsoft.com | udp |
| US | 8.8.8.8:53 | microsoft.com | udp |
| US | 8.8.8.8:53 | microsoft.com | udp |
| US | 8.8.8.8:53 | microsoft.com | udp |
| US | 8.8.8.8:53 | microsoft.com | udp |
| US | 8.8.8.8:53 | microsoft.com | udp |
| US | 20.112.250.133:80 | microsoft.com | tcp |
| US | 20.112.250.133:80 | microsoft.com | tcp |
| US | 20.112.250.133:80 | microsoft.com | tcp |
| US | 20.231.239.246:80 | microsoft.com | tcp |
| US | 20.231.239.246:80 | microsoft.com | tcp |
| US | 20.231.239.246:80 | microsoft.com | tcp |
| US | 20.236.44.162:80 | microsoft.com | tcp |
| NL | 20.76.201.171:80 | microsoft.com | tcp |
| US | 20.112.250.133:80 | microsoft.com | tcp |
| NL | 20.76.201.171:80 | microsoft.com | tcp |
| US | 20.231.239.246:80 | microsoft.com | tcp |
| AU | 20.70.246.20:80 | microsoft.com | tcp |
| NL | 20.76.201.171:80 | microsoft.com | tcp |
| US | 20.236.44.162:80 | microsoft.com | tcp |
| US | 20.112.250.133:80 | microsoft.com | tcp |
| AU | 20.70.246.20:80 | microsoft.com | tcp |
| AU | 20.70.246.20:80 | microsoft.com | tcp |
| AU | 20.70.246.20:80 | microsoft.com | tcp |
| AU | 20.70.246.20:80 | microsoft.com | tcp |
| AU | 20.70.246.20:80 | microsoft.com | tcp |
| AU | 20.70.246.20:80 | microsoft.com | tcp |
| AU | 20.70.246.20:80 | microsoft.com | tcp |
| AU | 20.70.246.20:80 | microsoft.com | tcp |
| AU | 20.70.246.20:80 | microsoft.com | tcp |
| AU | 20.70.246.20:80 | microsoft.com | tcp |
| AU | 20.70.246.20:80 | microsoft.com | tcp |
| AU | 20.70.246.20:80 | microsoft.com | tcp |
| AU | 20.70.246.20:80 | microsoft.com | tcp |
| AU | 20.70.246.20:80 | microsoft.com | tcp |
| AU | 20.70.246.20:80 | microsoft.com | tcp |
| US | 8.8.8.8:53 | tydiligobev.com | udp |
| US | 8.8.8.8:53 | gehafovykylyra.com | udp |
| US | 8.8.8.8:53 | kisixoruv.com | udp |
| US | 8.8.8.8:53 | nivipizojiri.com | udp |
| US | 8.8.8.8:53 | zananyjyfu.com | udp |
| US | 8.8.8.8:53 | sitytonamov.com | udp |
| US | 8.8.8.8:53 | roxodepyg.com | udp |
| US | 8.8.8.8:53 | qynolyryviry.com | udp |
| US | 8.8.8.8:53 | letymisanatij.com | udp |
| US | 8.8.8.8:53 | mabodifotykit.com | udp |
| US | 8.8.8.8:53 | ledixynuj.com | udp |
| US | 8.8.8.8:53 | rulofagazetali.com | udp |
| US | 8.8.8.8:53 | rysyhodok.com | udp |
| US | 8.8.8.8:53 | sydocohevabu.com | udp |
| US | 8.8.8.8:53 | jeqovejurejel.com | udp |
| US | 8.8.8.8:53 | huwyzoluxa.com | udp |
| US | 8.8.8.8:53 | qupofajojuh.com | udp |
| US | 8.8.8.8:53 | hytyvuweso.com | udp |
| US | 8.8.8.8:53 | fuzugomaqeriwy.com | udp |
| US | 8.8.8.8:53 | dyfosinyfileti.com | udp |
| US | 8.8.8.8:53 | hyvijinymut.com | udp |
| US | 8.8.8.8:53 | vazevanyxora.com | udp |
| US | 8.8.8.8:53 | vibixydyf.com | udp |
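The lookups above fall into two groups: repeated microsoft.com resolution followed by HTTP on port 80 (consistent with a connectivity check against a domain that is always reachable), and 53 distinct .com names, each queried exactly once, every one built from strictly alternating consonant/vowel pairs, which is the shape of a pronounceable domain generation algorithm. The block below is an added example, not part of the report: a small heuristic that recognises that shape, treats a burst of distinct matches as the signal rather than any single name, and is run on the first 30 names from the table (the sample list is copied from the report; `triage`, `is_cv_alternating` and the burst threshold of 10 are choices made for this example).

```python
"""Heuristic triage of the DNS lookups listed in the Network table of behavioral1."""
import re
from collections import Counter

# Constructed input: the first 30 .com names from the table above, the repeated microsoft.com
# lookups, and one reverse lookup of the kind behavioral2 shows.
DGA_LIKE = """
wolycunanoqe.com gokuzajylot.com cujicaraso.com jafybobik.com cylakydugudi.com
gicyxepomer.com sakafiduzipame.com kytevaviqopoci.com tetagyjaj.com gopilezavyxiro.com
celisesuho.com zequcitamado.com qupajubica.com hivanedak.com jumonevetode.com
zuzosahule.com nizokatahinery.com kynugypenihyf.com fevahanybyvu.com bemojewedowigo.com
wamojafadezy.com jerakidukojoz.com cixovatywo.com vakyditefo.com wetotyger.com
pikilokykizanu.com bemolaqijicy.com tisatosyhimidy.com rorodarof.com dafatesomyz.com
""".split()
SAMPLE_QUERIES = DGA_LIKE + ["microsoft.com"] * 14 + ["58.55.71.13.in-addr.arpa"]

VOWELS = set("aeiouy")        # y counted as a vowel; every generated name above fits with that rule
LETTERS = re.compile(r"^[a-z]+$")


def second_level_label(domain):
    """'wolycunanoqe' for 'wolycunanoqe.com'; 'in-addr' for a reverse lookup (never matches)."""
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def is_cv_alternating(label, min_len=8):
    """Letters only, at least min_len long, strictly alternating consonant/vowel from a consonant:
    the construction shared by all 53 generated names in the report."""
    if len(label) < min_len or not LETTERS.match(label):
        return False
    return all((ch in VOWELS) == (i % 2 == 1) for i, ch in enumerate(label))


def triage(queries, burst_threshold=10):
    """Count distinct pattern matches; a burst of them, each resolved once, is the DGA signal.
    burst_threshold is a value chosen for this example, not a published cut-off."""
    counts = Counter(queries)
    candidates = sorted(d for d in counts if is_cv_alternating(second_level_label(d)))
    cand_set = set(candidates)
    single = sum(1 for d in candidates if counts[d] == 1)
    return {
        "candidates": candidates,
        "others": sorted(d for d in counts if d not in cand_set),
        "dga_burst": len(candidates) >= burst_threshold,
        "single_query_ratio": single / len(candidates) if candidates else 0.0,
    }


if __name__ == "__main__":
    result = triage(SAMPLE_QUERIES)
    print(f"{len(result['candidates'])} generated-looking names, burst={result['dga_burst']}, "
          f"queried once: {result['single_query_ratio']:.0%}")
    print("left alone:", result["others"])
```

A dictionary word such as `kilometer` also passes the alternation test, which is why the function reports the number of distinct matches and the fraction queried only once instead of flagging names one at a time. In behavioral2 (Windows 10) the only lookups are reverse in-addr.arpa queries, which the heuristic leaves alone, so the two runs can be compared with the same function.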
Files
memory/1796-0-0x0000000000400000-0x0000000000439000-memory.dmp
memory/1324-6-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/1324-9-0x0000000000400000-0x00000000005F1000-memory.dmp
memory/1324-12-0x0000000000400000-0x00000000005F1000-memory.dmp
memory/1796-10-0x0000000000400000-0x0000000000439000-memory.dmp
memory/1324-8-0x0000000000400000-0x00000000005F1000-memory.dmp
memory/1324-5-0x0000000000400000-0x00000000005F1000-memory.dmp
memory/1324-1-0x0000000000400000-0x00000000005F1000-memory.dmp
memory/1324-3-0x0000000000400000-0x00000000005F1000-memory.dmp
\Users\Admin\AppData\Local\kcy.exe
| MD5 | 5c7539eb8bd4f1de9ee82d82fb579004 |
| SHA1 | a14b51d2a28e6a87e1a70af3d1c509eb48e1ad29 |
| SHA256 | 4e201af7f5247616567a18647dac8dc88189e98ef7aba65990cf2f6190ddea1d |
| SHA512 | 2d717942490de0aa5e01c01c44d2e982a725519e61dc4959c9147f8a959b3d212509b98734423d2b03b7bfb8d304043affd4b8c0d0cac0cd2ab33be084313e81 |
memory/1324-21-0x0000000000900000-0x0000000000939000-memory.dmp
memory/1324-24-0x0000000000400000-0x00000000005F1000-memory.dmp
memory/2468-25-0x0000000000400000-0x0000000000439000-memory.dmp
memory/1324-20-0x0000000000900000-0x0000000000939000-memory.dmp
memory/2468-36-0x0000000000400000-0x0000000000439000-memory.dmp
memory/2616-37-0x0000000000400000-0x00000000005F1000-memory.dmp
memory/2616-38-0x0000000000400000-0x00000000005F1000-memory.dmp
memory/2616-40-0x0000000000400000-0x00000000005F1000-memory.dmp
memory/2616-71-0x0000000000400000-0x00000000005F1000-memory.dmp
memory/2616-70-0x0000000000400000-0x00000000005F1000-memory.dmp
memory/2616-73-0x0000000000400000-0x00000000005F1000-memory.dmp
memory/2616-74-0x0000000000400000-0x00000000005F1000-memory.dmp
memory/2616-75-0x0000000000400000-0x00000000005F1000-memory.dmp
memory/2616-76-0x0000000000400000-0x00000000005F1000-memory.dmp
memory/2616-77-0x0000000000400000-0x00000000005F1000-memory.dmp
memory/2616-80-0x0000000000400000-0x00000000005F1000-memory.dmp
memory/2616-79-0x0000000000400000-0x00000000005F1000-memory.dmp
memory/2616-78-0x0000000000400000-0x00000000005F1000-memory.dmp
memory/2616-81-0x0000000000400000-0x00000000005F1000-memory.dmp
memory/2616-82-0x0000000000400000-0x00000000005F1000-memory.dmp
memory/2616-122-0x0000000000400000-0x00000000005F1000-memory.dmp
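The SetThreadContext rows and the memory dumps above describe the same event from two sides. PID 1796 (the sample) sets the thread context of PID 1324, a second instance of the same executable; the region at the image base 0x400000 is 0x39000 bytes in the parent but 0x1F1000 bytes in the child, and the child also carries a 0x39000-byte region at 0x900000. A child of the same file whose mapping at the shared base is a different size is what replacing the image after a suspended start (process hollowing) looks like from the outside. The block below is an added example rather than part of the report: it pairs each "set thread context" row with the dump names of both PIDs and reports the size mismatch (the rows and dump names are copied from the report; `hollowing_evidence` and `regions_by_pid` are names chosen here). The same check applies to 2468/2616 in this run and to 2616/3112 in behavioral2.

```python
"""Pair the SetThreadContext rows with the memory-dump names to show the image-size mismatch."""
import re

# Constructed input: the two SetThreadContext rows and a subset of the dump names from behavioral1.
CTX_ROWS = [
    "| PID 1796 set thread context of 1324 | N/A | JaffaCakes118_5c7539eb8bd4f1de9ee82d82fb579004.exe | JaffaCakes118_5c7539eb8bd4f1de9ee82d82fb579004.exe |",
    "| PID 2468 set thread context of 2616 | N/A | kcy.exe | kcy.exe |",
]
DUMPS = [
    "memory/1796-0-0x0000000000400000-0x0000000000439000-memory.dmp",
    "memory/1324-1-0x0000000000400000-0x00000000005F1000-memory.dmp",
    "memory/1324-6-0x000000007EFDE000-0x000000007EFDF000-memory.dmp",
    "memory/1324-21-0x0000000000900000-0x0000000000939000-memory.dmp",
    "memory/2468-25-0x0000000000400000-0x0000000000439000-memory.dmp",
    "memory/2616-37-0x0000000000400000-0x00000000005F1000-memory.dmp",
]

DUMP_RE = re.compile(r"^memory/(\d+)-\d+-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
CTX_RE = re.compile(r"PID (\d+) set thread context of (\d+)")


def regions_by_pid(dump_names):
    """pid -> set of (start, end) virtual ranges the sandbox dumped for that process."""
    out = {}
    for name in dump_names:
        m = DUMP_RE.match(name)
        if m:
            pid, start, end = int(m.group(1)), int(m.group(2), 16), int(m.group(3), 16)
            out.setdefault(pid, set()).add((start, end))
    return out


def hollowing_evidence(ctx_rows, dump_names, image_base=0x400000):
    """For each 'PID A set thread context of B' row compare the mapping at image_base in A and B.
    A different size at the same base in a child of the same file is the outward sign of the
    original image having been unmapped and replaced before the thread was resumed."""
    regions = regions_by_pid(dump_names)
    findings = []
    for row in ctx_rows:
        m = CTX_RE.search(row)
        if not m:
            continue
        src, dst = int(m.group(1)), int(m.group(2))
        src_size = max((e - s for s, e in regions.get(src, ()) if s == image_base), default=None)
        dst_size = max((e - s for s, e in regions.get(dst, ()) if s == image_base), default=None)
        # Regions elsewhere in the target exactly as large as the source's image; the report has
        # one at 0x900000 in PID 1324 (reading it as a staged copy is an inference, not shown data).
        echoes = sorted(s for s, e in regions.get(dst, ())
                        if s != image_base and src_size is not None and e - s == src_size)
        findings.append({
            "source": src, "target": dst,
            "source_image_size": src_size, "target_image_size": dst_size,
            "image_replaced": src_size is not None and dst_size is not None and src_size != dst_size,
            "source_sized_regions_in_target": echoes,
        })
    return findings


if __name__ == "__main__":
    for f in hollowing_evidence(CTX_ROWS, DUMPS):
        print(f"{f['source']} -> {f['target']}: image {f['source_image_size']:#x} vs "
              f"{f['target_image_size']:#x} replaced={f['image_replaced']} "
              f"extra={[hex(a) for a in f['source_sized_regions_in_target']]}")
```

The size mismatch is consistent with hollowing, not proof of it: confirm by dumping the child's region at 0x400000 and comparing its PE header and section table with the file on disk, whose 0x39000-byte image cannot share a layout with a 0x1F1000-byte mapping.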
Analysis: behavioral2
Detonation Overview
Submitted
2025-01-15 16:40
Reported
2025-01-15 16:44
Platform
win10v2004-20241007-en
Max time kernel
149s
Max time network
150s
Command Line
Signatures
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2616 set thread context of 3112 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c7539eb8bd4f1de9ee82d82fb579004.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c7539eb8bd4f1de9ee82d82fb579004.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c7539eb8bd4f1de9ee82d82fb579004.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c7539eb8bd4f1de9ee82d82fb579004.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c7539eb8bd4f1de9ee82d82fb579004.exe"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c7539eb8bd4f1de9ee82d82fb579004.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c7539eb8bd4f1de9ee82d82fb579004.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 167.173.78.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 167.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.153.16.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.173.189.20.in-addr.arpa | udp |
Files
memory/2616-0-0x0000000000400000-0x0000000000439000-memory.dmp
memory/3112-1-0x0000000000400000-0x00000000005F1000-memory.dmp
memory/3112-2-0x0000000000400000-0x00000000005F1000-memory.dmp
memory/3112-4-0x0000000000400000-0x00000000005F1000-memory.dmp
memory/2616-3-0x0000000000400000-0x0000000000439000-memory.dmp
memory/3112-5-0x0000000000400000-0x00000000005F1000-memory.dmp