Analysis Overview
SHA256
c613719eb016e14e37d9848b5b49c5406ce492ec09cc7b751bcd393a822d5027
Threat Level: Shows suspicious behavior
The file JaffaCakes118_439286137108822ef85b7c6e6a48507d was classified as: Shows suspicious behavior (no family signature matched; the verdict rests on the behaviors listed below).
Malicious Activity Summary
Deletes itself
Executes dropped EXE
Loads dropped DLL
Drops file in System32 directory
Drops file in Program Files directory
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2025-01-27 20:51
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2025-01-27 20:51
Reported
2025-01-27 20:54
Platform
win7-20240903-en
Max time kernel
149s
Max time network
121s
Command Line
Signatures
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\SVCHOSI.EXE | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_439286137108822ef85b7c6e6a48507d.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_439286137108822ef85b7c6e6a48507d.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\Deleteme.bat | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_439286137108822ef85b7c6e6a48507d.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files\Internet Explorer\SVCHOSI.EXE | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_439286137108822ef85b7c6e6a48507d.exe | N/A |
| File opened for modification | C:\Program Files\Internet Explorer\SVCHOSI.EXE | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_439286137108822ef85b7c6e6a48507d.exe | N/A |
| File created | C:\Program Files\Internet Explorer\servise.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_439286137108822ef85b7c6e6a48507d.exe | N/A |
| File opened for modification | C:\Program Files\Internet Explorer\servise.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_439286137108822ef85b7c6e6a48507d.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_439286137108822ef85b7c6e6a48507d.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files\Internet Explorer\SVCHOSI.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_439286137108822ef85b7c6e6a48507d.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_439286137108822ef85b7c6e6a48507d.exe"
C:\Program Files\Internet Explorer\SVCHOSI.EXE
"C:\Program Files\Internet Explorer\SVCHOSI.EXE" -NETBC
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Windows\system32\Deleteme.bat
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | www.163.com | udp |
| US | 8.8.8.8:53 | gree44.3322.org | udp |
| US | 8.8.8.8:53 | www.163.com | udp |
Files
memory/2476-0-0x0000000000400000-0x0000000000556000-memory.dmp
memory/2476-1-0x0000000000260000-0x0000000000261000-memory.dmp
memory/2476-2-0x0000000000400000-0x0000000000556000-memory.dmp
memory/2476-3-0x0000000000340000-0x0000000000341000-memory.dmp
C:\Program Files\Internet Explorer\SVCHOSI.EXE
| MD5 | 439286137108822ef85b7c6e6a48507d |
| SHA1 | d83ad3e686031cf8eae13aa6aa4900e0570ae35c |
| SHA256 | c613719eb016e14e37d9848b5b49c5406ce492ec09cc7b751bcd393a822d5027 |
| SHA512 | 993cd318bc62fb9073c7d9ada8c87b43d821678caae31fb80915da473dab00ab17bd9cf7ff145cd50008fc619e16b6a2a0bce3e78710851c267ae8abdde38b35 |
memory/2476-18-0x0000000002FD0000-0x0000000003126000-memory.dmp
memory/308-20-0x0000000000400000-0x0000000000556000-memory.dmp
memory/2476-17-0x0000000002FD0000-0x0000000003126000-memory.dmp
memory/308-22-0x0000000000270000-0x0000000000271000-memory.dmp
C:\Windows\SysWOW64\Deleteme.bat
| MD5 | 77af4eb3445c82345aab63161a71c90d |
| SHA1 | b5062500839862f796676fa761d288b7de090b99 |
| SHA256 | 44cdada70fade48284d04f958cb08ad7f3907e90b050478d19a8920355355d30 |
| SHA512 | ddb11264b37b8a6a0dd3402a55ccb9e4502e12fbbbd8bfde6bb62141cb3400fce3234e1cb33e57f7d15dece82b10ccdf6c1ca2fe00f4805ec5fb5325907daa75 |
memory/2476-30-0x0000000000400000-0x0000000000556000-memory.dmp
memory/308-32-0x0000000000400000-0x0000000000556000-memory.dmp
memory/308-33-0x0000000000270000-0x0000000000271000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2025-01-27 20:51
Reported
2025-01-27 20:54
Platform
win10v2004-20241007-en
Max time kernel
149s
Max time network
144s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\SVCHOSI.EXE | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\Deleteme.bat | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_439286137108822ef85b7c6e6a48507d.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files\Internet Explorer\SVCHOSI.EXE | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_439286137108822ef85b7c6e6a48507d.exe | N/A |
| File opened for modification | C:\Program Files\Internet Explorer\SVCHOSI.EXE | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_439286137108822ef85b7c6e6a48507d.exe | N/A |
| File created | C:\Program Files\Internet Explorer\servise.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_439286137108822ef85b7c6e6a48507d.exe | N/A |
| File opened for modification | C:\Program Files\Internet Explorer\servise.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_439286137108822ef85b7c6e6a48507d.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_439286137108822ef85b7c6e6a48507d.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files\Internet Explorer\SVCHOSI.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1208 wrote to memory of 4372 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_439286137108822ef85b7c6e6a48507d.exe | C:\Program Files\Internet Explorer\SVCHOSI.EXE |
| PID 1208 wrote to memory of 4372 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_439286137108822ef85b7c6e6a48507d.exe | C:\Program Files\Internet Explorer\SVCHOSI.EXE |
| PID 1208 wrote to memory of 4372 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_439286137108822ef85b7c6e6a48507d.exe | C:\Program Files\Internet Explorer\SVCHOSI.EXE |
| PID 1208 wrote to memory of 3552 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_439286137108822ef85b7c6e6a48507d.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 1208 wrote to memory of 3552 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_439286137108822ef85b7c6e6a48507d.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 1208 wrote to memory of 3552 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_439286137108822ef85b7c6e6a48507d.exe | C:\Windows\SysWOW64\cmd.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_439286137108822ef85b7c6e6a48507d.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_439286137108822ef85b7c6e6a48507d.exe"
C:\Program Files\Internet Explorer\SVCHOSI.EXE
"C:\Program Files\Internet Explorer\SVCHOSI.EXE" -NETBC
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\Deleteme.bat
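Note on the command line above: the sample asks for C:\Windows\system32\cmd.exe and C:\Windows\system32\Deleteme.bat, yet the cmd.exe image that actually ran is C:\Windows\SysWOW64\cmd.exe and the batch file was created under SysWOW64. That is the WOW64 file-system redirector at work for a 32-bit process on 64-bit Windows, and a hunt that looks only in system32 for Deleteme.bat would miss it. The Python below is an added triage example, not code from this report or the sandbox: it replays the process tree of this run as constructed events (PIDs taken from the WriteProcessMemory rows; parent PID 0 for the launcher is an assumption), flags the cmd.exe /c *.bat self-delete chain with the redirected path, and flags the dropped names SVCHOSI.EXE and servise.exe as look-alikes of svchost.exe and services.exe. The list of system binary names and the user-writable-path heuristic are the example's own choices.

```python
"""Added triage example (not report or sandbox code): replay this
detonation's process tree as constructed events and flag the cmd.exe
batch-file self-delete and the dropped look-alike binaries."""
import re
from dataclasses import dataclass

# Constructed from the win10v2004 Processes list; PIDs from the
# WriteProcessMemory rows (1208 -> 4372, 1208 -> 3552). Not sandbox output.
SAMPLE = ("C:\\Users\\Admin\\AppData\\Local\\Temp"
          "\\JaffaCakes118_439286137108822ef85b7c6e6a48507d.exe")
IE_DIR = "C:\\Program Files\\Internet Explorer"


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str    # image path as resolved by the OS
    cmdline: str  # command line as the parent requested it


EVENTS = [
    ProcEvent(1208, 0, SAMPLE, f'"{SAMPLE}"'),  # ppid 0 = launcher (assumed)
    ProcEvent(4372, 1208, IE_DIR + "\\SVCHOSI.EXE",
              f'"{IE_DIR}\\SVCHOSI.EXE" -NETBC'),
    ProcEvent(3552, 1208, "C:\\Windows\\SysWOW64\\cmd.exe",
              "C:\\Windows\\system32\\cmd.exe /c "
              "C:\\Windows\\system32\\Deleteme.bat"),
]
DROPPED = [IE_DIR + "\\SVCHOSI.EXE", IE_DIR + "\\servise.exe",
           "C:\\Windows\\SysWOW64\\Deleteme.bat"]  # from the report's tables

# The example's own list of names worth imitating; extend as needed.
SYSTEM_NAMES = ["svchost.exe", "services.exe", "lsass.exe", "csrss.exe",
                "winlogon.exe", "explorer.exe"]
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
BAT_RE = re.compile(r'/c\s+"?([^"\s]+\.bat)', re.IGNORECASE)


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1,
                           prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1]

def masquerade_check(path: str):
    """(filename, imitated name) if the name is within two edits of a
    system binary, or is that exact name outside a system directory."""
    name = basename(path).lower()
    for known in SYSTEM_NAMES:
        d = edit_distance(name, known)
        if 1 <= d <= 2 or (d == 0 and not path.lower().startswith(SYSTEM_DIRS)):
            return basename(path), known
    return None

def wow64_redirect(path: str) -> str:
    """A 32-bit process naming Windows/system32 actually touches
    Windows/SysWOW64, which is why the report lists Deleteme.bat there."""
    prefix = "c:\\windows\\system32\\"
    if path.lower().startswith(prefix):
        return "C:\\Windows\\SysWOW64\\" + path[len(prefix):]
    return path

def user_writable(path: str) -> bool:
    return any(s in path.lower() for s in ("\\users\\", "\\appdata\\", "\\temp\\"))

def find_self_delete(events):
    """cmd.exe running a .bat for a parent that lives in a user-writable
    path. Image SysWOW64 with a system32 command line means the parent is
    32-bit, so the .bat path is redirected before reporting it."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        m = BAT_RE.search(e.cmdline)
        parent = by_pid.get(e.ppid)
        if basename(e.image).lower() != "cmd.exe" or not m or parent is None:
            continue
        if not user_writable(parent.image):
            continue
        bat = m.group(1)
        if "syswow64" in e.image.lower() and "system32" in e.cmdline.lower():
            bat = wow64_redirect(bat)
        hits.append((e.pid, parent.pid, bat))
    return hits

def find_masquerades(events, dropped):
    found = {}
    for path in [e.image for e in events] + list(dropped):
        hit = masquerade_check(path)
        if hit:
            found[path] = hit
    return found

def triage(events=EVENTS, dropped=DROPPED):
    """Run both checks; see the usage note for the expected findings."""
    return {"self_delete": find_self_delete(events),
            "masquerade": find_masquerades(events, dropped)}
```

Calling triage() on the constructed events returns one self-delete hit (cmd.exe PID 3552 spawned by PID 1208, batch file resolved to C:\Windows\SysWOW64\Deleteme.bat) and two masquerade hits (SVCHOSI.EXE for svchost.exe, servise.exe for services.exe). The same logic runs unchanged on the win7 run, where the command line is the shorter "cmd /c C:\Windows\system32\Deleteme.bat". On a real host, feed it Sysmon event 1 or Security 4688 records and add the dropped paths from file-create telemetry.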
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 5.114.82.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.163.com | udp |
| US | 8.8.8.8:53 | gree44.3322.org | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | gree44.3322.org | udp |
| US | 8.8.8.8:53 | 182.129.81.91.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.163.com | udp |
| US | 8.8.8.8:53 | gree44.3322.org | udp |
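The Network table mixes reverse (PTR) lookups of in-addr.arpa names with the sample's own lookups: www.163.com and gree44.3322.org, the latter a hostname in the 3322.org dynamic-DNS zone that is resolved three times in this run. The following Python is an added example, not code from this report or the sandbox: it takes the query sequence above as a constructed list, sets the PTR lookups aside as analysis-host noise (an assumption to verify against your own baseline), tags names in a short dynamic-DNS zone list that is the example's own, counts repeated resolution, and reports which name follows which, since a well-known site queried immediately before a dynamic-DNS name is the connectivity-check-then-C2 shape.

```python
"""Added example (not report or sandbox code): triage the DNS queries from
this detonation, separating reverse lookups from the sample's own names and
tagging dynamic-DNS zones and repeated resolution."""
from collections import Counter

# Constructed from the win10v2004 run's Network table, in the order shown.
QUERIES = [
    "28.118.140.52.in-addr.arpa", "172.210.232.199.in-addr.arpa",
    "73.159.190.20.in-addr.arpa", "5.114.82.104.in-addr.arpa",
    "www.163.com", "gree44.3322.org", "13.86.106.20.in-addr.arpa",
    "200.163.202.172.in-addr.arpa", "198.187.3.20.in-addr.arpa",
    "gree44.3322.org", "182.129.81.91.in-addr.arpa", "www.163.com",
    "gree44.3322.org",
]

# Dynamic-DNS zones: the example's own short list, extend from your intel.
DYNDNS_ZONES = {"3322.org", "f3322.net", "no-ip.com", "no-ip.org",
                "dyndns.org", "duckdns.org"}


def is_reverse_lookup(name: str) -> bool:
    """PTR queries. Here they are treated as analysis-host noise (an
    assumption; confirm against a clean baseline of the same image)."""
    return name.lower().endswith((".in-addr.arpa", ".ip6.arpa"))


def registrable_zone(name: str) -> str:
    """Last two labels; enough for the zones above (no public-suffix list)."""
    parts = name.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else name.lower()


def sample_queries(queries):
    """Forward lookups only, original order preserved."""
    return [q for q in queries if not is_reverse_lookup(q)]


def classify(queries, repeat_threshold: int = 3):
    """Return [(domain, count, tags)], most frequent first."""
    counts = Counter(sample_queries(queries))
    out = []
    for domain, n in counts.most_common():
        tags = []
        if registrable_zone(domain) in DYNDNS_ZONES:
            tags.append("dynamic-dns")
        if n >= repeat_threshold:
            tags.append("repeated")
        out.append((domain, n, tuple(tags)))
    return out


def sequence_pairs(queries):
    """Counter of (name, next name) over the sample's forward lookups."""
    seq = sample_queries(queries)
    return Counter(zip(seq, seq[1:]))


if __name__ == "__main__":
    for line in classify(QUERIES):
        print(line)
    print(sequence_pairs(QUERIES).most_common(3))
```

On this run classify() yields gree44.3322.org (3 queries, tagged dynamic-dns and repeated) ahead of www.163.com (2 queries, untagged), and the pair (www.163.com, gree44.3322.org) occurs twice. Repeated resolution of the same name within a two-minute detonation, with no connection reported in the table, is consistent with a retry loop against a host that did not answer; the domain, not the resolved address, is the durable indicator.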
Files
memory/1208-0-0x0000000000400000-0x0000000000556000-memory.dmp
memory/1208-1-0x00000000022C0000-0x00000000022C1000-memory.dmp
memory/1208-2-0x0000000000400000-0x0000000000556000-memory.dmp
memory/1208-3-0x0000000002310000-0x0000000002311000-memory.dmp
C:\Program Files\Internet Explorer\SVCHOSI.EXE
| MD5 | 439286137108822ef85b7c6e6a48507d |
| SHA1 | d83ad3e686031cf8eae13aa6aa4900e0570ae35c |
| SHA256 | c613719eb016e14e37d9848b5b49c5406ce492ec09cc7b751bcd393a822d5027 |
| SHA512 | 993cd318bc62fb9073c7d9ada8c87b43d821678caae31fb80915da473dab00ab17bd9cf7ff145cd50008fc619e16b6a2a0bce3e78710851c267ae8abdde38b35 |
memory/4372-15-0x0000000000400000-0x0000000000556000-memory.dmp
memory/4372-14-0x0000000000400000-0x0000000000556000-memory.dmp
memory/4372-16-0x00000000006D0000-0x00000000006D1000-memory.dmp
memory/1208-19-0x0000000000400000-0x0000000000556000-memory.dmp
C:\Windows\SysWOW64\Deleteme.bat
| MD5 | 77af4eb3445c82345aab63161a71c90d |
| SHA1 | b5062500839862f796676fa761d288b7de090b99 |
| SHA256 | 44cdada70fade48284d04f958cb08ad7f3907e90b050478d19a8920355355d30 |
| SHA512 | ddb11264b37b8a6a0dd3402a55ccb9e4502e12fbbbd8bfde6bb62141cb3400fce3234e1cb33e57f7d15dece82b10ccdf6c1ca2fe00f4805ec5fb5325907daa75 |
memory/4372-22-0x00000000006A0000-0x00000000006A1000-memory.dmp
memory/4372-21-0x0000000000400000-0x0000000000556000-memory.dmp
memory/4372-23-0x00000000006D0000-0x00000000006D1000-memory.dmp
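The dropped C:\Program Files\Internet Explorer\SVCHOSI.EXE carries exactly the MD5, SHA1, SHA256 and SHA512 of the submitted sample (the MD5 is also the one in the sample's filename), so the persistence copy is a byte-identical self-copy and the sample's own hashes hunt it. The Python below is an added example, not code from this report or the sandbox: it sweeps a directory tree for the report's hashes and for the drop locations, and distinguishes a content match from a location-only match (a repacked copy changes the hash but not the path it is written to). The demo builds a constructed tree in a temporary directory with made-up file contents, including a plausible Deleteme.bat whose text the report does not show, so only the hash registered at runtime can match by content; the report's hashes are carried unchanged for use against a real volume.

```python
"""Added example (not report or sandbox code): hunt for this sample's dropped
files by content hash and by drop location. The report's hashes are included
as-is; the files written by demo() are constructed stand-ins."""
import hashlib
import os
import tempfile

# SHA256 values copied from the Files section of this report.
REPORT_IOCS = {
    "c613719eb016e14e37d9848b5b49c5406ce492ec09cc7b751bcd393a822d5027":
        "sample; SVCHOSI.EXE is a byte-identical copy",
    "44cdada70fade48284d04f958cb08ad7f3907e90b050478d19a8920355355d30":
        "Deleteme.bat",
}
# Drop locations from the report, lower-cased and relative to the volume root.
DROPPED_PATHS = {
    "program files/internet explorer/svchosi.exe",
    "program files/internet explorer/servise.exe",
    "windows/syswow64/deleteme.bat",
}


def sha256_file(path: str, chunk: int = 1 << 20) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def sweep(root: str, iocs=REPORT_IOCS, paths=DROPPED_PATHS):
    """Walk root (a mounted volume or a stand-in tree) and return sorted
    (relative path, kind, detail): kind 'hash' when content matches an IOC
    (detail is the IOC label), 'path' when only the drop location matches
    (detail is the digest, worth recording as a new IOC)."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            full = os.path.join(dirpath, fn)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            digest = sha256_file(full)
            if digest in iocs:
                findings.append((rel, "hash", iocs[digest]))
            elif rel.lower() in paths:
                findings.append((rel, "path", digest))
    return sorted(findings)


def demo():
    """Constructed tree: a stand-in for the Program Files copy (its hash is
    registered at runtime so a content match can be shown), a stand-in
    servise.exe, a plausible Deleteme.bat, and an untouched iexplore.exe
    that must not be flagged. None of this content comes from the sample."""
    copy_bytes = b"MZ constructed stand-in for SVCHOSI.EXE"
    iocs = dict(REPORT_IOCS)
    iocs[hashlib.sha256(copy_bytes).hexdigest()] = "constructed stand-in"
    files = {
        "Program Files/Internet Explorer/SVCHOSI.EXE": copy_bytes,
        "Program Files/Internet Explorer/servise.exe": b"MZ other stand-in",
        "Program Files/Internet Explorer/iexplore.exe": b"MZ legitimate",
        "Windows/SysWOW64/Deleteme.bat":
            b":l\r\ndel \"%1\"\r\nif exist \"%1\" goto l\r\ndel %0\r\n",
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, data in files.items():
            full = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as f:
                f.write(data)
        return sweep(root, iocs)


if __name__ == "__main__":
    for rel, kind, detail in demo():
        print(f"{kind:4} {rel}  {detail}")
```

demo() reports SVCHOSI.EXE as a hash match, servise.exe and Deleteme.bat as path-only matches, and nothing for iexplore.exe. Against a real host point sweep() at the system volume root; expect Deleteme.bat to be absent on a completed infection, since the batch file deletes the dropper and then itself, so its presence usually means the chain was interrupted.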