Analysis Overview
SHA256
2dc1258101b1183ad4e08320f15310cad541c900919e98e0816c751fee303306
Threat Level: Known bad
The file JaffaCakes118_06eea001fb61532885ae0ce6f95d0b3c was found to be: Known bad.
Malicious Activity Summary
Netwire family
NetWire RAT payload
Netwire
Checks computer location settings
Suspicious use of SetThreadContext
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Scheduled Task/Job: Scheduled Task
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V16
Analysis: static1
Detonation Overview
Reported
2025-05-19 07:23
Signatures
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2025-05-19 07:23
Reported
2025-05-19 07:26
Platform
win10v2004-20250502-en
Max time kernel
129s
Max time network
146s
Command Line
Signatures
NetWire RAT payload
Netwire
Netwire family
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3623617754-4043701611-775564599-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06eea001fb61532885ae0ce6f95d0b3c.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4452 set thread context of 1632 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06eea001fb61532885ae0ce6f95d0b3c.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06eea001fb61532885ae0ce6f95d0b3c.exe |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06eea001fb61532885ae0ce6f95d0b3c.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06eea001fb61532885ae0ce6f95d0b3c.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06eea001fb61532885ae0ce6f95d0b3c.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06eea001fb61532885ae0ce6f95d0b3c.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06eea001fb61532885ae0ce6f95d0b3c.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06eea001fb61532885ae0ce6f95d0b3c.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\pmbtKQaVLTRS" /XML "C:\Users\Admin\AppData\Local\Temp\tmpCC68.tmp"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06eea001fb61532885ae0ce6f95d0b3c.exe
"{path}"
Network
| Country | Destination | Domain | Proto |
| IE | 95.100.98.96:443 | www.bing.com | tcp |
| IE | 95.100.98.96:443 | www.bing.com | tcp |
| PL | 185.244.30.51:3373 | | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 216.58.201.99:80 | c.pki.goog | tcp |
| PL | 185.244.30.51:3376 | | tcp |
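The behavioral1 process tree, SetThreadContext event and network table above can be triaged programmatically. The following Python is an added example and is not part of the sandbox report: it reconstructs the records from this page, flags the self-targeted hollowing (parent and child run the same image and the parent rewrites the child's thread context), the schtasks persistence driven by an XML file in %TEMP%, and the direct-to-IP traffic on non-standard ports. The schtasks PID (4460), the parent links and the port allowlist are assumptions of this example; the report itself names only PIDs 4452 and 1632.

```python
"""Triage helper for the behavioral1 run on this page.

Added example, not part of the sandbox report. Records below are constructed
from the report; the schtasks PID and ppid values are assumed.
"""
import re
from typing import Dict, List, Tuple

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06eea001fb61532885ae0ce6f95d0b3c.exe"

# Constructed from the "Processes" block of behavioral1 (ppid/4460 assumed).
PROCESSES = [
    {"pid": 4452, "ppid": 0, "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    {"pid": 4460, "ppid": 4452, "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmdline": r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\pmbtKQaVLTRS" '
                r'/XML "C:\Users\Admin\AppData\Local\Temp\tmpCC68.tmp"'},
    {"pid": 1632, "ppid": 4452, "image": SAMPLE, "cmdline": '"{path}"'},
]
# Constructed from "Suspicious use of SetThreadContext".
CTX_EVENTS = [{"source_pid": 4452, "target_pid": 1632}]
# Constructed from the "Network" table: (country, ip, port, domain, proto).
NETWORK = [
    ("IE", "95.100.98.96", 443, "www.bing.com", "tcp"),
    ("PL", "185.244.30.51", 3373, "", "tcp"),
    ("US", "8.8.8.8", 53, "tse1.mm.bing.net", "udp"),
    ("US", "150.171.27.10", 443, "tse1.mm.bing.net", "tcp"),
    ("US", "8.8.8.8", 53, "c.pki.goog", "udp"),
    ("GB", "216.58.201.99", 80, "c.pki.goog", "tcp"),
    ("PL", "185.244.30.51", 3376, "", "tcp"),
]

# schtasks switches we care about, quoted or bare values.
_OPT = re.compile(r'/(TN|XML)\s+(?:"([^"]+)"|(\S+))', re.I)
WEB_PORTS = {53, 80, 443}  # local allowlist for this triage; an assumption


def find_hollowing(procs, ctx_events) -> List[Tuple[int, int]]:
    """SetThreadContext from one process into another running the same image
    is the hollowing shape (ATT&CK T1055.012): spawn a copy suspended,
    overwrite its image, redirect the thread to the new entry point."""
    by_pid = {p["pid"]: p for p in procs}
    hits = []
    for ev in ctx_events:
        src, tgt = by_pid.get(ev["source_pid"]), by_pid.get(ev["target_pid"])
        if src and tgt and src["image"].lower() == tgt["image"].lower():
            hits.append((src["pid"], tgt["pid"]))
    return hits


def find_schtasks_persistence(procs) -> List[Dict[str, object]]:
    """schtasks /Create with /XML (ATT&CK T1053.005). Match on the image path,
    not the command line: the 32-bit dropper's 'System32' was redirected to
    SysWOW64 by WOW64. The XML living in %TEMP% is the tell."""
    hits = []
    for p in procs:
        if not p["image"].lower().endswith("\\schtasks.exe"):
            continue
        if "/create" not in p["cmdline"].lower():
            continue
        opts = {m.group(1).upper(): (m.group(2) or m.group(3))
                for m in _OPT.finditer(p["cmdline"])}
        xml = opts.get("XML", "")
        hits.append({
            "pid": p["pid"],
            "task": opts.get("TN", ""),
            "xml": xml,
            "xml_in_temp": re.search(r"\\AppData\\Local\\Temp\\", xml, re.I) is not None,
        })
    return hits


def find_odd_port_c2(net) -> Dict[str, List[int]]:
    """Direct-to-IP TCP on a port outside the allowlist with no resolved
    domain (ATT&CK T1571). Here this isolates the RAT's C2 from OS noise."""
    out: Dict[str, set] = {}
    for _country, ip, port, domain, proto in net:
        if proto == "tcp" and port not in WEB_PORTS and not domain:
            out.setdefault(ip, set()).add(port)
    return {ip: sorted(ports) for ip, ports in out.items()}


def triage(procs=PROCESSES, ctx=CTX_EVENTS, net=NETWORK) -> Dict[str, object]:
    """Run all three checks and return one finding dict."""
    return {
        "hollowing": find_hollowing(procs, ctx),
        "persistence": find_schtasks_persistence(procs),
        "c2": find_odd_port_c2(net),
    }


if __name__ == "__main__":
    for name, finding in triage().items():
        print(f"{name}: {finding}")
```

Two caveats when carrying this over to real telemetry. The schtasks process image is SysWOW64\schtasks.exe even though the command line names System32: a 32-bit parent invoking System32 gets WOW64 file-system redirection, so rules keyed on the System32 path will miss it. And the two connections to 185.244.30.51 on 3373 and then 3376 read like a fallback between configured C2 ports, but the page does not show the sample's configuration, so treat that ordering as a hypothesis rather than a fact of this sample.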
Files
memory/4452-0-0x000000007532E000-0x000000007532F000-memory.dmp
memory/4452-1-0x0000000000290000-0x000000000037C000-memory.dmp
memory/4452-2-0x00000000051E0000-0x0000000005784000-memory.dmp
memory/4452-3-0x0000000004D10000-0x0000000004DA2000-memory.dmp
memory/4452-4-0x0000000004EB0000-0x0000000004EBA000-memory.dmp
memory/4452-5-0x0000000075320000-0x0000000075AD0000-memory.dmp
memory/4452-6-0x0000000004EA0000-0x0000000004EB4000-memory.dmp
memory/4452-7-0x000000007532E000-0x000000007532F000-memory.dmp
memory/4452-8-0x0000000075320000-0x0000000075AD0000-memory.dmp
memory/4452-9-0x0000000005BE0000-0x0000000005C2C000-memory.dmp
memory/4452-10-0x0000000005CD0000-0x0000000005D6C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmpCC68.tmp
| MD5 | a576cb63842cb12180dd680f9e5d27d9 |
| SHA1 | e165ae9da935e2a325874b341d3bd8caa4799dd8 |
| SHA256 | 2802cac35a33e3bb08733aed2be12256804f60dfae8f8961d39c31ccc6ec33c6 |
| SHA512 | 3d8dd969795a59745c6c3807def322e603e3a24c086d1d5ebfe95351968923853cce705df2aac0c74dec04c10ab061c0d68891983b4f6a7837b21f94ac443cb9 |
memory/1632-14-0x0000000000400000-0x0000000000433000-memory.dmp
memory/1632-17-0x0000000000400000-0x0000000000433000-memory.dmp
memory/1632-18-0x0000000000400000-0x0000000000433000-memory.dmp
memory/4452-19-0x0000000075320000-0x0000000075AD0000-memory.dmp
memory/1632-20-0x0000000000400000-0x0000000000433000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2025-05-19 07:23
Reported
2025-05-19 07:26
Platform
win11-20250502-en
Max time kernel
129s
Max time network
145s
Command Line
Signatures
NetWire RAT payload
Netwire
Netwire family
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1588 set thread context of 3012 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06eea001fb61532885ae0ce6f95d0b3c.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06eea001fb61532885ae0ce6f95d0b3c.exe |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06eea001fb61532885ae0ce6f95d0b3c.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06eea001fb61532885ae0ce6f95d0b3c.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06eea001fb61532885ae0ce6f95d0b3c.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06eea001fb61532885ae0ce6f95d0b3c.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06eea001fb61532885ae0ce6f95d0b3c.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06eea001fb61532885ae0ce6f95d0b3c.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\pmbtKQaVLTRS" /XML "C:\Users\Admin\AppData\Local\Temp\tmpF685.tmp"
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06eea001fb61532885ae0ce6f95d0b3c.exe
"{path}"
Network
| Country | Destination | Domain | Proto |
| PL | 185.244.30.51:3373 | | tcp |
| PL | 185.244.30.51:3376 | | tcp |
Files
memory/1588-0-0x0000000074F8E000-0x0000000074F8F000-memory.dmp
memory/1588-1-0x0000000000150000-0x000000000023C000-memory.dmp
memory/1588-2-0x0000000005170000-0x0000000005716000-memory.dmp
memory/1588-3-0x0000000004CD0000-0x0000000004D62000-memory.dmp
memory/1588-5-0x0000000074F80000-0x0000000075731000-memory.dmp
memory/1588-4-0x0000000004E80000-0x0000000004E8A000-memory.dmp
memory/1588-6-0x0000000004E70000-0x0000000004E84000-memory.dmp
memory/1588-7-0x0000000074F8E000-0x0000000074F8F000-memory.dmp
memory/1588-8-0x0000000074F80000-0x0000000075731000-memory.dmp
memory/1588-9-0x0000000005BA0000-0x0000000005BEC000-memory.dmp
memory/1588-10-0x0000000005C90000-0x0000000005D2C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmpF685.tmp
| MD5 | 9cd42a1f151dde7e5fb9f0d4e143470d |
| SHA1 | 275af60764222f7e468ed0287ec9d4f71184e111 |
| SHA256 | 70458e1fd009030a2babbbc8c58948939882c1c1519da13faf5bad48d9045327 |
| SHA512 | bf6d5f8c5908f923cd089c107cfde235c71205b889a9e6b852ccbd42939b0bc77530e9a1edd462a5d3168d69e7795a01bc5b497fac78ed340c8fa5e1eff17d35 |
memory/3012-14-0x0000000000400000-0x0000000000433000-memory.dmp
memory/3012-16-0x0000000000400000-0x0000000000433000-memory.dmp
memory/3012-18-0x0000000000400000-0x0000000000433000-memory.dmp
memory/1588-19-0x0000000074F80000-0x0000000075731000-memory.dmp
memory/3012-20-0x0000000000400000-0x0000000000433000-memory.dmp