Analysis Overview
SHA256
74e7f6690f05ee4303f5de3880170df6306736508c2227c4aa319c799051b428
Threat Level: Known bad
The file babccaf657298d70471771c106155a7d_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
Tinba / TinyBanker
Adds Run key to start application
Program crash
Unsigned PE
Suspicious use of UnmapMainImage
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-04-04 14:28
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-04 14:28
Reported
2024-04-04 14:31
Platform
win7-20240221-en
Max time kernel
149s
Max time network
146s
Command Line
Signatures
Tinba / TinyBanker
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\006E673E = "C:\\Users\\Admin\\AppData\\Roaming\\006E673E\\bin.exe" | C:\Windows\SysWOW64\winver.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\winver.exe | N/A |
Suspicious use of UnmapMainImage
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\babccaf657298d70471771c106155a7d_JaffaCakes118.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\taskhost.exe
"taskhost.exe"
C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
C:\Users\Admin\AppData\Local\Temp\babccaf657298d70471771c106155a7d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\babccaf657298d70471771c106155a7d_JaffaCakes118.exe"
C:\Windows\SysWOW64\winver.exe
winver
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | www.google.com | udp |
| US | 8.8.8.8:53 | ggvruxovlbrm.com | udp |
| US | 216.218.185.162:80 | ggvruxovlbrm.com | tcp |
| US | 8.8.8.8:53 | qvvksmeemfgd.com | udp |
| US | 216.218.185.162:80 | qvvksmeemfgd.com | tcp |
| US | 8.8.8.8:53 | ibcbbgggowdg.com | udp |
| US | 216.218.185.162:80 | ibcbbgggowdg.com | tcp |
| US | 8.8.8.8:53 | kkiubtneyqpo.com | udp |
| US | 216.218.185.162:80 | kkiubtneyqpo.com | tcp |
| US | 8.8.8.8:53 | bghcrqiinvvv.com | udp |
| US | 216.218.185.162:80 | bghcrqiinvvv.com | tcp |
| US | 8.8.8.8:53 | oxieqhkwwtub.com | udp |
| US | 8.8.8.8:53 | oxieqhkwwtub.net | udp |
| US | 216.218.185.162:80 | oxieqhkwwtub.net | tcp |
| US | 8.8.8.8:53 | cbggtmpgovbj.com | udp |
| US | 8.8.8.8:53 | cbggtmpgovbj.net | udp |
| US | 8.8.8.8:53 | cbggtmpgovbj.info | udp |
| US | 216.218.185.162:80 | cbggtmpgovbj.info | tcp |
| US | 8.8.8.8:53 | rpphttiihibi.com | udp |
| US | 8.8.8.8:53 | rpphttiihibi.net | udp |
| US | 216.218.185.162:80 | rpphttiihibi.net | tcp |
| US | 8.8.8.8:53 | psytuypcxnfn.com | udp |
| US | 8.8.8.8:53 | psytuypcxnfn.net | udp |
| US | 8.8.8.8:53 | psytuypcxnfn.info | udp |
| US | 216.218.185.162:80 | psytuypcxnfn.info | tcp |
| US | 8.8.8.8:53 | hhfvyeheuhdd.com | udp |
| US | 8.8.8.8:53 | hhfvyeheuhdd.net | udp |
| US | 8.8.8.8:53 | hhfvyeheuhdd.info | udp |
| US | 216.218.185.162:80 | hhfvyeheuhdd.info | tcp |
| US | 8.8.8.8:53 | qencohigpqrs.com | udp |
| US | 8.8.8.8:53 | qencohigpqrs.net | udp |
| US | 8.8.8.8:53 | qencohigpqrs.info | udp |
| US | 216.218.185.162:80 | qencohigpqrs.info | tcp |
| US | 8.8.8.8:53 | siismewxinwx.com | udp |
| US | 216.218.185.162:80 | siismewxinwx.com | tcp |
| US | 8.8.8.8:53 | qwgsrbnxhbux.com | udp |
| US | 8.8.8.8:53 | qwgsrbnxhbux.net | udp |
| US | 8.8.8.8:53 | qwgsrbnxhbux.info | udp |
| US | 216.218.185.162:80 | qwgsrbnxhbux.info | tcp |
| US | 8.8.8.8:53 | dcsgnjchistd.com | udp |
| US | 216.218.185.162:80 | dcsgnjchistd.com | tcp |
| US | 8.8.8.8:53 | qtgdehgogvgd.com | udp |
| US | 8.8.8.8:53 | qtgdehgogvgd.net | udp |
| US | 8.8.8.8:53 | qtgdehgogvgd.info | udp |
| US | 216.218.185.162:80 | qtgdehgogvgd.info | tcp |
| US | 8.8.8.8:53 | jiemteuyrcgg.com | udp |
| US | 8.8.8.8:53 | jiemteuyrcgg.net | udp |
| US | 8.8.8.8:53 | jiemteuyrcgg.info | udp |
| US | 216.218.185.162:80 | jiemteuyrcgg.info | tcp |
| US | 8.8.8.8:53 | pockfcivnjji.com | udp |
| US | 8.8.8.8:53 | pockfcivnjji.net | udp |
| US | 8.8.8.8:53 | pockfcivnjji.info | udp |
| US | 216.218.185.162:80 | pockfcivnjji.info | tcp |
| US | 8.8.8.8:53 | pyllbbfdpsrb.com | udp |
| US | 8.8.8.8:53 | pyllbbfdpsrb.net | udp |
| US | 216.218.185.162:80 | pyllbbfdpsrb.net | tcp |
| US | 8.8.8.8:53 | cdpxrbrjibst.com | udp |
| US | 8.8.8.8:53 | cdpxrbrjibst.net | udp |
| US | 8.8.8.8:53 | cdpxrbrjibst.info | udp |
| US | 216.218.185.162:80 | cdpxrbrjibst.info | tcp |
| US | 8.8.8.8:53 | vosrwfifqdll.com | udp |
| US | 8.8.8.8:53 | vosrwfifqdll.net | udp |
| US | 8.8.8.8:53 | vosrwfifqdll.info | udp |
| US | 216.218.185.162:80 | vosrwfifqdll.info | tcp |
| US | 8.8.8.8:53 | xiyjrlovqrsp.com | udp |
| US | 8.8.8.8:53 | xiyjrlovqrsp.net | udp |
| US | 8.8.8.8:53 | xiyjrlovqrsp.info | udp |
| US | 216.218.185.162:80 | xiyjrlovqrsp.info | tcp |
| US | 8.8.8.8:53 | niyvrjipcyqr.com | udp |
| US | 216.218.185.162:80 | niyvrjipcyqr.com | tcp |
| US | 8.8.8.8:53 | iqeqqebndllg.com | udp |
| US | 8.8.8.8:53 | iqeqqebndllg.net | udp |
| US | 216.218.185.162:80 | iqeqqebndllg.net | tcp |
| US | 8.8.8.8:53 | nkhhdyxdqpde.com | udp |
| US | 8.8.8.8:53 | nkhhdyxdqpde.net | udp |
| US | 8.8.8.8:53 | nkhhdyxdqpde.info | udp |
| US | 216.218.185.162:80 | nkhhdyxdqpde.info | tcp |
| US | 8.8.8.8:53 | whdrktdefwot.com | udp |
| US | 8.8.8.8:53 | whdrktdefwot.net | udp |
| US | 8.8.8.8:53 | whdrktdefwot.info | udp |
| US | 216.218.185.162:80 | whdrktdefwot.info | tcp |
| US | 8.8.8.8:53 | lefktthdnhhx.com | udp |
| US | 8.8.8.8:53 | lefktthdnhhx.net | udp |
| US | 8.8.8.8:53 | lefktthdnhhx.info | udp |
| US | 216.218.185.162:80 | lefktthdnhhx.info | tcp |
Files
memory/2912-0-0x0000000000400000-0x000000000046D000-memory.dmp
memory/2912-1-0x0000000000400000-0x0000000000405000-memory.dmp
memory/2912-2-0x00000000001C0000-0x00000000001C2000-memory.dmp
memory/2912-4-0x00000000020B0000-0x0000000002AB0000-memory.dmp
memory/1280-6-0x00000000000E0000-0x00000000000E7000-memory.dmp
memory/1176-9-0x0000000002A50000-0x0000000002A57000-memory.dmp
memory/1280-11-0x0000000077A1F000-0x0000000077A21000-memory.dmp
memory/1280-12-0x0000000077A20000-0x0000000077A21000-memory.dmp
memory/1280-8-0x0000000077A1F000-0x0000000077A20000-memory.dmp
memory/1280-7-0x00000000000E0000-0x00000000000E7000-memory.dmp
memory/1176-5-0x0000000002A50000-0x0000000002A57000-memory.dmp
memory/1176-3-0x0000000002A50000-0x0000000002A57000-memory.dmp
memory/1176-13-0x0000000077871000-0x0000000077872000-memory.dmp
memory/1280-14-0x0000000000160000-0x0000000000161000-memory.dmp
memory/1280-15-0x0000000000050000-0x0000000000066000-memory.dmp
memory/1280-16-0x0000000000170000-0x0000000000171000-memory.dmp
memory/2912-17-0x0000000000400000-0x0000000000404A00-memory.dmp
memory/2912-18-0x00000000020B0000-0x0000000002AB0000-memory.dmp
memory/1176-26-0x0000000002A60000-0x0000000002A67000-memory.dmp
memory/1292-29-0x00000000000A0000-0x00000000000A7000-memory.dmp
memory/1164-23-0x0000000002090000-0x0000000002097000-memory.dmp
memory/1092-20-0x0000000000410000-0x0000000000417000-memory.dmp
memory/1092-30-0x0000000000410000-0x0000000000417000-memory.dmp
memory/1092-31-0x0000000077871000-0x0000000077872000-memory.dmp
memory/1164-32-0x0000000002090000-0x0000000002097000-memory.dmp
memory/1176-33-0x0000000002A60000-0x0000000002A67000-memory.dmp
memory/1292-35-0x0000000077871000-0x0000000077872000-memory.dmp
memory/1292-34-0x00000000000A0000-0x00000000000A7000-memory.dmp
memory/1280-41-0x00000000000E0000-0x00000000000E7000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-04 14:28
Reported
2024-04-04 14:31
Platform
win10v2004-20240226-en
Max time kernel
149s
Max time network
150s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\winver.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\winver.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\winver.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\winver.exe | N/A |
Suspicious use of UnmapMainImage
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 3044 wrote to memory of 2172 | N/A | C:\Users\Admin\AppData\Local\Temp\babccaf657298d70471771c106155a7d_JaffaCakes118.exe | C:\Windows\SysWOW64\winver.exe |
| PID 3044 wrote to memory of 2172 | N/A | C:\Users\Admin\AppData\Local\Temp\babccaf657298d70471771c106155a7d_JaffaCakes118.exe | C:\Windows\SysWOW64\winver.exe |
| PID 3044 wrote to memory of 2172 | N/A | C:\Users\Admin\AppData\Local\Temp\babccaf657298d70471771c106155a7d_JaffaCakes118.exe | C:\Windows\SysWOW64\winver.exe |
| PID 3044 wrote to memory of 2172 | N/A | C:\Users\Admin\AppData\Local\Temp\babccaf657298d70471771c106155a7d_JaffaCakes118.exe | C:\Windows\SysWOW64\winver.exe |
| PID 2172 wrote to memory of 3496 | N/A | C:\Windows\SysWOW64\winver.exe | C:\Windows\Explorer.EXE |
| PID 2172 wrote to memory of 3064 | N/A | C:\Windows\SysWOW64\winver.exe | C:\Windows\system32\sihost.exe |
Processes
C:\Windows\system32\sihost.exe
sihost.exe
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\babccaf657298d70471771c106155a7d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\babccaf657298d70471771c106155a7d_JaffaCakes118.exe"
C:\Windows\SysWOW64\winver.exe
winver
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2172 -ip 2172
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2172 -s 580
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.google.com | udp |
| US | 8.8.8.8:53 | ggvruxovlbrm.com | udp |
| US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.86.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 249.110.86.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | | udp |
Files
memory/3044-0-0x0000000000400000-0x000000000046D000-memory.dmp
memory/3044-1-0x0000000000400000-0x0000000000405000-memory.dmp
memory/3044-2-0x00000000021C0000-0x00000000021C2000-memory.dmp
memory/3044-4-0x0000000002610000-0x0000000003010000-memory.dmp
memory/2172-7-0x0000000077E82000-0x0000000077E83000-memory.dmp
memory/3496-6-0x0000000002570000-0x0000000002577000-memory.dmp
memory/2172-8-0x0000000000E60000-0x0000000000E67000-memory.dmp
memory/3496-9-0x00007FFCC4A2D000-0x00007FFCC4A2E000-memory.dmp
memory/2172-5-0x0000000000E60000-0x0000000000E67000-memory.dmp
memory/3496-3-0x0000000002570000-0x0000000002577000-memory.dmp
memory/3044-11-0x0000000000400000-0x0000000000404A00-memory.dmp
memory/3044-12-0x0000000002610000-0x0000000003010000-memory.dmp
memory/3064-13-0x0000000000CD0000-0x0000000000CD7000-memory.dmp
memory/3064-14-0x0000000000CD0000-0x0000000000CD7000-memory.dmp
memory/2172-15-0x0000000000E60000-0x0000000000E67000-memory.dmp
memory/2172-16-0x0000000000E60000-0x0000000000E67000-memory.dmp