Analysis Overview
SHA256
3f1e7ce12366a4b61969e5386d9631291296981e512abd18022012e01ad7fad6
Threat Level: Shows suspicious behavior
The file be73f08309603418a19939fb29f46ef1_JaffaCakes118 was found to show suspicious behavior.
Malicious Activity Summary
Adds Run key to start application
Drops file in Windows directory
Unsigned PE
Program crash
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-04-04 17:33
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-04 17:33
Reported
2024-04-04 17:36
Platform
win7-20231129-en
Max time kernel
147s
Max time network
148s
Command Line
Signatures
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MPFTRAY = "C:\\Windows\\eaRV0ZNNm.exe" | C:\Users\Admin\AppData\Local\Temp\be73f08309603418a19939fb29f46ef1_JaffaCakes118.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\eaRV0ZNNm.exe | C:\Users\Admin\AppData\Local\Temp\be73f08309603418a19939fb29f46ef1_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\eaRV0ZNNm.exe | C:\Users\Admin\AppData\Local\Temp\be73f08309603418a19939fb29f46ef1_JaffaCakes118.exe | N/A |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\be73f08309603418a19939fb29f46ef1_JaffaCakes118.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2912 wrote to memory of 1588 | N/A | C:\Users\Admin\AppData\Local\Temp\be73f08309603418a19939fb29f46ef1_JaffaCakes118.exe | C:\Windows\SysWOW64\WerFault.exe |
| PID 2912 wrote to memory of 1588 | N/A | C:\Users\Admin\AppData\Local\Temp\be73f08309603418a19939fb29f46ef1_JaffaCakes118.exe | C:\Windows\SysWOW64\WerFault.exe |
| PID 2912 wrote to memory of 1588 | N/A | C:\Users\Admin\AppData\Local\Temp\be73f08309603418a19939fb29f46ef1_JaffaCakes118.exe | C:\Windows\SysWOW64\WerFault.exe |
| PID 2912 wrote to memory of 1588 | N/A | C:\Users\Admin\AppData\Local\Temp\be73f08309603418a19939fb29f46ef1_JaffaCakes118.exe | C:\Windows\SysWOW64\WerFault.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\be73f08309603418a19939fb29f46ef1_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\be73f08309603418a19939fb29f46ef1_JaffaCakes118.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2912 -s 1784
Network
Files
memory/2912-3-0x0000000000400000-0x0000000000412000-memory.dmp
memory/2912-5-0x0000000000400000-0x0000000000412000-memory.dmp
memory/2912-7-0x0000000000400000-0x0000000000412000-memory.dmp
memory/2912-8-0x0000000000400000-0x0000000000412000-memory.dmp
memory/2912-10-0x0000000000400000-0x0000000000412000-memory.dmp
memory/2912-11-0x0000000000400000-0x0000000000412000-memory.dmp
memory/2912-12-0x0000000000400000-0x0000000000412000-memory.dmp
memory/2912-13-0x0000000000400000-0x0000000000412000-memory.dmp
memory/2912-15-0x0000000000400000-0x0000000000412000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-04 17:33
Reported
2024-04-04 17:36
Platform
win10v2004-20240226-en
Max time kernel
92s
Max time network
94s
Command Line
Signatures
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\AVPUPD = "C:\\Windows\\p3n8KIsYPo77v2.exe" | C:\Users\Admin\AppData\Local\Temp\be73f08309603418a19939fb29f46ef1_JaffaCakes118.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\p3n8KIsYPo77v2.exe | C:\Users\Admin\AppData\Local\Temp\be73f08309603418a19939fb29f46ef1_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\p3n8KIsYPo77v2.exe | C:\Users\Admin\AppData\Local\Temp\be73f08309603418a19939fb29f46ef1_JaffaCakes118.exe | N/A |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\be73f08309603418a19939fb29f46ef1_JaffaCakes118.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\be73f08309603418a19939fb29f46ef1_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\be73f08309603418a19939fb29f46ef1_JaffaCakes118.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4472 -ip 4472
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4472 -s 2160
Network
Files
memory/4472-3-0x0000000000400000-0x0000000000412000-memory.dmp