Analysis Overview
SHA256
d79fac50d787b497de862322274d0541eb3095ec92fb66ae683ccd5360246869
Threat Level: Shows suspicious behavior
The file be84124151ed648b1b236e244142a92f_JaffaCakes118 was classified as: Shows suspicious behavior.
Malicious Activity Summary
Drops startup file
Checks computer location settings
Loads dropped DLL
Adds Run key to start application
Enumerates physical storage devices
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious behavior: RenamesItself
Suspicious use of SetWindowsHookEx
Modifies registry class
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-04-04 17:37
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-04 17:37
Reported
2024-04-04 17:40
Platform
win7-20240221-en
Max time kernel
160s
Max time network
169s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\win.lnk | C:\Users\Admin\AppData\Local\Temp\be84124151ed648b1b236e244142a92f_JaffaCakes118.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\be84124151ed648b1b236e244142a92f_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\be84124151ed648b1b236e244142a92f_JaffaCakes118.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\360safo = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\svchcst.exe" | C:\Users\Admin\AppData\Local\Temp\be84124151ed648b1b236e244142a92f_JaffaCakes118.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\be84124151ed648b1b236e244142a92f_JaffaCakes118.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\be84124151ed648b1b236e244142a92f_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\be84124151ed648b1b236e244142a92f_JaffaCakes118.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\be84124151ed648b1b236e244142a92f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\be84124151ed648b1b236e244142a92f_JaffaCakes118.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | htl5656556.u1.luyouxia.net | udp |
| CN | 123.99.198.201:53071 | htl5656556.u1.luyouxia.net | tcp |
| CN | 123.99.198.201:53071 | htl5656556.u1.luyouxia.net | tcp |
| CN | 123.99.198.201:53071 | htl5656556.u1.luyouxia.net | tcp |
| CN | 123.99.198.201:53071 | htl5656556.u1.luyouxia.net | tcp |
| CN | 123.99.198.201:53071 | htl5656556.u1.luyouxia.net | tcp |
| CN | 123.99.198.201:53071 | htl5656556.u1.luyouxia.net | tcp |
| CN | 123.99.198.201:53071 | htl5656556.u1.luyouxia.net | tcp |
Files
memory/2984-0-0x0000000000400000-0x0000000000549000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs
| Hash | Value |
|---|---|
| MD5 | 15287e4b78ab920ea0081591f8106615 |
| SHA1 | a1628bd63201e179f636af77f3d58c9a1a4a97e2 |
| SHA256 | c4ea5abf1d82828f77819dfa7dc9b728206518cecc387f279b10bef2f4e10c3f |
| SHA512 | 6211fdb6eeb7dbd342e44f40ebfd73b415574ae76354d498887b44473c55b07656feb5709cee320a8a5f22f62931f4518136000e12065e0958d6eb46dae4f1a7 |
\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
| Hash | Value |
|---|---|
| MD5 | f42eb169ae6fc4797d2bd10b409a4686 |
| SHA1 | 7d4282523a4d1ec1ea02c0dc13124cb60bff2d9a |
| SHA256 | 5ec91e54b1beb2161a81c58e89ff56a90ff497b3efefa4d99cf930637bbd569a |
| SHA512 | 1ebfb4dd11371dc9e3affb731fe6ea51affa096c1a12c163555e5b18c32cf6ca545258c1a66d8421e6e44a066f541ec04fc6da85c3d9918945eb5a71e8b3fb95 |
C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini
| Hash | Value |
|---|---|
| MD5 | 2004bcee923b0e0222f4cab87c2c2a3d |
| SHA1 | 0a3c122b7cfe403403d913ecc1b328480b1bfc2a |
| SHA256 | f92f08df2b65e2f5b5db141c99b098c8b077c0c853a1fd51bfcc6d40dc68ad77 |
| SHA512 | cae47a4dfdb942622ebca65d57e9d80c29cb299aa8c217983e34a51655c2e96ed26c7fa2fad978b6279ed4d3c8c0571e417c60152bf66a116f67d0fe38d6a445 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-04 17:37
Reported
2024-04-04 17:40
Platform
win10v2004-20240226-en
Max time kernel
101s
Max time network
180s
Command Line
Signatures
Checks computer location settings
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\be84124151ed648b1b236e244142a92f_JaffaCakes118.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\win.lnk | C:\Users\Admin\AppData\Local\Temp\be84124151ed648b1b236e244142a92f_JaffaCakes118.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\360safo = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\svchcst.exe" | C:\Users\Admin\AppData\Local\Temp\be84124151ed648b1b236e244142a92f_JaffaCakes118.exe | N/A |
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key created | \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\be84124151ed648b1b236e244142a92f_JaffaCakes118.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\be84124151ed648b1b236e244142a92f_JaffaCakes118.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\be84124151ed648b1b236e244142a92f_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\be84124151ed648b1b236e244142a92f_JaffaCakes118.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 4088 wrote to memory of 1916 | N/A | C:\Users\Admin\AppData\Local\Temp\be84124151ed648b1b236e244142a92f_JaffaCakes118.exe | C:\Windows\SysWOW64\WScript.exe |
| PID 4088 wrote to memory of 3252 | N/A | C:\Users\Admin\AppData\Local\Temp\be84124151ed648b1b236e244142a92f_JaffaCakes118.exe | C:\Windows\SysWOW64\WScript.exe |
| PID 4088 wrote to memory of 1916 | N/A | C:\Users\Admin\AppData\Local\Temp\be84124151ed648b1b236e244142a92f_JaffaCakes118.exe | C:\Windows\SysWOW64\WScript.exe |
| PID 4088 wrote to memory of 1916 | N/A | C:\Users\Admin\AppData\Local\Temp\be84124151ed648b1b236e244142a92f_JaffaCakes118.exe | C:\Windows\SysWOW64\WScript.exe |
| PID 4088 wrote to memory of 3252 | N/A | C:\Users\Admin\AppData\Local\Temp\be84124151ed648b1b236e244142a92f_JaffaCakes118.exe | C:\Windows\SysWOW64\WScript.exe |
| PID 4088 wrote to memory of 3252 | N/A | C:\Users\Admin\AppData\Local\Temp\be84124151ed648b1b236e244142a92f_JaffaCakes118.exe | C:\Windows\SysWOW64\WScript.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\be84124151ed648b1b236e244142a92f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\be84124151ed648b1b236e244142a92f_JaffaCakes118.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 202.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | htl5656556.u1.luyouxia.net | udp |
| CN | 123.99.198.201:53071 | htl5656556.u1.luyouxia.net | tcp |
| US | 8.8.8.8:53 | 14.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 35.34.16.2.in-addr.arpa | udp |
| CN | 123.99.198.201:53071 | htl5656556.u1.luyouxia.net | tcp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 139.110.86.104.in-addr.arpa | udp |
| CN | 123.99.198.201:53071 | htl5656556.u1.luyouxia.net | tcp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| CN | 123.99.198.201:53071 | htl5656556.u1.luyouxia.net | tcp |
| CN | 123.99.198.201:53071 | htl5656556.u1.luyouxia.net | tcp |
| US | 8.8.8.8:53 | 26.178.89.13.in-addr.arpa | udp |
| CN | 123.99.198.201:53071 | htl5656556.u1.luyouxia.net | tcp |
| CN | 123.99.198.201:53071 | htl5656556.u1.luyouxia.net | tcp |
Files
memory/4088-0-0x0000000000400000-0x0000000000549000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs
| Hash | Value |
|---|---|
| MD5 | d01768dfd2f1658ea9f05dc0e739018f |
| SHA1 | 6d999e9efa3dad8c8ddeb24c2a7d1d2437225dec |
| SHA256 | c742b4c5c26ff2d763ff735edbfb53899ce7ade94e5c83b9f3f629e970d40e2f |
| SHA512 | 63630af5c55943464bb9cb2138089d30e35f7f5d21b3c50f79e40a754b663680d9c6c4d8cdf03b38063e8be2fcc63958597fd583d0c49c16842cc0f7e949ca01 |
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
| Hash | Value |
|---|---|
| MD5 | d71a76ba49f7d1f5fc3f3bd24522682a |
| SHA1 | f53cf6b177fe1387f13b97390f2dbcf4fd485913 |
| SHA256 | c944e6564aef76c670b4a8800b3a8738e6de6d75828a995ab9b060bbdcaba0ae |
| SHA512 | 5beb584aa143fe4f3a241eba4adba7efd5c45023aaa13322514045cdcbcf0d08d978c9eb4f4064acb1994018181a3eb655fb7dcbbec9c6e42215e74b43b36d81 |
C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini
| Hash | Value |
|---|---|
| MD5 | 2004bcee923b0e0222f4cab87c2c2a3d |
| SHA1 | 0a3c122b7cfe403403d913ecc1b328480b1bfc2a |
| SHA256 | f92f08df2b65e2f5b5db141c99b098c8b077c0c853a1fd51bfcc6d40dc68ad77 |
| SHA512 | cae47a4dfdb942622ebca65d57e9d80c29cb299aa8c217983e34a51655c2e96ed26c7fa2fad978b6279ed4d3c8c0571e417c60152bf66a116f67d0fe38d6a445 |