Analysis Overview
SHA256
c6de8054497b05b86feed7026c3b656b234f76e0d41841c25170c2124bd42f28
Threat Level: Shows suspicious behavior
The file e3674b36739713a51de142c301de6b27_JaffaCakes118 was assigned the threat level: Shows suspicious behavior.
Malicious Activity Summary
Executes dropped EXE
Adds Run key to start application
Drops file in Windows directory
Program crash
Unsigned PE
Modifies Internet Explorer settings
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-04-06 22:13
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-06 22:13
Reported
2024-04-06 22:15
Platform
win10v2004-20240226-en
Max time kernel
149s
Max time network
152s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\e3674b36739713a51de142c301de6b27_JaffaCakes118.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\e3674b36739713a51de142c301de6b27_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e3674b36739713a51de142c301de6b27_JaffaCakes118.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2312 -ip 2312
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2312 -s 416
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 105.83.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 64.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.71.91.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 24.73.42.20.in-addr.arpa | udp |
Files
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-06 22:13
Reported
2024-04-06 22:15
Platform
win7-20240221-en
Max time kernel
150s
Max time network
121s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\Amoqya.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\DD1APJEZAI = "C:\\Windows\\Amoqya.exe" | C:\Windows\Amoqya.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\Amoqya.exe | C:\Users\Admin\AppData\Local\Temp\e3674b36739713a51de142c301de6b27_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\Amoqya.exe | C:\Users\Admin\AppData\Local\Temp\e3674b36739713a51de142c301de6b27_JaffaCakes118.exe | N/A |
| File created | C:\Windows\Tasks\{62C40AA6-4406-467a-A5A5-DFDF1B559B7A}.job | C:\Users\Admin\AppData\Local\Temp\e3674b36739713a51de142c301de6b27_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\Tasks\{62C40AA6-4406-467a-A5A5-DFDF1B559B7A}.job | C:\Users\Admin\AppData\Local\Temp\e3674b36739713a51de142c301de6b27_JaffaCakes118.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main | C:\Windows\Amoqya.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e3674b36739713a51de142c301de6b27_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Windows\Amoqya.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 2732 wrote to memory of 2520 | N/A | C:\Users\Admin\AppData\Local\Temp\e3674b36739713a51de142c301de6b27_JaffaCakes118.exe | C:\Windows\Amoqya.exe |
| PID 2732 wrote to memory of 2520 | N/A | C:\Users\Admin\AppData\Local\Temp\e3674b36739713a51de142c301de6b27_JaffaCakes118.exe | C:\Windows\Amoqya.exe |
| PID 2732 wrote to memory of 2520 | N/A | C:\Users\Admin\AppData\Local\Temp\e3674b36739713a51de142c301de6b27_JaffaCakes118.exe | C:\Windows\Amoqya.exe |
| PID 2732 wrote to memory of 2520 | N/A | C:\Users\Admin\AppData\Local\Temp\e3674b36739713a51de142c301de6b27_JaffaCakes118.exe | C:\Windows\Amoqya.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\e3674b36739713a51de142c301de6b27_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e3674b36739713a51de142c301de6b27_JaffaCakes118.exe"
C:\Windows\Amoqya.exe
C:\Windows\Amoqya.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | clicksor.com | udp |
| US | 8.8.8.8:53 | walmart.com | udp |
Files
memory/2732-1-0x0000000000400000-0x000000000043C000-memory.dmp
memory/2732-0-0x0000000000230000-0x0000000000246000-memory.dmp
C:\Windows\Amoqya.exe
| Algorithm | Digest |
| --- | --- |
| MD5 | e3674b36739713a51de142c301de6b27 |
| SHA1 | 7afe5512bba38caef89d2b1dea7cfd627f81c87a |
| SHA256 | c6de8054497b05b86feed7026c3b656b234f76e0d41841c25170c2124bd42f28 |
| SHA512 | d16e614d2fde4cdc120dd70bcc35363ebb14aac177aeaeaa825814a775c96045c18b1c6ff08f378bd941ce976b370b3aac132a4254b1ed20639e3023272735f9 |
memory/2520-10-0x0000000000400000-0x000000000043C000-memory.dmp
C:\Windows\Tasks\{62C40AA6-4406-467a-A5A5-DFDF1B559B7A}.job
| Algorithm | Digest |
| --- | --- |
| MD5 | ddb0ebb5e402faf9b6055fb99b245d43 |
| SHA1 | e7e67dd94b12133ae558a46a45f1055d3c6d5187 |
| SHA256 | c329bd4c2ef6ed3f6b85fee10fc7403e4242e8e274a3f0fee928c58362574af4 |
| SHA512 | 6b1245341666b81c8f59edf9207e7f6aec4a94535d25d21d5856839c02b127a37ef38b0ad93111284d3486bd90609c261f054cae9f52be58d8c8e74f1b18fd69 |
memory/2732-7319-0x0000000000400000-0x000000000043C000-memory.dmp
memory/2520-19217-0x0000000000400000-0x000000000043C000-memory.dmp
memory/2732-24648-0x0000000000400000-0x000000000043C000-memory.dmp
memory/2520-36312-0x0000000000400000-0x000000000043C000-memory.dmp
memory/2520-43292-0x0000000000400000-0x000000000043C000-memory.dmp