Analysis Overview
SHA256
a50416305aa0ad6199e59280817d63f378c351080affc7fad7fdefd693cfc484
Threat Level: Shows suspicious behavior
The file e357b89c9fd5c6fc224d3f96a3c435c6_JaffaCakes118 was found to be: Shows suspicious behavior.
Malicious Activity Summary
UPX packed file
Reads WinSCP keys stored on the system
Reads user/profile data of web browsers
Adds Run key to start application
Checks installed software on the system
Program crash
Unsigned PE
Checks processor information in registry
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-04-06 21:38
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-06 21:38
Reported
2024-04-06 21:40
Platform
win7-20240221-en
Max time kernel
140s
Max time network
151s
Command Line
Signatures
Reads WinSCP keys stored on the system
Reads user/profile data of web browsers
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\AmdAgent = "C:\\Users\\Admin\\AppData\\Local\\Temp\\e357b89c9fd5c6fc224d3f96a3c435c6_JaffaCakes118.exe" | C:\Users\Admin\AppData\Local\Temp\e357b89c9fd5c6fc224d3f96a3c435c6_JaffaCakes118.exe | N/A |
Checks installed software on the system
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\e357b89c9fd5c6fc224d3f96a3c435c6_JaffaCakes118.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\e357b89c9fd5c6fc224d3f96a3c435c6_JaffaCakes118.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Users\Admin\AppData\Local\Temp\e357b89c9fd5c6fc224d3f96a3c435c6_JaffaCakes118.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\e357b89c9fd5c6fc224d3f96a3c435c6_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e357b89c9fd5c6fc224d3f96a3c435c6_JaffaCakes118.exe"
Network
| Country | Destination | Domain | Proto |
| N/A | 127.0.0.1:49194 | tcp | |
| KR | 218.152.233.35:80 | tcp | |
| KR | 112.186.139.9:80 | tcp | |
| N/A | 127.0.0.1:49197 | tcp | |
| US | 65.60.228.36:80 | tcp | |
| N/A | 127.0.0.1:49201 | tcp | |
| N/A | 127.0.0.1:49206 | tcp | |
| IN | 27.4.153.0:80 | tcp | |
| N/A | 127.0.0.1:49211 | tcp | |
| US | 71.195.179.115:80 | tcp | |
| N/A | 127.0.0.1:49214 | tcp | |
| IN | 14.140.54.214:80 | tcp | |
| IN | 117.224.103.46:80 | tcp | |
| N/A | 127.0.0.1:49218 | tcp | |
| N/A | 127.0.0.1:49222 | tcp | |
| KR | 112.214.30.183:80 | tcp | |
| N/A | 127.0.0.1:49226 | tcp | |
| HK | 180.215.149.33:80 | tcp | |
| N/A | 127.0.0.1:49230 | tcp | |
| KR | 218.148.117.50:80 | tcp | |
| KR | 119.201.161.13:80 | tcp | |
| N/A | 127.0.0.1:49234 | tcp | |
| N/A | 127.0.0.1:49239 | tcp | |
| KR | 175.206.2.33:80 | tcp | |
| N/A | 127.0.0.1:49242 | tcp | |
| US | 76.108.4.23:80 | tcp | |
| N/A | 127.0.0.1:49246 | tcp | |
| KZ | 95.57.73.56:80 | tcp | |
| N/A | 127.0.0.1:49250 | tcp | |
| US | 71.72.200.32:80 | tcp |
Files
memory/1396-0-0x0000000000400000-0x000000000063D000-memory.dmp
memory/1396-1-0x0000000000350000-0x0000000000351000-memory.dmp
memory/1396-2-0x0000000000230000-0x0000000000231000-memory.dmp
memory/1396-3-0x0000000000400000-0x000000000063D000-memory.dmp
memory/1396-4-0x0000000000400000-0x000000000063D000-memory.dmp
memory/1396-5-0x0000000000400000-0x000000000063D000-memory.dmp
memory/1396-6-0x0000000000400000-0x000000000063D000-memory.dmp
memory/1396-8-0x0000000000230000-0x0000000000231000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-06 21:38
Reported
2024-04-06 21:40
Platform
win10v2004-20240226-en
Max time kernel
92s
Max time network
94s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\e357b89c9fd5c6fc224d3f96a3c435c6_JaffaCakes118.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\e357b89c9fd5c6fc224d3f96a3c435c6_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e357b89c9fd5c6fc224d3f96a3c435c6_JaffaCakes118.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 2044 -ip 2044
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2044 -s 376
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.71.91.104.in-addr.arpa | udp |