Analysis Overview
SHA256
77ceb258ca4fd30374e6d1d346a065a63ac04d0d6f6323a105faa7b1bdb0ef35
Threat Level: Likely malicious
The file e35a7c9fff095108c27de9e0db1c454f_JaffaCakes118 was found to be: Likely malicious.
Malicious Activity Summary
Sets service image path in registry
Executes dropped EXE
Drops file in System32 directory
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-04-06 21:45
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-06 21:45
Reported
2024-04-06 21:46
Platform
win7-20240319-en
Max time kernel
0s
Max time network
3s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\e35a7c9fff095108c27de9e0db1c454f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e35a7c9fff095108c27de9e0db1c454f_JaffaCakes118.exe"
Network
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-06 21:45
Reported
2024-04-06 21:48
Platform
win10v2004-20240226-en
Max time kernel
91s
Max time network
155s
Command Line
Signatures
Sets service image path in registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\3D868FA5\ImagePath = "C:\\Windows\\system32\\3571E338.EXE -3D868FA5" | C:\Users\Admin\AppData\Local\Temp\e35a7c9fff095108c27de9e0db1c454f_JaffaCakes118.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\3571E338.EXE | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\3571E338.EXE | C:\Windows\SysWOW64\3571E338.EXE | N/A |
| File created | C:\Windows\SysWOW64\623A60D4.DLL | C:\Windows\SysWOW64\3571E338.EXE | N/A |
| File created | C:\Windows\SysWOW64\delme.bat | C:\Users\Admin\AppData\Local\Temp\e35a7c9fff095108c27de9e0db1c454f_JaffaCakes118.exe | N/A |
| File created | C:\Windows\SysWOW64\3571E338.EXE | C:\Users\Admin\AppData\Local\Temp\e35a7c9fff095108c27de9e0db1c454f_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\3571E338.EXE | C:\Users\Admin\AppData\Local\Temp\e35a7c9fff095108c27de9e0db1c454f_JaffaCakes118.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e35a7c9fff095108c27de9e0db1c454f_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e35a7c9fff095108c27de9e0db1c454f_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\3571E338.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\3571E338.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\3571E338.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\3571E338.EXE | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 432 wrote to memory of 3184 | N/A | C:\Users\Admin\AppData\Local\Temp\e35a7c9fff095108c27de9e0db1c454f_JaffaCakes118.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 432 wrote to memory of 3184 | N/A | C:\Users\Admin\AppData\Local\Temp\e35a7c9fff095108c27de9e0db1c454f_JaffaCakes118.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 432 wrote to memory of 3184 | N/A | C:\Users\Admin\AppData\Local\Temp\e35a7c9fff095108c27de9e0db1c454f_JaffaCakes118.exe | C:\Windows\SysWOW64\cmd.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\e35a7c9fff095108c27de9e0db1c454f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e35a7c9fff095108c27de9e0db1c454f_JaffaCakes118.exe"
C:\Windows\SysWOW64\3571E338.EXE
C:\Windows\SysWOW64\3571E338.EXE -3D868FA5
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\delme.bat
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.71.91.104.in-addr.arpa | udp |
Files
memory/432-0-0x0000000000400000-0x000000000041F000-memory.dmp
memory/432-1-0x00FFFFFF00FFFFFF-0x00FFFFFF00FFFFFF-memory.dmp
C:\Windows\SysWOW64\3571E338.EXE
| MD5 | e35a7c9fff095108c27de9e0db1c454f |
| SHA1 | 14c1ab6dff52a583127ba1cafedb1bae83e17d91 |
| SHA256 | 77ceb258ca4fd30374e6d1d346a065a63ac04d0d6f6323a105faa7b1bdb0ef35 |
| SHA512 | 45eb01f6a90d7ab2a55d0e1a8f8e64f726077593c93fb4a1513c421dbe7807a65af71e013968b547fcf9d043447c3cda7c59348618b3768974ea90b3d9e330c3 |
memory/3476-5-0x0000000000640000-0x0000000000641000-memory.dmp
memory/432-9-0x0000000000400000-0x000000000041F000-memory.dmp
C:\Windows\SysWOW64\delme.bat
| MD5 | 10f060666308e01b195c30253af310d6 |
| SHA1 | 687f42899fe3db79a85943990b8ee394c9484dc3 |
| SHA256 | 06c8c49d1c1f3a61bb651cf5106a441c68d45b58030375d34ec1c5fd2918f7f1 |
| SHA512 | d775ddcfde741843e558978dcb42cbe906ee8cbbd44fff4088582af05d7028259dac540b1f1376685032a33cc1cc8ceab6495face9c9fe9f83d955a5552c40bd |
memory/3476-11-0x0000000000400000-0x000000000041F000-memory.dmp