Analysis Overview
SHA256
cf79d7fa8b6a8ef362ea9a7fbc5134e8ae8fa2fc675ce366d74a279dec54b8db
Threat Level: Shows suspicious behavior
The file e35d8ebfa688954d46ced5a019d6d7d6_JaffaCakes118 was found to show suspicious behavior.
Malicious Activity Summary
Loads dropped DLL
Executes dropped EXE
Adds Run key to start application
Suspicious use of SetThreadContext
Program crash
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Modifies Internet Explorer settings
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-04-06 21:51
Signatures
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-06 21:51
Reported
2024-04-06 21:54
Platform
win10v2004-20231215-en
Max time kernel
90s
Max time network
121s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\e35d8ebfa688954d46ced5a019d6d7d6_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e35d8ebfa688954d46ced5a019d6d7d6_JaffaCakes118.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 17.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.121.231.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 159.113.53.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.71.91.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
Files
memory/2636-0-0x00000000021F0000-0x0000000002231000-memory.dmp
memory/2636-1-0x0000000002240000-0x0000000002291000-memory.dmp
memory/2636-2-0x0000000000400000-0x0000000000441000-memory.dmp
memory/2636-3-0x0000000000400000-0x0000000000441000-memory.dmp
memory/2636-5-0x0000000002240000-0x0000000002291000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-06 21:51
Reported
2024-04-06 21:54
Platform
win7-20240221-en
Max time kernel
166s
Max time network
169s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Keozg\iqumf.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e35d8ebfa688954d46ced5a019d6d7d6_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e35d8ebfa688954d46ced5a019d6d7d6_JaffaCakes118.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Run\{716CE7C8-8449-AD4E-8B2B-CDD0BB2BEECD} = "C:\\Users\\Admin\\AppData\\Roaming\\Keozg\\iqumf.exe" | C:\Users\Admin\AppData\Roaming\Keozg\iqumf.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2992 set thread context of 756 | N/A | C:\Users\Admin\AppData\Local\Temp\e35d8ebfa688954d46ced5a019d6d7d6_JaffaCakes118.exe | C:\Windows\SysWOW64\cmd.exe |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\cmd.exe |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\Privacy | C:\Users\Admin\AppData\Local\Temp\e35d8ebfa688954d46ced5a019d6d7d6_JaffaCakes118.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0" | C:\Users\Admin\AppData\Local\Temp\e35d8ebfa688954d46ced5a019d6d7d6_JaffaCakes118.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\e35d8ebfa688954d46ced5a019d6d7d6_JaffaCakes118.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\e35d8ebfa688954d46ced5a019d6d7d6_JaffaCakes118.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\e35d8ebfa688954d46ced5a019d6d7d6_JaffaCakes118.exe | N/A |
Suspicious use of UnmapMainImage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e35d8ebfa688954d46ced5a019d6d7d6_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Keozg\iqumf.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\taskhost.exe
"taskhost.exe"
C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\e35d8ebfa688954d46ced5a019d6d7d6_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e35d8ebfa688954d46ced5a019d6d7d6_JaffaCakes118.exe"
C:\Users\Admin\AppData\Roaming\Keozg\iqumf.exe
"C:\Users\Admin\AppData\Roaming\Keozg\iqumf.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmpff8c17aa.bat"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "291121692-802443451-227281910-208957908013849630101267076644-963725818422595924"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 756 -s 116
Network
| Country | Destination | Domain | Proto |
| US | 99.127.226.43:17423 | | udp |
| AR | 190.30.106.158:23269 | | udp |
| IT | 2.197.52.187:13559 | | udp |
| SK | 95.103.212.37:14979 | | udp |
| GR | 94.68.141.75:12140 | | udp |
| TW | 118.167.244.37:16916 | | udp |
| US | 76.160.18.224:18542 | | udp |
| IT | 87.29.198.169:28564 | | udp |
| AU | 60.240.144.102:20921 | | udp |
Files
memory/2992-0-0x0000000000270000-0x00000000002B1000-memory.dmp
memory/2992-1-0x0000000000350000-0x00000000003A1000-memory.dmp
memory/2992-2-0x0000000000400000-0x0000000000441000-memory.dmp
memory/2992-4-0x0000000000400000-0x0000000000441000-memory.dmp
memory/2992-5-0x0000000000400000-0x0000000000441000-memory.dmp
\Users\Admin\AppData\Roaming\Keozg\iqumf.exe
| MD5 | c2f673a201fea35a04c861ce6af8a68c |
| SHA1 | 2d3bb0a13c7daf8770b700bb1df7cec9c88c6be3 |
| SHA256 | 43aef23a8d5c5badce790e2a28efa85e69d74486a8cf5e1d92f070330186812f |
| SHA512 | a29b6984f0739c06e4072921842cf3780ce31056254d748dd44f79640a6fe57c99d9ce9eae625738ce3741f8f798b2f9b1d1e7d80bc55620686334a651772699 |
memory/1948-15-0x0000000000270000-0x00000000002B1000-memory.dmp
memory/1948-17-0x00000000002E0000-0x0000000000331000-memory.dmp
memory/1140-18-0x0000000001F50000-0x0000000001F91000-memory.dmp
memory/1948-19-0x0000000000400000-0x0000000000441000-memory.dmp
memory/1140-21-0x0000000001F50000-0x0000000001F91000-memory.dmp
memory/1140-23-0x0000000001F50000-0x0000000001F91000-memory.dmp
memory/1140-25-0x0000000001F50000-0x0000000001F91000-memory.dmp
memory/1140-27-0x0000000001F50000-0x0000000001F91000-memory.dmp
memory/1240-30-0x0000000001C20000-0x0000000001C61000-memory.dmp
memory/1240-31-0x0000000001C20000-0x0000000001C61000-memory.dmp
memory/1240-32-0x0000000001C20000-0x0000000001C61000-memory.dmp
memory/1240-33-0x0000000001C20000-0x0000000001C61000-memory.dmp
memory/1300-35-0x0000000002AA0000-0x0000000002AE1000-memory.dmp
memory/1300-36-0x0000000002AA0000-0x0000000002AE1000-memory.dmp
memory/1300-37-0x0000000002AA0000-0x0000000002AE1000-memory.dmp
memory/1300-38-0x0000000002AA0000-0x0000000002AE1000-memory.dmp
memory/2992-41-0x0000000000490000-0x00000000004D1000-memory.dmp
memory/2992-42-0x0000000000490000-0x00000000004D1000-memory.dmp
memory/2992-43-0x0000000000490000-0x00000000004D1000-memory.dmp
memory/2992-44-0x0000000000490000-0x00000000004D1000-memory.dmp
memory/2992-40-0x0000000000490000-0x00000000004D1000-memory.dmp
memory/2992-45-0x0000000000560000-0x0000000000561000-memory.dmp
memory/2992-47-0x0000000000490000-0x00000000004D1000-memory.dmp
memory/2992-49-0x0000000077B40000-0x0000000077B41000-memory.dmp
memory/2992-51-0x0000000000560000-0x0000000000561000-memory.dmp
memory/2992-48-0x0000000000560000-0x0000000000561000-memory.dmp
memory/2992-53-0x0000000000560000-0x0000000000561000-memory.dmp
memory/2992-55-0x0000000000560000-0x0000000000561000-memory.dmp
memory/2992-57-0x0000000000560000-0x0000000000561000-memory.dmp
memory/2992-59-0x0000000000560000-0x0000000000561000-memory.dmp
memory/2992-61-0x0000000000560000-0x0000000000561000-memory.dmp
memory/2992-63-0x0000000000560000-0x0000000000561000-memory.dmp
memory/2992-65-0x0000000000560000-0x0000000000561000-memory.dmp
memory/2992-67-0x0000000000560000-0x0000000000561000-memory.dmp
memory/2992-69-0x0000000000560000-0x0000000000561000-memory.dmp
memory/2992-71-0x0000000000560000-0x0000000000561000-memory.dmp
memory/2992-73-0x0000000000560000-0x0000000000561000-memory.dmp
memory/2992-75-0x0000000000560000-0x0000000000561000-memory.dmp
memory/2992-77-0x0000000000560000-0x0000000000561000-memory.dmp
memory/2992-79-0x0000000000560000-0x0000000000561000-memory.dmp
memory/2992-81-0x0000000000560000-0x0000000000561000-memory.dmp
memory/2992-139-0x0000000000560000-0x0000000000561000-memory.dmp
C:\Users\Admin\AppData\Roaming\Otko\mubi.ocu
| MD5 | d9ecb4aa1218bbce06bafa2800cc1716 |
| SHA1 | 9f607eca96b4239a356ae3829fb108211e54f416 |
| SHA256 | fb383ff8b84aac58763f39f164c1cffdab1700587738e3523abc43003b162c20 |
| SHA512 | 9ec0ea8021e0eb9c56d8453512387fa656ad6f304fdd4f55d3722667f336940d1546b11191716c59907131e3e69de9abd68cb5bf5712b451a74a8e28975fbd6c |
memory/2992-162-0x0000000000350000-0x00000000003A1000-memory.dmp
memory/2992-163-0x0000000000270000-0x00000000002B1000-memory.dmp
memory/2992-164-0x0000000000400000-0x0000000000441000-memory.dmp
memory/2992-165-0x0000000000490000-0x00000000004D1000-memory.dmp
memory/1908-180-0x0000000077B40000-0x0000000077B41000-memory.dmp
memory/1908-182-0x0000000077B40000-0x0000000077B41000-memory.dmp
memory/1908-178-0x0000000000B90000-0x0000000000BD1000-memory.dmp
memory/1908-274-0x00000000002D0000-0x00000000002D1000-memory.dmp
memory/1948-277-0x0000000000400000-0x0000000000441000-memory.dmp
memory/1908-279-0x0000000000B90000-0x0000000000BD1000-memory.dmp