Analysis Overview
SHA256
862660a0daaad5a98c7a2339a11c36e493895c759495c7de77943b4eaca7bd03
Threat Level: Known bad
The file e35d9f2e62b6b44088ee17fa229d1517_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
Modifies firewall policy service
Executes dropped EXE
Loads dropped DLL
Adds Run key to start application
Drops file in Program Files directory
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-04-06 21:51
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-06 21:51
Reported
2024-04-06 21:54
Platform
win7-20240221-en
Max time kernel
131s
Max time network
144s
Command Line
Signatures
Modifies firewall policy service
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Program Files (x86)\Common Files\System\klass.exe = "C:\\Program Files (x86)\\Common Files\\System\\klass.exe:*:Enabled:Windows Update" | C:\Program Files (x86)\Common Files\System\klass.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Common Files\System\klass.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e35d9f2e62b6b44088ee17fa229d1517_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e35d9f2e62b6b44088ee17fa229d1517_JaffaCakes118.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Program Files (x86)\\Common Files\\System\\klass.exe" | C:\Program Files (x86)\Common Files\System\klass.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files (x86)\Common Files\System | C:\Users\Admin\AppData\Local\Temp\e35d9f2e62b6b44088ee17fa229d1517_JaffaCakes118.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\System\klass.exe | C:\Users\Admin\AppData\Local\Temp\e35d9f2e62b6b44088ee17fa229d1517_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\System\klass.exe | C:\Users\Admin\AppData\Local\Temp\e35d9f2e62b6b44088ee17fa229d1517_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\System | C:\Program Files (x86)\Common Files\System\klass.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\System\klass.exe | C:\Program Files (x86)\Common Files\System\klass.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\System\klass.exe | C:\Program Files (x86)\Common Files\System\klass.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2724 wrote to memory of 2940 | N/A | C:\Users\Admin\AppData\Local\Temp\e35d9f2e62b6b44088ee17fa229d1517_JaffaCakes118.exe | C:\Program Files (x86)\Common Files\System\klass.exe |
| PID 2724 wrote to memory of 2940 | N/A | C:\Users\Admin\AppData\Local\Temp\e35d9f2e62b6b44088ee17fa229d1517_JaffaCakes118.exe | C:\Program Files (x86)\Common Files\System\klass.exe |
| PID 2724 wrote to memory of 2940 | N/A | C:\Users\Admin\AppData\Local\Temp\e35d9f2e62b6b44088ee17fa229d1517_JaffaCakes118.exe | C:\Program Files (x86)\Common Files\System\klass.exe |
| PID 2724 wrote to memory of 2940 | N/A | C:\Users\Admin\AppData\Local\Temp\e35d9f2e62b6b44088ee17fa229d1517_JaffaCakes118.exe | C:\Program Files (x86)\Common Files\System\klass.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\e35d9f2e62b6b44088ee17fa229d1517_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e35d9f2e62b6b44088ee17fa229d1517_JaffaCakes118.exe"
C:\Program Files (x86)\Common Files\System\klass.exe
"C:\Program Files (x86)\Common Files\System\klass.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | irc.rootattack.com | udp |
| US | 44.221.239.236:6667 | irc.rootattack.com | tcp |
| US | 44.221.239.236:6667 | irc.rootattack.com | tcp |
| US | 44.221.239.236:6667 | irc.rootattack.com | tcp |
| US | 8.8.8.8:53 | irc.rootattack.com | udp |
| US | 44.221.239.236:6667 | irc.rootattack.com | tcp |
| US | 44.221.239.236:6667 | irc.rootattack.com | tcp |
| US | 44.221.239.236:6667 | irc.rootattack.com | tcp |
Files
memory/2724-0-0x0000000000400000-0x000000000041D000-memory.dmp
C:\Program Files (x86)\Common Files\System\klass.exe
| MD5 | e35d9f2e62b6b44088ee17fa229d1517 |
| SHA1 | 805701b71187565c0a9a73fcbf892ab1ff0049e4 |
| SHA256 | 862660a0daaad5a98c7a2339a11c36e493895c759495c7de77943b4eaca7bd03 |
| SHA512 | 296edb3b164259344585fa55434847268fa86c9fc02fec09ef1a4ea9fe058847242eca38820e627785a933c6b68bbe3ada5ee75e9be76dba95e40aafb3e27ae6 |
memory/2724-9-0x00000000005B0000-0x00000000005CD000-memory.dmp
memory/2724-12-0x0000000000400000-0x000000000041D000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-06 21:51
Reported
2024-04-06 21:54
Platform
win10v2004-20240226-en
Max time kernel
131s
Max time network
150s
Command Line
Signatures
Modifies firewall policy service
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | C:\Program Files (x86)\Common Files\System\klass.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications | C:\Program Files (x86)\Common Files\System\klass.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Program Files (x86)\Common Files\System\klass.exe = "C:\\Program Files (x86)\\Common Files\\System\\klass.exe:*:Enabled:Windows Update" | C:\Program Files (x86)\Common Files\System\klass.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | C:\Program Files (x86)\Common Files\System\klass.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Common Files\System\klass.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Program Files (x86)\\Common Files\\System\\klass.exe" | C:\Program Files (x86)\Common Files\System\klass.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files (x86)\Common Files\System | C:\Users\Admin\AppData\Local\Temp\e35d9f2e62b6b44088ee17fa229d1517_JaffaCakes118.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\System\klass.exe | C:\Users\Admin\AppData\Local\Temp\e35d9f2e62b6b44088ee17fa229d1517_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\System\klass.exe | C:\Users\Admin\AppData\Local\Temp\e35d9f2e62b6b44088ee17fa229d1517_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\System | C:\Program Files (x86)\Common Files\System\klass.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\System\klass.exe | C:\Program Files (x86)\Common Files\System\klass.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\System\klass.exe | C:\Program Files (x86)\Common Files\System\klass.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3388 wrote to memory of 516 | N/A | C:\Users\Admin\AppData\Local\Temp\e35d9f2e62b6b44088ee17fa229d1517_JaffaCakes118.exe | C:\Program Files (x86)\Common Files\System\klass.exe |
| PID 3388 wrote to memory of 516 | N/A | C:\Users\Admin\AppData\Local\Temp\e35d9f2e62b6b44088ee17fa229d1517_JaffaCakes118.exe | C:\Program Files (x86)\Common Files\System\klass.exe |
| PID 3388 wrote to memory of 516 | N/A | C:\Users\Admin\AppData\Local\Temp\e35d9f2e62b6b44088ee17fa229d1517_JaffaCakes118.exe | C:\Program Files (x86)\Common Files\System\klass.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\e35d9f2e62b6b44088ee17fa229d1517_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e35d9f2e62b6b44088ee17fa229d1517_JaffaCakes118.exe"
C:\Program Files (x86)\Common Files\System\klass.exe
"C:\Program Files (x86)\Common Files\System\klass.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | irc.rootattack.com | udp |
| US | 44.221.239.236:6667 | irc.rootattack.com | tcp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 20.231.121.79:80 | tcp | |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 44.221.239.236:6667 | irc.rootattack.com | tcp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.71.91.104.in-addr.arpa | udp |
| US | 44.221.239.236:6667 | irc.rootattack.com | tcp |
| US | 8.8.8.8:53 | 144.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | irc.rootattack.com | udp |
| US | 44.221.239.236:6667 | irc.rootattack.com | tcp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 44.221.239.236:6667 | irc.rootattack.com | tcp |
| US | 44.221.239.236:6667 | irc.rootattack.com | tcp |
Files
memory/3388-0-0x0000000000400000-0x000000000041D000-memory.dmp
C:\Program Files (x86)\Common Files\System\klass.exe
| MD5 | e35d9f2e62b6b44088ee17fa229d1517 |
| SHA1 | 805701b71187565c0a9a73fcbf892ab1ff0049e4 |
| SHA256 | 862660a0daaad5a98c7a2339a11c36e493895c759495c7de77943b4eaca7bd03 |
| SHA512 | 296edb3b164259344585fa55434847268fa86c9fc02fec09ef1a4ea9fe058847242eca38820e627785a933c6b68bbe3ada5ee75e9be76dba95e40aafb3e27ae6 |
memory/3388-6-0x0000000000400000-0x000000000041D000-memory.dmp