Analysis Overview
SHA256
1d3e4230cdef8bec5ac180f26769dabc26c1f9c5843f43d964a3bf9095bb2a62
Threat Level: Shows suspicious behavior
The file e390fd44e792bb4c79854e865835618f_JaffaCakes118 was found to be: Shows suspicious behavior.
Malicious Activity Summary
Adds Run key to start application
Suspicious use of SetThreadContext
Program crash
Unsigned PE
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-04-06 23:41
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-06 23:41
Reported
2024-04-06 23:44
Platform
win7-20240221-en
Max time kernel
150s
Max time network
122s
Command Line
Signatures
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Google Inc = "C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe" | C:\Users\Admin\AppData\Local\Temp\e390fd44e792bb4c79854e865835618f_JaffaCakes118.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1524 set thread context of 2740 | N/A | C:\Users\Admin\AppData\Local\Temp\e390fd44e792bb4c79854e865835618f_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\e390fd44e792bb4c79854e865835618f_JaffaCakes118.exe |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e390fd44e792bb4c79854e865835618f_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e390fd44e792bb4c79854e865835618f_JaffaCakes118.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\e390fd44e792bb4c79854e865835618f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e390fd44e792bb4c79854e865835618f_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\e390fd44e792bb4c79854e865835618f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e390fd44e792bb4c79854e865835618f_JaffaCakes118.exe"
Network
Files
memory/2740-2-0x0000000000400000-0x000000000040A000-memory.dmp
C:\Users\Admin\AppData\Roaming\svchost.exe
| MD5 | e390fd44e792bb4c79854e865835618f |
| SHA1 | 91a44a852ebf8862633f296172facd19d1f4a126 |
| SHA256 | 1d3e4230cdef8bec5ac180f26769dabc26c1f9c5843f43d964a3bf9095bb2a62 |
| SHA512 | 9b1a71dd30a5e178705c4d8f2a8f0c00ae2e948c606bcc3dbda0c6b95315036e3662346720ab04a1d6c33e8f5b2d400603c1b9d43e5380a2600aa7f6e0e8115a |
memory/2740-219-0x0000000000400000-0x000000000040A000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-06 23:41
Reported
2024-04-06 23:44
Platform
win10v2004-20240226-en
Max time kernel
150s
Max time network
150s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\e390fd44e792bb4c79854e865835618f_JaffaCakes118.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\e390fd44e792bb4c79854e865835618f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e390fd44e792bb4c79854e865835618f_JaffaCakes118.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3368 -ip 3368
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3368 -s 220
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 150.1.37.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.71.91.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | udp |