Analysis Overview
SHA256
dc93c74295fb2a132a63ddce3037b89bb198e258869940e4a4eb4478ad5efaf5
Threat Level: Shows suspicious behavior
The file e39679a14296986acb137c0e5ea39539_JaffaCakes118 was found to be: Shows suspicious behavior.
Malicious Activity Summary
Adds Run key to start application
Drops file in Windows directory
Unsigned PE
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of SetWindowsHookEx
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-04-06 23:55
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-06 23:55
Reported
2024-04-06 23:57
Platform
win7-20240221-en
Max time kernel
150s
Max time network
120s
Command Line
Signatures
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\0ESKOMO9JO = "C:\\Users\\Admin\\AppData\\Local\\Temp\\e39679a14296986acb137c0e5ea39539_JaffaCakes118.exe" | C:\Users\Admin\AppData\Local\Temp\e39679a14296986acb137c0e5ea39539_JaffaCakes118.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Tasks\{22116563-108C-42c0-A7CE-60161B75E508}.job | C:\Users\Admin\AppData\Local\Temp\e39679a14296986acb137c0e5ea39539_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\Tasks\{22116563-108C-42c0-A7CE-60161B75E508}.job | C:\Users\Admin\AppData\Local\Temp\e39679a14296986acb137c0e5ea39539_JaffaCakes118.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main | C:\Users\Admin\AppData\Local\Temp\e39679a14296986acb137c0e5ea39539_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\International | C:\Users\Admin\AppData\Local\Temp\e39679a14296986acb137c0e5ea39539_JaffaCakes118.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e39679a14296986acb137c0e5ea39539_JaffaCakes118.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e39679a14296986acb137c0e5ea39539_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e39679a14296986acb137c0e5ea39539_JaffaCakes118.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\e39679a14296986acb137c0e5ea39539_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e39679a14296986acb137c0e5ea39539_JaffaCakes118.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | wsj.com | udp |
| US | 8.8.8.8:53 | fastclick.com | udp |
| US | 8.8.8.8:53 | nifty.com | udp |
| US | 8.8.8.8:53 | qqplot.com | udp |
| US | 8.8.8.8:53 | lacvictoria.com | udp |
| US | 8.8.8.8:53 | paulo-fg.com | udp |
| US | 8.8.8.8:53 | bonreligion.com | udp |
Files
memory/2088-0-0x0000000000400000-0x000000000043B000-memory.dmp
memory/2088-1-0x0000000000230000-0x0000000000231000-memory.dmp
memory/2088-2-0x0000000000400000-0x000000000043B000-memory.dmp
memory/2088-33649-0x0000000000400000-0x000000000043B000-memory.dmp
memory/2088-41254-0x00000000726A0000-0x0000000073702000-memory.dmp
memory/2088-41255-0x00000000726A0000-0x0000000073702000-memory.dmp
memory/2088-41258-0x0000000000400000-0x000000000043B000-memory.dmp
memory/2088-41259-0x0000000001EC0000-0x0000000001EC4000-memory.dmp
memory/2088-41260-0x0000000001ED0000-0x0000000001ED1000-memory.dmp
memory/2088-41261-0x0000000000400000-0x000000000043B000-memory.dmp
memory/2088-41262-0x0000000000400000-0x000000000043B000-memory.dmp
memory/2088-41263-0x0000000000400000-0x000000000043B000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-06 23:55
Reported
2024-04-06 23:57
Platform
win10v2004-20240226-en
Max time kernel
18s
Max time network
23s
Command Line
Signatures
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\0ESKOMO9JO = "C:\\Users\\Admin\\AppData\\Local\\Temp\\e39679a14296986acb137c0e5ea39539_JaffaCakes118.exe" | C:\Users\Admin\AppData\Local\Temp\e39679a14296986acb137c0e5ea39539_JaffaCakes118.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Software\Microsoft\Internet Explorer\Main | C:\Users\Admin\AppData\Local\Temp\e39679a14296986acb137c0e5ea39539_JaffaCakes118.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e39679a14296986acb137c0e5ea39539_JaffaCakes118.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\e39679a14296986acb137c0e5ea39539_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e39679a14296986acb137c0e5ea39539_JaffaCakes118.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | wsj.com | udp |
| US | 8.8.8.8:53 | fastclick.com | udp |
| US | 8.8.8.8:53 | nifty.com | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.121.231.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
Files
memory/1124-0-0x0000000000400000-0x000000000043B000-memory.dmp
memory/1124-1-0x00000000005F0000-0x00000000005F1000-memory.dmp
memory/1124-2-0x0000000000400000-0x000000000043B000-memory.dmp
memory/1124-10834-0x0000000000400000-0x000000000043B000-memory.dmp