Analysis Overview
SHA256
1d9c7a3f4db08b60d9995027535db917e83f51c2e4f56d5fc862456a314203f6
Threat Level: Shows suspicious behavior
Verdict for e2c334e419f98a1217912316e0c797a7_JaffaCakes118: shows suspicious behavior.
Malicious Activity Summary
Reads user/profile data of web browsers
Executes dropped EXE
Checks installed software on the system
Adds Run key to start application
Unsigned PE
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Modifies Internet Explorer start page
Suspicious use of WriteProcessMemory
Suspicious behavior: GetForegroundWindowSpam
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-04-06 14:40
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-06 14:40
Reported
2024-04-06 14:42
Platform
win10v2004-20240226-en
Max time kernel
92s
Max time network
128s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\{22B7F37F-D58A-4007-54E2-A7295E1B888E}\.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\AD Network = "\"C:\\Users\\Admin\\AppData\\Local\\{22B7F37F-D58A-4007-54E2-A7295E1B888E}\\.exe\" ?" | C:\Users\Admin\AppData\Local\{22B7F37F-D58A-4007-54E2-A7295E1B888E}\.exe | N/A |
Checks installed software on the system
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key deleted | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{0633EE93-D776-472F-A0FF-E1416B8B2E3A} | C:\Users\Admin\AppData\Local\Temp\e2c334e419f98a1217912316e0c797a7_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0E67A6B8-A1D0-4f0d-B421-7FED69FCC971} | C:\Users\Admin\AppData\Local\Temp\e2c334e419f98a1217912316e0c797a7_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0E67A6B8-A1D0-4f0d-B421-7FED69FCC971}\URL = "http://www.gigabase.ru/search?q={searchTerms}&uin=1000" | C:\Users\Admin\AppData\Local\Temp\e2c334e419f98a1217912316e0c797a7_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0E67A6B8-A1D0-4f0d-B421-7FED69FCC971}\DisplayName = "Gigabase" | C:\Users\Admin\AppData\Local\Temp\e2c334e419f98a1217912316e0c797a7_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\DefaultScope = "{0E67A6B8-A1D0-4f0d-B421-7FED69FCC971}" | C:\Users\Admin\AppData\Local\Temp\e2c334e419f98a1217912316e0c797a7_JaffaCakes118.exe | N/A |
Modifies Internet Explorer start page
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.ctel.ru/" | C:\Users\Admin\AppData\Local\Temp\e2c334e419f98a1217912316e0c797a7_JaffaCakes118.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e2c334e419f98a1217912316e0c797a7_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e2c334e419f98a1217912316e0c797a7_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e2c334e419f98a1217912316e0c797a7_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e2c334e419f98a1217912316e0c797a7_JaffaCakes118.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeManageVolumePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\e2c334e419f98a1217912316e0c797a7_JaffaCakes118.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\e2c334e419f98a1217912316e0c797a7_JaffaCakes118.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 808 wrote to memory of 4788 | N/A | C:\Users\Admin\AppData\Local\Temp\e2c334e419f98a1217912316e0c797a7_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\{22B7F37F-D58A-4007-54E2-A7295E1B888E}\.exe |
| PID 808 wrote to memory of 4788 | N/A | C:\Users\Admin\AppData\Local\Temp\e2c334e419f98a1217912316e0c797a7_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\{22B7F37F-D58A-4007-54E2-A7295E1B888E}\.exe |
| PID 808 wrote to memory of 4788 | N/A | C:\Users\Admin\AppData\Local\Temp\e2c334e419f98a1217912316e0c797a7_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\{22B7F37F-D58A-4007-54E2-A7295E1B888E}\.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\e2c334e419f98a1217912316e0c797a7_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e2c334e419f98a1217912316e0c797a7_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\{22B7F37F-D58A-4007-54E2-A7295E1B888E}\.exe
Network
| Country | Destination | Domain | Proto |
| ES | 91.199.230.27:80 | | tcp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 69.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.143.109.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
Files
memory/808-0-0x0000000000400000-0x0000000000450000-memory.dmp
memory/808-2-0x0000000000400000-0x0000000000450000-memory.dmp
memory/808-3-0x00000000007A0000-0x00000000008A0000-memory.dmp
C:\Users\Admin\AppData\Local\{22B7F37F-D58A-4007-54E2-A7295E1B888E}\.exe
| MD5 | ca9a0a2b5f9b7b83a5541bdedfc5a1bc |
| SHA1 | fc93722e8a764312e2f06f41717eaaba80dfb4a0 |
| SHA256 | 3c69b52540ea6cd00df2f5350b4e389de3014c4418d78b73e310aa40924655a8 |
| SHA512 | 1f901383e0e90d68c4464d34564dc034040aaa011e88ec0cb37dce34655a3824bb5613201f84b98e6de1c1440c3285f5ece1d6394396ac4a516d3325e63fe15b |
memory/808-13-0x0000000000400000-0x0000000000450000-memory.dmp
memory/4788-15-0x0000000020300000-0x0000000020313200-memory.dmp
memory/4788-16-0x00000000007F0000-0x00000000008F0000-memory.dmp
C:\Users\Admin\AppData\Local\{22B7F37F-D58A-4007-54E2-A7295E1B888E}\.cfg
| MD5 | 20165a79bcccf30bbef992c7820b2829 |
| SHA1 | 00445acf5c6cc679e76d47b519132cb9485fd445 |
| SHA256 | 7104e9fd4c65275f9e5c9557188f11f56faf9e9e54543a4c8e42284830a3bc6a |
| SHA512 | eb968a59eb2fe7440596e8d57fb64b79b8ae2ddc79f8812200248653165d3b1285ffcd5d0381fd0980fecad9b76ccea613c515dfb1f1e15d850d6e3eacb0052f |
memory/4788-19-0x0000000020300000-0x0000000020313200-memory.dmp
memory/4788-20-0x00000000007F0000-0x00000000008F0000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-06 14:40
Reported
2024-04-06 14:42
Platform
win7-20240221-en
Max time kernel
140s
Max time network
122s
Command Line
Signatures
Reads user/profile data of web browsers
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key deleted | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472F-A0FF-E1416B8B2E3A} | C:\Users\Admin\AppData\Local\Temp\e2c334e419f98a1217912316e0c797a7_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0E67A6B8-A1D0-4f0d-B421-7FED69FCC971} | C:\Users\Admin\AppData\Local\Temp\e2c334e419f98a1217912316e0c797a7_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0E67A6B8-A1D0-4f0d-B421-7FED69FCC971}\URL = "http://www.gigabase.ru/search?q={searchTerms}&uin=1000" | C:\Users\Admin\AppData\Local\Temp\e2c334e419f98a1217912316e0c797a7_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0E67A6B8-A1D0-4f0d-B421-7FED69FCC971}\DisplayName = "Gigabase" | C:\Users\Admin\AppData\Local\Temp\e2c334e419f98a1217912316e0c797a7_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\SearchScopes\DefaultScope = "{0E67A6B8-A1D0-4f0d-B421-7FED69FCC971}" | C:\Users\Admin\AppData\Local\Temp\e2c334e419f98a1217912316e0c797a7_JaffaCakes118.exe | N/A |
Modifies Internet Explorer start page
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.ctel.ru/" | C:\Users\Admin\AppData\Local\Temp\e2c334e419f98a1217912316e0c797a7_JaffaCakes118.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e2c334e419f98a1217912316e0c797a7_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e2c334e419f98a1217912316e0c797a7_JaffaCakes118.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e2c334e419f98a1217912316e0c797a7_JaffaCakes118.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeManageVolumePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\e2c334e419f98a1217912316e0c797a7_JaffaCakes118.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\e2c334e419f98a1217912316e0c797a7_JaffaCakes118.exe | N/A |
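The registry writes recorded in both behavioral runs (the RunOnce entry, the replaced SearchScopes default and the Start Page value) are the artifacts worth turning into host checks. The Python below is an added triage helper, not part of the sandbox output: it parses the indicator strings exactly as they appear in the tables above, normalises the \REGISTRY\MACHINE and \REGISTRY\USER\<SID> prefixes to HKLM/HKU, unescapes the quoted data, and classifies each write. The category labels, function names and the T1547.001 mapping are this example's own; the INDICATORS list is copied from the report.

```python
"""Triage helper for the registry indicators in this report (added example).

Parses the sandbox indicator strings, normalises hive names, unescapes the
quoted data and classifies each write as persistence or browser hijacking.
"""
import re
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlparse

# Indicator strings copied verbatim from the signature tables above.
INDICATORS = [
    ("Set value (str)", r'\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\AD Network = "\"C:\\Users\\Admin\\AppData\\Local\\{22B7F37F-D58A-4007-54E2-A7295E1B888E}\\.exe\" ?"'),
    ("Key deleted", r'\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{0633EE93-D776-472F-A0FF-E1416B8B2E3A}'),
    ("Key created", r'\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0E67A6B8-A1D0-4f0d-B421-7FED69FCC971}'),
    ("Set value (str)", r'\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0E67A6B8-A1D0-4f0d-B421-7FED69FCC971}\URL = "http://www.gigabase.ru/search?q={searchTerms}&uin=1000"'),
    ("Set value (str)", r'\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0E67A6B8-A1D0-4f0d-B421-7FED69FCC971}\DisplayName = "Gigabase"'),
    ("Set value (str)", r'\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\DefaultScope = "{0E67A6B8-A1D0-4f0d-B421-7FED69FCC971}"'),
    ("Set value (str)", r'\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.ctel.ru/"'),
]


@dataclass
class Finding:
    action: str                  # sandbox action, e.g. "Set value (str)"
    key: str                     # normalised key path (HKLM\... or HKU\<SID>\...)
    value_name: Optional[str]    # None for key create/delete rows
    data: Optional[str]          # unescaped string data, None for key rows
    category: str                # label assigned by this example
    host: Optional[str] = None   # hostname found in URL-shaped data
    image: Optional[str] = None  # executable path taken from a Run/RunOnce command line


_HIVE = re.compile(r'^\\REGISTRY\\(MACHINE|USER\\(S-1-5-[\d-]+))\\', re.I)
_CMDLINE = re.compile(r'^"([^"]+)"(.*)$')


def normalise_hive(path: str) -> str:
    """Map the kernel-style \\REGISTRY\\MACHINE / \\REGISTRY\\USER\\<SID> prefixes to HKLM / HKU\\<SID>."""
    m = _HIVE.match(path)
    if not m:
        return path
    if m.group(1).upper() == 'MACHINE':
        return 'HKLM\\' + path[m.end():]
    return 'HKU\\' + m.group(2) + '\\' + path[m.end():]


def unescape(data: str) -> str:
    """Strip the quotes the report puts around string data and undo its escaping (\\\\ -> \\, \\" -> ")."""
    if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
        data = data[1:-1]
    return re.sub(r'\\(.)', r'\1', data)


def split_indicator(indicator: str):
    """Return (key, value_name, raw_data); key create/delete rows carry no ' = '."""
    if ' = ' not in indicator:
        return indicator, None, None
    lhs, raw = indicator.split(' = ', 1)
    key, _, name = lhs.rpartition('\\')
    return key, name, raw


def classify(action: str, key: str, name: Optional[str], data: Optional[str]) -> Finding:
    """Assign one of this example's categories based on where in the registry the write landed."""
    nkey = normalise_hive(key)
    low = nkey.lower()
    f = Finding(action=action, key=nkey, value_name=name, data=data, category='other')
    if re.search(r'\\currentversion\\run(once)?$', low) and data is not None:
        # Run / RunOnce value: Registry Run Keys persistence (ATT&CK T1547.001; mapping is this example's).
        f.category = 'persistence:run-key'
        m = _CMDLINE.match(data)
        f.image = m.group(1) if m else data.split(' ', 1)[0]
    elif '\\internet explorer\\searchscopes' in low:
        f.category = 'browser-hijack:search-scope'
    elif low.endswith('\\internet explorer\\main') and name and name.lower() == 'start page':
        f.category = 'browser-hijack:start-page'
    if data and data.lower().startswith(('http://', 'https://')):
        f.host = urlparse(data).hostname
    return f


def triage(indicators):
    """Parse and classify every (action, indicator) pair."""
    findings = []
    for action, indicator in indicators:
        key, name, raw = split_indicator(indicator)
        data = unescape(raw) if raw is not None else None
        findings.append(classify(action, key, name, data))
    return findings


def referenced_hosts(findings):
    """Hostnames the registry data points the browser at; candidates for blocking and hunting."""
    return sorted({f.host for f in findings if f.host})


def persisted_images(findings):
    """Executables registered for autostart; candidates for a file-presence check on hosts."""
    return sorted({f.image for f in findings if f.image})


if __name__ == '__main__':
    findings = triage(INDICATORS)
    for f in findings:
        target = f.key + ('\\' + f.value_name if f.value_name else '')
        print(f'{f.category:30} {f.action:16} {target}')
    print('hosts:', referenced_hosts(findings))
    print('autostart images:', persisted_images(findings))
```

When turning these into a host check, note that the RunOnce value sits under WOW6432Node: that is the WOW64-redirected view of HKLM\SOFTWARE for a 32-bit writer, so a check that reads only the native 64-bit key will miss it. The SearchScopes and Start Page values are per-user (HKU\<SID>, i.e. HKCU of the victim account), so they have to be checked in each loaded user hive rather than once per machine.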
Processes
C:\Users\Admin\AppData\Local\Temp\e2c334e419f98a1217912316e0c797a7_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e2c334e419f98a1217912316e0c797a7_JaffaCakes118.exe"
Network
Files
memory/360-0-0x0000000000400000-0x0000000000450000-memory.dmp
memory/360-6-0x0000000000400000-0x0000000000450000-memory.dmp
memory/360-7-0x00000000006D0000-0x00000000007D0000-memory.dmp
memory/360-8-0x0000000000400000-0x0000000000450000-memory.dmp
memory/360-10-0x00000000006D0000-0x00000000007D0000-memory.dmp