Analysis Overview
SHA256
144aa7e6d9b2b100178cec70b9b335b7c1cc5d7407782955b8d643d20b458826
Threat Level: Known bad
The file e61692f8875d714c029cbdceed785b79_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
Adds autorun key to be loaded by Explorer.exe on startup
Loads dropped DLL
Deletes itself
Drops file in System32 directory
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Modifies registry class
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-04-07 23:16
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-07 23:16
Reported
2024-04-07 23:19
Platform
win10v2004-20240226-en
Max time kernel
93s
Max time network
94s
Command Line
Signatures
Adds autorun key to be loaded by Explorer.exe on startup
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\zrcbcqnw.dll = "{A2C3BA54-DF75-4881-8EB3-E54B26BBBBC9}" | C:\Users\Admin\AppData\Local\Temp\e61692f8875d714c029cbdceed785b79_JaffaCakes118.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e61692f8875d714c029cbdceed785b79_JaffaCakes118.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\SysWOW64\zrcbcqnw.tmp | C:\Users\Admin\AppData\Local\Temp\e61692f8875d714c029cbdceed785b79_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\zrcbcqnw.tmp | C:\Users\Admin\AppData\Local\Temp\e61692f8875d714c029cbdceed785b79_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\zrcbcqnw.nls | C:\Users\Admin\AppData\Local\Temp\e61692f8875d714c029cbdceed785b79_JaffaCakes118.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A2C3BA54-DF75-4881-8EB3-E54B26BBBBC9} | C:\Users\Admin\AppData\Local\Temp\e61692f8875d714c029cbdceed785b79_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A2C3BA54-DF75-4881-8EB3-E54B26BBBBC9}\InProcServer32 | C:\Users\Admin\AppData\Local\Temp\e61692f8875d714c029cbdceed785b79_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A2C3BA54-DF75-4881-8EB3-E54B26BBBBC9}\InProcServer32\ = "C:\\Windows\\SysWow64\\zrcbcqnw.dll" | C:\Users\Admin\AppData\Local\Temp\e61692f8875d714c029cbdceed785b79_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A2C3BA54-DF75-4881-8EB3-E54B26BBBBC9}\InProcServer32\ThreadingModel = "Apartment" | C:\Users\Admin\AppData\Local\Temp\e61692f8875d714c029cbdceed785b79_JaffaCakes118.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e61692f8875d714c029cbdceed785b79_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e61692f8875d714c029cbdceed785b79_JaffaCakes118.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e61692f8875d714c029cbdceed785b79_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e61692f8875d714c029cbdceed785b79_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e61692f8875d714c029cbdceed785b79_JaffaCakes118.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 3304 wrote to memory of 4972 | N/A | C:\Users\Admin\AppData\Local\Temp\e61692f8875d714c029cbdceed785b79_JaffaCakes118.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 3304 wrote to memory of 4972 | N/A | C:\Users\Admin\AppData\Local\Temp\e61692f8875d714c029cbdceed785b79_JaffaCakes118.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 3304 wrote to memory of 4972 | N/A | C:\Users\Admin\AppData\Local\Temp\e61692f8875d714c029cbdceed785b79_JaffaCakes118.exe | C:\Windows\SysWOW64\cmd.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\e61692f8875d714c029cbdceed785b79_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e61692f8875d714c029cbdceed785b79_JaffaCakes118.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\A41F.tmp.bat
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.171.91.138.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 130.118.77.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
Files
C:\Windows\SysWOW64\zrcbcqnw.nls
| Algorithm | Digest |
| --- | --- |
| MD5 | ba55add23ad9cfb45b2942270304cbbd |
| SHA1 | 8f2470c34f241351f3a4382a1966ee329ad1d3fb |
| SHA256 | b2c5d94c7f357069d9f7ba337dc574dcd9fc7c0f2e8370bf38e0f6f336822ca2 |
| SHA512 | 31e29581d4d603f9c88e42888b7d31004e2aeea89baf9edd9e02084f2e1a225b4b463c44e69990fae789f05b8a85117c740080c6fe1096964dd71f94e65aba27 |
C:\Windows\SysWOW64\zrcbcqnw.tmp
| Algorithm | Digest |
| --- | --- |
| MD5 | 416aa21b0a898b8e5086b19959868c69 |
| SHA1 | 51228f66e79c3d889f70f054996c1b729c9cf43d |
| SHA256 | 2b047ddee1ac2880d9ca5e95caf24eb3c628f346c83a4ac0f035771d6858130c |
| SHA512 | c383e318a3a0e4d26145b82e0e3060d66256c0b02e8ca42317d313d41b0a7f4c2f846bd30a40368161e5767c3e846521fc4af7424afa5c8e3577bf486cd4512a |
memory/3304-17-0x0000000010000000-0x0000000010009000-memory.dmp
memory/3304-21-0x0000000010000000-0x0000000010009000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\A41F.tmp.bat
| Algorithm | Digest |
| --- | --- |
| MD5 | ee81dfab52c2d9eb7bfd4c6aac23e2ef |
| SHA1 | dfa24453069b1ba3a47f8a9cfd5862c5a0148576 |
| SHA256 | 698551c013172909b924cef24f711418a0b38c562010a4df49bdd15fca8186f0 |
| SHA512 | 85099c4f9a2d1af4ece7c8521c403a960b5b283f90e75968341671e2676d20d54d0d8179c835b1fe5683793c7fece83cc3ea628c11654385b4656d1c668dbc91 |
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-07 23:16
Reported
2024-04-07 23:19
Platform
win7-20240221-en
Max time kernel
119s
Max time network
124s
Command Line
Signatures
Adds autorun key to be loaded by Explorer.exe on startup
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\pbpkjlcx.dll = "{A2C3BA54-DF75-4881-8EB3-E54B26BBBBC9}" | C:\Users\Admin\AppData\Local\Temp\e61692f8875d714c029cbdceed785b79_JaffaCakes118.exe | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e61692f8875d714c029cbdceed785b79_JaffaCakes118.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\SysWOW64\pbpkjlcx.tmp | C:\Users\Admin\AppData\Local\Temp\e61692f8875d714c029cbdceed785b79_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\pbpkjlcx.tmp | C:\Users\Admin\AppData\Local\Temp\e61692f8875d714c029cbdceed785b79_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\pbpkjlcx.nls | C:\Users\Admin\AppData\Local\Temp\e61692f8875d714c029cbdceed785b79_JaffaCakes118.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A2C3BA54-DF75-4881-8EB3-E54B26BBBBC9} | C:\Users\Admin\AppData\Local\Temp\e61692f8875d714c029cbdceed785b79_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A2C3BA54-DF75-4881-8EB3-E54B26BBBBC9}\InProcServer32 | C:\Users\Admin\AppData\Local\Temp\e61692f8875d714c029cbdceed785b79_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A2C3BA54-DF75-4881-8EB3-E54B26BBBBC9}\InProcServer32\ = "C:\\Windows\\SysWow64\\pbpkjlcx.dll" | C:\Users\Admin\AppData\Local\Temp\e61692f8875d714c029cbdceed785b79_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A2C3BA54-DF75-4881-8EB3-E54B26BBBBC9}\InProcServer32\ThreadingModel = "Apartment" | C:\Users\Admin\AppData\Local\Temp\e61692f8875d714c029cbdceed785b79_JaffaCakes118.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e61692f8875d714c029cbdceed785b79_JaffaCakes118.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e61692f8875d714c029cbdceed785b79_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e61692f8875d714c029cbdceed785b79_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e61692f8875d714c029cbdceed785b79_JaffaCakes118.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 2692 wrote to memory of 2708 | N/A | C:\Users\Admin\AppData\Local\Temp\e61692f8875d714c029cbdceed785b79_JaffaCakes118.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 2692 wrote to memory of 2708 | N/A | C:\Users\Admin\AppData\Local\Temp\e61692f8875d714c029cbdceed785b79_JaffaCakes118.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 2692 wrote to memory of 2708 | N/A | C:\Users\Admin\AppData\Local\Temp\e61692f8875d714c029cbdceed785b79_JaffaCakes118.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 2692 wrote to memory of 2708 | N/A | C:\Users\Admin\AppData\Local\Temp\e61692f8875d714c029cbdceed785b79_JaffaCakes118.exe | C:\Windows\SysWOW64\cmd.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\e61692f8875d714c029cbdceed785b79_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e61692f8875d714c029cbdceed785b79_JaffaCakes118.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\BCCA.tmp.bat
Network
Files
C:\Windows\SysWOW64\pbpkjlcx.nls
| Algorithm | Digest |
| --- | --- |
| MD5 | ba55add23ad9cfb45b2942270304cbbd |
| SHA1 | 8f2470c34f241351f3a4382a1966ee329ad1d3fb |
| SHA256 | b2c5d94c7f357069d9f7ba337dc574dcd9fc7c0f2e8370bf38e0f6f336822ca2 |
| SHA512 | 31e29581d4d603f9c88e42888b7d31004e2aeea89baf9edd9e02084f2e1a225b4b463c44e69990fae789f05b8a85117c740080c6fe1096964dd71f94e65aba27 |
\Windows\SysWOW64\pbpkjlcx.dll
| Algorithm | Digest |
| --- | --- |
| MD5 | 91909e334256f1758e52b0364f0f556e |
| SHA1 | e017c7fad9b20a53df9f3bdb37530960aae83a77 |
| SHA256 | ecd44930de3da3ed1b399becc3d3c5f7deb1e73fa2eedf3e0540409f9fa5c34d |
| SHA512 | 44e876be47d1fe618d702f74fda2a0bdcc64711df6c00301455d55f819e3f47e7da81f98a461517b0d68c9a1b58b89d798e083f1e70ac0d854019b579fcc0c12 |
memory/2692-16-0x0000000010000000-0x0000000010009000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\BCCA.tmp.bat
| Algorithm | Digest |
| --- | --- |
| MD5 | ee81dfab52c2d9eb7bfd4c6aac23e2ef |
| SHA1 | dfa24453069b1ba3a47f8a9cfd5862c5a0148576 |
| SHA256 | 698551c013172909b924cef24f711418a0b38c562010a4df49bdd15fca8186f0 |
| SHA512 | 85099c4f9a2d1af4ece7c8521c403a960b5b283f90e75968341671e2676d20d54d0d8179c835b1fe5683793c7fece83cc3ea628c11654385b4656d1c668dbc91 |
memory/2692-25-0x0000000010000000-0x0000000010009000-memory.dmp