Analysis Overview
SHA256
64bf0308826462a07c2653d89ede6bbd9a558769936ab1a2040ff92af84abd9d
Threat Level: Shows suspicious behavior
The file e570bc497d2fca506c6d346c595b623a_JaffaCakes118 was found to be: Shows suspicious behavior.
Malicious Activity Summary
Reads user/profile data of web browsers
Reads WinSCP keys stored on the system
Executes dropped EXE
Deletes itself
Loads dropped DLL
Checks installed software on the system
Adds Run key to start application
Maps connected drives based on registry
Suspicious use of SetThreadContext
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Modifies Internet Explorer settings
Suspicious use of SetWindowsHookEx
Suspicious use of SendNotifyMessage
NTFS ADS
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-04-07 17:11
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-07 17:11
Reported
2024-04-07 17:14
Platform
win7-20240221-en
Max time kernel
150s
Max time network
122s
Command Line
Signatures
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Apki\newe.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e570bc497d2fca506c6d346c595b623a_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e570bc497d2fca506c6d346c595b623a_JaffaCakes118.exe | N/A |
Reads WinSCP keys stored on the system
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Windows\CurrentVersion\Run\Idniibseme = "C:\\Users\\Admin\\AppData\\Roaming\\Apki\\newe.exe" | C:\Users\Admin\AppData\Roaming\Apki\newe.exe | N/A |
Checks installed software on the system
Maps connected drives based on registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | C:\Users\Admin\AppData\Roaming\Apki\newe.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | C:\Users\Admin\AppData\Roaming\Apki\newe.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | C:\Users\Admin\AppData\Local\Temp\e570bc497d2fca506c6d346c595b623a_JaffaCakes118.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | C:\Users\Admin\AppData\Local\Temp\e570bc497d2fca506c6d346c595b623a_JaffaCakes118.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2028 set thread context of 2264 | N/A | C:\Users\Admin\AppData\Local\Temp\e570bc497d2fca506c6d346c595b623a_JaffaCakes118.exe | C:\Windows\SysWOW64\cmd.exe |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\Privacy | C:\Users\Admin\AppData\Local\Temp\e570bc497d2fca506c6d346c595b623a_JaffaCakes118.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0" | C:\Users\Admin\AppData\Local\Temp\e570bc497d2fca506c6d346c595b623a_JaffaCakes118.exe | N/A |
NTFS ADS
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Local Folders\Inbox\1A8B1F2B-00000001.eml:OECustomProperty | C:\Program Files\Windows Mail\WinMail.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Windows Mail\WinMail.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Windows Mail\WinMail.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Windows Mail\WinMail.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\taskhost.exe
"taskhost.exe"
C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
C:\Users\Admin\AppData\Local\Temp\e570bc497d2fca506c6d346c595b623a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e570bc497d2fca506c6d346c595b623a_JaffaCakes118.exe"
C:\Users\Admin\AppData\Roaming\Apki\newe.exe
"C:\Users\Admin\AppData\Roaming\Apki\newe.exe"
C:\Program Files\Windows Mail\WinMail.exe
"C:\Program Files\Windows Mail\WinMail.exe" -Embedding
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp00253d8b.bat"
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | crl.microsoft.com | udp |
| NL | 23.63.101.170:80 | crl.microsoft.com | tcp |
| US | 8.8.8.8:53 | bemixven15.in | udp |
| US | 8.8.8.8:53 | bemixven55.in | udp |
Files
C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\edb.log
| MD5 | 74d7f82decf891fc43ea21537e0c9cdf |
| SHA1 | 43c9f739ead8750f881546b43b0997be674cca4b |
| SHA256 | 669e52fd81a93fcdb42de29b0173c108943be085eb82fca9585b6fbcc0001295 |
| SHA512 | 4300d2b434205edd385d33c95c0733f16722ddb4b8ce3aa303e3a06989195de161838555f2df610b08d84ab58ea1a2c534d7bf69f19e2414104c594d54ec08fd |
C:\Users\Admin\AppData\Roaming\Aski\ywokg.ife
| MD5 | e4bf2d5e06d96d8ce3b3c4f0e41c9c5f |
| SHA1 | c5d51792ccfaa945024448e7f0004e9b8192d399 |
| SHA256 | af3fa7df269ea1588a6200e76e50a487151f14569109919ddc5e61ad58673994 |
| SHA512 | dcc3555d34315603ec4ccbaf88e71254a552ba4cbc8d0619926d358bacec7c5152d085049086a9aae24ad15de0324fb4cb22932c0a798c6464307334f6eedd33 |
memory/2028-243-0x0000000000300000-0x0000000000301000-memory.dmp
memory/2028-79-0x00000000002C0000-0x00000000002F9000-memory.dmp
memory/2028-77-0x0000000000300000-0x0000000000301000-memory.dmp
memory/2028-75-0x00000000002C0000-0x00000000002F9000-memory.dmp
memory/2028-73-0x0000000000300000-0x0000000000301000-memory.dmp
memory/2028-71-0x00000000002C0000-0x00000000002F9000-memory.dmp
memory/2028-69-0x0000000000300000-0x0000000000301000-memory.dmp
memory/2028-67-0x00000000002C0000-0x00000000002F9000-memory.dmp
memory/2028-65-0x0000000000300000-0x0000000000301000-memory.dmp
memory/2028-63-0x00000000002C0000-0x00000000002F9000-memory.dmp
memory/2028-61-0x0000000000300000-0x0000000000301000-memory.dmp
memory/2028-60-0x0000000077B10000-0x0000000077B11000-memory.dmp
memory/2028-58-0x00000000002C0000-0x00000000002F9000-memory.dmp
memory/2028-57-0x0000000000300000-0x0000000000301000-memory.dmp
memory/2028-54-0x00000000002C0000-0x00000000002F9000-memory.dmp
memory/2028-52-0x00000000002C0000-0x00000000002F9000-memory.dmp
memory/2028-53-0x00000000002C0000-0x00000000002F9000-memory.dmp
memory/2028-51-0x00000000002C0000-0x00000000002F9000-memory.dmp
memory/2028-50-0x00000000002C0000-0x00000000002F9000-memory.dmp
memory/2356-48-0x0000000000390000-0x00000000003C9000-memory.dmp
memory/2356-46-0x0000000000390000-0x00000000003C9000-memory.dmp
memory/2356-47-0x0000000000390000-0x00000000003C9000-memory.dmp
memory/2356-45-0x0000000000390000-0x00000000003C9000-memory.dmp
memory/1232-43-0x0000000002A60000-0x0000000002A99000-memory.dmp
memory/1232-42-0x0000000002A60000-0x0000000002A99000-memory.dmp
memory/1232-41-0x0000000002A60000-0x0000000002A99000-memory.dmp
memory/1232-40-0x0000000002A60000-0x0000000002A99000-memory.dmp
memory/1160-38-0x0000000000430000-0x0000000000469000-memory.dmp
memory/1160-37-0x0000000000430000-0x0000000000469000-memory.dmp
memory/1160-36-0x0000000000430000-0x0000000000469000-memory.dmp
memory/1160-35-0x0000000000430000-0x0000000000469000-memory.dmp
memory/1096-31-0x0000000001F50000-0x0000000001F89000-memory.dmp
memory/1096-29-0x0000000001F50000-0x0000000001F89000-memory.dmp
memory/1096-27-0x0000000001F50000-0x0000000001F89000-memory.dmp
memory/1096-25-0x0000000001F50000-0x0000000001F89000-memory.dmp
memory/1096-23-0x0000000001F50000-0x0000000001F89000-memory.dmp
C:\Users\Admin\AppData\Roaming\Apki\newe.exe
| MD5 | 3c15f17b03f9ba1609868ef26ae4f735 |
| SHA1 | d57447615857b186b943c20fcbecf1bd00d0c723 |
| SHA256 | c0a57b6268368cf00e548389241af4fe8e12f9b0d3735f10af3c2320c8821c78 |
| SHA512 | 830d148637e343788936e271bc9b67d4e0409768f021189493526071bfbe2cfc76dc1b7c730ee763d38c4a55491c9bc3423f3d2e6916114e6c04552f0b3e4e3a |
memory/2696-19-0x0000000000400000-0x000000000045B000-memory.dmp
memory/2696-17-0x0000000000220000-0x0000000000241000-memory.dmp
memory/2028-6-0x0000000000400000-0x000000000045B000-memory.dmp
memory/2028-4-0x0000000000230000-0x0000000000231000-memory.dmp
memory/2028-3-0x0000000000400000-0x000000000045B000-memory.dmp
memory/2028-1-0x0000000000230000-0x0000000000231000-memory.dmp
memory/2028-0-0x0000000000250000-0x0000000000271000-memory.dmp
memory/2028-346-0x0000000000250000-0x0000000000271000-memory.dmp
memory/2028-347-0x0000000000400000-0x000000000045B000-memory.dmp
memory/2028-348-0x00000000002C0000-0x00000000002F9000-memory.dmp
memory/2264-349-0x0000000000050000-0x0000000000089000-memory.dmp
memory/2264-352-0x0000000077B10000-0x0000000077B11000-memory.dmp
memory/2264-354-0x0000000077B10000-0x0000000077B11000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmp00253d8b.bat
| MD5 | 8054644535b0ad0b383d8d897e8de1d2 |
| SHA1 | 9543637c4042aff7d1ff70c9280fcb03abc3b5fe |
| SHA256 | 59484fda3a5dfbd790f3b9acae6ca3de8e6e07c2403a63248d522010fa1fea4f |
| SHA512 | 5b6e8865f7fd2d28b25d8878289a7dfff93e3b577676877a13c22bbf92522f3c43d962a603667df2bc0647b8eecd021156329a8f6df9271507d40a1c3fe93045 |
memory/2264-551-0x0000000000110000-0x0000000000111000-memory.dmp
memory/2264-550-0x0000000000050000-0x0000000000089000-memory.dmp
memory/2696-552-0x0000000000400000-0x000000000045B000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-07 17:11
Reported
2024-04-07 17:14
Platform
win10v2004-20240226-en
Max time kernel
145s
Max time network
147s
Command Line
Signatures
Maps connected drives based on registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | C:\Users\Admin\AppData\Local\Temp\e570bc497d2fca506c6d346c595b623a_JaffaCakes118.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | C:\Users\Admin\AppData\Local\Temp\e570bc497d2fca506c6d346c595b623a_JaffaCakes118.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e570bc497d2fca506c6d346c595b623a_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e570bc497d2fca506c6d346c595b623a_JaffaCakes118.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\e570bc497d2fca506c6d346c595b623a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e570bc497d2fca506c6d346c595b623a_JaffaCakes118.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.32.126.40.in-addr.arpa | udp |
| US | 20.231.121.79:80 | tcp | |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.143.109.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 66.112.168.52.in-addr.arpa | udp |
Files
memory/1056-0-0x00000000021C0000-0x00000000021E1000-memory.dmp
memory/1056-1-0x0000000000400000-0x000000000045B000-memory.dmp
memory/1056-2-0x0000000000400000-0x000000000045B000-memory.dmp
memory/1056-3-0x00000000021C0000-0x00000000021E1000-memory.dmp