Analysis Overview
SHA256
e8fa4a27893fe87780a6c87cccf906ea2f8ff5140b3441f86e65539f9312607d
Threat Level: Likely malicious
The file e5973bb514b3119aa40d33024416053e_JaffaCakes118 was found to be: Likely malicious.
Malicious Activity Summary
Modifies AppInit DLL entries
UPX packed file
Deletes itself
Executes dropped EXE
Loads dropped DLL
Drops file in System32 directory
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-04-07 18:34
Signatures
UPX packed file
(1 match; no indicator details reported. UPX is a runtime packer: the imports and strings of the real payload stay compressed until the stub unpacks them at load time, so static analysis should start from an unpacked copy (upx -d on a copy of the sample) or from the memory dumps listed under Files in the behavioral runs below.)
Unsigned PE
(2 matches; no indicator details reported. The PE carries no Authenticode certificate table. Note the converse would not prove much either: a populated certificate table only means a signature is present, not that it verifies.)
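Both static signatures above are decided from the PE headers. The Python below is an added example, not code from the sandbox or from any analysis of this sample: it reads the section table and the certificate data directory the way those checks are typically made, and runs against a minimal PE32 image that the script constructs inline (the real sample is not on this page). The UPX section-name and "UPX!" marker heuristics, the function names, and the layout of the constructed image are the example's own assumptions.

```python
"""Added example: the header checks behind "UPX packed file" and "Unsigned PE".
Standard library only. The PE32 image built by build_sample_pe() is constructed
for the demo; it is not the sample from the report."""
import struct

IMAGE_DIRECTORY_ENTRY_SECURITY = 4      # Authenticode certificate table
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B


def parse_pe(data: bytes) -> dict:
    """Read section names and the certificate data directory from a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == PE32_MAGIC:            # PE32: NumberOfRvaAndSizes at +92, directories at +96
        rva_count_off, dd_off = opt + 92, opt + 96
    elif magic == PE32PLUS_MAGIC:      # PE32+: +108 and +112
        rva_count_off, dd_off = opt + 108, opt + 112
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    n_rva = struct.unpack_from("<I", data, rva_count_off)[0]
    cert_off = cert_size = 0
    if n_rva > IMAGE_DIRECTORY_ENTRY_SECURITY:
        cert_off, cert_size = struct.unpack_from(
            "<II", data, dd_off + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)
    sec_table = opt + opt_size         # section headers follow the optional header
    sections = [
        struct.unpack_from("<8s", data, sec_table + 40 * i)[0].rstrip(b"\0").decode("latin-1")
        for i in range(nsections)
    ]
    return {
        "machine": machine,
        "sections": sections,
        "upx_sections": any(s.startswith("UPX") for s in sections),
        "upx_marker": b"UPX!" in data,  # l_magic of the UPX pack header
        # Present-but-unverified: a populated table is not a valid signature.
        "has_certificate_table": cert_off != 0 and cert_size != 0,
    }


def signatures_for(data: bytes) -> list:
    """Map the parsed header facts onto the report's two static signature names."""
    info = parse_pe(data)
    sigs = []
    if info["upx_sections"] or info["upx_marker"]:
        sigs.append("UPX packed file")
    if not info["has_certificate_table"]:
        sigs.append("Unsigned PE")
    return sigs


def build_sample_pe(section_names, upx_marker=True, cert_size=0) -> bytes:
    """Constructed minimal PE32 (headers only plus an optional marker) for the demo."""
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)        # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, 224, 0x102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, PE32_MAGIC)
    struct.pack_into("<I", opt, 92, 16)                                # NumberOfRvaAndSizes
    if cert_size:
        struct.pack_into("<II", opt, 96 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY, 0x1000, cert_size)
    sections = b"".join(
        struct.pack("<8sIIIIIIHHI", name.encode(), 0x1000, 0x1000 * (i + 1),
                    0, 0, 0, 0, 0, 0, 0x60000020)
        for i, name in enumerate(section_names)
    )
    body = b"UPX!" if upx_marker else b""
    return dos + b"PE\0\0" + coff + bytes(opt) + sections + body


if __name__ == "__main__":
    packed = build_sample_pe(["UPX0", "UPX1", ".rsrc"])
    print(parse_pe(packed)["sections"], signatures_for(packed))
    clean = build_sample_pe([".text", ".data"], upx_marker=False, cert_size=0x800)
    print(parse_pe(clean)["sections"], signatures_for(clean))
```

To run it on a real file, pass the file's bytes to signatures_for(). A packer can rename its sections, so the name check is a heuristic, and the certificate check only says whether a signature is attached; verifying it needs the Authenticode chain (signtool verify or Get-AuthenticodeSignature).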
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-07 18:34
Reported
2024-04-07 18:37
Platform
win7-20240221-en
Max time kernel
150s
Max time network
124s
Command Line
Signatures
Modifies AppInit DLL entries
(no indicator details reported; the registry value written is not shown on this page. The values involved are AppInit_DLLs and LoadAppInit_DLLs under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows, with a Wow6432Node counterpart for 32-bit DLLs on 64-bit Windows; a DLL listed there is loaded into every process that loads user32.dll. On Windows 8 and later the mechanism is disabled when Secure Boot is on, so this persistence route is not guaranteed to work on modern hosts.)
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
(the deletion is performed by cmd.exe running the dropped .bat file; see Processes below)
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\ziflokk.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e5973bb514b3119aa40d33024416053e_JaffaCakes118.exe | N/A |
(2 matches, both from the submitted sample. The signature does not name the DLL; the only DLL the sample drops is C:\Windows\SysWOW64\ziflok.dll, listed under Drops file in System32 directory below.)
UPX packed file
(5 matches; no indicator details reported)
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\ziflokk.exe | C:\Users\Admin\AppData\Local\Temp\e5973bb514b3119aa40d33024416053e_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\ziflokk.exe | C:\Users\Admin\AppData\Local\Temp\e5973bb514b3119aa40d33024416053e_JaffaCakes118.exe | N/A |
| File created | C:\Windows\SysWOW64\ziflok.dll | C:\Users\Admin\AppData\Local\Temp\e5973bb514b3119aa40d33024416053e_JaffaCakes118.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e5973bb514b3119aa40d33024416053e_JaffaCakes118.exe | N/A |
Suspicious use of WriteProcessMemory
(no indicator details reported for this run; the win10 run below lists the parent/child pairs)
Processes
| Image | Command line |
| C:\Users\Admin\AppData\Local\Temp\e5973bb514b3119aa40d33024416053e_JaffaCakes118.exe | "C:\Users\Admin\AppData\Local\Temp\e5973bb514b3119aa40d33024416053e_JaffaCakes118.exe" |
| C:\Windows\SysWOW64\ziflokk.exe | C:\Windows\system32\ziflokk.exe ˜‰ |
| C:\Windows\SysWOW64\cmd.exe | cmd /c C:\Users\Admin\AppData\Local\Temp\e5973bb514b3119aa40d33024416053e_JaffaCakes118.exe.bat |
(The ziflokk.exe command line says system32 while the image sits in SysWOW64: the sample is a 32-bit process, and WOW64 file-system redirection maps its System32 writes and launches to SysWOW64. The trailing argument to ziflokk.exe is non-printable and is reproduced as captured.)
Network
(no network activity reported for this run)
Files
memory/1928-0-0x0000000000400000-0x000000000040E000-memory.dmp
\Windows\SysWOW64\ziflokk.exe
| MD5 | e5973bb514b3119aa40d33024416053e |
| SHA1 | 60145756546d5f3232479b08c4f40b4ff75d899d |
| SHA256 | e8fa4a27893fe87780a6c87cccf906ea2f8ff5140b3441f86e65539f9312607d |
| SHA512 | 8481550b0a23a241815652aae11e0c1a291259220bca51a02a44effef3ae868ecc38afc7c48a9f8fd298ff6c307012b92382e7fb5c9ed6b71ec0c44543cff6fe |
(identical to the submitted sample's hashes at the top of this report: ziflokk.exe is a byte-for-byte self-copy, so one set of file hashes covers both the dropper and the installed copy)
memory/1928-4-0x0000000000030000-0x000000000003E000-memory.dmp
memory/1928-11-0x0000000000030000-0x000000000003E000-memory.dmp
memory/2172-12-0x0000000000400000-0x000000000040E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\e5973bb514b3119aa40d33024416053e_JaffaCakes118.exe.bat
| MD5 | 3af4dc3af98fc1c5579a7a9092b18e61 |
| SHA1 | dcf41f10ea1da5a537eff2210012de7b9b083018 |
| SHA256 | 522eba7f45015c6e81dcfb355376a2ae103efbddf8a598aaa5e66f11ccc30dcc |
| SHA512 | ffc7fa6794c593dd29e7102a230e375b823947c3e9f31649c540ec61b4862a2977cdd8fcd4472aa4cdec0ed62cc5506e6067b7ff7cd0931f764f116b4df7bb82 |
(the batch file's contents are not shown on this page; its hashes are the same in both runs)
memory/1928-20-0x0000000000400000-0x000000000040E000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-07 18:34
Reported
2024-04-07 18:37
Platform
win10v2004-20240226-en
Max time kernel
150s
Max time network
97s
Command Line
Signatures
Modifies AppInit DLL entries
(no indicator details reported; the registry value written is not shown on this page. The values to check on a host are AppInit_DLLs and LoadAppInit_DLLs under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows and its Wow6432Node counterpart.)
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\ziflokk.exe | N/A |
UPX packed file
(4 matches; no indicator details reported)
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\ziflok.dll | C:\Users\Admin\AppData\Local\Temp\e5973bb514b3119aa40d33024416053e_JaffaCakes118.exe | N/A |
| File created | C:\Windows\SysWOW64\ziflokk.exe | C:\Users\Admin\AppData\Local\Temp\e5973bb514b3119aa40d33024416053e_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\ziflokk.exe | C:\Users\Admin\AppData\Local\Temp\e5973bb514b3119aa40d33024416053e_JaffaCakes118.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e5973bb514b3119aa40d33024416053e_JaffaCakes118.exe | N/A |
(2 matches, both from the submitted sample)
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 5032 wrote to memory of 4136 | N/A | C:\Users\Admin\AppData\Local\Temp\e5973bb514b3119aa40d33024416053e_JaffaCakes118.exe | C:\Windows\SysWOW64\ziflokk.exe |
| PID 5032 wrote to memory of 1680 | N/A | C:\Users\Admin\AppData\Local\Temp\e5973bb514b3119aa40d33024416053e_JaffaCakes118.exe | C:\Windows\SysWOW64\cmd.exe |
(3 identical matches per pair. These rows fix the process tree: PID 5032, the sample, is the parent of 4136 (ziflokk.exe) and 1680 (cmd.exe). A parent writing into a child it has just created is also what ordinary process start-up looks like to an API-hooking sandbox, so on its own this is not evidence of code injection; that would need a write outside the child's own image or a follow-on remote thread, neither of which the report shows.)
Processes
| Image | Command line |
| C:\Users\Admin\AppData\Local\Temp\e5973bb514b3119aa40d33024416053e_JaffaCakes118.exe | "C:\Users\Admin\AppData\Local\Temp\e5973bb514b3119aa40d33024416053e_JaffaCakes118.exe" |
| C:\Windows\SysWOW64\ziflokk.exe | C:\Windows\system32\ziflokk.exe ˜‰ |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\e5973bb514b3119aa40d33024416053e_JaffaCakes118.exe.bat |
(Command lines name system32 while the images sit in SysWOW64 because the 32-bit sample sees System32 through WOW64 file-system redirection. The trailing argument to ziflokk.exe is non-printable and is reproduced as captured.)
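The process tree and most of this run's signatures can be reproduced from ordinary host telemetry. The Python below is an added example, not the sandbox's detection code: it replays Sysmon-style ProcessCreate, FileCreate and RegistrySetValue events constructed from the PIDs and paths on this page through the checks behind "Drops file in System32 directory", "Executes dropped EXE", "Modifies AppInit DLL entries" and "Deletes itself", and renders the parent/child tree that the WriteProcessMemory rows imply. The AppInit_DLLs registry write, the sample's own parent PID and the event field names are assumptions; the report does not show them.

```python
"""Added example: replay this report's behavioural signatures over a
Sysmon-style event stream and rebuild the process tree. EVENTS is constructed
from the PIDs and paths in the win10 run; it is not sandbox output. The
AppInit_DLLs registry write is an assumption: the report flags the signature
but does not show the value written."""
from collections import defaultdict

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\e5973bb514b3119aa40d33024416053e_JaffaCakes118.exe"
WINDOWS_DIR = "c:\\windows\\"
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
APPINIT_VALUES = ("\\windows\\appinit_dlls", "\\windows\\loadappinit_dlls")

# Constructed events. "id" mirrors Sysmon: 1 = ProcessCreate, 11 = FileCreate,
# 13 = RegistrySetValue. The sample's ppid 4000 is an assumed launcher.
EVENTS = [
    {"id": 1, "pid": 5032, "ppid": 4000, "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    {"id": 11, "pid": 5032, "target": r"C:\Windows\SysWOW64\ziflok.dll"},
    {"id": 11, "pid": 5032, "target": r"C:\Windows\SysWOW64\ziflokk.exe"},
    {"id": 13, "pid": 5032,  # assumed value write; the report does not show it
     "target": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs",
     "details": r"C:\Windows\SysWOW64\ziflok.dll"},
    {"id": 1, "pid": 4136, "ppid": 5032, "image": r"C:\Windows\SysWOW64\ziflokk.exe",
     "cmdline": r"C:\Windows\system32\ziflokk.exe"},
    {"id": 1, "pid": 1680, "ppid": 5032, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": rf"C:\Windows\system32\cmd.exe /c {SAMPLE}.bat"},
]


def process_tree(events):
    """Parent -> children map and pid -> image map from ProcessCreate events."""
    children, images = defaultdict(list), {}
    for ev in events:
        if ev["id"] == 1:
            images[ev["pid"]] = ev["image"]
            children[ev["ppid"]].append(ev["pid"])
    return children, images


def render_tree(events, root_pid):
    """Indented one-line-per-process view rooted at root_pid."""
    children, images = process_tree(events)
    lines = []

    def walk(pid, depth):
        lines.append("  " * depth + f"{pid} {images[pid]}")
        for child in children.get(pid, []):
            walk(child, depth + 1)

    walk(root_pid, 0)
    return lines


def detect(events):
    """Return (signature, indicator) pairs in the order the events fire."""
    _, images = process_tree(events)
    dropped = set()  # lower-cased paths created by any tracked process
    hits = []
    for ev in events:
        if ev["id"] == 11:
            path = ev["target"].lower()
            dropped.add(path)
            writer = images.get(ev["pid"], "").lower()
            # A binary from outside C:\Windows writing into System32/SysWOW64.
            if path.startswith(SYSTEM_DIRS) and not writer.startswith(WINDOWS_DIR):
                hits.append(("Drops file in System32 directory", ev["target"]))
        elif ev["id"] == 13:
            if ev["target"].lower().endswith(APPINIT_VALUES):
                hits.append(("Modifies AppInit DLL entries", ev["target"]))
        elif ev["id"] == 1:
            image, cmd = ev["image"].lower(), ev["cmdline"].lower()
            parent = images.get(ev["ppid"], "").lower()
            if image in dropped:
                hits.append(("Executes dropped EXE", ev["image"]))
            # cmd /c <parent image>.bat spawned by that parent: the self-delete
            # shape seen in this report.
            if image.endswith("\\cmd.exe") and " /c " in cmd and cmd.endswith(parent + ".bat"):
                hits.append(("Deletes itself", ev["cmdline"]))
    return hits


if __name__ == "__main__":
    print("\n".join(render_tree(EVENTS, 5032)))
    for sig, ioc in detect(EVENTS):
        print(f"{sig}: {ioc}")
```

On a real host the same functions can be fed Sysmon event IDs 1, 11 and 13 (for example via Get-WinEvent) mapped onto the same keys. The "Deletes itself" rule is deliberately narrow: it keys on cmd.exe launched by a process with /c and that process's own path plus .bat, which is the shape in this report, not every self-deletion technique.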
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 159.113.53.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 17.143.109.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
(All ten entries are reverse (PTR) lookups of public addresses sent to Google DNS. The report attributes none of them to a process and records no forward lookup or outbound connection by the sample; lookups of this kind are routinely generated by the OS itself on a sandbox image, so treat them as background noise rather than C2 indicators unless the same addresses reappear tied to the sample's processes.)
Files
memory/5032-0-0x0000000000400000-0x000000000040E000-memory.dmp
C:\Windows\SysWOW64\ziflokk.exe
| MD5 | e5973bb514b3119aa40d33024416053e |
| SHA1 | 60145756546d5f3232479b08c4f40b4ff75d899d |
| SHA256 | e8fa4a27893fe87780a6c87cccf906ea2f8ff5140b3441f86e65539f9312607d |
| SHA512 | 8481550b0a23a241815652aae11e0c1a291259220bca51a02a44effef3ae868ecc38afc7c48a9f8fd298ff6c307012b92382e7fb5c9ed6b71ec0c44543cff6fe |
(identical to the submitted sample's hashes: ziflokk.exe is a byte-for-byte self-copy, so one set of file hashes covers both the dropper and the installed copy)
memory/5032-8-0x0000000000400000-0x000000000040E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\e5973bb514b3119aa40d33024416053e_JaffaCakes118.exe.bat
| MD5 | 3af4dc3af98fc1c5579a7a9092b18e61 |
| SHA1 | dcf41f10ea1da5a537eff2210012de7b9b083018 |
| SHA256 | 522eba7f45015c6e81dcfb355376a2ae103efbddf8a598aaa5e66f11ccc30dcc |
| SHA512 | ffc7fa6794c593dd29e7102a230e375b823947c3e9f31649c540ec61b4862a2977cdd8fcd4472aa4cdec0ed62cc5506e6067b7ff7cd0931f764f116b4df7bb82 |
(contents not shown on this page; same hashes as in the win7 run)
memory/4136-10-0x0000000000400000-0x000000000040E000-memory.dmp