Analysis Overview
SHA256
04d33f6a986266cd84e4a2dc479fddaee035d139b0773eb3be36ff2740b781e5
Threat Level: Shows suspicious behavior
The file e57ffc0b3f39cb07f9e2e0e7069eaba2_JaffaCakes118 was found to show suspicious behavior.
Malicious Activity Summary
Loads dropped DLL
Reads local data of messenger clients
Executes dropped EXE
Reads data files stored by FTP clients
Reads user/profile data of web browsers
Adds Run key to start application
Suspicious use of SetThreadContext
Unsigned PE
Enumerates physical storage devices
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-04-07 17:44
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-07 17:44
Reported
2024-04-07 17:47
Platform
win7-20240215-en
Max time kernel
121s
Max time network
121s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\win29.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e57ffc0b3f39cb07f9e2e0e7069eaba2_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e57ffc0b3f39cb07f9e2e0e7069eaba2_JaffaCakes118.exe | N/A |
Reads data files stored by FTP clients
Reads local data of messenger clients
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\runAPI35 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\runAPI82.exe\"" | C:\Users\Admin\AppData\Local\Temp\e57ffc0b3f39cb07f9e2e0e7069eaba2_JaffaCakes118.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 1280 set thread context of 3028 | N/A | C:\Users\Admin\AppData\Local\Temp\e57ffc0b3f39cb07f9e2e0e7069eaba2_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\win29.exe |
Enumerates physical storage devices
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\DllHost.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\e57ffc0b3f39cb07f9e2e0e7069eaba2_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e57ffc0b3f39cb07f9e2e0e7069eaba2_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\win29.exe
C:\Users\Admin\AppData\Local\Temp\win29.exe
C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
Network
Files
memory/1280-0-0x0000000074220000-0x00000000747CB000-memory.dmp
memory/1280-1-0x00000000007F0000-0x0000000000830000-memory.dmp
memory/1280-2-0x0000000074220000-0x00000000747CB000-memory.dmp
\Users\Admin\AppData\Local\Temp\win29.exe
| MD5 | 5e5ecae8b08152c885904cde71c50dad |
| SHA1 | 727f24d102ab29be690c783ddc149b3a39430fb6 |
| SHA256 | b3550952a2474802ae5f2d2d7e75987ccd7ca23baa8ba015c3eaa6fd04b55541 |
| SHA512 | dd6287a8471aa575abbcf46300ac64a170c0cb19052d779c7bc0899149c6114a4e42520756dae1598e18458d94522d6c7701a7bc3a37067ac2a1616dbbf8e5ea |
memory/3028-12-0x0000000000400000-0x000000000045D000-memory.dmp
memory/3028-10-0x0000000000400000-0x000000000045D000-memory.dmp
memory/3028-14-0x0000000000400000-0x000000000045D000-memory.dmp
memory/3028-18-0x0000000000400000-0x000000000045D000-memory.dmp
memory/3028-16-0x0000000000400000-0x000000000045D000-memory.dmp
memory/3028-22-0x0000000000400000-0x000000000045D000-memory.dmp
memory/3028-20-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/3028-25-0x0000000000400000-0x000000000045D000-memory.dmp
memory/3028-27-0x0000000000400000-0x000000000045D000-memory.dmp
memory/1280-29-0x0000000074220000-0x00000000747CB000-memory.dmp
memory/3028-31-0x0000000001F10000-0x0000000001F12000-memory.dmp
memory/2576-32-0x0000000000160000-0x0000000000162000-memory.dmp
memory/2576-33-0x0000000000390000-0x0000000000391000-memory.dmp
memory/3028-36-0x0000000000400000-0x000000000045D000-memory.dmp
C:\Users\Admin\AppData\Roaming\hk_20080211_skiboat2.jpg
| MD5 | 94ead5328697a594fc358b33fd0dc87a |
| SHA1 | 47459c7be4e25196b260d87189dc8fd45f75f96d |
| SHA256 | d075cff3768d020b436417a0567f4e1e6c4e872c82b3242d16389c0c1e4ae103 |
| SHA512 | d69dbeadc209089c6049d9e21992f52db0dc6f513a316df0267acf6a46345b5924296ecc27502a471dc8a289a11fb2a5f72e2ceacae718427a8fab0d5f6950b2 |
memory/2576-39-0x0000000000390000-0x0000000000391000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-07 17:44
Reported
2024-04-07 17:47
Platform
win10v2004-20240226-en
Max time kernel
92s
Max time network
129s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\win29.exe | N/A |
Reads data files stored by FTP clients
Reads local data of messenger clients
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\runAPI35 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\runAPI82.exe\"" | C:\Users\Admin\AppData\Local\Temp\e57ffc0b3f39cb07f9e2e0e7069eaba2_JaffaCakes118.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 2300 set thread context of 1624 | N/A | C:\Users\Admin\AppData\Local\Temp\e57ffc0b3f39cb07f9e2e0e7069eaba2_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\win29.exe |
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\e57ffc0b3f39cb07f9e2e0e7069eaba2_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e57ffc0b3f39cb07f9e2e0e7069eaba2_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\win29.exe
C:\Users\Admin\AppData\Local\Temp\win29.exe
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp |
| GB | 23.44.234.16:80 | | tcp |
| US | 8.8.8.8:53 | 17.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 159.113.53.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
Files
memory/2300-0-0x0000000075050000-0x0000000075601000-memory.dmp
memory/2300-1-0x00000000015E0000-0x00000000015F0000-memory.dmp
memory/2300-2-0x0000000075050000-0x0000000075601000-memory.dmp
memory/1624-5-0x0000000000400000-0x000000000045D000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\win29.exe
| MD5 | 5e5ecae8b08152c885904cde71c50dad |
| SHA1 | 727f24d102ab29be690c783ddc149b3a39430fb6 |
| SHA256 | b3550952a2474802ae5f2d2d7e75987ccd7ca23baa8ba015c3eaa6fd04b55541 |
| SHA512 | dd6287a8471aa575abbcf46300ac64a170c0cb19052d779c7bc0899149c6114a4e42520756dae1598e18458d94522d6c7701a7bc3a37067ac2a1616dbbf8e5ea |
memory/1624-10-0x0000000000400000-0x000000000045D000-memory.dmp
memory/1624-13-0x0000000000400000-0x000000000045D000-memory.dmp
memory/2300-14-0x0000000075050000-0x0000000075601000-memory.dmp
memory/1624-17-0x0000000000400000-0x000000000045D000-memory.dmp