Analysis Overview
SHA256
7f9831cc1e22a4c0698af3a506d4d4009eff5c9dd30bbe3f2de411d114b96c91
Threat Level: Shows suspicious behavior
The file e59c247a08eabc22eeefc65db64f76e9_JaffaCakes118 was found to be: Shows suspicious behavior.
Malicious Activity Summary
Checks computer location settings
Adds Run key to start application
Checks installed software on the system
Enumerates physical storage devices
Unsigned PE
Program crash
Checks SCSI registry key(s)
Checks processor information in registry
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Uses Volume Shadow Copy service COM API
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-04-07 18:46
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-07 18:46
Reported
2024-04-07 18:49
Platform
win7-20240221-en
Max time kernel
141s
Max time network
126s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\e59c247a08eabc22eeefc65db64f76e9_JaffaCakes118.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1712 wrote to memory of 2172 | N/A | C:\Users\Admin\AppData\Local\Temp\e59c247a08eabc22eeefc65db64f76e9_JaffaCakes118.exe | C:\Windows\SysWOW64\WerFault.exe |
| PID 1712 wrote to memory of 2172 | N/A | C:\Users\Admin\AppData\Local\Temp\e59c247a08eabc22eeefc65db64f76e9_JaffaCakes118.exe | C:\Windows\SysWOW64\WerFault.exe |
| PID 1712 wrote to memory of 2172 | N/A | C:\Users\Admin\AppData\Local\Temp\e59c247a08eabc22eeefc65db64f76e9_JaffaCakes118.exe | C:\Windows\SysWOW64\WerFault.exe |
| PID 1712 wrote to memory of 2172 | N/A | C:\Users\Admin\AppData\Local\Temp\e59c247a08eabc22eeefc65db64f76e9_JaffaCakes118.exe | C:\Windows\SysWOW64\WerFault.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\e59c247a08eabc22eeefc65db64f76e9_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e59c247a08eabc22eeefc65db64f76e9_JaffaCakes118.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1712 -s 116
Network
Files
memory/1712-0-0x0000000000400000-0x0000000000410000-memory.dmp
memory/1712-1-0x0000000000400000-0x0000000000410000-memory.dmp
memory/1712-2-0x0000000000220000-0x0000000000250000-memory.dmp
memory/1712-3-0x0000000000400000-0x0000000000410000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-07 18:46
Reported
2024-04-07 18:49
Platform
win10v2004-20240226-en
Max time kernel
147s
Max time network
155s
Command Line
Signatures
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\e59c247a08eabc22eeefc65db64f76e9_JaffaCakes118.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\lphc11pj0eavs = "C:\\Windows\\system32\\lphc11pj0eavs.exe" | C:\Users\Admin\AppData\Local\Temp\e59c247a08eabc22eeefc65db64f76e9_JaffaCakes118.exe | N/A |
Checks installed software on the system
Enumerates physical storage devices
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters | C:\Windows\system32\vssvc.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters | C:\Windows\system32\vssvc.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr | C:\Windows\system32\vssvc.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 00000000040000007d3392e9fd415b840000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff0000000027010100000800007d3392e90000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff0000000007000100006809007d3392e9000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d7d3392e9000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000007d3392e900000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | C:\Windows\system32\vssvc.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | C:\Windows\system32\vssvc.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\e59c247a08eabc22eeefc65db64f76e9_JaffaCakes118.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\e59c247a08eabc22eeefc65db64f76e9_JaffaCakes118.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Users\Admin\AppData\Local\Temp\e59c247a08eabc22eeefc65db64f76e9_JaffaCakes118.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\e59c247a08eabc22eeefc65db64f76e9_JaffaCakes118.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e59c247a08eabc22eeefc65db64f76e9_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e59c247a08eabc22eeefc65db64f76e9_JaffaCakes118.exe | N/A |
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e59c247a08eabc22eeefc65db64f76e9_JaffaCakes118.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\srtasks.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\srtasks.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\srtasks.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\srtasks.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\srtasks.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\srtasks.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\srtasks.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\srtasks.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\srtasks.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\srtasks.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\srtasks.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\srtasks.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\srtasks.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\srtasks.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\srtasks.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\srtasks.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3516 wrote to memory of 1568 | N/A | C:\Users\Admin\AppData\Local\Temp\e59c247a08eabc22eeefc65db64f76e9_JaffaCakes118.exe | C:\Windows\SysWOW64\WScript.exe |
| PID 3516 wrote to memory of 1568 | N/A | C:\Users\Admin\AppData\Local\Temp\e59c247a08eabc22eeefc65db64f76e9_JaffaCakes118.exe | C:\Windows\SysWOW64\WScript.exe |
| PID 3516 wrote to memory of 1568 | N/A | C:\Users\Admin\AppData\Local\Temp\e59c247a08eabc22eeefc65db64f76e9_JaffaCakes118.exe | C:\Windows\SysWOW64\WScript.exe |
Uses Volume Shadow Copy service COM API
Processes
C:\Users\Admin\AppData\Local\Temp\e59c247a08eabc22eeefc65db64f76e9_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e59c247a08eabc22eeefc65db64f76e9_JaffaCakes118.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\.ttA4FA.tmp.vbs"
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\system32\srtasks.exe
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
C:\Windows\system32\srtasks.exe
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:3
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | windowsupdate.microsoft.com | udp |
| US | 20.72.235.82:80 | windowsupdate.microsoft.com | tcp |
| US | 8.8.8.8:53 | fe2.update.microsoft.com | udp |
| US | 40.78.107.252:80 | fe2.update.microsoft.com | tcp |
| US | 8.8.8.8:53 | 82.235.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 252.107.78.40.in-addr.arpa | udp |
| US | 40.78.107.252:80 | fe2.update.microsoft.com | tcp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 40.78.107.252:80 | fe2.update.microsoft.com | tcp |
| US | 40.78.107.252:80 | fe2.update.microsoft.com | tcp |
| US | 40.78.107.252:80 | fe2.update.microsoft.com | tcp |
| US | 8.8.8.8:53 | av-xp-08.com | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 121.118.77.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 199.111.78.13.in-addr.arpa | udp |
Files
memory/3516-0-0x0000000000400000-0x0000000000410000-memory.dmp
memory/3516-1-0x0000000000400000-0x0000000000410000-memory.dmp
memory/3516-2-0x0000000002010000-0x0000000002040000-memory.dmp
memory/3516-3-0x0000000000400000-0x0000000000410000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\.ttA4FA.tmp.vbs
| MD5 | 9df700c8f6fd43fac0a89aef04214bbd |
| SHA1 | 6ec8bc6d4041ccf19757757c0da6592469f71c57 |
| SHA256 | 9ab6f2c3cc3965cd05f81d859bdfac3b25a5e70178f61ea677d31987c4e142fd |
| SHA512 | 8bbcd322f3998c0f7d81884737ca313c1353ac7e3899f168fc8d44eafbe064193353b8b16f92113288ff2102c47623b542861440c414b8acf36d75c4ad645d4d |
memory/3516-9-0x0000000000400000-0x0000000000410000-memory.dmp
memory/3516-10-0x0000000002010000-0x0000000002040000-memory.dmp