Analysis Overview
SHA256
780cac5aa91de29b5f3fd7e3756d9fe5a19c2df750b327153aeb79d7f3b4eb50
Threat Level: Shows suspicious behavior
The file e59dd96bef29fac45d632ec27863c6fd_JaffaCakes118 was found to show suspicious behavior.
Malicious Activity Summary
Adds Run key to start application
Drops file in Windows directory
Unsigned PE
Program crash
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-04-07 18:50
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-07 18:50
Reported
2024-04-07 18:53
Platform
win7-20240220-en
Max time kernel
140s
Max time network
122s
Command Line
Signatures
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\FSAV32 = "C:\\Windows\\wDaLrZMLGKEKpG3.exe" | C:\Users\Admin\AppData\Local\Temp\e59dd96bef29fac45d632ec27863c6fd_JaffaCakes118.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\wDaLrZMLGKEKpG3.exe | C:\Users\Admin\AppData\Local\Temp\e59dd96bef29fac45d632ec27863c6fd_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\wDaLrZMLGKEKpG3.exe | C:\Users\Admin\AppData\Local\Temp\e59dd96bef29fac45d632ec27863c6fd_JaffaCakes118.exe | N/A |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\e59dd96bef29fac45d632ec27863c6fd_JaffaCakes118.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2284 wrote to memory of 2688 | N/A | C:\Users\Admin\AppData\Local\Temp\e59dd96bef29fac45d632ec27863c6fd_JaffaCakes118.exe | C:\Windows\SysWOW64\WerFault.exe |
| PID 2284 wrote to memory of 2688 | N/A | C:\Users\Admin\AppData\Local\Temp\e59dd96bef29fac45d632ec27863c6fd_JaffaCakes118.exe | C:\Windows\SysWOW64\WerFault.exe |
| PID 2284 wrote to memory of 2688 | N/A | C:\Users\Admin\AppData\Local\Temp\e59dd96bef29fac45d632ec27863c6fd_JaffaCakes118.exe | C:\Windows\SysWOW64\WerFault.exe |
| PID 2284 wrote to memory of 2688 | N/A | C:\Users\Admin\AppData\Local\Temp\e59dd96bef29fac45d632ec27863c6fd_JaffaCakes118.exe | C:\Windows\SysWOW64\WerFault.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\e59dd96bef29fac45d632ec27863c6fd_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e59dd96bef29fac45d632ec27863c6fd_JaffaCakes118.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2284 -s 1472
Network
| Country | Destination | Domain | Proto |
| AT | 129.27.9.247:6667 | | tcp |
| US | 192.169.130.198:139 | | tcp |
| US | 52.107.26.41:139 | | tcp |
| GB | 86.134.71.55:139 | | tcp |
| JP | 221.75.2.243:139 | | tcp |
| NL | 93.88.152.162:139 | | tcp |
| CA | 142.2.187.100:139 | | tcp |
| GB | 86.169.142.235:139 | | tcp |
| IT | 217.59.219.35:139 | | tcp |
| UY | 190.134.43.81:139 | | tcp |
| US | 104.86.90.15:139 | | tcp |
| IN | 13.207.24.85:139 | | tcp |
| GB | 90.252.173.80:139 | | tcp |
| US | 26.98.52.251:139 | | tcp |
| US | 71.252.84.189:139 | | tcp |
| NZ | 104.84.48.222:139 | | tcp |
| JP | 112.138.222.65:139 | | tcp |
| US | 207.88.131.165:139 | | tcp |
| NL | 62.133.213.23:139 | | tcp |
| US | 209.113.195.16:139 | | tcp |
| CA | 207.162.93.79:139 | | tcp |
| US | 48.120.19.197:139 | | tcp |
| US | 129.116.10.136:139 | | tcp |
| CN | 122.64.22.178:139 | | tcp |
| RU | 95.189.184.156:139 | | tcp |
| IT | 88.43.97.203:139 | | tcp |
| US | 74.6.162.115:139 | | tcp |
| RU | 31.162.5.45:139 | | tcp |
| KR | 182.198.125.145:139 | | tcp |
| N/A | 10.127.43.38:139 | | tcp |
| N/A | 127.136.204.143:139 | | tcp |
| N/A | 127.136.204.143:445 | | tcp |
Files
memory/2284-3-0x0000000000400000-0x0000000000412000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-07 18:50
Reported
2024-04-07 18:53
Platform
win10v2004-20240226-en
Max time kernel
150s
Max time network
152s
Command Line
Signatures
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MCUPDATE = "C:\\Windows\\ekblQopApbstux.exe" | C:\Users\Admin\AppData\Local\Temp\e59dd96bef29fac45d632ec27863c6fd_JaffaCakes118.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\ekblQopApbstux.exe | C:\Users\Admin\AppData\Local\Temp\e59dd96bef29fac45d632ec27863c6fd_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\ekblQopApbstux.exe | C:\Users\Admin\AppData\Local\Temp\e59dd96bef29fac45d632ec27863c6fd_JaffaCakes118.exe | N/A |
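The two behavioral runs show the same persistence pattern with different random names: the sample copies itself to a randomly named executable directly under C:\Windows and registers it under the 32-bit (Wow6432Node) HKLM Run key. The following is an added example, not code from the sandbox or this report, that normalizes the native registry path from the "Adds Run key" indicator (hive prefix, Wow6432Node redirection, value name, doubled backslashes) and cross-checks the Run target against the paths from the "Drops file in Windows directory" signature. The indicator strings and dropped paths are copied from this report's tables; the rule thresholds and field names are my own choices.

```python
"""Turn 'Adds Run key' and 'Drops file in Windows directory' indicators from a
sandbox report into normalized IOCs and link them. Added example; the input
rows below are copied from this report, everything else is an assumption."""
import re
from dataclasses import dataclass

# Native (kernel-style) registry prefixes as sandboxes print them -> hive names.
HIVE_MAP = {
    r"\REGISTRY\MACHINE": "HKLM",
    r"\REGISTRY\USER": "HKU",
}

RUN_KEYS = (
    r"Microsoft\Windows\CurrentVersion\Run",
    r"Microsoft\Windows\CurrentVersion\RunOnce",
)

# Indicator lines exactly as they appear in the behavioral1/behavioral2 tables.
REPORT_RUN_INDICATORS = [
    r'\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\FSAV32 = "C:\\Windows\\wDaLrZMLGKEKpG3.exe"',
    r'\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MCUPDATE = "C:\\Windows\\ekblQopApbstux.exe"',
]
REPORT_DROPPED_FILES = [
    r"C:\Windows\wDaLrZMLGKEKpG3.exe",
    r"C:\Windows\ekblQopApbstux.exe",
]


@dataclass
class RunKeyEntry:
    hive: str
    key: str      # path below the hive with Wow6432Node removed
    wow64: bool   # True if the write was redirected through Wow6432Node
    name: str     # value name (FSAV32, MCUPDATE, ...)
    data: str     # value data with the report's doubled backslashes collapsed


_INDICATOR = re.compile(r'^(?P<path>\\REGISTRY\\[^=]+?)\s*=\s*"(?P<data>.*)"$')


def parse_run_indicator(indicator: str) -> RunKeyEntry:
    """Parse '\\REGISTRY\\MACHINE\\...\\Run\\NAME = "data"' into its parts."""
    m = _INDICATOR.match(indicator.strip())
    if not m:
        raise ValueError(f"not a registry Set value indicator: {indicator!r}")
    full = m.group("path")
    for prefix, hive in HIVE_MAP.items():
        if full.upper().startswith(prefix.upper()):
            rel = full[len(prefix) + 1:]          # drop prefix and its backslash
            break
    else:
        raise ValueError(f"unknown hive in {full!r}")
    key, _, name = rel.rpartition("\\")
    parts = key.split("\\")
    wow64 = len(parts) > 1 and parts[1].lower() == "wow6432node"
    if wow64:
        del parts[1]                               # SOFTWARE\Wow6432Node\X -> SOFTWARE\X
    data = m.group("data").replace("\\\\", "\\")
    return RunKeyEntry(hive, "\\".join(parts), wow64, name, data)


def is_run_key(entry: RunKeyEntry) -> bool:
    k = entry.key.lower()
    return any(k.endswith(rk.lower()) for rk in RUN_KEYS)


def exe_path_from_command(data: str) -> str:
    """Run values may carry arguments; return the program path only."""
    d = data.strip()
    if d.startswith('"'):
        return d[1:d.find('"', 1)]
    return d.split(" ", 1)[0]


def assess_persistence(run_indicators, dropped_files):
    """Link each Run key to the files the sample itself dropped (assumed rule)."""
    dropped = {p.lower() for p in dropped_files}
    findings = []
    for ind in run_indicators:
        e = parse_run_indicator(ind)
        if not is_run_key(e):
            continue
        target = exe_path_from_command(e.data)
        # An .exe sitting directly in C:\Windows (not System32) is unusual for
        # legitimate software and is the layout this sample uses.
        in_windows_root = re.fullmatch(r"c:\\windows\\[^\\]+\.exe", target.lower()) is not None
        findings.append({
            "hive": e.hive, "key": e.key, "value": e.name, "wow64": e.wow64,
            "target": target,
            "target_dropped_by_sample": target.lower() in dropped,
            "target_in_windows_root": in_windows_root,
        })
    return findings


if __name__ == "__main__":
    for f in assess_persistence(REPORT_RUN_INDICATORS, REPORT_DROPPED_FILES):
        print(f)
```

Both runs come out with the same shape (HKLM, Wow6432Node redirected, target dropped by the sample and placed in the Windows root), which is the part worth hunting on, since the value name and file name are randomized per infection.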
Processes
C:\Users\Admin\AppData\Local\Temp\e59dd96bef29fac45d632ec27863c6fd_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e59dd96bef29fac45d632ec27863c6fd_JaffaCakes118.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1340 --field-trial-handle=2264,i,13734085038406049477,12426093271221802693,262144 --variations-seed-version /prefetch:8
Network
| Country | Destination | Domain | Proto |
| AT | 129.27.9.247:6667 | | tcp |
| US | 212.124.118.75:139 | | tcp |
| US | 33.199.171.172:139 | | tcp |
| US | 174.242.231.167:139 | | tcp |
| US | 65.124.58.142:139 | | tcp |
| DE | 129.233.130.69:139 | | tcp |
| KR | 116.46.27.95:139 | | tcp |
| US | 65.196.219.123:139 | | tcp |
| US | 192.169.25.143:139 | | tcp |
| US | 99.157.91.23:139 | | tcp |
| CN | 58.35.173.237:139 | | tcp |
| US | 168.21.227.137:139 | | tcp |
| SA | 100.210.125.140:139 | | tcp |
| US | 30.95.159.149:139 | | tcp |
| US | 192.190.148.207:139 | | tcp |
| ZA | 168.128.8.130:139 | | tcp |
| US | 170.23.128.30:139 | | tcp |
| TW | 106.105.226.236:139 | | tcp |
| US | 38.93.248.212:139 | | tcp |
| N/A | 162.252.53.22:139 | | tcp |
| SG | 119.234.40.235:139 | | tcp |
| US | 107.219.238.141:139 | | tcp |
| US | 150.114.48.77:139 | | tcp |
| AU | 115.131.150.100:139 | | tcp |
| BR | 179.127.100.210:139 | | tcp |
| CN | 218.14.90.183:139 | | tcp |
| FR | 109.210.51.27:139 | | tcp |
| US | 54.177.229.129:139 | | tcp |
| US | 67.242.35.226:139 | | tcp |
| KE | 154.152.150.217:139 | | tcp |
| N/A | 10.127.4.197:139 | | tcp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 249.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 159.113.53.23.in-addr.arpa | udp |
| US | 212.124.118.75:445 | | tcp |
| US | 174.242.231.167:445 | | tcp |
| US | 65.124.58.142:445 | | tcp |
| US | 33.199.171.172:445 | | tcp |
| KR | 116.46.27.95:445 | | tcp |
| DE | 129.233.130.69:445 | | tcp |
| US | 192.169.25.143:445 | | tcp |
| US | 65.196.219.123:445 | | tcp |
| US | 99.157.91.23:445 | | tcp |
| US | 168.21.227.137:445 | | tcp |
| CN | 58.35.173.237:445 | | tcp |
| US | 192.190.148.207:445 | | tcp |
| US | 30.95.159.149:445 | | tcp |
| ZA | 168.128.8.130:445 | | tcp |
| SA | 100.210.125.140:445 | | tcp |
| N/A | 162.252.53.22:445 | | tcp |
| US | 170.23.128.30:445 | | tcp |
| TW | 106.105.226.236:445 | | tcp |
| US | 150.114.48.77:445 | | tcp |
| US | 38.93.248.212:445 | | tcp |
| SG | 119.234.40.235:445 | | tcp |
| FR | 109.210.51.27:445 | | tcp |
| US | 107.219.238.141:445 | | tcp |
| KE | 154.152.150.217:445 | | tcp |
| AU | 115.131.150.100:445 | | tcp |
| BR | 179.127.100.210:445 | | tcp |
| US | 54.177.229.129:445 | | tcp |
| CN | 218.14.90.183:445 | | tcp |
| US | 67.242.35.226:445 | | tcp |
| N/A | 10.127.4.197:445 | | tcp |
| AT | 129.27.9.247:6667 | | tcp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| CN | 42.221.241.139:139 | | tcp |
| PE | 45.232.107.168:139 | | tcp |
| US | 71.148.48.197:139 | | tcp |
| US | 65.202.107.46:139 | | tcp |
| JP | 60.60.14.154:139 | | tcp |
| BR | 190.107.160.68:139 | | tcp |
| CA | 99.223.19.197:139 | | tcp |
| DE | 185.207.156.185:139 | | tcp |
| GR | 62.74.126.17:139 | | tcp |
| US | 29.206.184.29:139 | | tcp |
| US | 149.169.71.192:139 | | tcp |
| US | 129.37.142.27:139 | | tcp |
| CN | 110.250.150.28:139 | | tcp |
| US | 54.146.85.101:139 | | tcp |
| DE | 141.51.255.102:139 | | tcp |
| CN | 101.123.188.184:139 | | tcp |
| IN | 117.252.51.229:139 | | tcp |
| AU | 121.209.238.232:139 | | tcp |
| US | 11.167.142.24:139 | | tcp |
| US | 32.57.173.140:139 | | tcp |
| JP | 133.233.223.28:139 | | tcp |
| GB | 25.24.75.24:139 | | tcp |
| CA | 70.68.116.49:139 | | tcp |
| RO | 89.122.34.33:139 | | tcp |
| N/A | 172.19.139.24:139 | | tcp |
| US | 192.169.144.220:139 | | tcp |
| US | 128.145.165.128:139 | | tcp |
| US | 3.237.221.146:139 | | tcp |
| ES | 82.86.20.197:139 | | tcp |
| N/A | 10.127.149.232:139 | | tcp |
| AT | 129.27.9.247:6667 | | tcp |
| US | 149.169.71.192:445 | | tcp |
| PE | 45.232.107.168:445 | | tcp |
| US | 65.202.107.46:445 | | tcp |
| CN | 42.221.241.139:445 | | tcp |
| JP | 60.60.14.154:445 | | tcp |
| US | 71.148.48.197:445 | | tcp |
| DE | 185.207.156.185:445 | | tcp |
| BR | 190.107.160.68:445 | | tcp |
| GR | 62.74.126.17:445 | | tcp |
| CA | 99.223.19.197:445 | | tcp |
| DE | 141.51.255.102:445 | | tcp |
| US | 29.206.184.29:445 | | tcp |
| JP | 133.233.223.28:445 | | tcp |
| US | 129.37.142.27:445 | | tcp |
| CN | 110.250.150.28:445 | | tcp |
| CA | 70.68.116.49:445 | | tcp |
| N/A | 172.19.139.24:445 | | tcp |
| US | 54.146.85.101:445 | | tcp |
| US | 128.145.165.128:445 | | tcp |
| US | 3.237.221.146:445 | | tcp |
| CN | 101.123.188.184:445 | | tcp |
| ES | 82.86.20.197:445 | | tcp |
| IN | 117.252.51.229:445 | | tcp |
| N/A | 10.127.149.232:445 | | tcp |
| US | 11.167.142.24:445 | | tcp |
| AU | 121.209.238.232:445 | | tcp |
| US | 32.57.173.140:445 | | tcp |
| GB | 25.24.75.24:445 | | tcp |
| US | 192.169.144.220:445 | | tcp |
| RO | 89.122.34.33:445 | | tcp |
| AT | 129.27.9.247:6667 | | tcp |
| BR | 150.163.86.27:139 | | tcp |
| US | 6.208.116.187:139 | | tcp |
| DE | 5.5.151.150:139 | | tcp |
| CA | 131.117.168.29:139 | | tcp |
| N/A | 10.127.16.14:139 | | tcp |
| GB | 81.144.2.83:139 | | tcp |
| US | 44.235.206.223:139 | | tcp |
| JP | 126.197.69.233:139 | | tcp |
| US | 75.101.150.18:139 | | tcp |
| CA | 206.75.69.126:139 | | tcp |
| US | 20.140.100.12:139 | | tcp |
| US | 40.220.230.190:139 | | tcp |
| PL | 185.212.41.225:139 | | tcp |
| US | 19.99.118.218:139 | | tcp |
| KR | 210.178.53.164:139 | | tcp |
| SE | 88.144.117.111:139 | | tcp |
| US | 66.153.70.127:139 | | tcp |
| US | 18.174.159.226:139 | | tcp |
| JP | 219.42.216.240:139 | | tcp |
| AU | 203.53.104.32:139 | | tcp |
| IN | 27.6.214.166:139 | | tcp |
| IL | 132.66.83.200:139 | | tcp |
| US | 170.146.59.130:139 | | tcp |
| SY | 94.47.4.19:139 | | tcp |
| US | 192.169.9.14:139 | | tcp |
| NL | 145.104.19.170:139 | | tcp |
| US | 11.43.149.12:139 | | tcp |
| ES | 62.175.109.79:139 | | tcp |
| JP | 123.198.12.201:139 | | tcp |
| MX | 189.220.213.58:139 | | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| BR | 150.163.86.27:445 | | tcp |
| AT | 129.27.9.247:6667 | | tcp |
| US | 6.208.116.187:445 | | tcp |
| DE | 5.5.151.150:445 | | tcp |
| US | 75.101.150.18:445 | | tcp |
| US | 20.140.100.12:445 | | tcp |
| PL | 185.212.41.225:445 | | tcp |
| CA | 131.117.168.29:445 | | tcp |
| GB | 81.144.2.83:445 | | tcp |
| US | 44.235.206.223:445 | | tcp |
| US | 19.99.118.218:445 | | tcp |
| N/A | 10.127.16.14:445 | | tcp |
| JP | 126.197.69.233:445 | | tcp |
| CA | 206.75.69.126:445 | | tcp |
| US | 40.220.230.190:445 | | tcp |
| KR | 210.178.53.164:445 | | tcp |
| SE | 88.144.117.111:445 | | tcp |
| JP | 219.42.216.240:445 | | tcp |
| US | 66.153.70.127:445 | | tcp |
| IN | 27.6.214.166:445 | | tcp |
| US | 18.174.159.226:445 | | tcp |
| US | 170.146.59.130:445 | | tcp |
| AU | 203.53.104.32:445 | | tcp |
| IL | 132.66.83.200:445 | | tcp |
| SY | 94.47.4.19:445 | | tcp |
| US | 192.169.9.14:445 | | tcp |
| US | 11.43.149.12:445 | | tcp |
| MX | 189.220.213.58:445 | | tcp |
| NL | 145.104.19.170:445 | | tcp |
| ES | 62.175.109.79:445 | | tcp |
| JP | 123.198.12.201:445 | | tcp |
| CN | 114.222.82.215:139 | | tcp |
| JP | 119.83.162.147:139 | | tcp |
| FI | 146.211.192.39:139 | | tcp |
| IT | 95.234.114.180:139 | | tcp |
| JP | 180.22.229.149:139 | | tcp |
| US | 108.184.178.202:139 | | tcp |
| US | 68.49.170.193:139 | | tcp |
| NL | 142.252.163.116:139 | | tcp |
| CN | 183.15.199.52:139 | | tcp |
| US | 108.125.208.96:139 | | tcp |
| US | 199.239.252.41:139 | | tcp |
| JP | 221.57.117.105:139 | | tcp |
| HK | 154.86.179.144:139 | | tcp |
| US | 96.136.214.45:139 | | tcp |
| US | 173.72.127.144:139 | | tcp |
| N/A | 10.127.112.207:139 | | tcp |
| CN | 124.117.49.214:139 | | tcp |
| JP | 222.226.231.244:139 | | tcp |
| US | 54.230.252.6:139 | | tcp |
| US | 192.195.249.206:139 | | tcp |
| ES | 90.171.159.120:139 | | tcp |
| US | 134.173.248.156:139 | | tcp |
| DE | 84.44.129.58:139 | | tcp |
| US | 169.25.72.145:139 | | tcp |
| US | 108.80.54.159:139 | | tcp |
| JP | 133.30.49.218:139 | | tcp |
| US | 192.169.6.240:139 | | tcp |
| NL | 185.228.196.189:139 | | tcp |
| US | 108.37.60.94:139 | | tcp |
| US | 32.62.193.125:139 | | tcp |
| AT | 129.27.9.247:6667 | | tcp |
| CN | 114.222.82.215:445 | | tcp |
| JP | 119.83.162.147:445 | | tcp |
| FI | 146.211.192.39:445 | | tcp |
| IT | 95.234.114.180:445 | | tcp |
| JP | 180.22.229.149:445 | | tcp |
| US | 108.184.178.202:445 | | tcp |
| CN | 183.15.199.52:445 | | tcp |
| US | 108.125.208.96:445 | | tcp |
| US | 199.239.252.41:445 | | tcp |
| US | 68.49.170.193:445 | | tcp |
| JP | 221.57.117.105:445 | | tcp |
| N/A | 10.127.112.207:445 | | tcp |
| NL | 142.252.163.116:445 | | tcp |
| US | 192.195.249.206:445 | | tcp |
| HK | 154.86.179.144:445 | | tcp |
| US | 134.173.248.156:445 | | tcp |
| US | 96.136.214.45:445 | | tcp |
| US | 173.72.127.144:445 | | tcp |
| CN | 124.117.49.214:445 | | tcp |
| JP | 222.226.231.244:445 | | tcp |
| ES | 90.171.159.120:445 | | tcp |
| US | 54.230.252.6:445 | | tcp |
| US | 169.25.72.145:445 | | tcp |
| DE | 84.44.129.58:445 | | tcp |
| US | 108.80.54.159:445 | | tcp |
| US | 108.37.60.94:445 | | tcp |
| JP | 133.30.49.218:445 | | tcp |
| US | 192.169.6.240:445 | | tcp |
| NL | 185.228.196.189:445 | | tcp |
| US | 32.62.193.125:445 | | tcp |
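The Network tables of both behavioral runs have the same structure: one endpoint, 129.27.9.247:6667, is contacted repeatedly over the whole run, while every other TCP destination is a one-shot probe of port 139 and then 445 on a pseudo-random address (including non-routable ones such as 10.x and 127.x, and a few reverse-DNS lookups of the scanned addresses). The table rows alone hide that pattern. The following is an added example, not part of the sandbox report, that parses rows in this table's format, decodes the PTR queries back into the address being looked up, and summarizes the fan-out versus the repeated endpoint. The embedded rows are a constructed excerpt of the behavioral1 and behavioral2 tables above; the field names and the `min_fanout` threshold are my own assumptions.

```python
"""Summarize a sandbox report's Network table: separate the single repeated
endpoint (129.27.9.247:6667) from the fan-out of one-shot TCP 139/445 probes,
and decode reverse-DNS (PTR) queries. Added example, not from the report; the
rows below are an excerpt constructed from the report's Network tables."""
import ipaddress
import re
from collections import Counter, defaultdict
from typing import Optional

SMB_PORTS = {139, 445}

# Constructed excerpt (the real tables have hundreds of rows of this shape).
REPORT_ROWS = """\
| Country | Destination | Domain | Proto |
| AT | 129.27.9.247:6667 | | tcp |
| US | 192.169.130.198:139 | | tcp |
| US | 52.107.26.41:139 | | tcp |
| GB | 86.134.71.55:139 | | tcp |
| JP | 221.75.2.243:139 | | tcp |
| NL | 93.88.152.162:139 | | tcp |
| CA | 142.2.187.100:139 | | tcp |
| GB | 86.169.142.235:139 | | tcp |
| IT | 217.59.219.35:139 | | tcp |
| UY | 190.134.43.81:139 | | tcp |
| US | 104.86.90.15:139 | | tcp |
| IN | 13.207.24.85:139 | | tcp |
| N/A | 10.127.43.38:139 | | tcp |
| N/A | 127.136.204.143:139 | | tcp |
| N/A | 127.136.204.143:445 | | tcp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| AT | 129.27.9.247:6667 | | tcp |
"""

# Country | Destination | then the domain and proto cells, in either order
# (some report exports put "tcp" in the Domain column and leave Proto empty).
_ROW = re.compile(r"^\|\s*(?P<cc>[^|]*?)\s*\|\s*(?P<dst>[^|]*?)\s*\|(?P<rest>.*)$")


def parse_rows(text: str) -> list:
    rows = []
    for line in text.splitlines():
        m = _ROW.match(line.strip())
        if not m or m.group("cc") == "Country":
            continue
        ip, _, port = m.group("dst").rpartition(":")
        cells = [c.strip() for c in m.group("rest").strip("|").split("|")]
        proto = next((c.lower() for c in cells if c.lower() in ("tcp", "udp")), "")
        domain = next((c for c in cells if c and c.lower() not in ("tcp", "udp")), "")
        rows.append({"cc": m.group("cc"), "ip": ip, "port": int(port),
                     "proto": proto, "domain": domain})
    return rows


def ptr_target(name: str) -> Optional[str]:
    """'154.239.44.20.in-addr.arpa' -> '20.44.239.154' (the address resolved)."""
    suffix = ".in-addr.arpa"
    if not name.lower().endswith(suffix):
        return None
    octets = name[:-len(suffix)].split(".")
    return ".".join(reversed(octets)) if len(octets) == 4 else None


def summarize(rows: list, min_fanout: int = 10) -> dict:
    """min_fanout is an assumed threshold for calling the 139/445 traffic a scan."""
    by_port = defaultdict(set)       # port -> distinct target IPs
    hits = Counter()                 # (ip, port) -> number of rows
    nonroutable = set()
    ptr_queries = []
    for r in rows:
        if r["proto"] == "udp" and r["port"] == 53:
            t = ptr_target(r["domain"])
            if t:
                ptr_queries.append(t)
            continue
        if r["proto"] != "tcp":
            continue
        by_port[r["port"]].add(r["ip"])
        hits[(r["ip"], r["port"])] += 1
        if not ipaddress.ip_address(r["ip"]).is_global:
            nonroutable.add(r["ip"])       # 10/8, 127/8, ...: blind random targeting
    smb_targets = set().union(*(by_port[p] for p in SMB_PORTS if p in by_port))
    # Anything hit more than once outside the scan ports is the candidate C2 peer.
    repeated = sorted((ip, p) for (ip, p), n in hits.items() if n > 1 and p not in SMB_PORTS)
    return {
        "smb_scan_targets": len(smb_targets),
        "smb_ports_seen": sorted(p for p in SMB_PORTS if p in by_port),
        "repeated_endpoints": repeated,
        "nonroutable_targets": sorted(nonroutable),
        "ptr_queries_for": ptr_queries,
        "worm_like": len(smb_targets) >= min_fanout and bool(repeated),
    }


if __name__ == "__main__":
    print(summarize(parse_rows(REPORT_ROWS)))
```

On the full tables the repeated endpoint is the only destination worth blocking or alerting on as an indicator; the 139/445 targets are victims chosen at random and change per run, so they belong in a count-based rule (many distinct hosts on 139/445 from one process) rather than a block list.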
Files
memory/4596-3-0x0000000000400000-0x0000000000412000-memory.dmp
memory/4596-5-0x0000000000400000-0x0000000000412000-memory.dmp
memory/4596-7-0x0000000000400000-0x0000000000412000-memory.dmp
memory/4596-8-0x0000000000400000-0x0000000000412000-memory.dmp
memory/4596-10-0x0000000000400000-0x0000000000412000-memory.dmp
memory/4596-11-0x0000000000400000-0x0000000000412000-memory.dmp
memory/4596-12-0x0000000000400000-0x0000000000412000-memory.dmp
memory/4596-13-0x0000000000400000-0x0000000000412000-memory.dmp
memory/4596-15-0x0000000000400000-0x0000000000412000-memory.dmp