Analysis Overview
SHA256
411b208b31f28b5feb2a560f2966ca93f6000949b9f78325baf2f16261989cfb
Threat Level: Known bad
The file e87bd5de0d9542afa5f0c850913e397f_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
Expiro, m0yv
Expiro payload
Drops file in System32 directory
Program crash
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-04-08 21:43
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-08 21:43
Reported
2024-04-08 21:46
Platform
win7-20240221-en
Max time kernel
117s
Max time network
120s
Command Line
Signatures
Expiro, m0yv
Expiro payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\e87bd5de0d9542afa5f0c850913e397f_JaffaCakes118.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3036 wrote to memory of 3000 | N/A | C:\Users\Admin\AppData\Local\Temp\e87bd5de0d9542afa5f0c850913e397f_JaffaCakes118.exe | C:\Windows\SysWOW64\WerFault.exe |
| PID 3036 wrote to memory of 3000 | N/A | C:\Users\Admin\AppData\Local\Temp\e87bd5de0d9542afa5f0c850913e397f_JaffaCakes118.exe | C:\Windows\SysWOW64\WerFault.exe |
| PID 3036 wrote to memory of 3000 | N/A | C:\Users\Admin\AppData\Local\Temp\e87bd5de0d9542afa5f0c850913e397f_JaffaCakes118.exe | C:\Windows\SysWOW64\WerFault.exe |
| PID 3036 wrote to memory of 3000 | N/A | C:\Users\Admin\AppData\Local\Temp\e87bd5de0d9542afa5f0c850913e397f_JaffaCakes118.exe | C:\Windows\SysWOW64\WerFault.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\e87bd5de0d9542afa5f0c850913e397f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e87bd5de0d9542afa5f0c850913e397f_JaffaCakes118.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3036 -s 156
Network
Files
memory/3036-0-0x000000004A190000-0x000000004A2D3000-memory.dmp
memory/3036-3-0x000000004A190000-0x000000004A2D3000-memory.dmp
memory/3036-1-0x000000004A190000-0x000000004A2D3000-memory.dmp
memory/3036-4-0x000000004A190000-0x000000004A2D3000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-08 21:43
Reported
2024-04-08 21:46
Platform
win10v2004-20240226-en
Max time kernel
147s
Max time network
154s
Command Line
Signatures
Expiro, m0yv
Expiro payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | \??\c:\windows\SysWOW64\svchost.exe | C:\Users\Admin\AppData\Local\Temp\e87bd5de0d9542afa5f0c850913e397f_JaffaCakes118.exe | N/A |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\e87bd5de0d9542afa5f0c850913e397f_JaffaCakes118.exe |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\e87bd5de0d9542afa5f0c850913e397f_JaffaCakes118.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\e87bd5de0d9542afa5f0c850913e397f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e87bd5de0d9542afa5f0c850913e397f_JaffaCakes118.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 740 -ip 740
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 740 -s 276
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 159.113.53.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.121.231.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 99.56.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 249.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 25.173.189.20.in-addr.arpa | udp |
Files
memory/740-0-0x000000004A1B0000-0x000000004A2F3000-memory.dmp
memory/740-1-0x000000004A1B0000-0x000000004A2F3000-memory.dmp
memory/740-3-0x000000004A1B0000-0x000000004A2F3000-memory.dmp
C:\Users\Admin\AppData\Local\pnbjdjjq\addokdcg.tmp
| MD5 | a48e03f4b544d4c38a20dfea60e53541 |
| SHA1 | feeb06620dfebe37e7afe91f901a4271770d106d |
| SHA256 | 55c97ac22be11253f141e7dadf2ecdd9798334dcc91e6947d9844f1935308a85 |
| SHA512 | 3fc1ad33c06ede33b1d52d4a5220f38dc79af6d063ea7e36b66fea3508f5ac72311055f2ae7bbfbb67462951ab0cd06d7a3c58ef52f0832c2883f5456ccb946c |
memory/740-12-0x000000004A1B0000-0x000000004A2F3000-memory.dmp