Analysis Overview
SHA256
abfeef7be079feca6478a96e982a5bfebae0334b87293abcf52a9806f2d9922d
Threat Level: Shows suspicious behavior
The file e63e26386d42b8fa9946472015e6a1af_JaffaCakes118 was found to show suspicious behavior.
Malicious Activity Summary
Reads user/profile data of web browsers
UPX packed file
Unsigned PE
Program crash
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-04-08 00:45
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-08 00:45
Reported
2024-04-08 00:48
Platform
win7-20231129-en
Max time kernel
141s
Max time network
142s
Command Line
Signatures
Reads user/profile data of web browsers
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\e63e26386d42b8fa9946472015e6a1af_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e63e26386d42b8fa9946472015e6a1af_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\e63e26386d42b8fa9946472015e6a1af_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\e63e26386d42b8fa9946472015e6a1af_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft
C:\Users\Admin\AppData\Local\Temp\e63e26386d42b8fa9946472015e6a1af_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\e63e26386d42b8fa9946472015e6a1af_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | lostpropaganda.net | udp |
| US | 8.8.8.8:53 | zonedg.com | udp |
| US | 8.8.8.8:53 | zonedg.com | udp |
| US | 8.8.8.8:53 | separatemilkandtee.com | udp |
| US | 8.8.8.8:53 | zonedg.com | udp |
| US | 8.8.8.8:53 | zonedg.com | udp |
| HK | 154.211.84.30:80 | zonedg.com | tcp |
| HK | 154.211.84.30:80 | zonedg.com | tcp |
| HK | 154.211.84.30:80 | zonedg.com | tcp |
| HK | 154.211.84.30:80 | zonedg.com | tcp |
| HK | 154.211.84.30:80 | zonedg.com | tcp |
| HK | 154.211.84.30:80 | zonedg.com | tcp |
| HK | 154.211.84.30:80 | zonedg.com | tcp |
| HK | 154.211.84.30:80 | zonedg.com | tcp |
| HK | 154.211.84.30:80 | zonedg.com | tcp |
| US | 8.8.8.8:53 | www.google.com | udp |
| DE | 172.217.16.196:80 | www.google.com | tcp |
| US | 8.8.8.8:53 | bookonlinecatalog.com | udp |
| HK | 154.211.84.30:80 | zonedg.com | tcp |
| DE | 172.217.16.196:80 | www.google.com | tcp |
| N/A | 127.0.0.1:62848 | N/A | tcp |
Files
memory/2344-3-0x0000000000520000-0x0000000000620000-memory.dmp
memory/2344-1-0x0000000000400000-0x000000000044E000-memory.dmp
C:\Users\Admin\AppData\Roaming\38F5.34A
| Hash | Value |
| MD5 | d96340c72428b7cf865e7f5a89da222d |
| SHA1 | 34762e886aaa8cb09ddf6561a2e891ef964eb604 |
| SHA256 | 638bf10c28392bb63a801ef61637686daa3ba2d04fac84472832335b3071ecce |
| SHA512 | 957c98af73ff372a792d26b2a7d01e86bfdd8927074e61ab1b31711f054e8fef9d0cf2d660fbe39b9564933370b87cd4f88d0e9e7937d2e49da2ab82c96be881 |
memory/2840-18-0x000000000050A000-0x0000000000524000-memory.dmp
memory/2840-17-0x0000000000400000-0x000000000044E000-memory.dmp
C:\Users\Admin\AppData\Roaming\38F5.34A
| Hash | Value |
| MD5 | 1e6d2d7e32fca9fcd02df818ae8cc846 |
| SHA1 | dc0d4d8f3eda452536da04b35957d2a72e79929e |
| SHA256 | 50aa345e89e07461c16f999cebd9a53d5e93447ca1ebd88d872e2f24c3467cf9 |
| SHA512 | 5d4b3870ee544b5db43140e0580af6c24f9b0a65c9eb59e5ded2cdf477e323019938b5ae67185cbf74538d32267630b42e1d21efdd97acdbe7d868088d396308 |
C:\Users\Admin\AppData\Roaming\38F5.34A
| Hash | Value |
| MD5 | 29ba369811ffa5632a2131d0d533734b |
| SHA1 | 89fd8bac1947857a4ec2e8ca2c4fd4d23f72b514 |
| SHA256 | 597852d533a166c93437481afbe6d6a6d88a4a484b0b81c5cd20f623f64e813e |
| SHA512 | 0f741511e8510b115eaea6f767ed0da7739dbfd3e6c390ff0aa51b4f56e3f4cd2859a321d130180743bf58f7b03fbbbd77f2f724e5d2d6bb02e3922d210c1079 |
memory/2436-85-0x0000000000400000-0x000000000044E000-memory.dmp
memory/2436-87-0x0000000000549000-0x0000000000564000-memory.dmp
memory/2344-86-0x0000000000400000-0x000000000044E000-memory.dmp
memory/2344-88-0x0000000000400000-0x000000000044E000-memory.dmp
memory/2344-89-0x0000000000520000-0x0000000000620000-memory.dmp
C:\Users\Admin\AppData\Roaming\38F5.34A
| Hash | Value |
| MD5 | 7b6ac1178cd5a255f984d0a7e78c791d |
| SHA1 | 61c5e9e35ec6319bdb8666420637976eed4cf0c3 |
| SHA256 | 4e3df651ccb6eb09e67c740280936831a06eeb6d5b8c38f432304607517afe51 |
| SHA512 | be0cad8f26589e8ea036de722d4cd8c9a8d186e67e9ab990f3143dfdd5b883230f7abf54f48f25c9e34348b4225bf926294bce995e6dceacd758a8486e215c54 |
memory/2344-157-0x0000000000400000-0x000000000044E000-memory.dmp
memory/2344-188-0x0000000000400000-0x000000000044E000-memory.dmp
memory/2344-190-0x0000000000400000-0x000000000044E000-memory.dmp
memory/2344-196-0x0000000000400000-0x000000000044E000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-08 00:45
Reported
2024-04-08 00:48
Platform
win10v2004-20240226-en
Max time kernel
91s
Max time network
125s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\e63e26386d42b8fa9946472015e6a1af_JaffaCakes118.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\e63e26386d42b8fa9946472015e6a1af_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e63e26386d42b8fa9946472015e6a1af_JaffaCakes118.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3548 -ip 3548
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3548 -s 564
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 130.118.77.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp |