Analysis Overview
SHA256
236ca0957bdaf2fe0e37be4482dd52369e0680e3838258162c10db27a2861de3
Threat Level: Shows suspicious behavior
The file e648282656e67d02140b1f8346ca84ce_JaffaCakes118 was found to show suspicious behavior.
Malicious Activity Summary
Reads user/profile data of web browsers
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-04-08 01:05
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-08 01:05
Reported
2024-04-08 01:08
Platform
win7-20240221-en
Max time kernel
121s
Max time network
122s
Command Line
Signatures
Reads user/profile data of web browsers
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 2340 wrote to memory of 2548 | N/A | C:\Users\Admin\AppData\Local\Temp\e648282656e67d02140b1f8346ca84ce_JaffaCakes118.exe | C:\Windows\SysWOW64\cmd.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\e648282656e67d02140b1f8346ca84ce_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e648282656e67d02140b1f8346ca84ce_JaffaCakes118.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\626.bat
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | www.softologic.com | udp |
| US | 13.248.169.48:80 | www.softologic.com | tcp |
| US | 8.8.8.8:53 | api.mixpanel.com | udp |
| US | 130.211.34.183:80 | api.mixpanel.com | tcp |
Files
memory/2340-0-0x0000000010000000-0x0000000010134000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\626.bat
| MD5 | 2d55d29db16e7dc9b13d0cffe7c9741d |
| SHA1 | 51d78315a6757707d0cfba6289d4df6ebafc7fbc |
| SHA256 | 6abe54e56c39a3f61e5d8c5123691365832a47f311878aec808242e775168ad8 |
| SHA512 | 2ec87d42b16d8ded32e1106816622826f9fff8bd4a725cc8b0ddd673598fd568be59c6f4cdf36f8943c1673bc0c5766a39e28fbde680efc657e76163af63da2f |
C:\Users\Admin\AppData\Local\Temp\803975.exe
| MD5 | e648282656e67d02140b1f8346ca84ce |
| SHA1 | ad3a3314292c48307d3de710aee4c96d801c9a44 |
| SHA256 | 236ca0957bdaf2fe0e37be4482dd52369e0680e3838258162c10db27a2861de3 |
| SHA512 | e6ea4720a54ce1ef4455b142c2c6bbed06b7e6d07d50c4230d54b77be219350ec7323a6442f2fa37fd023faecb3f5067abd2819d5907a67da608a893b08aa7dd |
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-08 01:05
Reported
2024-04-08 01:08
Platform
win10v2004-20240226-en
Max time kernel
92s
Max time network
128s
Command Line
Signatures
Reads user/profile data of web browsers
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 4356 wrote to memory of 4396 | N/A | C:\Users\Admin\AppData\Local\Temp\e648282656e67d02140b1f8346ca84ce_JaffaCakes118.exe | C:\Windows\SysWOW64\cmd.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\e648282656e67d02140b1f8346ca84ce_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e648282656e67d02140b1f8346ca84ce_JaffaCakes118.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\484.bat
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | www.softologic.com | udp |
| US | 13.248.169.48:80 | www.softologic.com | tcp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.169.248.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 99.56.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | api.mixpanel.com | udp |
| US | 107.178.240.159:80 | api.mixpanel.com | tcp |
| US | 8.8.8.8:53 | 159.240.178.107.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
Files
memory/4356-0-0x0000000010000000-0x0000000010134000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\484.bat
| MD5 | dc8515cf14ea618adde9fe241bc9a874 |
| SHA1 | 7203882cc500acc2ac03ca358af38f31b5b56564 |
| SHA256 | 308cc18f0634f726b1dafcf19bb20b71013de9a6f7c6a6713c05eb337c5b9817 |
| SHA512 | b3d16035bd9f7c3b78872ee5d8893019ce201624620b7e199cd769114409042e266b4ec7988de499e56e9625a5cfbebb42501e6cb91c8278f77387a7a73e8435 |
C:\Users\Admin\AppData\Local\Temp\803975.exe
| MD5 | e648282656e67d02140b1f8346ca84ce |
| SHA1 | ad3a3314292c48307d3de710aee4c96d801c9a44 |
| SHA256 | 236ca0957bdaf2fe0e37be4482dd52369e0680e3838258162c10db27a2861de3 |
| SHA512 | e6ea4720a54ce1ef4455b142c2c6bbed06b7e6d07d50c4230d54b77be219350ec7323a6442f2fa37fd023faecb3f5067abd2819d5907a67da608a893b08aa7dd |