Analysis Overview
SHA256
6fcfad020b44b815dd35fed8fbc89e21630b8164f666aed014a3b76e9bb02504
Threat Level: Likely malicious
The file e64a67e4340c21816aaf063fba975543_JaffaCakes118 was found to be: Likely malicious.
Malicious Activity Summary
Disables taskbar notifications via registry modification
Reads user/profile data of web browsers
Drops file in Windows directory
Unsigned PE
Modifies registry class
Suspicious use of SendNotifyMessage
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-04-08 01:10
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-08 01:10
Reported
2024-04-08 01:13
Platform
win7-20240215-en
Max time kernel
141s
Max time network
118s
Command Line
Signatures
Disables taskbar notifications via registry modification
Reads user/profile data of web browsers
Drops file in Windows directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | \??\c:\windows\resources\d1161a75 | C:\Users\Admin\AppData\Local\Temp\e64a67e4340c21816aaf063fba975543_JaffaCakes118.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\pzby\shell\start\command\ = "\"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\e64a67e4340c21816aaf063fba975543_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\pzby\Content Type = "application/x-msdownload" | C:\Users\Admin\AppData\Local\Temp\e64a67e4340c21816aaf063fba975543_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\pzby\DefaultIcon\ = "%1" | C:\Users\Admin\AppData\Local\Temp\e64a67e4340c21816aaf063fba975543_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\pzby\shell | C:\Users\Admin\AppData\Local\Temp\e64a67e4340c21816aaf063fba975543_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\pzby\shell\runas\command | C:\Users\Admin\AppData\Local\Temp\e64a67e4340c21816aaf063fba975543_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\pzby\shell\start | C:\Users\Admin\AppData\Local\Temp\e64a67e4340c21816aaf063fba975543_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\.exe | C:\Users\Admin\AppData\Local\Temp\e64a67e4340c21816aaf063fba975543_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\pzby\shell\open\command | C:\Users\Admin\AppData\Local\Temp\e64a67e4340c21816aaf063fba975543_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\pzby | C:\Users\Admin\AppData\Local\Temp\e64a67e4340c21816aaf063fba975543_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\pzby\DefaultIcon | C:\Users\Admin\AppData\Local\Temp\e64a67e4340c21816aaf063fba975543_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\pzby\shell\open | C:\Users\Admin\AppData\Local\Temp\e64a67e4340c21816aaf063fba975543_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\pzby\shell\open\command\IsolatedCommand = "\"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\e64a67e4340c21816aaf063fba975543_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\pzby\shell\runas\command\IsolatedCommand = "\"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\e64a67e4340c21816aaf063fba975543_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\pzby\shell\start\command | C:\Users\Admin\AppData\Local\Temp\e64a67e4340c21816aaf063fba975543_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\pzby\shell\start\command\IsolatedCommand = "\"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\e64a67e4340c21816aaf063fba975543_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\.exe\ = "pzby" | C:\Users\Admin\AppData\Local\Temp\e64a67e4340c21816aaf063fba975543_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\pzby\ = "Application" | C:\Users\Admin\AppData\Local\Temp\e64a67e4340c21816aaf063fba975543_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\pzby\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\jbm.exe\" -a \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\e64a67e4340c21816aaf063fba975543_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\pzby\shell\runas | C:\Users\Admin\AppData\Local\Temp\e64a67e4340c21816aaf063fba975543_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\pzby\shell\runas\command\ = "\"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\e64a67e4340c21816aaf063fba975543_JaffaCakes118.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e64a67e4340c21816aaf063fba975543_JaffaCakes118.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e64a67e4340c21816aaf063fba975543_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e64a67e4340c21816aaf063fba975543_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e64a67e4340c21816aaf063fba975543_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e64a67e4340c21816aaf063fba975543_JaffaCakes118.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e64a67e4340c21816aaf063fba975543_JaffaCakes118.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e64a67e4340c21816aaf063fba975543_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e64a67e4340c21816aaf063fba975543_JaffaCakes118.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\e64a67e4340c21816aaf063fba975543_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e64a67e4340c21816aaf063fba975543_JaffaCakes118.exe"
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-08 01:10
Reported
2024-04-08 01:13
Platform
win10v2004-20240226-en
Max time kernel
148s
Max time network
153s
Command Line
Signatures
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e64a67e4340c21816aaf063fba975543_JaffaCakes118.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\e64a67e4340c21816aaf063fba975543_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e64a67e4340c21816aaf063fba975543_JaffaCakes118.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
Files
memory/4032-3-0x00000000011C0000-0x00000000011C1000-memory.dmp
memory/4032-4-0x0000000000FE0000-0x000000000102CA70-memory.dmp
memory/4032-5-0x0000000003FF0000-0x00000000040F8000-memory.dmp
memory/4032-6-0x0000000000FE0000-0x000000000102CA70-memory.dmp