Analysis Overview
SHA256
8ff242a5decf90c7a1a9f98e621d347c0c8923d23d58b866713001676c00da60
Threat Level: Known bad
The file efca5b4c5fd58b63d0849b344da07356_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
Expiro, m0yv
Expiro payload
Enumerates physical storage devices
Unsigned PE
Modifies registry class
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-04-15 06:25
Signatures
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-15 06:25
Reported
2024-04-15 06:28
Platform
win7-20240221-en
Max time kernel
117s
Max time network
120s
Command Line
Signatures
Expiro, m0yv
Expiro payload
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.vcf\Content Type = "text/x-vcard" | C:\Users\Admin\AppData\Local\Temp\efca5b4c5fd58b63d0849b344da07356_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\vcard_wab_auto_file | C:\Users\Admin\AppData\Local\Temp\efca5b4c5fd58b63d0849b344da07356_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\vcard_wab_auto_file\shell\open\command | C:\Users\Admin\AppData\Local\Temp\efca5b4c5fd58b63d0849b344da07356_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\vcard_wab_auto_file\DefaultIcon | C:\Users\Admin\AppData\Local\Temp\efca5b4c5fd58b63d0849b344da07356_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wab | C:\Users\Admin\AppData\Local\Temp\efca5b4c5fd58b63d0849b344da07356_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.vcf\ = "vcard_wab_auto_file" | C:\Users\Admin\AppData\Local\Temp\efca5b4c5fd58b63d0849b344da07356_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\vcard_wab_auto_file\ = "vCard File" | C:\Users\Admin\AppData\Local\Temp\efca5b4c5fd58b63d0849b344da07356_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\vcard_wab_auto_file\shell\open\command\ = "\"C:\\Program Files (x86)\\Windows Mail\\wab.exe\" /vcard %1" | C:\Users\Admin\AppData\Local\Temp\efca5b4c5fd58b63d0849b344da07356_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\vcard_wab_auto_file\DefaultIcon\ = "\"C:\\Program Files (x86)\\Windows Mail\\wab.exe\",1" | C:\Users\Admin\AppData\Local\Temp\efca5b4c5fd58b63d0849b344da07356_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\text/x-vcard | C:\Users\Admin\AppData\Local\Temp\efca5b4c5fd58b63d0849b344da07356_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\text/x-vcard\Extension = ".vcf" | C:\Users\Admin\AppData\Local\Temp\efca5b4c5fd58b63d0849b344da07356_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.vcf | C:\Users\Admin\AppData\Local\Temp\efca5b4c5fd58b63d0849b344da07356_JaffaCakes118.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\efca5b4c5fd58b63d0849b344da07356_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\efca5b4c5fd58b63d0849b344da07356_JaffaCakes118.exe"
Network
Files
memory/2212-0-0x0000000001000000-0x0000000001084000-memory.dmp
memory/2212-1-0x0000000001000000-0x0000000001084000-memory.dmp
memory/2212-2-0x0000000001000000-0x0000000001084000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-15 06:25
Reported
2024-04-15 06:28
Platform
win10v2004-20240412-en
Max time kernel
147s
Max time network
152s
Command Line
Signatures
Expiro, m0yv
Expiro payload
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\vcard_wab_auto_file\DefaultIcon | C:\Users\Admin\AppData\Local\Temp\efca5b4c5fd58b63d0849b344da07356_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\vcard_wab_auto_file\DefaultIcon\ = "\"C:\\Program Files (x86)\\Windows Mail\\wab.exe\",1" | C:\Users\Admin\AppData\Local\Temp\efca5b4c5fd58b63d0849b344da07356_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\text/x-vcard | C:\Users\Admin\AppData\Local\Temp\efca5b4c5fd58b63d0849b344da07356_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\vcard_wab_auto_file\shell\open\command | C:\Users\Admin\AppData\Local\Temp\efca5b4c5fd58b63d0849b344da07356_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\text/x-vcard\Extension = ".vcf" | C:\Users\Admin\AppData\Local\Temp\efca5b4c5fd58b63d0849b344da07356_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\vcard_wab_auto_file\ = "vCard File" | C:\Users\Admin\AppData\Local\Temp\efca5b4c5fd58b63d0849b344da07356_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wab | C:\Users\Admin\AppData\Local\Temp\efca5b4c5fd58b63d0849b344da07356_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.vcf\ = "vcard_wab_auto_file" | C:\Users\Admin\AppData\Local\Temp\efca5b4c5fd58b63d0849b344da07356_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.vcf\Content Type = "text/x-vcard" | C:\Users\Admin\AppData\Local\Temp\efca5b4c5fd58b63d0849b344da07356_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\vcard_wab_auto_file | C:\Users\Admin\AppData\Local\Temp\efca5b4c5fd58b63d0849b344da07356_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.vcf | C:\Users\Admin\AppData\Local\Temp\efca5b4c5fd58b63d0849b344da07356_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\vcard_wab_auto_file\shell\open\command\ = "\"C:\\Program Files (x86)\\Windows Mail\\wab.exe\" /vcard %1" | C:\Users\Admin\AppData\Local\Temp\efca5b4c5fd58b63d0849b344da07356_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4092317236-2027488869-1227795436-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\efca5b4c5fd58b63d0849b344da07356_JaffaCakes118.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\efca5b4c5fd58b63d0849b344da07356_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\efca5b4c5fd58b63d0849b344da07356_JaffaCakes118.exe"
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 20.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.114.53.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 24.139.73.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 249.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 213.80.50.20.in-addr.arpa | udp |
Files
memory/3196-0-0x0000000001000000-0x0000000001084000-memory.dmp
memory/3196-1-0x0000000001000000-0x0000000001084000-memory.dmp
memory/3196-2-0x0000000001000000-0x0000000001084000-memory.dmp