Analysis Overview
SHA256
4799ad9f38b0233b64b8a675ba67a14988c2be3a36e50140b136c55cf585b810
Threat Level: Shows suspicious behavior
The file f0a94fa88917463ade3432563abff492_JaffaCakes118 was found to show suspicious behavior.
Malicious Activity Summary
Loads dropped DLL
Executes dropped EXE
Installs/modifies Browser Helper Object
Drops file in System32 directory
Unsigned PE
Modifies registry class
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-04-15 08:28
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-15 08:28
Reported
2024-04-15 08:31
Platform
win7-20240221-en
Max time kernel
120s
Max time network
123s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\sxe37C5.tmp | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f0a94fa88917463ade3432563abff492_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f0a94fa88917463ade3432563abff492_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f0a94fa88917463ade3432563abff492_JaffaCakes118.exe | N/A |
Installs/modifies Browser Helper Object
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00009E9F-DDD7-AA59-AA7D-AA4B7D6BE000} | C:\Users\Admin\AppData\Local\Temp\sxe37C5.tmp | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\SysWOW64\mscorews.dll | C:\Users\Admin\AppData\Local\Temp\sxe37C5.tmp | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00009E9F-DDD7-AA59-AA7D-AA4B7D6BE000}\InprocServer32 | C:\Users\Admin\AppData\Local\Temp\sxe37C5.tmp | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node | C:\Users\Admin\AppData\Local\Temp\sxe37C5.tmp | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00009E9F-DDD7-AA59-AA7D-AA4B7D6BE000} | C:\Users\Admin\AppData\Local\Temp\sxe37C5.tmp | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00009E9F-DDD7-AA59-AA7D-AA4B7D6BE000}\InprocServer32\ = "C:\\Windows\\SysWow64\\mscorews.dll" | C:\Users\Admin\AppData\Local\Temp\sxe37C5.tmp | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00009E9F-DDD7-AA59-AA7D-AA4B7D6BE000}\InprocServer32\ThreadingModel = "Apartment" | C:\Users\Admin\AppData\Local\Temp\sxe37C5.tmp | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00009E9F-DDD7-AA59-AA7D-AA4B7D6BE000}\TypeLib | C:\Users\Admin\AppData\Local\Temp\sxe37C5.tmp | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID | C:\Users\Admin\AppData\Local\Temp\sxe37C5.tmp | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00009E9F-DDD7-AA59-AA7D-AA4B7D6BE000}\TypeLib\ = "{00009E9F-DDD7-AA59-AA7D-AA4B7D6BE000}" | C:\Users\Admin\AppData\Local\Temp\sxe37C5.tmp | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00009E9F-DDD7-AA59-AA7D-AA4B7D6BE000}\ = "mscorews" | C:\Users\Admin\AppData\Local\Temp\sxe37C5.tmp | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\f0a94fa88917463ade3432563abff492_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f0a94fa88917463ade3432563abff492_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\sxe37C5.tmp
"C:\Users\Admin\AppData\Local\Temp\sxe37C5.tmp"
Network
Files
\Users\Admin\AppData\Local\Temp\sxe37B3.tmp
| MD5 | bd815b61f9948f93aface4033fbb4423 |
| SHA1 | b5391484009b39053fc8b1bba63d444969bafcfa |
| SHA256 | b018bf9e9f8b6d945e6a2a25984970634884afabc580af2b4e855730520d5d76 |
| SHA512 | a363abe97b5a44e5d36af859e8d484daffe1d8e321c87969a75d1bfaa4288a5e6be1922a02c6d72937c84e81a79a1c7f6c9f2a44a995cac3f993ed5608afcd71 |
\Users\Admin\AppData\Local\Temp\sxe37C5.tmp
| MD5 | f722de53e7fffed004aea381ac288f01 |
| SHA1 | d6a947522f04bd4ffe94b0b9d5ccdeef896e4c24 |
| SHA256 | e776807e089b866575c6c7a80e65762ed1f5c6beca5b0545636cad27f6f72790 |
| SHA512 | e777dd471f99e523b853606c81bf51e2d64191f72acf42fc3cadee621d02169b96580b02f5ad4ff3cd9ee24f117c741a13080e149ed82e8d3c6aa5dc7e478970 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-15 08:28
Reported
2024-04-15 08:31
Platform
win10v2004-20240412-en
Max time kernel
142s
Max time network
150s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\sxe83D8.tmp | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f0a94fa88917463ade3432563abff492_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f0a94fa88917463ade3432563abff492_JaffaCakes118.exe | N/A |
Installs/modifies Browser Helper Object
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00009E9F-DDD7-AA59-AA7D-AA4B7D6BE000} | C:\Users\Admin\AppData\Local\Temp\sxe83D8.tmp | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\SysWOW64\mscorews.dll | C:\Users\Admin\AppData\Local\Temp\sxe83D8.tmp | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00009E9F-DDD7-AA59-AA7D-AA4B7D6BE000}\TypeLib | C:\Users\Admin\AppData\Local\Temp\sxe83D8.tmp | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00009E9F-DDD7-AA59-AA7D-AA4B7D6BE000}\TypeLib\ = "{00009E9F-DDD7-AA59-AA7D-AA4B7D6BE000}" | C:\Users\Admin\AppData\Local\Temp\sxe83D8.tmp | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00009E9F-DDD7-AA59-AA7D-AA4B7D6BE000}\ = "mscorews" | C:\Users\Admin\AppData\Local\Temp\sxe83D8.tmp | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00009E9F-DDD7-AA59-AA7D-AA4B7D6BE000}\InprocServer32 | C:\Users\Admin\AppData\Local\Temp\sxe83D8.tmp | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00009E9F-DDD7-AA59-AA7D-AA4B7D6BE000} | C:\Users\Admin\AppData\Local\Temp\sxe83D8.tmp | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00009E9F-DDD7-AA59-AA7D-AA4B7D6BE000}\InprocServer32\ = "C:\\Windows\\SysWow64\\mscorews.dll" | C:\Users\Admin\AppData\Local\Temp\sxe83D8.tmp | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node | C:\Users\Admin\AppData\Local\Temp\sxe83D8.tmp | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID | C:\Users\Admin\AppData\Local\Temp\sxe83D8.tmp | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00009E9F-DDD7-AA59-AA7D-AA4B7D6BE000}\InprocServer32\ThreadingModel = "Apartment" | C:\Users\Admin\AppData\Local\Temp\sxe83D8.tmp | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 2900 wrote to memory of 4524 | N/A | C:\Users\Admin\AppData\Local\Temp\f0a94fa88917463ade3432563abff492_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\sxe83D8.tmp |
| PID 2900 wrote to memory of 4524 | N/A | C:\Users\Admin\AppData\Local\Temp\f0a94fa88917463ade3432563abff492_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\sxe83D8.tmp |
| PID 2900 wrote to memory of 4524 | N/A | C:\Users\Admin\AppData\Local\Temp\f0a94fa88917463ade3432563abff492_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\sxe83D8.tmp |
Processes
C:\Users\Admin\AppData\Local\Temp\f0a94fa88917463ade3432563abff492_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f0a94fa88917463ade3432563abff492_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\sxe83D8.tmp
"C:\Users\Admin\AppData\Local\Temp\sxe83D8.tmp"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 79.121.231.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 147.177.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.114.53.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 16.173.189.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\sxe83C6.tmp
| MD5 | bd815b61f9948f93aface4033fbb4423 |
| SHA1 | b5391484009b39053fc8b1bba63d444969bafcfa |
| SHA256 | b018bf9e9f8b6d945e6a2a25984970634884afabc580af2b4e855730520d5d76 |
| SHA512 | a363abe97b5a44e5d36af859e8d484daffe1d8e321c87969a75d1bfaa4288a5e6be1922a02c6d72937c84e81a79a1c7f6c9f2a44a995cac3f993ed5608afcd71 |
C:\Users\Admin\AppData\Local\Temp\sxe83D8.tmp
| MD5 | f722de53e7fffed004aea381ac288f01 |
| SHA1 | d6a947522f04bd4ffe94b0b9d5ccdeef896e4c24 |
| SHA256 | e776807e089b866575c6c7a80e65762ed1f5c6beca5b0545636cad27f6f72790 |
| SHA512 | e777dd471f99e523b853606c81bf51e2d64191f72acf42fc3cadee621d02169b96580b02f5ad4ff3cd9ee24f117c741a13080e149ed82e8d3c6aa5dc7e478970 |