Analysis Overview
SHA256
bebc94d1ba964a1cc1b23acfeb8b4ec4a5457649cf203e58c0e93c0161a0bf78
Threat Level: Known bad
The file f8c6f91efa4817c54c437e33b9846157_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
MetaSploit
Executes dropped EXE
Checks computer location settings
Loads dropped DLL
Enumerates physical storage devices
Unsigned PE
Modifies Internet Explorer settings
NTFS ADS
Suspicious behavior: AddClipboardFormatListener
Suspicious use of SetWindowsHookEx
Suspicious behavior: CmdExeWriteProcessMemorySpam
Suspicious use of WriteProcessMemory
Suspicious use of FindShellTrayWindow
Enumerates system info in registry
Checks processor information in registry
Modifies registry class
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-04-18 21:21
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-18 21:21
Reported
2024-04-18 21:24
Platform
win7-20240221-en
Max time kernel
121s
Max time network
128s
Command Line
Signatures
MetaSploit
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Programes\Power\ll.exe | N/A |
| N/A | N/A | C:\Programes\Power\lol.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f8c6f91efa4817c54c437e33b9846157_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f8c6f91efa4817c54c437e33b9846157_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f8c6f91efa4817c54c437e33b9846157_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f8c6f91efa4817c54c437e33b9846157_JaffaCakes118.exe | N/A |
Enumerates physical storage devices
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" | C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel | C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" | C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\MenuExt | C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" | C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote | C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" | C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" | C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE | N/A |
NTFS ADS
| Description | Indicator | Process | Target |
| File created | C:\Programes\Power\lol.exe:Zone.Identifier | C:\Windows\system32\cmd.exe | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE | N/A |
Suspicious behavior: CmdExeWriteProcessMemorySpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Programes\Power\lol.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\f8c6f91efa4817c54c437e33b9846157_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f8c6f91efa4817c54c437e33b9846157_JaffaCakes118.exe"
C:\Programes\Power\ll.exe
"C:\Programes\Power\ll.exe"
C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\55ED.tmp\55FD.tmp\55FE.bat C:\Programes\Power\ll.exe"
C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE" "C:\Programes\Power\prev.pptx"
C:\Programes\Power\lol.exe
lol.exe
C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
Network
| Country | Destination | Domain | Proto |
| GE | 176.221.252.198:4444 | | tcp |
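The process list and the network row above read as one chain: the sample runs ll.exe from C:\Programes\Power (a lookalike of Program Files), ll.exe uses cmd.exe to run a batch file from nested *.tmp directories under %TEMP%, and the order of the remaining processes plus the NTFS ADS entry for lol.exe are consistent with that batch opening prev.pptx in PowerPoint as a decoy and running lol.exe; a TCP connection goes to 176.221.252.198:4444, the default listener port of Metasploit handlers. The report lists processes flat and does not say which process opened that connection. The following Python is an added example for this write-up, not sandbox output: it encodes those observations as detection rules and runs them over an event set constructed from the command lines above, with PIDs, parent links and the connection's owner (lol.exe) as assumptions. PowerPoint's Internet Explorer MenuExt and Toolbar registry writes are Office's own context-menu registration and are deliberately not used as a signal.

```python
"""Detection rules over the process tree and network row reported above.

Added example for this write-up, not output of the sandbox. The events are
constructed from the report's command lines; PIDs, parent links and the
process owning the 4444/tcp connection are assumptions.
"""
import re
from dataclasses import dataclass
from difflib import SequenceMatcher
from pathlib import PureWindowsPath


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    image: str
    cmdline: str


@dataclass(frozen=True)
class Conn:
    pid: int
    dst: str
    port: int
    proto: str


# Constructed from the behavioral1 "Processes" and "Network" sections (pids assumed).
PROCS = [
    Proc(100, 1, r"C:\Users\Admin\AppData\Local\Temp\f8c6f91efa4817c54c437e33b9846157_JaffaCakes118.exe",
         r'"C:\Users\Admin\AppData\Local\Temp\f8c6f91efa4817c54c437e33b9846157_JaffaCakes118.exe"'),
    Proc(101, 100, r"C:\Programes\Power\ll.exe", r'"C:\Programes\Power\ll.exe"'),
    Proc(102, 101, r"C:\Windows\system32\cmd.exe",
         r'"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\55ED.tmp\55FD.tmp\55FE.bat C:\Programes\Power\ll.exe"'),
    Proc(103, 102, r"C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE",
         r'"C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE" "C:\Programes\Power\prev.pptx"'),
    Proc(104, 102, r"C:\Programes\Power\lol.exe", "lol.exe"),
]
CONNS = [Conn(104, "176.221.252.198", 4444, "tcp")]  # owning pid is an assumption

STANDARD_ROOTS = {"program files", "program files (x86)", "programdata", "windows", "users"}
OFFICE_IMAGES = {"powerpnt.exe", "winword.exe", "excel.exe"}
DOC_EXT = {".pptx", ".ppt", ".docx", ".doc", ".xlsx", ".xls", ".pdf"}
# cmd.exe running X.bat out of %TEMP%\X.tmp\Y.tmp\ (two or more nested random dirs)
NESTED_TMP_BAT = re.compile(r"\\AppData\\Local\\Temp\\(?:[0-9A-F]+\.tmp\\){2,}[0-9A-F]+\.bat", re.I)
MSF_DEFAULT_PORT = 4444  # default LPORT of Metasploit handlers


def root_dir(path: str) -> str:
    """First directory under the drive, lower-cased ('programes' for C:\\Programes\\Power\\ll.exe)."""
    parts = PureWindowsPath(path).parts
    return parts[1].lower() if len(parts) > 1 else ""


def lookalike_root(name: str):
    """Standard top-level directory that `name` most resembles, or None if nothing is close."""
    best = max(STANDARD_ROOTS, key=lambda s: SequenceMatcher(None, name, s).ratio())
    return best if SequenceMatcher(None, name, best).ratio() >= 0.7 else None


def abs_paths(cmdline: str):
    """Absolute paths in a command line (simplification: a path ends at the next space or quote)."""
    return re.findall(r'[A-Za-z]:\\[^"\s]+', cmdline)


def detect(procs, conns):
    findings = []          # (rule, pid, detail)
    drop_dirs = set()      # directories holding executed non-standard binaries
    for p in procs:
        img = PureWindowsPath(p.image)
        root = root_dir(p.image)
        if root and root not in STANDARD_ROOTS:
            drop_dirs.add(str(img.parent).lower())
            mimic = lookalike_root(root)
            detail = f"{img.name} executed from non-standard root directory '{root}'"
            findings.append(("nonstandard_root", p.pid, detail + (f" (lookalike of '{mimic}')" if mimic else "")))
        if img.name.lower() == "cmd.exe":
            if "\\sysnative\\" in p.cmdline.lower():
                # sysnative is the WOW64 alias for the 64-bit System32, so the parent is a 32-bit process.
                findings.append(("sysnative_cmd", p.pid, "64-bit cmd.exe started via sysnative by a 32-bit parent"))
            if NESTED_TMP_BAT.search(p.cmdline):
                findings.append(("nested_tmp_bat", p.pid, "batch script run from nested *.tmp dirs under %TEMP%"))
    # Decoy document: an Office app opens a file that sits beside the dropped binaries.
    for p in procs:
        if PureWindowsPath(p.image).name.lower() in OFFICE_IMAGES:
            for arg in abs_paths(p.cmdline):
                doc = PureWindowsPath(arg)
                if doc.suffix.lower() in DOC_EXT and str(doc.parent).lower() in drop_dirs:
                    findings.append(("decoy_document", p.pid, f"{doc.name} opened from drop directory {doc.parent}"))
    # Outbound connection to the Metasploit default port from an already-flagged process.
    flagged = {pid for _, pid, _ in findings}
    images = {p.pid: p.image for p in procs}
    for c in conns:
        if c.proto == "tcp" and c.port == MSF_DEFAULT_PORT and c.pid in flagged:
            findings.append(("msf_default_port", c.pid, f"{c.dst}:{c.port}/tcp from {images[c.pid]}"))
    return findings


if __name__ == "__main__":
    for rule, pid, detail in detect(PROCS, CONNS):
        print(f"{rule:18} pid={pid} {detail}")
```

Run stand-alone, all five rules fire on the constructed events while the original sample (executing from the user's Temp directory) is not flagged by the directory rule, which is why the port rule is gated on a prior finding rather than on port 4444 alone. The sysnative rule rests on the fact that C:\Windows\sysnative exists only for 32-bit processes under WOW64, so its appearance in cmd.exe's command line tells you the launcher that wrote it, ll.exe, is a 32-bit binary.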
Files
\Programes\Power\ll.exe
| MD5 | f59d5f571baa32085623e50216883cb0 |
| SHA1 | c53dc803a0a18d3ab05259bb92abbf3182747d6b |
| SHA256 | d8d00188183ae4f36c1ca2bc2e2301314ed03fc0661dd7f549e3a979f896ca4c |
| SHA512 | fecb7c03a8d9f1603b00c0939cb40072ab661714dce73b0d4b702532ab44183e07776ca555817e8d677d2528f19317845bbf2628ac76708d4bae75ba6eeb44b7 |
C:\Users\Admin\AppData\Local\Temp\55ED.tmp\55FD.tmp\55FE.bat
| MD5 | ba6af7d6d40086090929b59917b75dd5 |
| SHA1 | c4f88f42320df939bec38ce8d7d3b6c6d5f7c5db |
| SHA256 | 0c7af3fddd012303c3d1ee4e366852ad00dcf1723b7c813b7bffe4581abb360f |
| SHA512 | 2a978e37e45aeb5ec39aa8c15596d43799d41dc541f3b2a4568d309d89b313dde7e442a027cf58ecd6292a22d1e47809aeb35cc5142a475e5f5e67faafa2be53 |
C:\Programes\Power\lol.exe:Zone.Identifier
| MD5 | 81051bcc2cf1bedf378224b0a93e2877 |
| SHA1 | ba8ab5a0280b953aa97435ff8946cbcbb2755a27 |
| SHA256 | 7eb70257593da06f682a3ddda54a9d260d4fc514f645237f5ca74b08f8da61a6 |
| SHA512 | 1b302a2f1e624a5fb5ad94ddc4e5f8bfd74d26fa37512d0e5face303d8c40eee0d0ffa3649f5da43f439914d128166cb6c4774a7caa3b174d7535451eb697b5d |
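The NTFS ADS signature attributes the creation of lol.exe:Zone.Identifier to cmd.exe, and the digests directly above are those of that stream. A Zone.Identifier stream is a short INI text, a [ZoneTransfer] section with a ZoneId field and optionally ReferrerUrl and HostUrl, that records the security zone a file came from; ZoneId=3 is the Internet zone, i.e. Mark-of-the-Web. The following Python is an added example for this write-up, not part of the report: it parses such a stream and hashes the standard marker bodies so the reported digests can be compared against them. The candidate bodies are constructed, and nothing here asserts which one the sandbox saw; the comparison tells you.

```python
"""Parse and fingerprint a Zone.Identifier alternate data stream.

Added example for this write-up; not part of the sandbox report. The report
shows cmd.exe creating C:\\Programes\\Power\\lol.exe:Zone.Identifier and gives
the stream's hashes, so its content can be identified by hashing the standard
marker bodies and comparing.
"""
import configparser
import hashlib

# Digests of lol.exe:Zone.Identifier exactly as reported above.
REPORTED = {
    "md5": "81051bcc2cf1bedf378224b0a93e2877",
    "sha1": "ba8ab5a0280b953aa97435ff8946cbcbb2755a27",
    "sha256": "7eb70257593da06f682a3ddda54a9d260d4fc514f645237f5ca74b08f8da61a6",
}

# URLZONE values carried in the ZoneId field.
ZONES = {0: "Local machine", 1: "Local intranet", 2: "Trusted sites", 3: "Internet", 4: "Restricted sites"}

# Candidate stream bodies (constructed). The bare ZoneId=3 marker is what a
# downloaded file keeps after being copied by tools that preserve streams.
CANDIDATES = {
    "ZoneId=3, CRLF": b"[ZoneTransfer]\r\nZoneId=3\r\n",
    "ZoneId=3, LF": b"[ZoneTransfer]\nZoneId=3\n",
    "ZoneId=4, CRLF": b"[ZoneTransfer]\r\nZoneId=4\r\n",
}


def parse_zone_identifier(data: bytes) -> dict:
    """Return the fields of a Zone.Identifier stream; raise ValueError if it is malformed."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str                      # keep ZoneId / ReferrerUrl / HostUrl casing
    try:
        cp.read_string(data.decode("utf-8", "replace"))
    except configparser.Error as exc:
        raise ValueError(f"not INI syntax: {exc}") from exc
    if not cp.has_section("ZoneTransfer"):
        raise ValueError("missing [ZoneTransfer] section")
    fields = dict(cp["ZoneTransfer"])
    try:
        zone = int(fields.pop("ZoneId"))
    except (KeyError, ValueError) as exc:
        raise ValueError("missing or non-numeric ZoneId") from exc
    return {"zone_id": zone, "zone_name": ZONES.get(zone, "unknown"), **fields}


def digests(data: bytes) -> dict:
    """MD5/SHA1/SHA256 of a stream body, keyed like the report's hash table."""
    return {alg: hashlib.new(alg, data).hexdigest() for alg in ("md5", "sha1", "sha256")}


def identify(reported=REPORTED, candidates=CANDIDATES):
    """Label of the candidate body whose digests all equal the reported ones, else None."""
    for label, body in candidates.items():
        if digests(body) == reported:
            return label
    return None


if __name__ == "__main__":
    print("reported stream is:", identify() or "none of the standard bodies")
    print(parse_zone_identifier(CANDIDATES["ZoneId=3, CRLF"]))
```

The same parser is what you would point at a live file with `open(path + ":Zone.Identifier", "rb")` on NTFS; the stream name after the colon is addressed through the ordinary file API. Note that a Zone.Identifier written by a modern browser may also carry ReferrerUrl and HostUrl, which is why the parser returns every field rather than just the zone.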
C:\Programes\Power\lol.exe
| MD5 | bb1f9c3f2eb93358942d23995990b254 |
| SHA1 | 9303c176a3f5c409381af91bc86160fc2cc483ba |
| SHA256 | 68f45370a0e05bcbca4b88cdc66fbd9c6f895cbec3f4e42d50e32011f02c1eea |
| SHA512 | 1396cc3105e6a0deb633a04150a372f3451f4b1bd09bfa3acdbb4197aff0d558a8ed614993eb19120031904da344dc5f47b8e461e49fb63da7ea115d042b40ca |
memory/2444-27-0x000000002DDC1000-0x000000002DDC2000-memory.dmp
memory/2444-28-0x000000005FFF0000-0x0000000060000000-memory.dmp
memory/2444-29-0x0000000071EDD000-0x0000000071EE8000-memory.dmp
memory/2472-31-0x0000000000240000-0x0000000000241000-memory.dmp
C:\Programes\Power\prev.pptx
| MD5 | d1ad83616f64413a9afa8d55acad1e23 |
| SHA1 | e61e00403eb66d26dfe97c654af3d6e30e674927 |
| SHA256 | 532305013971d96ce6a7958a1d5fe19b620b8efb515f33304f66e8abb07dd4d3 |
| SHA512 | 91c79a61341c9d3f19ef072e19f4eb29a56af6543934d757e2f24abc90d0d8a823331fde9f93c7d4260ada64ef9ecce7f14c65fb69b791529b4578edfde2ca5f |
memory/2444-43-0x000000005FFF0000-0x0000000060000000-memory.dmp
memory/2444-44-0x0000000071EDD000-0x0000000071EE8000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-18 21:21
Reported
2024-04-18 21:24
Platform
win10v2004-20240412-en
Max time kernel
93s
Max time network
138s
Command Line
Signatures
MetaSploit
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\f8c6f91efa4817c54c437e33b9846157_JaffaCakes118.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\International\Geo\Nation | C:\Programes\Power\ll.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Programes\Power\ll.exe | N/A |
| N/A | N/A | C:\Programes\Power\lol.exe | N/A |
Enumerates physical storage devices
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\f8c6f91efa4817c54c437e33b9846157_JaffaCakes118.exe | N/A |
NTFS ADS
| Description | Indicator | Process | Target |
| File created | C:\Programes\Power\lol.exe:Zone.Identifier | C:\Windows\system32\cmd.exe | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\f8c6f91efa4817c54c437e33b9846157_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f8c6f91efa4817c54c437e33b9846157_JaffaCakes118.exe"
C:\Programes\Power\ll.exe
"C:\Programes\Power\ll.exe"
C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE
"C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" "C:\Programes\Power\prev.pptx" /ou ""
C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\94AE.tmp\94AF.tmp\94B0.bat C:\Programes\Power\ll.exe"
C:\Programes\Power\lol.exe
lol.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 69.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.32.109.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.114.53.23.in-addr.arpa | udp |
| GE | 176.221.252.198:4444 | | tcp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 6.173.189.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 249.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp |
Files
C:\Programes\Power\ll.exe
| MD5 | f59d5f571baa32085623e50216883cb0 |
| SHA1 | c53dc803a0a18d3ab05259bb92abbf3182747d6b |
| SHA256 | d8d00188183ae4f36c1ca2bc2e2301314ed03fc0661dd7f549e3a979f896ca4c |
| SHA512 | fecb7c03a8d9f1603b00c0939cb40072ab661714dce73b0d4b702532ab44183e07776ca555817e8d677d2528f19317845bbf2628ac76708d4bae75ba6eeb44b7 |
C:\Programes\Power\prev.pptx
| MD5 | d1ad83616f64413a9afa8d55acad1e23 |
| SHA1 | e61e00403eb66d26dfe97c654af3d6e30e674927 |
| SHA256 | 532305013971d96ce6a7958a1d5fe19b620b8efb515f33304f66e8abb07dd4d3 |
| SHA512 | 91c79a61341c9d3f19ef072e19f4eb29a56af6543934d757e2f24abc90d0d8a823331fde9f93c7d4260ada64ef9ecce7f14c65fb69b791529b4578edfde2ca5f |
memory/3340-17-0x00007FFC15310000-0x00007FFC15320000-memory.dmp
memory/3340-18-0x00007FFC55290000-0x00007FFC55485000-memory.dmp
memory/3340-20-0x00007FFC55290000-0x00007FFC55485000-memory.dmp
memory/3340-21-0x00007FFC55290000-0x00007FFC55485000-memory.dmp
memory/3340-22-0x00007FFC15310000-0x00007FFC15320000-memory.dmp
memory/3340-19-0x00007FFC15310000-0x00007FFC15320000-memory.dmp
memory/3340-24-0x00007FFC55290000-0x00007FFC55485000-memory.dmp
memory/3340-25-0x00007FFC15310000-0x00007FFC15320000-memory.dmp
memory/3340-23-0x00007FFC15310000-0x00007FFC15320000-memory.dmp
memory/3340-26-0x00007FFC55290000-0x00007FFC55485000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\94AE.tmp\94AF.tmp\94B0.bat
| MD5 | ba6af7d6d40086090929b59917b75dd5 |
| SHA1 | c4f88f42320df939bec38ce8d7d3b6c6d5f7c5db |
| SHA256 | 0c7af3fddd012303c3d1ee4e366852ad00dcf1723b7c813b7bffe4581abb360f |
| SHA512 | 2a978e37e45aeb5ec39aa8c15596d43799d41dc541f3b2a4568d309d89b313dde7e442a027cf58ecd6292a22d1e47809aeb35cc5142a475e5f5e67faafa2be53 |
memory/3340-28-0x00007FFC55290000-0x00007FFC55485000-memory.dmp
C:\Programes\Power\lol.exe:Zone.Identifier
| MD5 | 81051bcc2cf1bedf378224b0a93e2877 |
| SHA1 | ba8ab5a0280b953aa97435ff8946cbcbb2755a27 |
| SHA256 | 7eb70257593da06f682a3ddda54a9d260d4fc514f645237f5ca74b08f8da61a6 |
| SHA512 | 1b302a2f1e624a5fb5ad94ddc4e5f8bfd74d26fa37512d0e5face303d8c40eee0d0ffa3649f5da43f439914d128166cb6c4774a7caa3b174d7535451eb697b5d |
memory/3340-32-0x00007FFC55290000-0x00007FFC55485000-memory.dmp
memory/3340-33-0x00007FFC55290000-0x00007FFC55485000-memory.dmp
memory/3340-31-0x00007FFC129B0000-0x00007FFC129C0000-memory.dmp
memory/3340-34-0x00007FFC55290000-0x00007FFC55485000-memory.dmp
memory/3340-36-0x00007FFC55290000-0x00007FFC55485000-memory.dmp
memory/3340-35-0x00007FFC129B0000-0x00007FFC129C0000-memory.dmp
memory/3340-37-0x00007FFC55290000-0x00007FFC55485000-memory.dmp
memory/3340-38-0x00007FFC55290000-0x00007FFC55485000-memory.dmp
memory/3340-39-0x00007FFC55290000-0x00007FFC55485000-memory.dmp
memory/3340-40-0x00007FFC55290000-0x00007FFC55485000-memory.dmp
memory/3340-41-0x00007FFC55290000-0x00007FFC55485000-memory.dmp
memory/3340-42-0x00007FFC55290000-0x00007FFC55485000-memory.dmp
memory/3340-43-0x00007FFC55290000-0x00007FFC55485000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat
| MD5 | 37bfa7e4024092f51555e1fbf3140751 |
| SHA1 | 7c68c2d66281c5ac2c1b9b2a6ec164864370f790 |
| SHA256 | 33c9be9190f3dd9aadc78d6978d413b20a1ded86c7902149dfdfd2b87c750b7e |
| SHA512 | 558a6ebfcad0aa957498586ccf11bd578eab281355f9310657095d906669e0a6ce8490266d1eca9d41b216171ae51ad8e4d4b3dcc24ca212e82c78f0e7816891 |
C:\Programes\Power\lol.exe
| MD5 | bb1f9c3f2eb93358942d23995990b254 |
| SHA1 | 9303c176a3f5c409381af91bc86160fc2cc483ba |
| SHA256 | 68f45370a0e05bcbca4b88cdc66fbd9c6f895cbec3f4e42d50e32011f02c1eea |
| SHA512 | 1396cc3105e6a0deb633a04150a372f3451f4b1bd09bfa3acdbb4197aff0d558a8ed614993eb19120031904da344dc5f47b8e461e49fb63da7ea115d042b40ca |
memory/4428-69-0x0000000000580000-0x0000000000581000-memory.dmp
memory/3340-79-0x00007FFC15310000-0x00007FFC15320000-memory.dmp
memory/3340-80-0x00007FFC15310000-0x00007FFC15320000-memory.dmp
memory/3340-81-0x00007FFC15310000-0x00007FFC15320000-memory.dmp
memory/3340-82-0x00007FFC15310000-0x00007FFC15320000-memory.dmp
memory/3340-83-0x00007FFC55290000-0x00007FFC55485000-memory.dmp
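The two detonations drop the same payload set under different temporary names: ll.exe, lol.exe, prev.pptx and the batch file carry identical hashes on win7 and win10, the batch path differs only in its random *.tmp components, and index.dat (an Office recent-files list) appears only in the win10 run. The following Python is an added example for this write-up, not report output: it normalises the paths from both Files sections, keeps as hash indicators only artifacts that are byte-identical in every run, and turns the normalised path of the random-named batch file into a matching regex. The Zone.Identifier stream is excluded from the hash indicators on purpose: its content is a zone marker rather than payload, so its hash identifies the marker, not this campaign.

```python
"""Consolidate dropped-file indicators across the two detonations above.

Added example for this write-up, not report output. Paths and SHA256 values
are copied from the behavioral1 (win7) and behavioral2 (win10) "Files"
sections; user name and random *.tmp components are abstracted so the same
artifact is recognised under both runs.
"""
import re

RUNS = {
    "behavioral1": {
        r"\Programes\Power\ll.exe": "d8d00188183ae4f36c1ca2bc2e2301314ed03fc0661dd7f549e3a979f896ca4c",
        r"C:\Users\Admin\AppData\Local\Temp\55ED.tmp\55FD.tmp\55FE.bat": "0c7af3fddd012303c3d1ee4e366852ad00dcf1723b7c813b7bffe4581abb360f",
        r"C:\Programes\Power\lol.exe:Zone.Identifier": "7eb70257593da06f682a3ddda54a9d260d4fc514f645237f5ca74b08f8da61a6",
        r"C:\Programes\Power\lol.exe": "68f45370a0e05bcbca4b88cdc66fbd9c6f895cbec3f4e42d50e32011f02c1eea",
        r"C:\Programes\Power\prev.pptx": "532305013971d96ce6a7958a1d5fe19b620b8efb515f33304f66e8abb07dd4d3",
    },
    "behavioral2": {
        r"C:\Programes\Power\ll.exe": "d8d00188183ae4f36c1ca2bc2e2301314ed03fc0661dd7f549e3a979f896ca4c",
        r"C:\Programes\Power\prev.pptx": "532305013971d96ce6a7958a1d5fe19b620b8efb515f33304f66e8abb07dd4d3",
        r"C:\Users\Admin\AppData\Local\Temp\94AE.tmp\94AF.tmp\94B0.bat": "0c7af3fddd012303c3d1ee4e366852ad00dcf1723b7c813b7bffe4581abb360f",
        r"C:\Programes\Power\lol.exe:Zone.Identifier": "7eb70257593da06f682a3ddda54a9d260d4fc514f645237f5ca74b08f8da61a6",
        r"C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat": "33c9be9190f3dd9aadc78d6978d413b20a1ded86c7902149dfdfd2b87c750b7e",
        r"C:\Programes\Power\lol.exe": "68f45370a0e05bcbca4b88cdc66fbd9c6f895cbec3f4e42d50e32011f02c1eea",
    },
}

_DRIVE = re.compile(r"^[A-Za-z]:")
_USER = re.compile(r"^\\Users\\[^\\]+\\", re.I)
# 55ED.tmp / 55FE.bat style names: 4-8 hex digits before .tmp or .bat
_RAND = re.compile(r"(?<=\\)[0-9A-Fa-f]{4,8}(?=\.(?:tmp|bat)(?:\\|$))")


def normalize(path: str) -> str:
    """Case-folded path with drive letter, user name and random temp names abstracted."""
    p = _DRIVE.sub("", path)
    p = _USER.sub(r"\\Users\\<user>\\", p)
    p = _RAND.sub("<rand>", p)
    return p.lower()


def consolidate(runs):
    """Split artifacts into those with a single hash in every run, and everything else."""
    seen = {}  # normalised path -> {run: sha256}
    for run, files in runs.items():
        for path, sha256 in files.items():
            seen.setdefault(normalize(path), {})[run] = sha256
    stable, volatile = {}, {}
    for norm, per_run in seen.items():
        hashes = set(per_run.values())
        if len(per_run) == len(runs) and len(hashes) == 1:
            stable[norm] = hashes.pop()
        else:
            volatile[norm] = per_run
    return stable, volatile


def hash_iocs(stable):
    """Stable hashes worth matching on; Zone.Identifier streams hash the zone marker, not payload."""
    return {p: h for p, h in stable.items() if not p.endswith(":zone.identifier")}


def path_regex(norm: str):
    """Regex matching concrete paths (with or without drive) for a normalised path."""
    body = re.escape(norm).replace("<user>", r"[^\\]+").replace("<rand>", r"[0-9A-F]{4,8}")
    return re.compile(r"^(?:[A-Za-z]:)?" + body + r"$", re.I)


if __name__ == "__main__":
    stable, volatile = consolidate(RUNS)
    for p, h in hash_iocs(stable).items():
        print("hash         ", h, p)
    for p, per_run in volatile.items():
        print("run-specific ", p, per_run)
    print(path_regex(normalize(r"C:\Users\Admin\AppData\Local\Temp\55ED.tmp\55FD.tmp\55FE.bat")).pattern)
```

The win7 run records ll.exe without a drive letter and the two runs use different user-profile and temp names, so without the normalisation step the same file would be counted twice and nothing would look stable; after it, four payload hashes survive as indicators and the batch file gets a path pattern instead of a literal path.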