Analysis Overview
SHA256
e7c017101889f4560a4762d9d8ec6d52df0fd547cc304789c8ecdfb585a52fac
Threat Level: Known bad
The file fe322d3f592d0d527909c78b19c9723c_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
CyberGate, Rebhip
Adds policy Run key to start application
Modifies Installed Components in the registry
UPX packed file
Adds Run key to start application
Program crash
Unsigned PE
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2024-04-21 02:15
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-21 02:15
Reported
2024-04-21 02:17
Platform
win10v2004-20240412-en
Max time kernel
148s
Max time network
154s
Command Line
Signatures
CyberGate, Rebhip
Adds policy Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\fe322d3f592d0d527909c78b19c9723c_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Users\\Admin\\AppData\\Local\\Temp\\fe322d3f592d0d527909c78b19c9723c_JaffaCakes118.exe" | C:\Users\Admin\AppData\Local\Temp\fe322d3f592d0d527909c78b19c9723c_JaffaCakes118.exe | N/A |
Modifies Installed Components in the registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{57W8XE75-QVS0-3EQK-S03K-8K83IMX8LU7U} | C:\Users\Admin\AppData\Local\Temp\fe322d3f592d0d527909c78b19c9723c_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{57W8XE75-QVS0-3EQK-S03K-8K83IMX8LU7U}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\Temp\\fe322d3f592d0d527909c78b19c9723c_JaffaCakes118.exe Restart" | C:\Users\Admin\AppData\Local\Temp\fe322d3f592d0d527909c78b19c9723c_JaffaCakes118.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Local\\Temp\\fe322d3f592d0d527909c78b19c9723c_JaffaCakes118.exe" | C:\Users\Admin\AppData\Local\Temp\fe322d3f592d0d527909c78b19c9723c_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\fe322d3f592d0d527909c78b19c9723c_JaffaCakes118.exe" | C:\Users\Admin\AppData\Local\Temp\fe322d3f592d0d527909c78b19c9723c_JaffaCakes118.exe | N/A |
Program crash
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\fe322d3f592d0d527909c78b19c9723c_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\fe322d3f592d0d527909c78b19c9723c_JaffaCakes118.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\fe322d3f592d0d527909c78b19c9723c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fe322d3f592d0d527909c78b19c9723c_JaffaCakes118.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3224 -ip 3224
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3224 -s 544
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 3224 -ip 3224
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3224 -s 552
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| BE | 2.17.197.240:80 | | tcp |
| US | 8.8.8.8:53 | 67.32.209.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.114.53.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.173.246.72.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 24.139.73.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 119.110.54.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.251.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
Files
memory/3224-1-0x0000000000400000-0x0000000000459000-memory.dmp
memory/3224-2-0x0000000000600000-0x0000000000604000-memory.dmp
memory/3224-3-0x0000000002200000-0x0000000002225000-memory.dmp
memory/3224-4-0x0000000002510000-0x0000000002520000-memory.dmp
memory/3224-5-0x0000000002700000-0x0000000002710000-memory.dmp
memory/3224-6-0x0000000077302000-0x0000000077303000-memory.dmp
memory/3224-7-0x0000000002310000-0x0000000002320000-memory.dmp
memory/3224-8-0x0000000077303000-0x0000000077304000-memory.dmp
memory/3224-9-0x0000000002510000-0x0000000002520000-memory.dmp
memory/3224-10-0x0000000000400000-0x0000000000459000-memory.dmp
memory/3224-12-0x0000000000400000-0x0000000000459000-memory.dmp
memory/3224-13-0x0000000002200000-0x0000000002225000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-21 02:15
Reported
2024-04-21 02:17
Platform
win7-20240221-en
Max time kernel
121s
Max time network
126s
Command Line
Signatures
CyberGate, Rebhip
Adds policy Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\fe322d3f592d0d527909c78b19c9723c_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Users\\Admin\\AppData\\Local\\Temp\\fe322d3f592d0d527909c78b19c9723c_JaffaCakes118.exe" | C:\Users\Admin\AppData\Local\Temp\fe322d3f592d0d527909c78b19c9723c_JaffaCakes118.exe | N/A |
Modifies Installed Components in the registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{57W8XE75-QVS0-3EQK-S03K-8K83IMX8LU7U} | C:\Users\Admin\AppData\Local\Temp\fe322d3f592d0d527909c78b19c9723c_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{57W8XE75-QVS0-3EQK-S03K-8K83IMX8LU7U}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\Temp\\fe322d3f592d0d527909c78b19c9723c_JaffaCakes118.exe Restart" | C:\Users\Admin\AppData\Local\Temp\fe322d3f592d0d527909c78b19c9723c_JaffaCakes118.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Local\\Temp\\fe322d3f592d0d527909c78b19c9723c_JaffaCakes118.exe" | C:\Users\Admin\AppData\Local\Temp\fe322d3f592d0d527909c78b19c9723c_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\fe322d3f592d0d527909c78b19c9723c_JaffaCakes118.exe" | C:\Users\Admin\AppData\Local\Temp\fe322d3f592d0d527909c78b19c9723c_JaffaCakes118.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\fe322d3f592d0d527909c78b19c9723c_JaffaCakes118.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\fe322d3f592d0d527909c78b19c9723c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fe322d3f592d0d527909c78b19c9723c_JaffaCakes118.exe"
Network
Files
memory/2756-0-0x0000000000400000-0x0000000000459000-memory.dmp
memory/2756-1-0x00000000003B0000-0x00000000003B4000-memory.dmp
memory/2756-3-0x0000000001F60000-0x0000000001F70000-memory.dmp
memory/2756-4-0x00000000775B0000-0x00000000775B1000-memory.dmp
memory/2756-2-0x00000000005F0000-0x0000000000615000-memory.dmp
memory/2756-5-0x00000000775AF000-0x00000000775B0000-memory.dmp
memory/2756-7-0x00000000775B1000-0x00000000775B2000-memory.dmp
memory/2756-8-0x0000000001F10000-0x0000000001F20000-memory.dmp
memory/2756-6-0x0000000000800000-0x0000000000810000-memory.dmp
memory/2756-9-0x0000000000400000-0x0000000000459000-memory.dmp
memory/2756-12-0x00000000005F0000-0x0000000000615000-memory.dmp
memory/2756-11-0x0000000000400000-0x0000000000459000-memory.dmp