Analysis Overview
SHA256
8b0122198f51599af74f7e40783bf8f8273e8c5bd1a0e0747161bb3fb74bff75
Threat Level: Known bad
The file 1e631e7635702a857b490331d7d0a8e4_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
GandCrab payload
Gandcrab
Adds Run key to start application
Enumerates connected drives
Unsigned PE
Program crash
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookAW
Suspicious use of WriteProcessMemory
Checks processor information in registry
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported: 2024-05-06 21:12
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted: 2024-05-06 21:12
Reported: 2024-05-06 21:15
Platform: win7-20240419-en
Max time kernel: 140s
Max time network: 118s
Command Line
Signatures
GandCrab payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Gandcrab
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\wgsytzejvpg = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\xmxlpu.exe\"" | C:\Users\Admin\AppData\Local\Temp\1e631e7635702a857b490331d7d0a8e4_JaffaCakes118.exe | N/A |
Enumerates connected drives
Program crash
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\1e631e7635702a857b490331d7d0a8e4_JaffaCakes118.exe |
Checks processor information in registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\1e631e7635702a857b490331d7d0a8e4_JaffaCakes118.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Users\Admin\AppData\Local\Temp\1e631e7635702a857b490331d7d0a8e4_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\1e631e7635702a857b490331d7d0a8e4_JaffaCakes118.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1e631e7635702a857b490331d7d0a8e4_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1e631e7635702a857b490331d7d0a8e4_JaffaCakes118.exe | N/A |
Suspicious use of SetWindowsHookAW
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 2052 wrote to memory of 2676 | N/A | C:\Users\Admin\AppData\Local\Temp\1e631e7635702a857b490331d7d0a8e4_JaffaCakes118.exe | C:\Windows\SysWOW64\WerFault.exe |
| PID 2052 wrote to memory of 2676 | N/A | C:\Users\Admin\AppData\Local\Temp\1e631e7635702a857b490331d7d0a8e4_JaffaCakes118.exe | C:\Windows\SysWOW64\WerFault.exe |
| PID 2052 wrote to memory of 2676 | N/A | C:\Users\Admin\AppData\Local\Temp\1e631e7635702a857b490331d7d0a8e4_JaffaCakes118.exe | C:\Windows\SysWOW64\WerFault.exe |
| PID 2052 wrote to memory of 2676 | N/A | C:\Users\Admin\AppData\Local\Temp\1e631e7635702a857b490331d7d0a8e4_JaffaCakes118.exe | C:\Windows\SysWOW64\WerFault.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\1e631e7635702a857b490331d7d0a8e4_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1e631e7635702a857b490331d7d0a8e4_JaffaCakes118.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2052 -s 736
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | ipv4bot.whatismyipaddress.com | udp |
Files
memory/2052-2-0x0000000001E20000-0x0000000001E37000-memory.dmp
memory/2052-1-0x0000000000400000-0x0000000000430000-memory.dmp
memory/2052-6-0x0000000000400000-0x0000000000430000-memory.dmp
memory/2052-5-0x0000000000400000-0x0000000000428000-memory.dmp
memory/2052-4-0x0000000000230000-0x0000000000330000-memory.dmp
memory/2052-14-0x0000000000230000-0x0000000000330000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted: 2024-05-06 21:12
Reported: 2024-05-06 21:15
Platform: win10v2004-20240419-en
Max time kernel: 129s
Max time network: 98s
Command Line
Signatures
GandCrab payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Gandcrab
Program crash
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\1e631e7635702a857b490331d7d0a8e4_JaffaCakes118.exe |
Suspicious use of SetWindowsHookAW
Processes
C:\Users\Admin\AppData\Local\Temp\1e631e7635702a857b490331d7d0a8e4_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1e631e7635702a857b490331d7d0a8e4_JaffaCakes118.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 1400 -ip 1400
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1400 -s 460
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 91.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| BE | 88.221.83.218:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 218.83.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.121.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 82.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 49.15.97.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
Files
memory/1400-1-0x0000000000400000-0x0000000000430000-memory.dmp
memory/1400-4-0x0000000000580000-0x0000000000680000-memory.dmp
memory/1400-5-0x0000000000400000-0x0000000000428000-memory.dmp
memory/1400-2-0x0000000002210000-0x0000000002227000-memory.dmp