Analysis Overview
SHA256
4d3341852934062b81cc8c0f6c3b1b0c76594998b1ef74a31caf79382790c1eb
Threat Level: Known bad
The file 2e448c667bcf8ad88fe4348710d16538_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
Privateloader family
PrivateLoader
Executes dropped EXE
Loads dropped DLL
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-05-10 08:39
Signatures
Privateloader family
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-10 08:39
Reported
2024-05-10 08:42
Platform
win7-20240221-en
Max time kernel
120s
Max time network
121s
Command Line
Signatures
PrivateLoader
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\{04301CC6-F813-4C94-A5C3-6BC87EE3574D}\2e448c667bcf8ad88fe4348710d16538_JaffaCakes118.exe | N/A |
Loads dropped DLL
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\{04301CC6-F813-4C94-A5C3-6BC87EE3574D}\2e448c667bcf8ad88fe4348710d16538_JaffaCakes118.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2e448c667bcf8ad88fe4348710d16538_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2e448c667bcf8ad88fe4348710d16538_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\{04301CC6-F813-4C94-A5C3-6BC87EE3574D}\2e448c667bcf8ad88fe4348710d16538_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\{04301CC6-F813-4C94-A5C3-6BC87EE3574D}\2e448c667bcf8ad88fe4348710d16538_JaffaCakes118.exe /q"C:\Users\Admin\AppData\Local\Temp\2e448c667bcf8ad88fe4348710d16538_JaffaCakes118.exe" /tempdisk1folder"C:\Users\Admin\AppData\Local\Temp\{04301CC6-F813-4C94-A5C3-6BC87EE3574D}" /IS_temp
Network
Files
C:\Users\Admin\AppData\Local\Temp\~26F3.tmp
| MD5 | 8fa3208d5b60ec974c2ddb2781842837 |
| SHA1 | 711a3b383d096261edd8be9c1fd19ea2458b356f |
| SHA256 | 48bc610ceb7407469ed19e7a90cc9739856000e71183ed9cabde7ca798766606 |
| SHA512 | e806bd270eba89de21b5f30f07fb49b9c1e2a3f9f88b43ac8a7d9650fee52f44376221d222ad0d339b18a38924fb9c05f3bf0ee741e1d3af376bbf24c9dfcf53 |
\Users\Admin\AppData\Local\Temp\{04301CC6-F813-4C94-A5C3-6BC87EE3574D}\2e448c667bcf8ad88fe4348710d16538_JaffaCakes118.exe
| MD5 | 2e448c667bcf8ad88fe4348710d16538 |
| SHA1 | 8064fbca3b789366511fb3c87a9582e43b349e88 |
| SHA256 | 4d3341852934062b81cc8c0f6c3b1b0c76594998b1ef74a31caf79382790c1eb |
| SHA512 | e24360da0a24d0ef56d67a1601d1909e925e2b9c519be08fecf535db3ea14ecd8441596991f02b953858d6c2525fa900ed34f9bd44bac308212346101cf584d4 |
C:\Users\Admin\AppData\Local\Temp\{04301CC6-F813-4C94-A5C3-6BC87EE3574D}\_ISMSIDEL.INI
| MD5 | 96739555b12a230d46deaef794ac97c3 |
| SHA1 | 4ffdeb148fb1b94e21cd8377aab8e75df7a60ec6 |
| SHA256 | cf70df7cb299f916118f1b2a3e714195abc173a4577e656dd38cefc2b95f5f64 |
| SHA512 | fde11f578f94075be14b6a2bae99b4c87054bdb6787237a547b9fbebc8c605473b74364569a4306c3b2864c884a7bc9b02977f0e7e891e0e1416ed5c1b121088 |
C:\Users\Admin\AppData\Local\Temp\{04301CC6-F813-4C94-A5C3-6BC87EE3574D}\0x0411.ini
| MD5 | 76d722f8c2ba980e0f1ed27d09bb0da9 |
| SHA1 | 313c885aa60959817b1cd9923d6ea0a780cf540f |
| SHA256 | 01b8625a29db41e0a190c0634ef3ee4f0878d2b56c92a407018b97bdf4ed7e7d |
| SHA512 | e60d12477299892a93c596757c435f58b1818fd0b3cf154c822cd6f96249610cad7eb7e7f63fca563b401eab1296b4a7831377fb32c9437a3a506405e1b8a5f5 |
\Users\Admin\AppData\Local\Temp\_is27ED..dll
| MD5 | 0ce4d3bd306da6d1f6f233c403f5b667 |
| SHA1 | 15dd2e31c5e9dc223befc5cfb6ca01737b262412 |
| SHA256 | 6428ad0bd3732a2038cd372a06563e84f33dcdab4e2b203b3f75be678690dcad |
| SHA512 | 4275103c2148945e0ea7afc666402c3fa37b6443fb298fb40d668269694057b394fc23e1aeac99236e3ffee1a05ecb3ae2d394df9ad219bc7b6bd67412670ae9 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-10 08:39
Reported
2024-05-10 08:42
Platform
win10v2004-20240508-en
Max time kernel
125s
Max time network
126s
Command Line
Signatures
PrivateLoader
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\{3B15E32B-A8F1-46CE-A3AC-ECF1464390D2}\2e448c667bcf8ad88fe4348710d16538_JaffaCakes118.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2e448c667bcf8ad88fe4348710d16538_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2e448c667bcf8ad88fe4348710d16538_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\{3B15E32B-A8F1-46CE-A3AC-ECF1464390D2}\2e448c667bcf8ad88fe4348710d16538_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\{3B15E32B-A8F1-46CE-A3AC-ECF1464390D2}\2e448c667bcf8ad88fe4348710d16538_JaffaCakes118.exe /q"C:\Users\Admin\AppData\Local\Temp\2e448c667bcf8ad88fe4348710d16538_JaffaCakes118.exe" /tempdisk1folder"C:\Users\Admin\AppData\Local\Temp\{3B15E32B-A8F1-46CE-A3AC-ECF1464390D2}" /IS_temp
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3980,i,13281073920029625837,8253721632651544158,262144 --variations-seed-version --mojo-platform-channel-handle=4488 /prefetch:8
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 146.177.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| NL | 23.62.61.139:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 139.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 17.173.189.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\~E36D.tmp
| MD5 | 8fa3208d5b60ec974c2ddb2781842837 |
| SHA1 | 711a3b383d096261edd8be9c1fd19ea2458b356f |
| SHA256 | 48bc610ceb7407469ed19e7a90cc9739856000e71183ed9cabde7ca798766606 |
| SHA512 | e806bd270eba89de21b5f30f07fb49b9c1e2a3f9f88b43ac8a7d9650fee52f44376221d222ad0d339b18a38924fb9c05f3bf0ee741e1d3af376bbf24c9dfcf53 |
C:\Users\Admin\AppData\Local\Temp\{3B15E32B-A8F1-46CE-A3AC-ECF1464390D2}\2e448c667bcf8ad88fe4348710d16538_JaffaCakes118.exe
| MD5 | 2e448c667bcf8ad88fe4348710d16538 |
| SHA1 | 8064fbca3b789366511fb3c87a9582e43b349e88 |
| SHA256 | 4d3341852934062b81cc8c0f6c3b1b0c76594998b1ef74a31caf79382790c1eb |
| SHA512 | e24360da0a24d0ef56d67a1601d1909e925e2b9c519be08fecf535db3ea14ecd8441596991f02b953858d6c2525fa900ed34f9bd44bac308212346101cf584d4 |
C:\Users\Admin\AppData\Local\Temp\{3B15E32B-A8F1-46CE-A3AC-ECF1464390D2}\_ISMSIDEL.INI
| MD5 | 4f5fa1a0a56656296d66c8bbd9e60a03 |
| SHA1 | e64a035924d52ecc9b127c8ca2f149e396f048c6 |
| SHA256 | 1422474bc3edd78ffc24c682e441674197f55cfe3da0af0c7b76f1e905faa382 |
| SHA512 | 6afaf1a38ce87c36ca53e8155ec91718fb483e6e5075b541bdab1cdf5060d6eaf7f5b84314b399f8a1178b9757ea762c25a2d2e38677c337448ef3a02ab9a1a7 |
C:\Users\Admin\AppData\Local\Temp\{3B15E32B-A8F1-46CE-A3AC-ECF1464390D2}\0x0411.ini
| MD5 | 76d722f8c2ba980e0f1ed27d09bb0da9 |
| SHA1 | 313c885aa60959817b1cd9923d6ea0a780cf540f |
| SHA256 | 01b8625a29db41e0a190c0634ef3ee4f0878d2b56c92a407018b97bdf4ed7e7d |
| SHA512 | e60d12477299892a93c596757c435f58b1818fd0b3cf154c822cd6f96249610cad7eb7e7f63fca563b401eab1296b4a7831377fb32c9437a3a506405e1b8a5f5 |