Analysis Overview
SHA256
7196d74bc1fefdbabd1ede86ecd8377a18506c19b2fe8e951f05d40472163faf
Threat Level: Known bad
The file 5757ca615eb774a7f5f4d16777824ac6_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
Gozi
Loads dropped DLL
Suspicious use of SetThreadContext
Unsigned PE
Enumerates physical storage devices
Program crash
NSIS installer
Suspicious use of WriteProcessMemory
Suspicious behavior: MapViewOfSection
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-18 23:16
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
NSIS installer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-18 23:16
Reported
2024-05-18 23:18
Platform
win10v2004-20240426-en
Max time kernel
138s
Max time network
137s
Command Line
Signatures
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5757ca615eb774a7f5f4d16777824ac6_JaffaCakes118.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\5757ca615eb774a7f5f4d16777824ac6_JaffaCakes118.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1132 wrote to memory of 5000 | N/A | C:\Users\Admin\AppData\Local\Temp\5757ca615eb774a7f5f4d16777824ac6_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\5757ca615eb774a7f5f4d16777824ac6_JaffaCakes118.exe |
| PID 1132 wrote to memory of 5000 | N/A | C:\Users\Admin\AppData\Local\Temp\5757ca615eb774a7f5f4d16777824ac6_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\5757ca615eb774a7f5f4d16777824ac6_JaffaCakes118.exe |
| PID 1132 wrote to memory of 5000 | N/A | C:\Users\Admin\AppData\Local\Temp\5757ca615eb774a7f5f4d16777824ac6_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\5757ca615eb774a7f5f4d16777824ac6_JaffaCakes118.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\5757ca615eb774a7f5f4d16777824ac6_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\5757ca615eb774a7f5f4d16777824ac6_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\5757ca615eb774a7f5f4d16777824ac6_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\5757ca615eb774a7f5f4d16777824ac6_JaffaCakes118.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1132 -ip 1132
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1132 -s 1424
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 91.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.61.62.23.in-addr.arpa | udp |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| BE | 2.21.17.194:80 | www.microsoft.com | tcp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.17.21.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 82.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\nsl888A.tmp\System.dll
| MD5 | fbe295e5a1acfbd0a6271898f885fe6a |
| SHA1 | d6d205922e61635472efb13c2bb92c9ac6cb96da |
| SHA256 | a1390a78533c47e55cc364e97af431117126d04a7faed49390210ea3e89dd0e1 |
| SHA512 | 2cb596971e504eaf1ce8e3f09719ebfb3f6234cea5ca7b0d33ec7500832ff4b97ec2bbe15a1fbf7e6a5b02c59db824092b9562cd8991f4d027feab6fd3177b06 |
Analysis: behavioral3
Detonation Overview
Submitted
2024-05-18 23:16
Reported
2024-05-18 23:18
Platform
win7-20240221-en
Max time kernel
121s
Max time network
123s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2392 -s 220
Network
Files
Analysis: behavioral4
Detonation Overview
Submitted
2024-05-18 23:16
Reported
2024-05-18 23:18
Platform
win10v2004-20240508-en
Max time kernel
147s
Max time network
134s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3204 wrote to memory of 3368 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3204 wrote to memory of 3368 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3204 wrote to memory of 3368 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 3368 -ip 3368
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3368 -s 612
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4068,i,1809100026287847100,9768898026582633513,262144 --variations-seed-version --mojo-platform-channel-handle=4072 /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 82.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 194.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
Files
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-18 23:16
Reported
2024-05-18 23:18
Platform
win7-20240419-en
Max time kernel
142s
Max time network
119s
Command Line
Signatures
Gozi
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5757ca615eb774a7f5f4d16777824ac6_JaffaCakes118.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3012 set thread context of 2784 | N/A | C:\Users\Admin\AppData\Local\Temp\5757ca615eb774a7f5f4d16777824ac6_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\5757ca615eb774a7f5f4d16777824ac6_JaffaCakes118.exe |
Enumerates physical storage devices
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5757ca615eb774a7f5f4d16777824ac6_JaffaCakes118.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\5757ca615eb774a7f5f4d16777824ac6_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\5757ca615eb774a7f5f4d16777824ac6_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\5757ca615eb774a7f5f4d16777824ac6_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\5757ca615eb774a7f5f4d16777824ac6_JaffaCakes118.exe"
Network
Files
\Users\Admin\AppData\Local\Temp\nso5449.tmp\System.dll
| MD5 | fbe295e5a1acfbd0a6271898f885fe6a |
| SHA1 | d6d205922e61635472efb13c2bb92c9ac6cb96da |
| SHA256 | a1390a78533c47e55cc364e97af431117126d04a7faed49390210ea3e89dd0e1 |
| SHA512 | 2cb596971e504eaf1ce8e3f09719ebfb3f6234cea5ca7b0d33ec7500832ff4b97ec2bbe15a1fbf7e6a5b02c59db824092b9562cd8991f4d027feab6fd3177b06 |
memory/2784-7-0x0000000000400000-0x000000000044B000-memory.dmp
memory/2784-8-0x0000000000400000-0x000000000044B000-memory.dmp
memory/2784-9-0x0000000000400000-0x000000000044B000-memory.dmp
memory/2784-13-0x00000000004C0000-0x000000000050A000-memory.dmp
memory/2784-20-0x00000000004C0000-0x000000000050A000-memory.dmp