Analysis Overview
SHA256
e38b747e4471c735595380e305ef129d9fe30fc1553a3b57f8fead90103b70a9
Threat Level: Shows suspicious behavior
The file 7537489da01bea89ffa97bfbc4b2ff2d_JaffaCakes118 was found to be: Shows suspicious behavior.
Malicious Activity Summary
Deletes itself
AutoIT Executable
Unsigned PE
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-26 10:42
Signatures
AutoIT Executable
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-26 10:42
Reported
2024-05-26 10:44
Platform
win7-20231129-en
Max time kernel
122s
Max time network
123s
Command Line
Signatures
Deletes itself
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
AutoIT Executable
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 1848 wrote to memory of 2616 | N/A | C:\Users\Admin\AppData\Local\Temp\7537489da01bea89ffa97bfbc4b2ff2d_JaffaCakes118.exe | C:\Windows\SysWOW64\cmd.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\7537489da01bea89ffa97bfbc4b2ff2d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\7537489da01bea89ffa97bfbc4b2ff2d_JaffaCakes118.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\s.cmd
Network
Files
memory/1848-0-0x0000000000400000-0x00000000004AA000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\s.cmd
| Hash | Value |
|---|---|
| MD5 | aa97b8f1eecbedbbc6334656c67e2d85 |
| SHA1 | 599445599703a24e0961760e6af6583f07098e16 |
| SHA256 | a6d52cd8385ea24bc623a26fea989f59def21e3695cc3dbe4b6a5045547e46cd |
| SHA512 | 8f94b67bed2d71f35600faedbd5e82c428f246df5df29e0c765e2a53b255a1df0d4bf72c69915959ce4ea244898b3d098898bd6f09670b4f457c775ea737aa05 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-26 10:42
Reported
2024-05-26 10:44
Platform
win10v2004-20240508-en
Max time kernel
131s
Max time network
151s
Command Line
Signatures
AutoIT Executable
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 3992 wrote to memory of 3512 | N/A | C:\Users\Admin\AppData\Local\Temp\7537489da01bea89ffa97bfbc4b2ff2d_JaffaCakes118.exe | C:\Windows\SysWOW64\cmd.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\7537489da01bea89ffa97bfbc4b2ff2d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\7537489da01bea89ffa97bfbc4b2ff2d_JaffaCakes118.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\s.cmd
Network
Files
memory/3992-0-0x0000000000400000-0x00000000004AA000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\s.cmd
| Hash | Value |
|---|---|
| MD5 | aa97b8f1eecbedbbc6334656c67e2d85 |
| SHA1 | 599445599703a24e0961760e6af6583f07098e16 |
| SHA256 | a6d52cd8385ea24bc623a26fea989f59def21e3695cc3dbe4b6a5045547e46cd |
| SHA512 | 8f94b67bed2d71f35600faedbd5e82c428f246df5df29e0c765e2a53b255a1df0d4bf72c69915959ce4ea244898b3d098898bd6f09670b4f457c775ea737aa05 |