Analysis Overview
| SHA256 | cfaf57d9ec003548a67e238b83b43a8f665963bdca897e18890b82cc367c5f0e |
Threat Level: Shows suspicious behavior
The file 802b6def10fcec61c933514d0ea879f5_JaffaCakes118 was found to be: Shows suspicious behavior.
Malicious Activity Summary
UPX packed file
Executes dropped EXE
Drops file in Windows directory
Unsigned PE
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
| Reported | 2024-05-29 08:53 |
Signatures
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
| Submitted | 2024-05-29 08:53 |
| Reported | 2024-05-29 08:56 |
| Platform | win7-20240221-en |
| Max time kernel | 140s |
| Max time network | 118s |
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\IFinst27.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\IFinst27.exe | C:\Users\Admin\AppData\Local\Temp\802b6def10fcec61c933514d0ea879f5_JaffaCakes118.exe | N/A |
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1964 wrote to memory of 1616 | N/A | C:\Users\Admin\AppData\Local\Temp\802b6def10fcec61c933514d0ea879f5_JaffaCakes118.exe | C:\Windows\IFinst27.exe |
| PID 1964 wrote to memory of 1616 | N/A | C:\Users\Admin\AppData\Local\Temp\802b6def10fcec61c933514d0ea879f5_JaffaCakes118.exe | C:\Windows\IFinst27.exe |
| PID 1964 wrote to memory of 1616 | N/A | C:\Users\Admin\AppData\Local\Temp\802b6def10fcec61c933514d0ea879f5_JaffaCakes118.exe | C:\Windows\IFinst27.exe |
| PID 1964 wrote to memory of 1616 | N/A | C:\Users\Admin\AppData\Local\Temp\802b6def10fcec61c933514d0ea879f5_JaffaCakes118.exe | C:\Windows\IFinst27.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\802b6def10fcec61c933514d0ea879f5_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\802b6def10fcec61c933514d0ea879f5_JaffaCakes118.exe"
C:\Windows\IFinst27.exe
"C:\Windows\IFinst27.exe" -IC:\Users\Admin\AppData\Local\Temp\802b6def10fcec61c933514d0ea879f5_JaffaCakes118.exe
Files
memory/1964-0-0x0000000000400000-0x000000000042B000-memory.dmp
memory/1964-3-0x00000000003D0000-0x00000000003FB000-memory.dmp
C:\Windows\IFinst27.exe
| MD5 | 9c17bca3ef837bacded7e4299508e71d |
| SHA1 | 253c7e956ad6cb66e0e47e5d9a6a19d78e9c96e0 |
| SHA256 | 2405e5479aeb7d43d1362969b9c439e5931b8f900f9adfe0faaa986365415193 |
| SHA512 | 12c1c5dbdf763d6d361b9d412794b0d85b6134843114120b843f30db198a3a211e2c06eadd3ed25271b4cd06a7367df7dafc6b9b33b1bce479f3ad050caeb625 |
memory/1616-11-0x0000000000400000-0x000000000042B000-memory.dmp
memory/1964-9-0x00000000003D0000-0x00000000003FB000-memory.dmp
memory/1964-8-0x0000000000400000-0x000000000042B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_ifB47.tmp
| MD5 | 685dbe0f65c1c68721bfdd2b922ba22d |
| SHA1 | 7b0ed045ce0baa6ba0089d27cdf0306c05542762 |
| SHA256 | 73593e971c7a00dc7638b1e2c9427c1fbe8ae37f3c308d28d7f8b0ccfab27050 |
| SHA512 | 6d7d95073b14b336bfe9af9aafe2ee8c2e60e0a80fb1e0fa36b99c756d7d099b3a2d5e4276465fd5faa39592130af7e1539720bc8a5a5624b5171ddd1885ce8f |
memory/1616-39-0x0000000000400000-0x000000000042B000-memory.dmp
memory/1964-41-0x00000000003D0000-0x00000000003FB000-memory.dmp
Analysis: behavioral2
Detonation Overview
| Submitted | 2024-05-29 08:53 |
| Reported | 2024-05-29 08:56 |
| Platform | win10v2004-20240508-en |
| Max time kernel | 149s |
| Max time network | 153s |
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\IFinst27.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\IFinst27.exe | C:\Users\Admin\AppData\Local\Temp\802b6def10fcec61c933514d0ea879f5_JaffaCakes118.exe | N/A |
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2356 wrote to memory of 3224 | N/A | C:\Users\Admin\AppData\Local\Temp\802b6def10fcec61c933514d0ea879f5_JaffaCakes118.exe | C:\Windows\IFinst27.exe |
| PID 2356 wrote to memory of 3224 | N/A | C:\Users\Admin\AppData\Local\Temp\802b6def10fcec61c933514d0ea879f5_JaffaCakes118.exe | C:\Windows\IFinst27.exe |
| PID 2356 wrote to memory of 3224 | N/A | C:\Users\Admin\AppData\Local\Temp\802b6def10fcec61c933514d0ea879f5_JaffaCakes118.exe | C:\Windows\IFinst27.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\802b6def10fcec61c933514d0ea879f5_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\802b6def10fcec61c933514d0ea879f5_JaffaCakes118.exe"
C:\Windows\IFinst27.exe
"C:\Windows\IFinst27.exe" -IC:\Users\Admin\AppData\Local\Temp\802b6def10fcec61c933514d0ea879f5_JaffaCakes118.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 138.32.126.40.in-addr.arpa | udp |
| NL | 23.62.61.179:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 179.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.73.42.20.in-addr.arpa | udp |
Files
memory/2356-0-0x0000000000400000-0x000000000042B000-memory.dmp
C:\Windows\IFinst27.exe
| MD5 | 9c17bca3ef837bacded7e4299508e71d |
| SHA1 | 253c7e956ad6cb66e0e47e5d9a6a19d78e9c96e0 |
| SHA256 | 2405e5479aeb7d43d1362969b9c439e5931b8f900f9adfe0faaa986365415193 |
| SHA512 | 12c1c5dbdf763d6d361b9d412794b0d85b6134843114120b843f30db198a3a211e2c06eadd3ed25271b4cd06a7367df7dafc6b9b33b1bce479f3ad050caeb625 |
memory/2356-6-0x0000000000400000-0x000000000042B000-memory.dmp
memory/3224-7-0x0000000000400000-0x000000000042B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_if567C.tmp
| MD5 | 685dbe0f65c1c68721bfdd2b922ba22d |
| SHA1 | 7b0ed045ce0baa6ba0089d27cdf0306c05542762 |
| SHA256 | 73593e971c7a00dc7638b1e2c9427c1fbe8ae37f3c308d28d7f8b0ccfab27050 |
| SHA512 | 6d7d95073b14b336bfe9af9aafe2ee8c2e60e0a80fb1e0fa36b99c756d7d099b3a2d5e4276465fd5faa39592130af7e1539720bc8a5a5624b5171ddd1885ce8f |
memory/3224-35-0x0000000000400000-0x000000000042B000-memory.dmp