Malware Analysis Report

2025-01-06 07:48

Sample ID 240530-qc92pahf3z
Target 843ff6c878eeaba4d3c5a79f9486a028_JaffaCakes118
SHA256 00f3bef82540ede53d17a4aa6e1131fa8c48086747b5bf108a69ed05cf2e162f
Tags
evasion trojan
score
6/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
6/10

SHA256

00f3bef82540ede53d17a4aa6e1131fa8c48086747b5bf108a69ed05cf2e162f

Threat Level: Shows suspicious behavior

The file 843ff6c878eeaba4d3c5a79f9486a028_JaffaCakes118 was found to show suspicious behavior.

Malicious Activity Summary

evasion trojan

Checks whether UAC is enabled

Unsigned PE

Enumerates physical storage devices

Modifies Internet Explorer settings

Suspicious use of FindShellTrayWindow

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-30 13:08

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-30 13:08

Reported

2024-05-30 13:10

Platform

win7-20240220-en

Max time kernel

148s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\843ff6c878eeaba4d3c5a79f9486a028_JaffaCakes118.exe"

Signatures

Checks whether UAC is enabled

evasion trojan
Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\843ff6c878eeaba4d3c5a79f9486a028_JaffaCakes118.exe | N/A

Enumerates physical storage devices

Modifies Internet Explorer settings

adware spyware
Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000928a52db8e045d4fb8ed3f5faa5280af00000000020000000000106600000001000020000000ebf83378f4c5aee3b74590c3c89898ddaa76668aa94db81aae521d118620fb14000000000e800000000200002000000053c8d2e59b8741ca9068d11967d51d1e79f01b32f7114986709e17822b089c0620000000f63aa00ce179c7c480477da8ee5ab41d0c3d8557d38d577223fc8bb948e5591d400000008aa0e7266a478e7c1973caf5418a1959252f5bf37cd5878bde3e02fd3d3d3f99f989c738ca97b4178645689b59580d0e394f8a7e2d2d75e9146ae7d66abc2d2b | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\SearchScopes | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "423236363" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = b0e5a88192b2da01 | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = … | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{ACD95A81-1E85-11EF-831B-46E11F8BECEB} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main | C:\Users\Admin\AppData\Local\Temp\843ff6c878eeaba4d3c5a79f9486a028_JaffaCakes118.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\843ff6c878eeaba4d3c5a79f9486a028_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\843ff6c878eeaba4d3c5a79f9486a028_JaffaCakes118.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" http://www.regnow.com/softsell/visitor.cgi?affiliate=36566&action=site&vendor=15737&ref=http://d0.fenomen-games.com/files/lostinreefs.exe

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2600 CREDAT:275457 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.fenomen-games.com udp
US 8.8.8.8:53 www.regnow.com udp
US 45.60.33.126:80 www.regnow.com tcp
US 159.65.253.100:80 www.fenomen-games.com tcp
US 8.8.8.8:53 www.regnow.com udp
US 8.8.8.8:53 www.regnow.com udp
US 45.60.33.126:80 www.regnow.com tcp
US 45.60.33.126:80 www.regnow.com tcp
US 45.60.33.126:443 www.regnow.com tcp
US 45.60.33.126:443 www.regnow.com tcp
US 45.60.33.126:443 www.regnow.com tcp
US 45.60.33.126:443 www.regnow.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp

Files

memory/3036-0-0x0000000000400000-0x000000000055F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\FG.url

MD5 0fcf82b5a915470e8a79d3516f582a36
SHA1 75f81b41607905b231521243129aff3554a58db0
SHA256 076264d4f165cef82f0cb07f6795f1d5ffa74741a943fca42cdeac65823bcae4
SHA512 adf69ec56756fe672677b039cb44bb13fc3adfac569f5ea4eda4e7b35de5ebe0229c5825ca8337aa2c623a773bdf775ddd3689e9fae03a7af1f694576d954293

C:\Users\Admin\AppData\Local\Temp\Cab3B7C.tmp

MD5 ac05d27423a85adc1622c714f2cb6184
SHA1 b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256 c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

C:\Users\Admin\AppData\Local\Temp\Tar3C6E.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 432364f47a61499cad142743cfd45cf6
SHA1 a3a1385100f6d4b32c490fb3d2c976d7a3a2e936
SHA256 ef47f9ec134039d66da71b7477617054917fb3176e70aac92a1fa6e3ef3f6630
SHA512 c914c7c9dbc2c2fbc3c798b4017a499f67042a09c299736eab86eb0b22941e6362738ede8a18e61f53eba7834f33dcb428a442af07e782a9e4bce330cb8781cc

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 08e9e39fcbf96b9f0e1b55b09c71b66a
SHA1 913879da55ca91a6c438423d1b5147d33d110510
SHA256 18151348bcd728b9a52584c448dbc6ef8f29367639f88853fabe58ecb64370e5
SHA512 09a538c2fb60622f7929906e308035d3e87f53932a1d062eebb463f210dbff2f2eac4c8d7e22e94e4d9ad0bdd78318bd6af527c7a77cc595a3fd8d8c6c09d7b5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 bc912e02fdd41d59c224a2d510968685
SHA1 81a9162949519484a226f59c6f038c2080b20501
SHA256 6a302c5d2c3ef7145f34928be571bcb62181c1e21ca95cd1c222bb7b2d58fd91
SHA512 fb06d4216bbf3e6aeb2cc90e3ffa37f3ed560078e57d7f71e7060b871f809889d572efcb9da5d5dbeb47db55c8b24781a0fbea56e063ba86cef79d6dc583cfea

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 3127607d392e49a1adde26bef3779f8b
SHA1 a1a2b02925c5a02aa018fe1beca8a742af27494e
SHA256 f0a01c57f6d1631b07b91e89d8b1c8a65c3a8dab2a0348b98051759ffafe1584
SHA512 8fd231d6a506087bf768a615a72fde114ba5a86659b6fb70e472d279761d81ff8bee997a253fb4b4d8446a3d96d109e1cf84af7d880bded220a6ec57dac70205

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 899e13da549b11543b0d8830a66dab28
SHA1 f0b9b6a86df758f0eed46abe54d2676d0bb2c3b7
SHA256 0d96ffee1295bb7d20df6fa3d6fd575ca5dc0902b6093af139f864bcf48a9126
SHA512 57e4a4e110bd0708d95a9c76884c44e7231a283be5632bf9f310c018573ce34e206b6e29d63c4a93657a69a4ec1a31d1bafba3a06f3801715f9d37ea5ea768b3

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 d97377d0b3f5d71c507db77d6bc2ca13
SHA1 78daab70a8d7af66d63aeb33c30da4a47cffc47f
SHA256 432d409fb51efa05cb9d305140cadef7186ad78ce0fe424050a82a9b17058499
SHA512 f2edd6e91c90eec0bc7daac97e826187e0b72116a6f3a7ff2e1e789624def0dc8a4141fcaaa62d7c30034adc7c1ba03c273ac3f60fdbc49b2818d582f0e89db3

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 31e4c642025c3923fedf35a7d3f724ed
SHA1 a1af0bb5507ae0a3ddf115083523eea5453ea1ac
SHA256 208488273f4d4908e890a6884d1773b67656cbf24b71be6fc5a2fb70df310d1c
SHA512 a9a055f07fb7327576fe299e6ce1f604226eaf8b85b8d13121333ac77065c383347033956097ecca058db1f927aa4ce0d0d6aae1cee74bb31d103d6b3b65da1b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 93952e2760ee552a3ec05224611ad8af
SHA1 1e578708400c7cf3618cf9a483d3bebb7847dfb6
SHA256 1ad25c43a97966a3a26bf5d6c435801f533279b709afbfb5eabaf65fd228fb49
SHA512 e7ee88cc94f99c4d45ceb807f5186b96318258527e61804691de7f3789fc65844bf9f8eb81d5ed0953d6b3db1a249ff460d5e1a227b3069cd3f3af63088d45b6

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 44c90dc7cbb237ff49a8f29be585bc18
SHA1 d7b17d7b320a67bf05c6b90fc9059cb6653fb9a8
SHA256 8c9e2a50ee6e616a9c98da92539b702e497c56a09f494fccb9aedd70d7394c15
SHA512 5d087bc66dda4a6385d6652ea44caced6951d1aa9f31f2ad404bcfb7f43f5d61b02f78a7998e8222344918f95ba18e327df9c4b1d438050e829ce413c0aa1dfb

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 0ba71a83ab0f28925f59fb9de85f8fbc
SHA1 803f2e7d1c018d3d00752188a386fef4c96b45d4
SHA256 35c8b103024b39f75bf9d8de6ccc2a15e4da9be141f8ad7078775d4e879ac49e
SHA512 8e16abe3c8f46df3ece10fbb179911b8f438d37a1a89ca94d26fc956888360c102975da1216abdb70ac75cfe96285f22107ff035e3ae3d59638463600012ada0

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 0f08dcce33047223b648b7f952fadea2
SHA1 c87c87b695158cc4e7ded912d2228b23351ae92b
SHA256 afe1034c2ef649c2d8539c8119fbf05b0c215d9a26a077af3f4264992ca64b63
SHA512 d2e438c16b47795d86386b7c0d629a7fc563c01dea24698bb76b01a5b00a3082c73fc0da730ac95a62b7972c62c62331aae662eee52c68472ae00ceebc671dd7

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 d07e0d0d90c15ab78166a69d426fa699
SHA1 a441dcd0eda4cd213109d625d20334432eb5a6c8
SHA256 e9ac2713f658a88ae713ac132a8221780ef0e486ea20ba4aa52eb319e98ec0f0
SHA512 a74339dad7dc94c1f48368beec87c7199617666c96d487250e5521577956bd23c1f6ee12d7b0821369d5952a7021698e2c761840fa13cc4e663b64927ab33dd6

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 df1b28929b8ed3bafd5decb11b282e1b
SHA1 013dc292cd7f2c2e29e77a348f03612ac936f21c
SHA256 a5db982ebbf903ffcf7c382968c6739d2e3bff5ed1a608521429f58c6aa90150
SHA512 a5290fabbbcadeea35bd896b7f146bdb13c001657de2270d377f43f44fd2cc1aba05453a0680697d450bcb1aa1f72c77c739218362f7cfd1017c19cdfb7629fd

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 7985c78ca62289028ff2df91c89730ce
SHA1 0014b746fb018164777b0eb74371a2df8c7c1d1a
SHA256 4d53d548014e67bd53e33ec588bc844a0a12c563dddb6ffe71bc39e37e663951
SHA512 261a6ff8855376f90bf892d6e059ccc2a945c569aa24646288cc83c9c83058852686915941d68f4e2934a24ed79641a002865f27dc1adee1ecdd209b4d09ede8

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 6b3967baf1c195e5d2f534fea23b53ae
SHA1 28881bbb9a16f7023fdfa0a53857e59697d9c9ce
SHA256 c99388991b41326891443333a72d78468fcb9cd7a52ec7d31a00173293b4154a
SHA512 3c75cf7430455a799cc1a421556ce95c2880fe5a9118e3b55a13424ec781f6e40a1f0baa6a9a9d0982f58cf6ae87b3704c3bdf5109aed78c5c280b853e6ba290

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 216a87cade1d4e2d385385eb305efe2e
SHA1 079d693bf1a7714e1db61a4b6e3822f0be4ef629
SHA256 ca639a4cf63a43800df34034cef969d05406c363986a2bec9b769d8a4b467fd9
SHA512 a506548b42ea8f00ce55ca7716895da56ba74ade9517e234985345af074ac41ab1f2bf1c77b20974996be3f65d95ddfaa731ba2df8a3c810de860ce2b8393c44

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 d8e99dd070198731db88a9f4dd2e22c1
SHA1 16bd46be2ca9b4239b7699c539f2c57860fb880f
SHA256 da4514948ab62bb45b7ebf89d87e9d444fcc590dfb055dbf39125d89bfa42ffa
SHA512 483c5ee110b3c1315ef4a23d41db19ea168b0f383b36cec66f7615b48c3e30168cb525e6deacb6a54d9c7ea5195f34041542396d6bd6eac0c1c4be2b89255df6

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 4953632f92430da537ce573cd3104148
SHA1 b80685e36568544206ef2afb37bb42d91cca6a81
SHA256 734565d8495b5d9efd1b911e094e915817e6b1ac8de91bdccd53e5f4290c4776
SHA512 63375908ac26eecd191ff58c46b9a18320d71f8c909bb804215f2254151fae9b2dc4ad137e2eb67b0efcd4ff9afe9ff10eb1c6081fafed47313a46ce623ebb85

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 f488bfcb9272281ba6e9977874b13ae6
SHA1 14a90639774dac3b536f57660ad1dca09edfa979
SHA256 08abcdb79d162013903d8409534eb900e48c54f7d6895c211e9246c1e78ca6da
SHA512 11f314ada49bb90a7a259b94191c43f122b7fd52ceb158c41ae69965e08f8a708c5ee0e34a66b3e4570769b647ba381f6cb813ec5791fc3052f5a2f15dd28142

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 ad2347be8f7e9450b6c69f550c71dd3c
SHA1 7b1723f8d20c7f2f3351b44d88d61d95fe40b863
SHA256 61a0507c6196885a4e604aef72955f5e4f45ab2271fa0066b11b1e10824d1a7f
SHA512 d8706fe432e2ba34efc459d3bb82f2f5bfcd19e5598856149912f28da726de3fd32b1b8043c44df4ccd0e6b1b18167ec4709ef5f6486f25b868c7f3b373007e1

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-30 13:08

Reported

2024-05-30 13:10

Platform

win10v2004-20240508-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\843ff6c878eeaba4d3c5a79f9486a028_JaffaCakes118.exe"

Signatures

Checks whether UAC is enabled

evasion trojan
Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\843ff6c878eeaba4d3c5a79f9486a028_JaffaCakes118.exe | N/A

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\843ff6c878eeaba4d3c5a79f9486a028_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\843ff6c878eeaba4d3c5a79f9486a028_JaffaCakes118.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.fenomen-games.com udp
US 159.65.253.100:80 www.fenomen-games.com tcp
US 8.8.8.8:53 www.regnow.com udp
US 45.60.33.126:80 www.regnow.com tcp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 249.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 100.253.65.159.in-addr.arpa udp
US 8.8.8.8:53 126.33.60.45.in-addr.arpa udp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
BE 88.221.83.184:443 www.bing.com tcp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 184.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 20.121.18.2.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 3.173.189.20.in-addr.arpa udp

Files

memory/4580-0-0x0000000000400000-0x000000000055F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\FG.url

MD5 b32e479bd009ed83990c9673269a8679
SHA1 c90602796792d73b8e14df593d28c88639957537
SHA256 4da0710275fe2edc624ceae921dfed794450221c88daaac73467fc885cff1a3b
SHA512 d29415020d7ddc493ac36ad2351414523f9804f3031a50c6bfded58d8b9a83f13877ae73571e9dcc50eedd7014230196313dfab8618e587e118ae6ba4d94db12