Analysis Overview
SHA256
524233df22b5be7d949d962ee13011113d24978ff6ca5ca6dcc05cfa2fa8f75c
Threat Level: Shows suspicious behavior
The file 895b93515b3798e4567e50fda270ae04_JaffaCakes118 was found to show suspicious behavior.
Malicious Activity Summary
Executes dropped EXE
Reads user/profile data of web browsers
Checks whether UAC is enabled
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-01 04:25
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-01 04:25
Reported
2024-06-01 04:27
Platform
win7-20240215-en
Max time kernel
118s
Max time network
119s
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\LocalLow\cookieman.exe | N/A |
Reads user/profile data of web browsers
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\895b93515b3798e4567e50fda270ae04_JaffaCakes118.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\895b93515b3798e4567e50fda270ae04_JaffaCakes118.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\895b93515b3798e4567e50fda270ae04_JaffaCakes118.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\895b93515b3798e4567e50fda270ae04_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\895b93515b3798e4567e50fda270ae04_JaffaCakes118.exe"
C:\Users\Admin\AppData\LocalLow\cookieman.exe
"C:\Users\Admin\AppData\LocalLow\cookieman.exe" /mode=read 1-vinstaller.com
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 1-vinstaller.com | udp |
| US | 172.120.151.124:80 | 1-vinstaller.com | tcp |
| US | 172.120.151.124:80 | 1-vinstaller.com | tcp |
Files
C:\Users\Admin\AppData\LocalLow\cookieman.exe
| Hash | Value |
|---|---|
| MD5 | 159fa93d571585d6f50206447e8bf7b7 |
| SHA1 | a21d571e777f5f70026180ea8f5169fe576af8c0 |
| SHA256 | 01b7f78fa31081cc2b75225cb5720fbae4d3a47a7d4d097673beadd9abf967fd |
| SHA512 | 7d625268e65ef91ffdedceca411dcff3df4b8bf738a9bbac019c34e3e734221f3a6444229f0a3afc6c682693ecef25b1795779187a01a3a7c96e446fc96d74c1 |
C:\Users\Admin\AppData\LocalLow\cookie.ini
| Hash | Value |
|---|---|
| MD5 | 3f4519b56cb1e006dfe4341e72112913 |
| SHA1 | 0ff5675d359c898b6a6bdc1dff10f71097bc9927 |
| SHA256 | 125adf4924899f2026436c0919853bb78b718c7cb6f2187148b01938b79388a2 |
| SHA512 | 78c0961f0828f32032c643f0e6ab59d1ca8b96bb891a74b0b255e1a1a63a0c581f486e9e16b070399e6365d1fb53464eb2b723932480b41a2df5e9f1eb89ab40 |
C:\Users\Admin\AppData\Local\Temp\qs_419191e30\config.xml
| Hash | Value |
|---|---|
| MD5 | a4314c3565d400d9a0798c655f910147 |
| SHA1 | 3c677e37b2e9ec52fd8da3463cd2ddcf0f2e3670 |
| SHA256 | a36cc1a1319a0b44d969a449d3c4ce64e93653fa0d668e34e1dbc498e52cf7c1 |
| SHA512 | 1896758418433806f2ca0c6bfd7cf35a7f20a9ec678c04107928d9b2858bf092f9213b234d8333d2c15da76cf3e4706ca52cdc01d12c2b0fd90e27b26ab3f998 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-01 04:25
Reported
2024-06-01 04:28
Platform
win10v2004-20240508-en
Max time kernel
92s
Max time network
100s
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\LocalLow\cookieman.exe | N/A |
Reads user/profile data of web browsers
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\895b93515b3798e4567e50fda270ae04_JaffaCakes118.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\895b93515b3798e4567e50fda270ae04_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\895b93515b3798e4567e50fda270ae04_JaffaCakes118.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\895b93515b3798e4567e50fda270ae04_JaffaCakes118.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\895b93515b3798e4567e50fda270ae04_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\895b93515b3798e4567e50fda270ae04_JaffaCakes118.exe"
C:\Users\Admin\AppData\LocalLow\cookieman.exe
"C:\Users\Admin\AppData\LocalLow\cookieman.exe" /mode=read 1-vinstaller.com
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1-vinstaller.com | udp |
| US | 172.120.151.124:80 | 1-vinstaller.com | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 124.151.120.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 172.120.151.124:80 | 1-vinstaller.com | tcp |
| US | 8.8.8.8:53 | 82.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\LocalLow\cookieman.exe
| Hash | Value |
|---|---|
| MD5 | 159fa93d571585d6f50206447e8bf7b7 |
| SHA1 | a21d571e777f5f70026180ea8f5169fe576af8c0 |
| SHA256 | 01b7f78fa31081cc2b75225cb5720fbae4d3a47a7d4d097673beadd9abf967fd |
| SHA512 | 7d625268e65ef91ffdedceca411dcff3df4b8bf738a9bbac019c34e3e734221f3a6444229f0a3afc6c682693ecef25b1795779187a01a3a7c96e446fc96d74c1 |
C:\Users\Admin\AppData\LocalLow\cookie.ini
| Hash | Value |
|---|---|
| MD5 | 3f4519b56cb1e006dfe4341e72112913 |
| SHA1 | 0ff5675d359c898b6a6bdc1dff10f71097bc9927 |
| SHA256 | 125adf4924899f2026436c0919853bb78b718c7cb6f2187148b01938b79388a2 |
| SHA512 | 78c0961f0828f32032c643f0e6ab59d1ca8b96bb891a74b0b255e1a1a63a0c581f486e9e16b070399e6365d1fb53464eb2b723932480b41a2df5e9f1eb89ab40 |
C:\Users\Admin\AppData\Local\Temp\qs_4191f15a0\config.xml
| Hash | Value |
|---|---|
| MD5 | a4314c3565d400d9a0798c655f910147 |
| SHA1 | 3c677e37b2e9ec52fd8da3463cd2ddcf0f2e3670 |
| SHA256 | a36cc1a1319a0b44d969a449d3c4ce64e93653fa0d668e34e1dbc498e52cf7c1 |
| SHA512 | 1896758418433806f2ca0c6bfd7cf35a7f20a9ec678c04107928d9b2858bf092f9213b234d8333d2c15da76cf3e4706ca52cdc01d12c2b0fd90e27b26ab3f998 |