Analysis Overview
SHA256
611434b69ac665d2dd87a84f27534ff3911529c88d140498b0cae217d848c248
Threat Level: Shows suspicious behavior
The file 8b5b7d805218a6e2b4cc2f6e577baeb5_JaffaCakes118 was found to be: Shows suspicious behavior.
Malicious Activity Summary
Executes dropped EXE
Loads dropped DLL
Unsigned PE
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-06-01 18:26
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-01 18:26
Reported
2024-06-01 18:29
Platform
win7-20240419-en
Max time kernel
147s
Max time network
123s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-059PK.tmp\8b5b7d805218a6e2b4cc2f6e577baeb5_JaffaCakes118.tmp | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8b5b7d805218a6e2b4cc2f6e577baeb5_JaffaCakes118.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-059PK.tmp\8b5b7d805218a6e2b4cc2f6e577baeb5_JaffaCakes118.tmp | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\8b5b7d805218a6e2b4cc2f6e577baeb5_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\8b5b7d805218a6e2b4cc2f6e577baeb5_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\is-059PK.tmp\8b5b7d805218a6e2b4cc2f6e577baeb5_JaffaCakes118.tmp
"C:\Users\Admin\AppData\Local\Temp\is-059PK.tmp\8b5b7d805218a6e2b4cc2f6e577baeb5_JaffaCakes118.tmp" /SL5="$80122,12916863,95232,C:\Users\Admin\AppData\Local\Temp\8b5b7d805218a6e2b4cc2f6e577baeb5_JaffaCakes118.exe"
Network
Files
memory/1148-2-0x0000000000401000-0x000000000040C000-memory.dmp
memory/1148-0-0x0000000000400000-0x000000000041E000-memory.dmp
\Users\Admin\AppData\Local\Temp\is-059PK.tmp\8b5b7d805218a6e2b4cc2f6e577baeb5_JaffaCakes118.tmp
| MD5 | 7acaaba4c7d7f272e4b2b57bfda84db8 |
| SHA1 | 41c734d53b9ab1d34931e542ff837870cb0ef931 |
| SHA256 | f8e70f25e8b9f49ee6ac0874ec27749f80fabaf73980e7629ea193329b903499 |
| SHA512 | de9c89b60ed9f049233e9513b21e342edf27e7c797b0264df9d1fef61792d9f8b4b3ca39b6850196ea6bdb0dad7b6bf6606d3d078489462c5de67c0a48703603 |
memory/2220-8-0x0000000000400000-0x00000000004C7000-memory.dmp
memory/1148-10-0x0000000000400000-0x000000000041E000-memory.dmp
memory/2220-11-0x0000000000400000-0x00000000004C7000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-01 18:26
Reported
2024-06-01 18:29
Platform
win10v2004-20240426-en
Max time kernel
148s
Max time network
96s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-U3E9E.tmp\8b5b7d805218a6e2b4cc2f6e577baeb5_JaffaCakes118.tmp | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 4356 wrote to memory of 6016 | N/A | C:\Users\Admin\AppData\Local\Temp\8b5b7d805218a6e2b4cc2f6e577baeb5_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\is-U3E9E.tmp\8b5b7d805218a6e2b4cc2f6e577baeb5_JaffaCakes118.tmp |
| PID 4356 wrote to memory of 6016 | N/A | C:\Users\Admin\AppData\Local\Temp\8b5b7d805218a6e2b4cc2f6e577baeb5_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\is-U3E9E.tmp\8b5b7d805218a6e2b4cc2f6e577baeb5_JaffaCakes118.tmp |
| PID 4356 wrote to memory of 6016 | N/A | C:\Users\Admin\AppData\Local\Temp\8b5b7d805218a6e2b4cc2f6e577baeb5_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\is-U3E9E.tmp\8b5b7d805218a6e2b4cc2f6e577baeb5_JaffaCakes118.tmp |
Processes
C:\Users\Admin\AppData\Local\Temp\8b5b7d805218a6e2b4cc2f6e577baeb5_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\8b5b7d805218a6e2b4cc2f6e577baeb5_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\is-U3E9E.tmp\8b5b7d805218a6e2b4cc2f6e577baeb5_JaffaCakes118.tmp
"C:\Users\Admin\AppData\Local\Temp\is-U3E9E.tmp\8b5b7d805218a6e2b4cc2f6e577baeb5_JaffaCakes118.tmp" /SL5="$50220,12916863,95232,C:\Users\Admin\AppData\Local\Temp\8b5b7d805218a6e2b4cc2f6e577baeb5_JaffaCakes118.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 105.83.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
Files
memory/4356-0-0x0000000000400000-0x000000000041E000-memory.dmp
memory/4356-2-0x0000000000401000-0x000000000040C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\is-U3E9E.tmp\8b5b7d805218a6e2b4cc2f6e577baeb5_JaffaCakes118.tmp
| MD5 | 7acaaba4c7d7f272e4b2b57bfda84db8 |
| SHA1 | 41c734d53b9ab1d34931e542ff837870cb0ef931 |
| SHA256 | f8e70f25e8b9f49ee6ac0874ec27749f80fabaf73980e7629ea193329b903499 |
| SHA512 | de9c89b60ed9f049233e9513b21e342edf27e7c797b0264df9d1fef61792d9f8b4b3ca39b6850196ea6bdb0dad7b6bf6606d3d078489462c5de67c0a48703603 |
memory/6016-7-0x0000000000400000-0x00000000004C7000-memory.dmp
memory/4356-8-0x0000000000400000-0x000000000041E000-memory.dmp
memory/6016-9-0x0000000000400000-0x00000000004C7000-memory.dmp