Analysis Overview
SHA256
23aa88fe694bb25d999afd991a0c712695bf8abe48ed4353f317436691270b0e
Threat Level: Shows suspicious behavior
The file 8cefdf73de8d64c112c99a63899ef219_JaffaCakes118 was found to show suspicious behavior. The behavioral signatures below are attributed either to the sample itself or to the setup loader it drops and runs: an INS*.tmp started with /SL3, a parent window handle ($80120 on Win7, $8020C on Win10), the path of the original sample and three numeric arguments that are identical in both runs, plus an is-*.tmp\_shfoldr.dll helper. This is the Inno Setup loader convention, so executing the dropped EXE, loading the dropped DLL and the parent writing into the child's memory are expected for this installer type and do not by themselves distinguish a legitimate installer from a trojanized one. No network connection is attributed to the sample or to the loader in either detonation; behavioral1 records no network activity at all, and the rows in behavioral2 (reverse-DNS lookups via 8.8.8.8 and Bing hosts) carry no process attribution and appear alongside an msedge.exe utility process.
Malicious Activity Summary
Executes dropped EXE
Loads dropped DLL
Unsigned PE
Enumerates physical storage devices
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-02 04:52
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-02 04:52
Reported
2024-06-02 04:55
Platform
win7-20240221-en
Max time kernel
147s
Max time network
124s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\INSA4E7.tmp | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8cefdf73de8d64c112c99a63899ef219_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\INSA4E7.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\INSA4E7.tmp | N/A |
Enumerates physical storage devices
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\INSA4E7.tmp | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\8cefdf73de8d64c112c99a63899ef219_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\8cefdf73de8d64c112c99a63899ef219_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\INSA4E7.tmp
C:\Users\Admin\AppData\Local\Temp\INSA4E7.tmp /SL3 $80120 C:\Users\Admin\AppData\Local\Temp\8cefdf73de8d64c112c99a63899ef219_JaffaCakes118.exe 1828395 1831809 61952
Network
Files
\Users\Admin\AppData\Local\Temp\INSA4E7.tmp
| MD5 | ef80f42a048f92263f758f14b09fa30d |
| SHA1 | e250058636dee689d6a935d71c0f462e10457239 |
| SHA256 | a44707ed7ababc6ca81355e9a6afe0e5095d01f1c72ef7b37681447036da518e |
| SHA512 | 933b43e14cbb734ff48d9b0b06671f15e458633a4e4d52420dd2eda258fc477ae17183a5d83d47da78272d1d6c7f9ba547729cd846ebec5eaf9963b2fce605ed |
\Users\Admin\AppData\Local\Temp\is-TK4DL.tmp\_shfoldr.dll
| MD5 | 92dc6ef532fbb4a5c3201469a5b5eb63 |
| SHA1 | 3e89ff837147c16b4e41c30d6c796374e0b8e62c |
| SHA256 | 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87 |
| SHA512 | 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3 |
memory/1284-11-0x0000000000400000-0x0000000000417000-memory.dmp
memory/2836-12-0x0000000000400000-0x000000000046A000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-02 04:52
Reported
2024-06-02 04:55
Platform
win10v2004-20240508-en
Max time kernel
148s
Max time network
133s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\INSF1A3.tmp | N/A |
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2004 wrote to memory of 3988 | N/A | C:\Users\Admin\AppData\Local\Temp\8cefdf73de8d64c112c99a63899ef219_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\INSF1A3.tmp |
| PID 2004 wrote to memory of 3988 | N/A | C:\Users\Admin\AppData\Local\Temp\8cefdf73de8d64c112c99a63899ef219_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\INSF1A3.tmp |
| PID 2004 wrote to memory of 3988 | N/A | C:\Users\Admin\AppData\Local\Temp\8cefdf73de8d64c112c99a63899ef219_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\INSF1A3.tmp |
Processes
C:\Users\Admin\AppData\Local\Temp\8cefdf73de8d64c112c99a63899ef219_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\8cefdf73de8d64c112c99a63899ef219_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\INSF1A3.tmp
C:\Users\Admin\AppData\Local\Temp\INSF1A3.tmp /SL3 $8020C C:\Users\Admin\AppData\Local\Temp\8cefdf73de8d64c112c99a63899ef219_JaffaCakes118.exe 1828395 1831809 61952
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=1304,i,2607710392823067546,4648797561512801463,262144 --variations-seed-version --mojo-platform-channel-handle=4456 /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.159.190.20.in-addr.arpa | udp |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\INSF1A3.tmp
| MD5 | ef80f42a048f92263f758f14b09fa30d |
| SHA1 | e250058636dee689d6a935d71c0f462e10457239 |
| SHA256 | a44707ed7ababc6ca81355e9a6afe0e5095d01f1c72ef7b37681447036da518e |
| SHA512 | 933b43e14cbb734ff48d9b0b06671f15e458633a4e4d52420dd2eda258fc477ae17183a5d83d47da78272d1d6c7f9ba547729cd846ebec5eaf9963b2fce605ed |
memory/3988-7-0x0000000000630000-0x0000000000631000-memory.dmp
memory/2004-8-0x0000000000400000-0x0000000000417000-memory.dmp
memory/3988-9-0x0000000000400000-0x000000000046A000-memory.dmp
memory/3988-13-0x0000000000630000-0x0000000000631000-memory.dmp
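As an added example, not part of this sandbox report, the following Python parses the /SL3 loader command lines from both detonations and runs the cross-run checks a triager would want: that the executed INS*.tmp is the file listed as dropped, that the numeric arguments are the same on Win7 and Win10, that the dropped stage has the same SHA256 in both runs (an embedded stage, not one fetched at run time), and that only the window handle varies. It assumes the space-separated /SL3 layout shown in the Processes sections; the record names, function names and the normalisation of the drive prefix are this example's own. The sample data is constructed from the two behavioral analyses on this page.

```python
"""Cross-detonation checks for an /SL3-style setup loader (added example, not report code)."""
from __future__ import annotations

import re
from dataclasses import dataclass

# /SL3 $<hwnd hex> <source path> <n> <n> <n>, as seen in this report's Processes sections.
# Newer setup loaders use a different switch and argument layout; this regex
# deliberately matches only the space-separated /SL3 form.
INNO_SL3_RE = re.compile(
    r"^(?P<loader>\S+\.tmp)\s+/SL3\s+\$(?P<hwnd>[0-9A-Fa-f]+)\s+"
    r"(?P<source>.+?)\s+(?P<args>\d+(?:\s+\d+)*)\s*$"
)


@dataclass(frozen=True)
class LoaderInvocation:
    loader: str             # the dropped INS*.tmp that was executed
    hwnd: int               # parent window handle passed as $<hex>; per-run, not an IOC
    source: str             # original installer the loader reads its payload from
    args: tuple[int, ...]   # static numeric arguments (positions/size inside source)


def parse_sl3_cmdline(cmdline: str) -> LoaderInvocation | None:
    """Return the parsed invocation, or None if this is not an /SL3 loader command line."""
    m = INNO_SL3_RE.match(cmdline.strip())
    if m is None:
        return None
    return LoaderInvocation(
        loader=m["loader"],
        hwnd=int(m["hwnd"], 16),
        source=m["source"],
        args=tuple(int(x) for x in m["args"].split()),
    )


@dataclass(frozen=True)
class Detonation:
    platform: str
    loader_cmdline: str
    dropped_path: str       # INS*.tmp path from the report's Files section
    dropped_sha256: str


def _norm_path(p: str) -> str:
    # The report lists some paths with a drive letter and some without; compare without it.
    return re.sub(r"^[A-Za-z]:", "", p).lower()


def cross_run_checks(runs: list[Detonation]) -> dict[str, bool]:
    """Consistency checks across detonations of the same sample."""
    invs = [parse_sl3_cmdline(r.loader_cmdline) for r in runs]
    if any(i is None for i in invs):
        return {"all_sl3_loader": False}
    return {
        "all_sl3_loader": True,
        # the process that ran is exactly the file the report lists as dropped
        "loader_is_dropped_file": all(
            _norm_path(i.loader) == _norm_path(r.dropped_path) for i, r in zip(invs, runs)
        ),
        # identical arguments on every OS: the stage is read from fixed positions in the sample
        "same_args": len({i.args for i in invs}) == 1,
        # identical dropped hash: the stage is embedded in the sample, not downloaded
        "same_dropped_hash": len({r.dropped_sha256 for r in runs}) == 1,
        # the window handle is allocated per run, so it is expected to differ
        "hwnd_varies": len({i.hwnd for i in invs}) == len(invs),
    }


# Constructed from the behavioral1 (Win7) and behavioral2 (Win10) sections of this report.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\8cefdf73de8d64c112c99a63899ef219_JaffaCakes118.exe"
RUNS = [
    Detonation(
        platform="win7-20240221-en",
        loader_cmdline=r"C:\Users\Admin\AppData\Local\Temp\INSA4E7.tmp /SL3 $80120 "
        + SAMPLE + " 1828395 1831809 61952",
        dropped_path=r"\Users\Admin\AppData\Local\Temp\INSA4E7.tmp",
        dropped_sha256="a44707ed7ababc6ca81355e9a6afe0e5095d01f1c72ef7b37681447036da518e",
    ),
    Detonation(
        platform="win10v2004-20240508-en",
        loader_cmdline=r"C:\Users\Admin\AppData\Local\Temp\INSF1A3.tmp /SL3 $8020C "
        + SAMPLE + " 1828395 1831809 61952",
        dropped_path=r"C:\Users\Admin\AppData\Local\Temp\INSF1A3.tmp",
        dropped_sha256="a44707ed7ababc6ca81355e9a6afe0e5095d01f1c72ef7b37681447036da518e",
    ),
]

if __name__ == "__main__":
    for run in RUNS:
        print(run.platform, parse_sl3_cmdline(run.loader_cmdline))
    print(cross_run_checks(RUNS))
```

If `same_dropped_hash` or `same_args` came back False for a sample like this one, that would be the point to look harder: a loader that produces a different second stage on different hosts or at different offsets is not behaving like a plain installer.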