Analysis Overview
SHA256
12f84904d2b5289fadce4207bea971cb39cca70e6e91854d64644d79e8e845fa
Threat Level: Shows suspicious behavior
The file 91f1d818e344f125100e66b7f3e2c6b0_JaffaCakes118 was classified as showing suspicious behavior. The chain recorded below, an unsigned .exe in %TEMP% that writes to and launches an extracted is-XXXXX.tmp\*.tmp child with a /SL5= argument, together with the dropped _isetup\_shfoldr.dll and waterctrl.dll, matches the Inno Setup installer launch pattern; every WriteProcessMemory, SetWindowsHookEx and GetForegroundWindowSpam hit targets that extracted child rather than an unrelated process. The only non-Microsoft domain queried in both detonations is www.hanzify.org.
Malicious Activity Summary
Executes dropped EXE
Loads dropped DLL
Enumerates physical storage devices
Unsigned PE
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-03 13:25
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-03 13:25
Reported
2024-06-03 13:28
Platform
win10v2004-20240508-en
Max time kernel
149s
Max time network
151s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-FMSSG.tmp\91f1d818e344f125100e66b7f3e2c6b0_JaffaCakes118.tmp | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-FMSSG.tmp\91f1d818e344f125100e66b7f3e2c6b0_JaffaCakes118.tmp | N/A |
Enumerates physical storage devices
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-FMSSG.tmp\91f1d818e344f125100e66b7f3e2c6b0_JaffaCakes118.tmp | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1480 wrote to memory of 1208 | N/A | C:\Users\Admin\AppData\Local\Temp\91f1d818e344f125100e66b7f3e2c6b0_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\is-FMSSG.tmp\91f1d818e344f125100e66b7f3e2c6b0_JaffaCakes118.tmp |
| PID 1480 wrote to memory of 1208 | N/A | C:\Users\Admin\AppData\Local\Temp\91f1d818e344f125100e66b7f3e2c6b0_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\is-FMSSG.tmp\91f1d818e344f125100e66b7f3e2c6b0_JaffaCakes118.tmp |
| PID 1480 wrote to memory of 1208 | N/A | C:\Users\Admin\AppData\Local\Temp\91f1d818e344f125100e66b7f3e2c6b0_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\is-FMSSG.tmp\91f1d818e344f125100e66b7f3e2c6b0_JaffaCakes118.tmp |
Processes
C:\Users\Admin\AppData\Local\Temp\91f1d818e344f125100e66b7f3e2c6b0_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\91f1d818e344f125100e66b7f3e2c6b0_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\is-FMSSG.tmp\91f1d818e344f125100e66b7f3e2c6b0_JaffaCakes118.tmp
"C:\Users\Admin\AppData\Local\Temp\is-FMSSG.tmp\91f1d818e344f125100e66b7f3e2c6b0_JaffaCakes118.tmp" /SL5="$80182,4461876,52224,C:\Users\Admin\AppData\Local\Temp\91f1d818e344f125100e66b7f3e2c6b0_JaffaCakes118.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | www.hanzify.org | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| NL | 23.62.61.72:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 72.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 74.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 152.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 92.16.208.104.in-addr.arpa | udp |
Files
memory/1480-0-0x0000000000400000-0x0000000000414000-memory.dmp
memory/1480-3-0x0000000000401000-0x000000000040B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\is-FMSSG.tmp\91f1d818e344f125100e66b7f3e2c6b0_JaffaCakes118.tmp
| MD5 | c37ef257e73cf99d88b4c0fd1052d642 |
| SHA1 | 1ffcd1abc27c0de01271fe3b537fa8dffd28da79 |
| SHA256 | c3674acca6f7347f48d1f282d95b9a98f95c20347b70adadc6ed8d13a772fbdd |
| SHA512 | 62b795de46640e194603375e0f654266a35a83ad7bbe06699b97997a85adc0c2040ee3e3fbf44d307449ebb56b22536c343e8af994a32fe1b711424dc0040af4 |
memory/1208-10-0x0000000000400000-0x00000000004B4000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\is-RM5FH.tmp\waterctrl.dll
| MD5 | 103dc3f98191df59da4aeae79a48ade1 |
| SHA1 | 78d6f1b8d1a02fd819a195a43d0cffd58d6162b1 |
| SHA256 | 9f10c567d614e7c360778128d011fd3735b675ac6642d8f777b0f267347f7467 |
| SHA512 | 33c4735975e5dcb43c6ecf56887370a076283d5ba5f6648343ed6ad0464ea95e5fc2c0f455587913e838aad149cf927b1d358d75af0ba8470e160bd5a0236089 |
memory/1480-19-0x0000000000400000-0x0000000000414000-memory.dmp
memory/1208-20-0x0000000000400000-0x00000000004B4000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-03 13:25
Reported
2024-06-03 13:28
Platform
win7-20240220-en
Max time kernel
140s
Max time network
121s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-OJQUN.tmp\91f1d818e344f125100e66b7f3e2c6b0_JaffaCakes118.tmp | N/A |
Loads dropped DLL
Enumerates physical storage devices
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-OJQUN.tmp\91f1d818e344f125100e66b7f3e2c6b0_JaffaCakes118.tmp | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-OJQUN.tmp\91f1d818e344f125100e66b7f3e2c6b0_JaffaCakes118.tmp | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3036 wrote to memory of 2888 | N/A | C:\Users\Admin\AppData\Local\Temp\91f1d818e344f125100e66b7f3e2c6b0_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\is-OJQUN.tmp\91f1d818e344f125100e66b7f3e2c6b0_JaffaCakes118.tmp |
| PID 3036 wrote to memory of 2888 | N/A | C:\Users\Admin\AppData\Local\Temp\91f1d818e344f125100e66b7f3e2c6b0_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\is-OJQUN.tmp\91f1d818e344f125100e66b7f3e2c6b0_JaffaCakes118.tmp |
| PID 3036 wrote to memory of 2888 | N/A | C:\Users\Admin\AppData\Local\Temp\91f1d818e344f125100e66b7f3e2c6b0_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\is-OJQUN.tmp\91f1d818e344f125100e66b7f3e2c6b0_JaffaCakes118.tmp |
| PID 3036 wrote to memory of 2888 | N/A | C:\Users\Admin\AppData\Local\Temp\91f1d818e344f125100e66b7f3e2c6b0_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\is-OJQUN.tmp\91f1d818e344f125100e66b7f3e2c6b0_JaffaCakes118.tmp |
Processes
C:\Users\Admin\AppData\Local\Temp\91f1d818e344f125100e66b7f3e2c6b0_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\91f1d818e344f125100e66b7f3e2c6b0_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\is-OJQUN.tmp\91f1d818e344f125100e66b7f3e2c6b0_JaffaCakes118.tmp
"C:\Users\Admin\AppData\Local\Temp\is-OJQUN.tmp\91f1d818e344f125100e66b7f3e2c6b0_JaffaCakes118.tmp" /SL5="$30156,4461876,52224,C:\Users\Admin\AppData\Local\Temp\91f1d818e344f125100e66b7f3e2c6b0_JaffaCakes118.exe"
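The /SL5= command lines above (behavioral2 and behavioral1) carry the Inno Setup SetupLdr handoff: a parent window handle in hex, the stub-relative offsets of the setup header block and of the compressed file data, and the path of the stub the user launched. The following is an added example for decoding them, not part of the sandbox report or of any Inno Setup tooling; the two command lines are copied from this page, and the field meanings follow the SetupLdr convention rather than anything the report states.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Child-process command lines copied verbatim from this report's two
# detonations (behavioral2 = win10, behavioral1 = win7).
REPORT_CMDLINES = {
    "behavioral2": r'"C:\Users\Admin\AppData\Local\Temp\is-FMSSG.tmp\91f1d818e344f125100e66b7f3e2c6b0_JaffaCakes118.tmp" /SL5="$80182,4461876,52224,C:\Users\Admin\AppData\Local\Temp\91f1d818e344f125100e66b7f3e2c6b0_JaffaCakes118.exe"',
    "behavioral1": r'"C:\Users\Admin\AppData\Local\Temp\is-OJQUN.tmp\91f1d818e344f125100e66b7f3e2c6b0_JaffaCakes118.tmp" /SL5="$30156,4461876,52224,C:\Users\Admin\AppData\Local\Temp\91f1d818e344f125100e66b7f3e2c6b0_JaffaCakes118.exe"',
}

# Inno Setup's SetupLdr stub extracts the real setup program into
# %TEMP%\is-XXXXX.tmp\ (five upper-case alphanumerics) and launches it with
#   /SL5="$<hwnd in hex>,<offset0>,<offset1>,<path of the original stub>"
# offset0/offset1 are byte offsets inside the stub where the setup header
# block and the compressed file data start. (Field meaning is the Inno Setup
# SetupLdr convention, not something the report itself states.)
QUOTED_EXE_RE = re.compile(r'^\s*"([^"]+)"')
SL5_RE = re.compile(r'/SL5="\$([0-9A-Fa-f]+),(\d+),(\d+),([^"]+)"')
INNO_SCRATCH_RE = re.compile(r'\\is-[A-Z0-9]{5}\.tmp\\', re.IGNORECASE)


@dataclass(frozen=True)
class InnoLaunch:
    child_path: str        # extracted setup program that actually runs
    setupldr_hwnd: int     # window handle of the parent stub (varies per run)
    offset0: int           # stub offset of the setup header block
    offset1: int           # stub offset of the compressed file data
    original_stub: str     # path of the stub the user double-clicked


def parse_inno_launch(cmdline: str) -> Optional[InnoLaunch]:
    """Return the decoded /SL5 launch if cmdline looks like an Inno Setup child."""
    exe = QUOTED_EXE_RE.match(cmdline)
    sl5 = SL5_RE.search(cmdline)
    if not exe or not sl5:
        return None
    hwnd_hex, off0, off1, stub = sl5.groups()
    return InnoLaunch(
        child_path=exe.group(1),
        setupldr_hwnd=int(hwnd_hex, 16),
        offset0=int(off0),
        offset1=int(off1),
        original_stub=stub,
    )


def is_inno_scratch_path(path: str) -> bool:
    """True when path sits inside an Inno Setup is-XXXXX.tmp scratch directory."""
    return INNO_SCRATCH_RE.search(path) is not None


def same_installer_build(a: InnoLaunch, b: InnoLaunch) -> bool:
    """Two launches come from the same stub build when their embedded offsets
    match; the hwnd and the scratch-directory name differ on every run."""
    return (a.offset0, a.offset1) == (b.offset0, b.offset1)


def summarize(cmdlines: dict) -> dict:
    """Decode every run and report whether they agree on the installer layout."""
    launches = {name: parse_inno_launch(c) for name, c in cmdlines.items()}
    decoded = {n: l for n, l in launches.items() if l is not None}
    names = sorted(decoded)
    consistent = all(
        same_installer_build(decoded[names[0]], decoded[n]) for n in names[1:]
    )
    return {
        "runs_decoded": names,
        "scratch_dirs": sorted(
            INNO_SCRATCH_RE.search(l.child_path).group(0).strip("\\")
            for l in decoded.values()
        ),
        "header_offset": decoded[names[0]].offset0 if names else None,
        "data_offset": decoded[names[0]].offset1 if names else None,
        "same_build_across_runs": consistent,
    }


if __name__ == "__main__":
    for name, cmd in REPORT_CMDLINES.items():
        print(name, parse_inno_launch(cmd))
    print(summarize(REPORT_CMDLINES))
```

Both runs decode to the same header and data offsets (4461876 and 52224), so the win7 and win10 detonations executed the same stub build; only the window handle and the random is-XXXXX.tmp directory name change between runs, which is why those two values make poor indicators while the offset pair and the dropped-file hashes do not.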
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | www.hanzify.org | udp |
Files
memory/3036-0-0x0000000000400000-0x0000000000414000-memory.dmp
memory/3036-2-0x0000000000401000-0x000000000040B000-memory.dmp
\Users\Admin\AppData\Local\Temp\is-OJQUN.tmp\91f1d818e344f125100e66b7f3e2c6b0_JaffaCakes118.tmp
| MD5 | c37ef257e73cf99d88b4c0fd1052d642 |
| SHA1 | 1ffcd1abc27c0de01271fe3b537fa8dffd28da79 |
| SHA256 | c3674acca6f7347f48d1f282d95b9a98f95c20347b70adadc6ed8d13a772fbdd |
| SHA512 | 62b795de46640e194603375e0f654266a35a83ad7bbe06699b97997a85adc0c2040ee3e3fbf44d307449ebb56b22536c343e8af994a32fe1b711424dc0040af4 |
memory/2888-9-0x0000000000400000-0x00000000004B4000-memory.dmp
\Users\Admin\AppData\Local\Temp\is-I3U54.tmp\_isetup\_shfoldr.dll
| MD5 | 92dc6ef532fbb4a5c3201469a5b5eb63 |
| SHA1 | 3e89ff837147c16b4e41c30d6c796374e0b8e62c |
| SHA256 | 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87 |
| SHA512 | 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3 |
\Users\Admin\AppData\Local\Temp\is-I3U54.tmp\waterctrl.dll
| MD5 | 103dc3f98191df59da4aeae79a48ade1 |
| SHA1 | 78d6f1b8d1a02fd819a195a43d0cffd58d6162b1 |
| SHA256 | 9f10c567d614e7c360778128d011fd3735b675ac6642d8f777b0f267347f7467 |
| SHA512 | 33c4735975e5dcb43c6ecf56887370a076283d5ba5f6648343ed6ad0464ea95e5fc2c0f455587913e838aad149cf927b1d358d75af0ba8470e160bd5a0236089 |
memory/3036-22-0x0000000000400000-0x0000000000414000-memory.dmp
memory/2888-23-0x0000000000400000-0x00000000004B4000-memory.dmp