Analysis Overview
SHA256
6546ac26f664708e688ae8dcf35b9acb75760b5d2177f55a98c8f8f66739079a
Threat Level: Shows suspicious behavior
The file 967472f4bb4622e04e4e7f81d8d77222_JaffaCakes118 was found to be: Shows suspicious behavior.
Malicious Activity Summary
Loads dropped DLL
Writes to the Master Boot Record (MBR)
Unsigned PE
Program crash
Enumerates physical storage devices
Suspicious use of SetWindowsHookEx
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Modifies system certificate store
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-04 22:26
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral5
Detonation Overview
Submitted
2024-06-04 22:26
Reported
2024-06-04 22:28
Platform
win7-20240508-en
Max time kernel
117s
Max time network
118s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1428 -s 224
Network
Files
Analysis: behavioral8
Detonation Overview
Submitted
2024-06-04 22:26
Reported
2024-06-04 22:28
Platform
win10v2004-20240508-en
Max time kernel
149s
Max time network
151s
Command Line
Signatures
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\CacheWin10Tips\plugins\Win10Tips\Win10Tips.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\CacheWin10Tips\plugins\Win10Tips\Win10Tips.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\CacheWin10Tips\plugins\Win10Tips\Win10Tips.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\CacheWin10Tips\plugins\Win10Tips\Win10Tips.exe
"C:\Users\Admin\AppData\Local\Temp\CacheWin10Tips\plugins\Win10Tips\Win10Tips.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | masterconn.qq.com | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | masterconn2.qq.com | udp |
| US | 8.8.8.8:53 | 69.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 17.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.112.168.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\CacheWin10Tips\plugins\Win10Tips\dr.dll
| MD5 | 68a34245c650829c613e9068bdc6f79d |
| SHA1 | f877ad637c2097915ba894fdccb1a596a52a726e |
| SHA256 | c72cc19b9ee4546378d22483d5cbe612805be585658df9d28677174b19c2b3bf |
| SHA512 | 1c9181c1693f3fb4c3044f57f9113f1858cb709c56ea7beec1d41026c4a64070e221dcb61669fbdab63fc0669df24f4a126ea517a157a738b9a35d784cef9afe |
C:\Users\Admin\AppData\Local\Temp\CacheWin10Tips\plugins\Win10Tips\QMNetworkMgr.dll
| MD5 | 05dd1f39d102be0cb0be1da37dc8664b |
| SHA1 | 1375a2ddd6b61b408faf7d7a52e67d5d6f4d1aed |
| SHA256 | c390e551a8eb0deca95ae1f92003fcd1b610c5c7b27fe42d772b8f18c828f1a9 |
| SHA512 | d59e4a2d5d1d3a69bd3be4099018ab184dc1d7177f9c019737617530e3bd77858a4d01d7d2602579b38b6e4783c290a5acfa09b8af1e72537ba7ea0ddbde659d |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-04 22:26
Reported
2024-06-04 22:28
Platform
win7-20240508-en
Max time kernel
122s
Max time network
122s
Command Line
Signatures
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\967472f4bb4622e04e4e7f81d8d77222_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\967472f4bb4622e04e4e7f81d8d77222_JaffaCakes118.exe | N/A |
Enumerates physical storage devices
Processes
C:\Users\Admin\AppData\Local\Temp\967472f4bb4622e04e4e7f81d8d77222_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\967472f4bb4622e04e4e7f81d8d77222_JaffaCakes118.exe"
Network
Files
\Users\Admin\AppData\Local\Temp\nsd1B5F.tmp\System.dll
| MD5 | b9f430f71c7144d8ff4ab94be2785aa6 |
| SHA1 | c5c1e153caff7ad1d221a9acc8bbb831f05ccb05 |
| SHA256 | b496e81a74ce871236abcd096fb9a6b210b456bebaa7464fa844b3241e51a655 |
| SHA512 | c7ce431b6a1493fd7d1fe1b1c823ad22b582c43c8eb2fb6a471c648dd9df9953277c89932c66afd598d43ea36f4a8602e84cd175115266943071cbc8ce204099 |
\Users\Admin\AppData\Local\Temp\nsd1B5F.tmp\SetupHelper.dll
| MD5 | e4df5c7f58d5e0ccbbe7a6e74fc449ad |
| SHA1 | d0c92b3b78cd5fa61ce51b770565aeb488610c43 |
| SHA256 | af55cbbbd681182226c5e854470a05ea8ec6242a30d28c61ce9c20b968088db8 |
| SHA512 | 5f7456f107df50809bd504e46cd4f5cc43764e683fb14dbcd03c1e6ab5ea5868c0279ed52c8aa5c1795e7928335b9ac07c31c228333dcd44dbb408f04ce2619d |
memory/1700-9-0x0000000002840000-0x00000000029AA000-memory.dmp
Analysis: behavioral4
Detonation Overview
Submitted
2024-06-04 22:26
Reported
2024-06-04 22:28
Platform
win10v2004-20240508-en
Max time kernel
131s
Max time network
123s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4344 wrote to memory of 3700 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4344 wrote to memory of 3700 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4344 wrote to memory of 3700 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\SetupHelper.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\SetupHelper.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3700 -ip 3700
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3700 -s 660
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| NL | 23.62.61.97:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
Files
Analysis: behavioral6
Detonation Overview
Submitted
2024-06-04 22:26
Reported
2024-06-04 22:28
Platform
win10v2004-20240508-en
Max time kernel
135s
Max time network
150s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4012 wrote to memory of 2192 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4012 wrote to memory of 2192 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4012 wrote to memory of 2192 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2192 -ip 2192
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2192 -s 612
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 249.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 69.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
Files
Analysis: behavioral7
Detonation Overview
Submitted
2024-06-04 22:26
Reported
2024-06-04 22:28
Platform
win7-20240220-en
Max time kernel
122s
Max time network
123s
Command Line
Signatures
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\CacheWin10Tips\plugins\Win10Tips\Win10Tips.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\CacheWin10Tips\plugins\Win10Tips\Win10Tips.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\CacheWin10Tips\plugins\Win10Tips\Win10Tips.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\CacheWin10Tips\plugins\Win10Tips\Win10Tips.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\CacheWin10Tips\plugins\Win10Tips\Win10Tips.exe | N/A |
Writes to the Master Boot Record (MBR)
| Description | Indicator | Process | Target |
| File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\AppData\Local\Temp\CacheWin10Tips\plugins\Win10Tips\Win10Tips.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436 | C:\Users\Admin\AppData\Local\Temp\CacheWin10Tips\plugins\Win10Tips\Win10Tips.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde | C:\Users\Admin\AppData\Local\Temp\CacheWin10Tips\plugins\Win10Tips\Win10Tips.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\CacheWin10Tips\plugins\Win10Tips\Win10Tips.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\CacheWin10Tips\plugins\Win10Tips\Win10Tips.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\CacheWin10Tips\plugins\Win10Tips\Win10Tips.exe
"C:\Users\Admin\AppData\Local\Temp\CacheWin10Tips\plugins\Win10Tips\Win10Tips.exe"
Network
| Country | Destination | Domain | Proto |
| CN | 183.62.104.184:8000 | udp | |
| US | 8.8.8.8:53 | masterconn.qq.com | udp |
| US | 8.8.8.8:53 | masterconn2.qq.com | udp |
| HK | 43.154.254.18:8000 | masterconn.qq.com | udp |
| US | 8.8.8.8:53 | c.pc.qq.com | udp |
| HK | 43.135.106.184:80 | c.pc.qq.com | tcp |
| HK | 43.135.106.184:443 | c.pc.qq.com | tcp |
Files
\Users\Admin\AppData\Local\Temp\CacheWin10Tips\plugins\Win10Tips\dr.dll
| MD5 | 68a34245c650829c613e9068bdc6f79d |
| SHA1 | f877ad637c2097915ba894fdccb1a596a52a726e |
| SHA256 | c72cc19b9ee4546378d22483d5cbe612805be585658df9d28677174b19c2b3bf |
| SHA512 | 1c9181c1693f3fb4c3044f57f9113f1858cb709c56ea7beec1d41026c4a64070e221dcb61669fbdab63fc0669df24f4a126ea517a157a738b9a35d784cef9afe |
\Users\Admin\AppData\Local\Temp\CacheWin10Tips\plugins\Win10Tips\QMNetworkMgr.dll
| MD5 | 05dd1f39d102be0cb0be1da37dc8664b |
| SHA1 | 1375a2ddd6b61b408faf7d7a52e67d5d6f4d1aed |
| SHA256 | c390e551a8eb0deca95ae1f92003fcd1b610c5c7b27fe42d772b8f18c828f1a9 |
| SHA512 | d59e4a2d5d1d3a69bd3be4099018ab184dc1d7177f9c019737617530e3bd77858a4d01d7d2602579b38b6e4783c290a5acfa09b8af1e72537ba7ea0ddbde659d |
\Users\Admin\AppData\Local\Temp\CacheWin10Tips\plugins\Win10Tips\Win10TipsCfg.dll
| MD5 | a2c8def8db67c09f9b7ff82edb2180df |
| SHA1 | 70aaa958041f7b638f1ba5d8f5fd646b9b159041 |
| SHA256 | fad5d20878ecc4f2c4762e69225d6f9dcca038789e999035fe0858d1d267d5d2 |
| SHA512 | 75f30c95bf6783e118452103a4816afcbcbde19add23d6af97d6abceee802585cb45cb70694a9c46b863649950dbdc379b975aa88fd6aaeeeb0faf7ec2807edb |
memory/1640-24-0x00000000007E0000-0x00000000007E1000-memory.dmp
\Users\Admin\AppData\Local\Temp\CacheWin10Tips\plugins\Win10Tips\appraiserxp.dll
| MD5 | 0a51cf7877b4cb63f821927d011e0237 |
| SHA1 | 41b32cf76ed2e49348b25261012b0a32ff6c2dee |
| SHA256 | 12b5c50c492f5bf9e74a4eb8a0748d6d204510f17cb262a03e3b22e57ca01dfb |
| SHA512 | 1a46f018a2dea49e6f383026dbfebfd6d585594460609380937c1f74f5d72bf3bef687eb790b7ecb25f16d1e08812b5cc1cdd04dac7865d10bb373a4d76c529a |
\Users\Admin\AppData\Local\Temp\CacheWin10Tips\plugins\Win10Tips\xmllite.dll
| MD5 | aa90ae4a50124c0a82052209ec42330c |
| SHA1 | ccd555f322a7f12cd2900bd243c8096abb54d214 |
| SHA256 | ebed0790f95d9b8b901d0d27b836c9fd94698bbb025ad1d88eff97db68d64170 |
| SHA512 | 99412dd0fd7aa0ee4bd3c2855e9beaa63e12287ef65420ab20d00cae5c8dc72cdd0e64be7ea9a98e0e605a6b1dbcfb188dc8b3bb6dd2785e9c71cf63c5e2c64d |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-04 22:26
Reported
2024-06-04 22:28
Platform
win10v2004-20240508-en
Max time kernel
131s
Max time network
100s
Command Line
Signatures
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\967472f4bb4622e04e4e7f81d8d77222_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\967472f4bb4622e04e4e7f81d8d77222_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\967472f4bb4622e04e4e7f81d8d77222_JaffaCakes118.exe | N/A |
Enumerates physical storage devices
Processes
C:\Users\Admin\AppData\Local\Temp\967472f4bb4622e04e4e7f81d8d77222_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\967472f4bb4622e04e4e7f81d8d77222_JaffaCakes118.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 69.31.126.40.in-addr.arpa | udp |
| NL | 23.62.61.97:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 97.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\nsc4C7C.tmp\System.dll
| MD5 | b9f430f71c7144d8ff4ab94be2785aa6 |
| SHA1 | c5c1e153caff7ad1d221a9acc8bbb831f05ccb05 |
| SHA256 | b496e81a74ce871236abcd096fb9a6b210b456bebaa7464fa844b3241e51a655 |
| SHA512 | c7ce431b6a1493fd7d1fe1b1c823ad22b582c43c8eb2fb6a471c648dd9df9953277c89932c66afd598d43ea36f4a8602e84cd175115266943071cbc8ce204099 |
C:\Users\Admin\AppData\Local\Temp\nsc4C7C.tmp\SetupHelper.dll
| MD5 | e4df5c7f58d5e0ccbbe7a6e74fc449ad |
| SHA1 | d0c92b3b78cd5fa61ce51b770565aeb488610c43 |
| SHA256 | af55cbbbd681182226c5e854470a05ea8ec6242a30d28c61ce9c20b968088db8 |
| SHA512 | 5f7456f107df50809bd504e46cd4f5cc43764e683fb14dbcd03c1e6ab5ea5868c0279ed52c8aa5c1795e7928335b9ac07c31c228333dcd44dbb408f04ce2619d |
memory/736-11-0x0000000003050000-0x00000000031BA000-memory.dmp
Analysis: behavioral3
Detonation Overview
Submitted
2024-06-04 22:26
Reported
2024-06-04 22:28
Platform
win7-20240221-en
Max time kernel
117s
Max time network
118s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2196 wrote to memory of 3048 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2196 wrote to memory of 3048 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2196 wrote to memory of 3048 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2196 wrote to memory of 3048 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2196 wrote to memory of 3048 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2196 wrote to memory of 3048 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2196 wrote to memory of 3048 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\SetupHelper.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\SetupHelper.dll,#1