Analysis Overview
SHA256
1049f359c092c5ac01487f8d7a52f9bf3f16e3dbbad0ee686a5602fcdfde1eb7
Threat Level: Shows suspicious behavior
The file 9c8f02e6dae671ff523382f861905355_JaffaCakes118 was found to be: Shows suspicious behavior.
Malicious Activity Summary
UPX packed file
Enumerates physical storage devices
Unsigned PE
Modifies Internet Explorer settings
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-11 01:21
Signatures
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-11 01:21
Reported
2024-06-11 01:23
Platform
win7-20240221-en
Max time kernel
141s
Max time network
126s
Command Line
Signatures
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Enumerates physical storage devices
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main | C:\Users\Admin\AppData\Local\Temp\9c8f02e6dae671ff523382f861905355_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Users\Admin\AppData\Local\Temp\9c8f02e6dae671ff523382f861905355_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Users\Admin\AppData\Local\Temp\9c8f02e6dae671ff523382f861905355_JaffaCakes118.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9c8f02e6dae671ff523382f861905355_JaffaCakes118.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9c8f02e6dae671ff523382f861905355_JaffaCakes118.exe | N/A |
Suspicious use of SetWindowsHookEx
Processes
C:\Users\Admin\AppData\Local\Temp\9c8f02e6dae671ff523382f861905355_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\9c8f02e6dae671ff523382f861905355_JaffaCakes118.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | trk.airinstaller.com | udp |
| US | 8.8.8.8:53 | assets.airinstaller.com | udp |
Files
memory/2752-0-0x00000000009A0000-0x0000000000C07000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\E6KECTPgE2\intro_page.html
| MD5 | 60995d04e55f8d138cf5183e95942906 |
| SHA1 | d90f51dd6705b94d7d3915dad623f61a7654a410 |
| SHA256 | 05b3464493d500473e1370aafd8c0b8db1678bd38353237141997607caf5c132 |
| SHA512 | 3886ba8025d96b3ba1522def75b997aec503505c14ec3364bba93fa8a5509c792b44bc67a9afbfcc4af9047bad69ae7c9dfd61ec094079cf7ddf3838704af871 |
memory/2752-20-0x00000000009A0000-0x0000000000C07000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-11 01:21
Reported
2024-06-11 01:23
Platform
win10v2004-20240426-en
Max time kernel
141s
Max time network
94s
Command Line
Signatures
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Enumerates physical storage devices
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Users\Admin\AppData\Local\Temp\9c8f02e6dae671ff523382f861905355_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Users\Admin\AppData\Local\Temp\9c8f02e6dae671ff523382f861905355_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Software\Microsoft\Internet Explorer\IESettingSync | C:\Users\Admin\AppData\Local\Temp\9c8f02e6dae671ff523382f861905355_JaffaCakes118.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2" | C:\Users\Admin\AppData\Local\Temp\9c8f02e6dae671ff523382f861905355_JaffaCakes118.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9c8f02e6dae671ff523382f861905355_JaffaCakes118.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9c8f02e6dae671ff523382f861905355_JaffaCakes118.exe | N/A |
Suspicious use of SetWindowsHookEx
Processes
C:\Users\Admin\AppData\Local\Temp\9c8f02e6dae671ff523382f861905355_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\9c8f02e6dae671ff523382f861905355_JaffaCakes118.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | trk.airinstaller.com | udp |
| US | 8.8.8.8:53 | assets.airinstaller.com | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.160.77.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 20.231.121.79:80 | tcp | |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
Files
memory/3304-0-0x0000000000A70000-0x0000000000CD7000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\4WxucToKJ0\intro_page.html
| MD5 | 60995d04e55f8d138cf5183e95942906 |
| SHA1 | d90f51dd6705b94d7d3915dad623f61a7654a410 |
| SHA256 | 05b3464493d500473e1370aafd8c0b8db1678bd38353237141997607caf5c132 |
| SHA512 | 3886ba8025d96b3ba1522def75b997aec503505c14ec3364bba93fa8a5509c792b44bc67a9afbfcc4af9047bad69ae7c9dfd61ec094079cf7ddf3838704af871 |
memory/3304-8-0x0000000000A70000-0x0000000000CD7000-memory.dmp