Analysis Overview
SHA256
80feb42e2708723f74e2a1182d911b77e231c17f437b0bd81f1db3e6a2f5f5e0
Threat Level: Shows suspicious behavior
The file 9db9d3e5c92bc1e031f8b491a688cd24_JaffaCakes118 was classified as: Shows suspicious behavior.
Malicious Activity Summary
Executes dropped EXE
Loads dropped DLL
Adds Run key to start application
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-11 09:35
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-11 09:35
Reported
2024-06-11 09:37
Platform
win7-20240508-en
Max time kernel
118s
Max time network
119s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\iPack Builder v2.0.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9db9d3e5c92bc1e031f8b491a688cd24_JaffaCakes118.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\9db9d3e5c92bc1e031f8b491a688cd24_JaffaCakes118.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 616 wrote to memory of 2168 | N/A | C:\Users\Admin\AppData\Local\Temp\9db9d3e5c92bc1e031f8b491a688cd24_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\iPack Builder v2.0.exe |
| PID 616 wrote to memory of 2168 | N/A | C:\Users\Admin\AppData\Local\Temp\9db9d3e5c92bc1e031f8b491a688cd24_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\iPack Builder v2.0.exe |
| PID 616 wrote to memory of 2168 | N/A | C:\Users\Admin\AppData\Local\Temp\9db9d3e5c92bc1e031f8b491a688cd24_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\iPack Builder v2.0.exe |
| PID 616 wrote to memory of 2168 | N/A | C:\Users\Admin\AppData\Local\Temp\9db9d3e5c92bc1e031f8b491a688cd24_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\iPack Builder v2.0.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\9db9d3e5c92bc1e031f8b491a688cd24_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\9db9d3e5c92bc1e031f8b491a688cd24_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\iPack Builder v2.0.exe
"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\iPack Builder v2.0.exe"
Network
Files
\Users\Admin\AppData\Local\Temp\IXP000.TMP\iPack Builder v2.0.exe
| MD5 | a6c60307a0cb6d47c907e8dcd9754288 |
| SHA1 | ed7ffde3316fb7b339e285a03b5d808e3e4815a3 |
| SHA256 | b44fc8ed401badcb190963aed0afcfdc2a2f01b9256a6002485ecaeb15a6c156 |
| SHA512 | 3d4f278fd53164963564c9dc292199f23ba6d44428b35a0ba2e88f62d6de8090ccf2fe502c21125e8250febd2e8670bc89e156a5bfbe64b3e0c744bbd791d5e9 |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\iPack Builder v2.0.exe.config
| MD5 | b27d6f3bc5c260039dfbbc04e44df551 |
| SHA1 | e8f26a7311a5d36a78aa1b8fbfa56628a5f7e9aa |
| SHA256 | 26e734571c8e9785dd123a0fbee1a1591635492b087f0626cd37f7bd02ddb577 |
| SHA512 | 73a1a2e05b23106988dce5e136840eeb05bd56ac67133c247f0f123ff98e4fec62f416a09e1456c5f256a80b901e6c25690e83dfe4ba2ce8e7ef0a593d1b5d9c |
memory/2168-8-0x000007FEF53EE000-0x000007FEF53EF000-memory.dmp
memory/2168-10-0x000007FEF5130000-0x000007FEF5ACD000-memory.dmp
memory/2168-11-0x000007FEF5130000-0x000007FEF5ACD000-memory.dmp
memory/2168-12-0x000007FEF5130000-0x000007FEF5ACD000-memory.dmp
memory/2168-13-0x000007FEF5130000-0x000007FEF5ACD000-memory.dmp
memory/2168-14-0x000007FEF5130000-0x000007FEF5ACD000-memory.dmp
memory/2168-15-0x000007FEF5130000-0x000007FEF5ACD000-memory.dmp
memory/2168-16-0x000007FEF5130000-0x000007FEF5ACD000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-11 09:35
Reported
2024-06-11 09:37
Platform
win10v2004-20240508-en
Max time kernel
147s
Max time network
150s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\iPack Builder v2.0.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\9db9d3e5c92bc1e031f8b491a688cd24_JaffaCakes118.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 3172 wrote to memory of 208 | N/A | C:\Users\Admin\AppData\Local\Temp\9db9d3e5c92bc1e031f8b491a688cd24_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\iPack Builder v2.0.exe |
| PID 3172 wrote to memory of 208 | N/A | C:\Users\Admin\AppData\Local\Temp\9db9d3e5c92bc1e031f8b491a688cd24_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\iPack Builder v2.0.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\9db9d3e5c92bc1e031f8b491a688cd24_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\9db9d3e5c92bc1e031f8b491a688cd24_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\iPack Builder v2.0.exe
"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\iPack Builder v2.0.exe"
Network
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\iPack Builder v2.0.exe
| MD5 | a6c60307a0cb6d47c907e8dcd9754288 |
| SHA1 | ed7ffde3316fb7b339e285a03b5d808e3e4815a3 |
| SHA256 | b44fc8ed401badcb190963aed0afcfdc2a2f01b9256a6002485ecaeb15a6c156 |
| SHA512 | 3d4f278fd53164963564c9dc292199f23ba6d44428b35a0ba2e88f62d6de8090ccf2fe502c21125e8250febd2e8670bc89e156a5bfbe64b3e0c744bbd791d5e9 |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\iPack Builder v2.0.exe.config
| MD5 | b27d6f3bc5c260039dfbbc04e44df551 |
| SHA1 | e8f26a7311a5d36a78aa1b8fbfa56628a5f7e9aa |
| SHA256 | 26e734571c8e9785dd123a0fbee1a1591635492b087f0626cd37f7bd02ddb577 |
| SHA512 | 73a1a2e05b23106988dce5e136840eeb05bd56ac67133c247f0f123ff98e4fec62f416a09e1456c5f256a80b901e6c25690e83dfe4ba2ce8e7ef0a593d1b5d9c |
memory/208-8-0x000000001B840000-0x000000001B8E6000-memory.dmp
memory/208-9-0x00007FF801485000-0x00007FF801486000-memory.dmp
memory/208-10-0x000000001BDC0000-0x000000001C28E000-memory.dmp
memory/208-11-0x000000001C3C0000-0x000000001C45C000-memory.dmp
memory/208-12-0x000000001B730000-0x000000001B738000-memory.dmp
memory/208-13-0x000000001C620000-0x000000001C66C000-memory.dmp
memory/208-14-0x00007FF8011D0000-0x00007FF801B71000-memory.dmp
memory/208-15-0x00007FF8011D0000-0x00007FF801B71000-memory.dmp
memory/208-16-0x00007FF8011D0000-0x00007FF801B71000-memory.dmp
memory/208-17-0x00007FF8011D0000-0x00007FF801B71000-memory.dmp
memory/208-18-0x00007FF801485000-0x00007FF801486000-memory.dmp
memory/208-19-0x00007FF8011D0000-0x00007FF801B71000-memory.dmp
memory/208-20-0x00007FF8011D0000-0x00007FF801B71000-memory.dmp