Analysis Overview
SHA256
136a112cbbf08b157f9f6c68a0d7687800d1637d3bb21630ffdfa58331524eb5
Threat Level: Shows suspicious behavior
The file a2cf53d5780a776dcad7ca9689851d90_JaffaCakes118 was classified as: Shows suspicious behavior.
Malicious Activity Summary
Loads dropped DLL
Program crash
Enumerates physical storage devices
Unsigned PE
NSIS installer
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-12 22:56
Signatures
Unsigned PE
NSIS installer
Analysis: behavioral6
Detonation Overview
Submitted
2024-06-12 22:56
Reported
2024-06-12 22:59
Platform
win10v2004-20240611-en
Max time kernel
91s
Max time network
95s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3952 wrote to memory of 2804 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3952 wrote to memory of 2804 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3952 wrote to memory of 2804 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Banner.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Banner.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 136.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
Files
Analysis: behavioral7
Detonation Overview
Submitted
2024-06-12 22:56
Reported
2024-06-12 22:59
Platform
win7-20240508-en
Max time kernel
117s
Max time network
119s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2412 -s 224
Network
Files
Analysis: behavioral8
Detonation Overview
Submitted
2024-06-12 22:56
Reported
2024-06-12 22:59
Platform
win10v2004-20240508-en
Max time kernel
147s
Max time network
150s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2020 wrote to memory of 1288 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2020 wrote to memory of 1288 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2020 wrote to memory of 1288 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 1288 -ip 1288
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1288 -s 612
Network
Files
Analysis: behavioral9
Detonation Overview
Submitted
2024-06-12 22:56
Reported
2024-06-12 22:59
Platform
win7-20231129-en
Max time kernel
118s
Max time network
120s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsisdl.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsisdl.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1632 -s 224
Network
Files
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-12 22:56
Reported
2024-06-12 22:59
Platform
win7-20240221-en
Max time kernel
148s
Max time network
150s
Command Line
Signatures
Loads dropped DLL
Enumerates physical storage devices
Processes
C:\Users\Admin\AppData\Local\Temp\a2cf53d5780a776dcad7ca9689851d90_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a2cf53d5780a776dcad7ca9689851d90_JaffaCakes118.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | dtrack.sslsecure1.com | udp |
| FI | 193.166.255.171:80 | dtrack.sslsecure1.com | tcp |
| FI | 193.166.255.171:80 | dtrack.sslsecure1.com | tcp |
| FI | 193.166.255.171:80 | dtrack.sslsecure1.com | tcp |
| FI | 193.166.255.171:80 | dtrack.sslsecure1.com | tcp |
| FI | 193.166.255.171:80 | dtrack.sslsecure1.com | tcp |
| FI | 193.166.255.171:80 | dtrack.sslsecure1.com | tcp |
| FI | 193.166.255.171:80 | dtrack.sslsecure1.com | tcp |
| FI | 193.166.255.171:80 | dtrack.sslsecure1.com | tcp |
Files
\Users\Admin\AppData\Local\Temp\nst2C30.tmp\nsisdl.dll
| MD5 | 1dadb63a5dfaa0679485c5dbaf96033f |
| SHA1 | d1717aab683c55bd13bbd520d2a91178efa0d676 |
| SHA256 | 72c65f7cd4a611b077b1ad0be8185780909e9cb04c53ecdac3e17fc72c99b245 |
| SHA512 | 46535c2d96937d49ee7c222428db4a8d61eb346efa0845fcd88e06523ed7836518e5a72d623e9c5563bf6759b449b6d2fcb0340b98a6e7966027bc983db4f722 |
Analysis: behavioral3
Detonation Overview
Submitted
2024-06-12 22:56
Reported
2024-06-12 22:59
Platform
win7-20240221-en
Max time kernel
118s
Max time network
120s
Command Line
Signatures
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\$EXEFILE.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\$EXEFILE.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\$EXEFILE.exe
"C:\Users\Admin\AppData\Local\Temp\$EXEFILE.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | dtrack.secdls.com | udp |
Files
memory/1972-0-0x000007FEF630E000-0x000007FEF630F000-memory.dmp
memory/1972-1-0x0000000001DA0000-0x0000000001DE2000-memory.dmp
memory/1972-2-0x000007FEF6050000-0x000007FEF69ED000-memory.dmp
memory/1972-3-0x000007FEF6050000-0x000007FEF69ED000-memory.dmp
memory/1972-4-0x000007FEF6050000-0x000007FEF69ED000-memory.dmp
memory/1972-5-0x000007FEF6050000-0x000007FEF69ED000-memory.dmp
memory/1972-6-0x000007FEF6050000-0x000007FEF69ED000-memory.dmp
memory/1972-8-0x000007FEF6050000-0x000007FEF69ED000-memory.dmp
Analysis: behavioral10
Detonation Overview
Submitted
2024-06-12 22:56
Reported
2024-06-12 22:59
Platform
win10v2004-20240508-en
Max time kernel
147s
Max time network
150s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3516 wrote to memory of 3104 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3516 wrote to memory of 3104 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3516 wrote to memory of 3104 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsisdl.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsisdl.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 3104 -ip 3104
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3104 -s 628
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
Files
Analysis: behavioral11
Detonation Overview
Submitted
2024-06-12 22:56
Reported
2024-06-12 22:59
Platform
win7-20240611-en
Max time kernel
118s
Max time network
119s
Command Line
Signatures
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\$TEMP\$EXEFILE.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\$TEMP\$EXEFILE.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\$TEMP\$EXEFILE.exe
"C:\Users\Admin\AppData\Local\Temp\$TEMP\$EXEFILE.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | dtrack.secdls.com | udp |
Files
memory/2652-0-0x000007FEF5FBE000-0x000007FEF5FBF000-memory.dmp
memory/2652-1-0x0000000000980000-0x00000000009C2000-memory.dmp
memory/2652-2-0x000007FEF5D00000-0x000007FEF669D000-memory.dmp
memory/2652-3-0x000007FEF5D00000-0x000007FEF669D000-memory.dmp
memory/2652-4-0x000007FEF5D00000-0x000007FEF669D000-memory.dmp
memory/2652-5-0x000007FEF5D00000-0x000007FEF669D000-memory.dmp
memory/2652-6-0x000007FEF5D00000-0x000007FEF669D000-memory.dmp
memory/2652-8-0x000007FEF5D00000-0x000007FEF669D000-memory.dmp
Analysis: behavioral12
Detonation Overview
Submitted
2024-06-12 22:56
Reported
2024-06-12 22:59
Platform
win10v2004-20240611-en
Max time kernel
93s
Max time network
148s
Command Line
Signatures
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\$TEMP\$EXEFILE.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\$TEMP\$EXEFILE.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\$TEMP\$EXEFILE.exe
"C:\Users\Admin\AppData\Local\Temp\$TEMP\$EXEFILE.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | dtrack.secdls.com | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 25.24.18.2.in-addr.arpa | udp |
| BE | 2.17.107.115:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 115.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | dtrack.secdls.com | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
Files
memory/2604-0-0x00007FFBC06E5000-0x00007FFBC06E6000-memory.dmp
memory/2604-1-0x00007FFBC0430000-0x00007FFBC0DD1000-memory.dmp
memory/2604-2-0x0000000001670000-0x00000000016B2000-memory.dmp
memory/2604-3-0x000000001C090000-0x000000001C55E000-memory.dmp
memory/2604-4-0x00007FFBC0430000-0x00007FFBC0DD1000-memory.dmp
memory/2604-5-0x000000001C600000-0x000000001C69C000-memory.dmp
memory/2604-6-0x0000000001390000-0x0000000001398000-memory.dmp
memory/2604-7-0x00007FFBC0430000-0x00007FFBC0DD1000-memory.dmp
memory/2604-8-0x00007FFBC0430000-0x00007FFBC0DD1000-memory.dmp
memory/2604-9-0x00007FFBC0430000-0x00007FFBC0DD1000-memory.dmp
memory/2604-12-0x00007FFBC0430000-0x00007FFBC0DD1000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-12 22:56
Reported
2024-06-12 22:59
Platform
win10v2004-20240611-en
Max time kernel
148s
Max time network
152s
Command Line
Signatures
Loads dropped DLL
Enumerates physical storage devices
Processes
C:\Users\Admin\AppData\Local\Temp\a2cf53d5780a776dcad7ca9689851d90_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a2cf53d5780a776dcad7ca9689851d90_JaffaCakes118.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | dtrack.sslsecure1.com | udp |
| FI | 193.166.255.171:80 | dtrack.sslsecure1.com | tcp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| BE | 2.17.107.131:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 68.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 25.24.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 131.107.17.2.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | dtrack.sslsecure1.com | tcp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | dtrack.sslsecure1.com | tcp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | dtrack.sslsecure1.com | tcp |
| IE | 52.111.236.22:443 | | tcp |
| FI | 193.166.255.171:80 | dtrack.sslsecure1.com | tcp |
| FI | 193.166.255.171:80 | dtrack.sslsecure1.com | tcp |
| FI | 193.166.255.171:80 | dtrack.sslsecure1.com | tcp |
| FI | 193.166.255.171:80 | dtrack.sslsecure1.com | tcp |
| US | 8.8.8.8:53 | 122.10.44.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\nss41AD.tmp\nsisdl.dll
| MD5 | 1dadb63a5dfaa0679485c5dbaf96033f |
| SHA1 | d1717aab683c55bd13bbd520d2a91178efa0d676 |
| SHA256 | 72c65f7cd4a611b077b1ad0be8185780909e9cb04c53ecdac3e17fc72c99b245 |
| SHA512 | 46535c2d96937d49ee7c222428db4a8d61eb346efa0845fcd88e06523ed7836518e5a72d623e9c5563bf6759b449b6d2fcb0340b98a6e7966027bc983db4f722 |
Analysis: behavioral4
Detonation Overview
Submitted
2024-06-12 22:56
Reported
2024-06-12 22:59
Platform
win10v2004-20240508-en
Max time kernel
147s
Max time network
150s
Command Line
Signatures
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\$EXEFILE.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\$EXEFILE.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\$EXEFILE.exe
"C:\Users\Admin\AppData\Local\Temp\$EXEFILE.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | dtrack.secdls.com | udp |
| US | 8.8.8.8:53 | dtrack.secdls.com | udp |
| US | 8.8.8.8:53 | dtrack.secdls.com | udp |
| US | 8.8.8.8:53 | dtrack.secdls.com | udp |
Files
memory/3688-0-0x00007FFFBA4A5000-0x00007FFFBA4A6000-memory.dmp
memory/3688-1-0x00007FFFBA1F0000-0x00007FFFBAB91000-memory.dmp
memory/3688-2-0x00007FFFBA1F0000-0x00007FFFBAB91000-memory.dmp
memory/3688-3-0x0000000000FF0000-0x0000000001032000-memory.dmp
memory/3688-4-0x000000001BAA0000-0x000000001BF6E000-memory.dmp
memory/3688-5-0x000000001C010000-0x000000001C0AC000-memory.dmp
memory/3688-6-0x0000000000E70000-0x0000000000E78000-memory.dmp
memory/3688-7-0x00007FFFBA1F0000-0x00007FFFBAB91000-memory.dmp
memory/3688-8-0x00007FFFBA1F0000-0x00007FFFBAB91000-memory.dmp
memory/3688-9-0x00007FFFBA1F0000-0x00007FFFBAB91000-memory.dmp
memory/3688-10-0x00007FFFBA4A5000-0x00007FFFBA4A6000-memory.dmp
memory/3688-11-0x00007FFFBA1F0000-0x00007FFFBAB91000-memory.dmp
memory/3688-12-0x00007FFFBA1F0000-0x00007FFFBAB91000-memory.dmp
memory/3688-15-0x00007FFFBA1F0000-0x00007FFFBAB91000-memory.dmp
Analysis: behavioral5
Detonation Overview
Submitted
2024-06-12 22:56
Reported
2024-06-12 22:59
Platform
win7-20240419-en
Max time kernel
118s
Max time network
118s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1008 wrote to memory of 940 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1008 wrote to memory of 940 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1008 wrote to memory of 940 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1008 wrote to memory of 940 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1008 wrote to memory of 940 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1008 wrote to memory of 940 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1008 wrote to memory of 940 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Banner.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Banner.dll,#1