Analysis Overview
SHA256: 6a8f024d789bf88bbdd2df901119496668d255634ef8d5ad1c335365ccacb33d
Threat Level: Shows suspicious behavior
The file a2fc7f94fcd49756f43a5abb1618899a_JaffaCakes118 was classified as: Shows suspicious behavior.
Malicious Activity Summary
Writes to the Master Boot Record (MBR)
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Modifies registry class
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2024-06-12 23:44
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-12 23:44
Reported
2024-06-12 23:46
Platform
win7-20240221-en
Max time kernel
149s
Max time network
150s
Command Line
Signatures
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9B7A98EC-7EF9-468c-ACC8-37C793DBD7E0}\Implemented Categories | C:\Users\Admin\AppData\Local\Temp\a2fc7f94fcd49756f43a5abb1618899a_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9B7A98EC-7EF9-468c-ACC8-37C793DBD7E0}\Implemented Categories\{A5F7140E-4311-4ef9-AABC-F55941B5EBE5}\idex = "41d77d4d370c489f1ddd15788519afe9" | C:\Users\Admin\AppData\Local\Temp\a2fc7f94fcd49756f43a5abb1618899a_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9B7A98EC-7EF9-468c-ACC8-37C793DBD7E0}\Implemented Categories\{A5F7140E-4311-4ef9-AABC-F55941B5EBE5}\idno = "1" | C:\Users\Admin\AppData\Local\Temp\a2fc7f94fcd49756f43a5abb1618899a_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9B7A98EC-7EF9-468c-ACC8-37C793DBD7E0}\Implemented Categories\{A5F7140E-4311-4ef9-AABC-F55941B5EBE5} | C:\Users\Admin\AppData\Local\Temp\a2fc7f94fcd49756f43a5abb1618899a_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node | C:\Users\Admin\AppData\Local\Temp\a2fc7f94fcd49756f43a5abb1618899a_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID | C:\Users\Admin\AppData\Local\Temp\a2fc7f94fcd49756f43a5abb1618899a_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9B7A98EC-7EF9-468c-ACC8-37C793DBD7E0} | C:\Users\Admin\AppData\Local\Temp\a2fc7f94fcd49756f43a5abb1618899a_JaffaCakes118.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\a2fc7f94fcd49756f43a5abb1618899a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a2fc7f94fcd49756f43a5abb1618899a_JaffaCakes118.exe"
Network
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-12 23:44
Reported
2024-06-12 23:46
Platform
win10v2004-20240508-en
Max time kernel
143s
Max time network
149s
Command Line
Signatures
Writes to the Master Boot Record (MBR)
| Description | Indicator | Process | Target |
| File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\AppData\Local\Temp\a2fc7f94fcd49756f43a5abb1618899a_JaffaCakes118.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9B7A98EC-7EF9-468c-ACC8-37C793DBD7E0}\Implemented Categories\{A5F7140E-4311-4ef9-AABC-F55941B5EBE5}\idno = "1" | C:\Users\Admin\AppData\Local\Temp\a2fc7f94fcd49756f43a5abb1618899a_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79B5BC47-CEA1-4772-B433-7D1B3139F278}\Implemented Categories\{607568DD-B059-434b-B7E7-38EC51998F8E} | C:\Users\Admin\AppData\Local\Temp\a2fc7f94fcd49756f43a5abb1618899a_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9B7A98EC-7EF9-468c-ACC8-37C793DBD7E0}\Implemented Categories\{A5F7140E-4311-4ef9-AABC-F55941B5EBE5} | C:\Users\Admin\AppData\Local\Temp\a2fc7f94fcd49756f43a5abb1618899a_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9B7A98EC-7EF9-468c-ACC8-37C793DBD7E0} | C:\Users\Admin\AppData\Local\Temp\a2fc7f94fcd49756f43a5abb1618899a_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9B7A98EC-7EF9-468c-ACC8-37C793DBD7E0}\Implemented Categories | C:\Users\Admin\AppData\Local\Temp\a2fc7f94fcd49756f43a5abb1618899a_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79B5BC47-CEA1-4772-B433-7D1B3139F278} | C:\Users\Admin\AppData\Local\Temp\a2fc7f94fcd49756f43a5abb1618899a_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79B5BC47-CEA1-4772-B433-7D1B3139F278}\Implemented Categories | C:\Users\Admin\AppData\Local\Temp\a2fc7f94fcd49756f43a5abb1618899a_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79B5BC47-CEA1-4772-B433-7D1B3139F278}\Implemented Categories\{607568DD-B059-434b-B7E7-38EC51998F8E}\did = "4D8AD86D2D343720854157C80D68B214" | C:\Users\Admin\AppData\Local\Temp\a2fc7f94fcd49756f43a5abb1618899a_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node | C:\Users\Admin\AppData\Local\Temp\a2fc7f94fcd49756f43a5abb1618899a_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID | C:\Users\Admin\AppData\Local\Temp\a2fc7f94fcd49756f43a5abb1618899a_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9B7A98EC-7EF9-468c-ACC8-37C793DBD7E0}\Implemented Categories\{A5F7140E-4311-4ef9-AABC-F55941B5EBE5}\idex = "70c2d02e76531bbe703871ae61e59a88" | C:\Users\Admin\AppData\Local\Temp\a2fc7f94fcd49756f43a5abb1618899a_JaffaCakes118.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a2fc7f94fcd49756f43a5abb1618899a_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a2fc7f94fcd49756f43a5abb1618899a_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a2fc7f94fcd49756f43a5abb1618899a_JaffaCakes118.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a2fc7f94fcd49756f43a5abb1618899a_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a2fc7f94fcd49756f43a5abb1618899a_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a2fc7f94fcd49756f43a5abb1618899a_JaffaCakes118.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\a2fc7f94fcd49756f43a5abb1618899a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a2fc7f94fcd49756f43a5abb1618899a_JaffaCakes118.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3908,i,15721081447618313297,6839074028983272033,262144 --variations-seed-version --mojo-platform-channel-handle=3128 /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2398.35go.net | udp |
| US | 8.8.8.8:53 | infoc0.duba.net | udp |
| US | 8.8.8.8:53 | dubacdn.cmcmcdn.com | udp |
Files
C:\Users\Admin\AppData\Local\Temp\install_res\installconfig.ini
| MD5 | 555f2bd14b6d0eccf5b4cb912cc95eb5 |
| SHA1 | 82dd9efebb942a4a3884a2802e4bad63653dbeea |
| SHA256 | 2c4f4b92d9740340a59cf68325dec8b91832c3638f554b7316389247147db249 |
| SHA512 | a8f71c2d629c92805f50cf2607f23a8871ba8ec6c8e77d31d6dfe593ced1b56694092dcc3d03c5cbf16b31b70b6026b62f5292635270963e367a6538a6738182 |
memory/3644-14-0x00000000008A0000-0x00000000008A1000-memory.dmp
memory/3644-17-0x00000000008A0000-0x00000000008A1000-memory.dmp