Analysis Overview
SHA256
1435200df894375b442850775293e22d5d324c0ff2221de767f6244f0479edc6
Threat Level: Shows suspicious behavior
The file a12d9793259aa5cc3671b7a4fe48563d_JaffaCakes118 was found to be: Shows suspicious behavior.
Malicious Activity Summary
UPX packed file
Program crash
Enumerates physical storage devices
Unsigned PE
Suspicious use of SendNotifyMessage
Modifies Internet Explorer settings
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-12 15:37
Signatures
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-12 15:37
Reported
2024-06-12 15:39
Platform
win7-20240419-en
Max time kernel
140s
Max time network
118s
Command Line
Signatures
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Enumerates physical storage devices
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Users\Admin\AppData\Local\Temp\a12d9793259aa5cc3671b7a4fe48563d_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Users\Admin\AppData\Local\Temp\a12d9793259aa5cc3671b7a4fe48563d_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main | C:\Users\Admin\AppData\Local\Temp\a12d9793259aa5cc3671b7a4fe48563d_JaffaCakes118.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a12d9793259aa5cc3671b7a4fe48563d_JaffaCakes118.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a12d9793259aa5cc3671b7a4fe48563d_JaffaCakes118.exe | N/A |
Suspicious use of SetWindowsHookEx
Processes
C:\Users\Admin\AppData\Local\Temp\a12d9793259aa5cc3671b7a4fe48563d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a12d9793259aa5cc3671b7a4fe48563d_JaffaCakes118.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | trk.airinstaller.com | udp |
| US | 8.8.8.8:53 | trk.airinstaller.com | udp |
| US | 8.8.8.8:53 | trk.airinstaller.com | udp |
| US | 8.8.8.8:53 | trk.airinstaller.com | udp |
| US | 8.8.8.8:53 | trk.airinstaller.com | udp |
| US | 8.8.8.8:53 | trk.airinstaller.com | udp |
| US | 8.8.8.8:53 | trk.airinstaller.com | udp |
| US | 8.8.8.8:53 | trk.airinstaller.com | udp |
| US | 8.8.8.8:53 | trk.airinstaller.com | udp |
| US | 8.8.8.8:53 | assets.airinstaller.com | udp |
Files
memory/1824-0-0x0000000001050000-0x00000000012C6000-memory.dmp
memory/1824-1-0x0000000001050000-0x00000000012C6000-memory.dmp
memory/1824-2-0x0000000001050000-0x00000000012C6000-memory.dmp
memory/1824-3-0x0000000001050000-0x00000000012C6000-memory.dmp
memory/1824-4-0x0000000001050000-0x00000000012C6000-memory.dmp
memory/1824-5-0x0000000001050000-0x00000000012C6000-memory.dmp
memory/1824-6-0x0000000001050000-0x00000000012C6000-memory.dmp
memory/1824-8-0x0000000001050000-0x00000000012C6000-memory.dmp
memory/1824-9-0x0000000001050000-0x00000000012C6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\HIKvix5Fdw\intro_page.html
| MD5 | 6eb05dd8dac412dde3c7c4c77fa795c2 |
| SHA1 | 4a394aed261ac257c6def15e3b199bbdef869c4d |
| SHA256 | 14bac8532e27adf9f8a0645e953b6dbddbeffe0836de6ee53bedb4d6c3a8799e |
| SHA512 | 558e994205bd1a96c74d116e79f474b6ffd44f29545276fa122275d4c6c0bc24706e842ea6ebe729fcfd44a9fe5c01a3984dc75d94fddde8678520605395fc50 |
memory/1824-29-0x0000000001050000-0x00000000012C6000-memory.dmp
memory/1824-30-0x0000000001050000-0x00000000012C6000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-12 15:37
Reported
2024-06-12 15:39
Platform
win10v2004-20240611-en
Max time kernel
125s
Max time network
127s
Command Line
Signatures
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\a12d9793259aa5cc3671b7a4fe48563d_JaffaCakes118.exe |
Suspicious use of SetWindowsHookEx
Processes
C:\Users\Admin\AppData\Local\Temp\a12d9793259aa5cc3671b7a4fe48563d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a12d9793259aa5cc3671b7a4fe48563d_JaffaCakes118.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 2652 -ip 2652
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2652 -s 1060
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=1284,i,1236064252342462940,13180713657498721890,262144 --variations-seed-version --mojo-platform-channel-handle=4532 /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | trk.airinstaller.com | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| BE | 2.17.107.114:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 114.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 105.83.221.88.in-addr.arpa | udp |
Files
memory/2652-0-0x0000000000C70000-0x0000000000EE6000-memory.dmp
memory/2652-2-0x0000000000C70000-0x0000000000EE6000-memory.dmp