Analysis Overview
SHA256: 8df9b797d715806c7025589ba233f95d5a08e1c59317a7cebc29d2e009e6fef2
Threat Level: Likely benign
The file a157c71bbf2010904d0ebf204997d559_JaffaCakes118 was found to be: Likely benign.
Malicious Activity Summary
Checks computer location settings
Enumerates physical storage devices
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported: 2024-06-12 16:32
Signatures
Analysis: behavioral1
Detonation Overview
Submitted: 2024-06-12 16:32
Reported: 2024-06-12 16:34
Platform: win7-20240220-en
Max time kernel: 122s
Max time network: 123s
Command Line
Signatures
Enumerates physical storage devices
Runs ping.exe
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a157c71bbf2010904d0ebf204997d559_JaffaCakes118.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a157c71bbf2010904d0ebf204997d559_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a157c71bbf2010904d0ebf204997d559_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a157c71bbf2010904d0ebf204997d559_JaffaCakes118.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\a157c71bbf2010904d0ebf204997d559_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a157c71bbf2010904d0ebf204997d559_JaffaCakes118.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\27967.bat" "C:\Users\Admin\AppData\Local\Temp\E4FD2F6F1A1742EBA0A13E0DB5937F89\""
C:\Windows\SysWOW64\PING.EXE
ping 1.1.1.1 -n 1 -w 1000
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | t8u4n6u7.ssl.hwcdn.net | udp |
| US | 205.185.208.154:443 | t8u4n6u7.ssl.hwcdn.net | tcp |
| US | 8.8.8.8:53 | c6m7w2m9.ssl.hwcdn.net | udp |
| US | 205.185.208.154:443 | c6m7w2m9.ssl.hwcdn.net | tcp |
| US | 205.185.208.154:443 | c6m7w2m9.ssl.hwcdn.net | tcp |
| US | 8.8.8.8:53 | fallback.playtech-installer.com | udp |
| US | 205.185.208.154:443 | c6m7w2m9.ssl.hwcdn.net | tcp |
| US | 8.8.8.8:53 | log.web-installer-assets.com | udp |
Files
C:\Users\Admin\AppData\Local\Temp\E4FD2F6F1A1742EBA0A13E0DB5937F89\E4FD2F6F1A1742EBA0A13E0DB5937F89_LogFile.txt
| Hash | Value |
|---|---|
| MD5 | 22d101d09ee9c25b0c795449a03098c0 |
| SHA1 | 41a0fa393a5af805130787a443069c4c0f0581c4 |
| SHA256 | ab32295ad8528b009b1a9f45595c50c83b39b7324715d2207f6e10dcb8d0cca8 |
| SHA512 | d5b46a8e039c4025221b14d5406ae28546b95691f2287043acb59b2e3aef305b2d8245ef48eb3bf3dd90beae4edf78af6b17c5d57f357374c89ecebee090f4c6 |
C:\Users\Admin\AppData\Local\Temp\E4FD2F6F1A1742EBA0A13E0DB5937F89\E4FD2F6F1A1742EBA0A13E0DB5937F89_LogFile.txt
| Hash | Value |
|---|---|
| MD5 | 22fe874f55f0ade058f780de6d359cf5 |
| SHA1 | cbb6387d90a526f8ea2943898279c526615583d3 |
| SHA256 | a792147cc12ec10e3552bb9f51d4528dd420edeb26741e59c24d6542824ad63b |
| SHA512 | dddac60a2940c1068df87977746a44a1015ce23cde68912633a3b4d6ac6d2c368100a2b42835fef34b8fc9b11bff7be0f2257b2d6dcec277e4cb13aa62b42def |
C:\Users\Admin\AppData\Local\Temp\E4FD2F6F1A1742EBA0A13E0DB5937F89\E4FD2F6F1A1742EBA0A13E0DB5937F89_LogFile.txt
| Hash | Value |
|---|---|
| MD5 | 6441e1080c836c0c4978f5f30165919b |
| SHA1 | 2a365f8ff321967ac209067d58fe6a016b71feb8 |
| SHA256 | 363d4985ed51d11caaa3893aaedfdf274df0d4d67d0b56b5db96ecdc214a7ce2 |
| SHA512 | f708b6fd54e9b7e663c221bfb0297929009a96a2253303a774e3fea622a2388463c957954705a89a93dc70225ab525a0774235f11db949237318f068f259f08b |
memory/2176-63-0x0000000000A00000-0x0000000000A01000-memory.dmp
memory/2176-186-0x0000000000A00000-0x0000000000A01000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\27967.bat
| Hash | Value |
|---|---|
| MD5 | 668767f1e0c7ff2b3960447e259e9f00 |
| SHA1 | 32d8abf834cce72f5e845175a0af2513b00504d8 |
| SHA256 | cdb93994093a24991c246d8b6f7003920a510a45bfc8441521314ce22a79191d |
| SHA512 | c07f26c8601cf91d9805004668463721ab91e14f3cc59e77e20f43d98e070ea8e742c38fe8021c4ffb1ebc02e3743ab732b66ff84bb24b59a5fdcc8634c77680 |
C:\Users\Admin\AppData\Local\Temp\E4FD2F6F1A1742EBA0A13E0DB5937F89\E4FD2F~1.TXT
| Hash | Value |
|---|---|
| MD5 | 1565fb12aed65c905674f1532122889d |
| SHA1 | e72e6352cdebeadc305482217a4741282989b636 |
| SHA256 | e15929de85eae6f05b66b23f6062ca1ebb323067267a7d47d102d8ea3c0defa5 |
| SHA512 | 9f4d151ba20da5d4be38910cca31b841f397404bca52d01deaafe96ece9a8d8394e0de72235640e25fb357f72d7cc6e8fc845055a69c70fb90e7c391851036b4 |
Analysis: behavioral2
Detonation Overview
Submitted: 2024-06-12 16:32
Reported: 2024-06-12 16:34
Platform: win10v2004-20240508-en
Max time kernel: 145s
Max time network: 151s
Command Line
Signatures
Checks computer location settings
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\a157c71bbf2010904d0ebf204997d559_JaffaCakes118.exe | N/A |
Enumerates physical storage devices
Runs ping.exe
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a157c71bbf2010904d0ebf204997d559_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a157c71bbf2010904d0ebf204997d559_JaffaCakes118.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a157c71bbf2010904d0ebf204997d559_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a157c71bbf2010904d0ebf204997d559_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a157c71bbf2010904d0ebf204997d559_JaffaCakes118.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 4564 wrote to memory of 2512 | N/A | C:\Users\Admin\AppData\Local\Temp\a157c71bbf2010904d0ebf204997d559_JaffaCakes118.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 4564 wrote to memory of 2512 | N/A | C:\Users\Admin\AppData\Local\Temp\a157c71bbf2010904d0ebf204997d559_JaffaCakes118.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 4564 wrote to memory of 2512 | N/A | C:\Users\Admin\AppData\Local\Temp\a157c71bbf2010904d0ebf204997d559_JaffaCakes118.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 2512 wrote to memory of 1120 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\PING.EXE |
| PID 2512 wrote to memory of 1120 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\PING.EXE |
| PID 2512 wrote to memory of 1120 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\PING.EXE |
Processes
C:\Users\Admin\AppData\Local\Temp\a157c71bbf2010904d0ebf204997d559_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a157c71bbf2010904d0ebf204997d559_JaffaCakes118.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3976,i,10373433614523925616,13586256558317053467,262144 --variations-seed-version --mojo-platform-channel-handle=4104 /prefetch:8
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\27967.bat" "C:\Users\Admin\AppData\Local\Temp\20FE9CA7CD6F4BA3BBEF8025E68A3B97\""
C:\Windows\SysWOW64\PING.EXE
ping 1.1.1.1 -n 1 -w 1000
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | t8u4n6u7.ssl.hwcdn.net | udp |
| US | 8.8.8.8:53 | c6m7w2m9.ssl.hwcdn.net | udp |
| US | 8.8.8.8:53 | t8u4n6u7.ssl.hwcdn.net | udp |
| US | 8.8.8.8:53 | fallback.playtech-installer.com | udp |
| US | 8.8.8.8:53 | t8u4n6u7.ssl.hwcdn.net | udp |
| US | 8.8.8.8:53 | log.web-installer-assets.com | udp |
Files
C:\Users\Admin\AppData\Local\Temp\20FE9CA7CD6F4BA3BBEF8025E68A3B97\20FE9CA7CD6F4BA3BBEF8025E68A3B97_LogFile.txt
| Hash | Value |
|---|---|
| MD5 | 8b228411d918d2c963ea216956fc98a4 |
| SHA1 | d27a45e43ce771f419f2728a19cdf84bb39e0c26 |
| SHA256 | 7cb571b83b173a714608c161bc7ad2ece07fcc884872755ca0fc744c6d55af80 |
| SHA512 | 5f8a5d4cf207d785c279afa05b0ab9de761a1ac733b1cf0ae1c3bc4bfd92f00306f3409aa4a8547322fa02ad1bda34c592153eff90876ea65bc6c0e08c962df1 |
C:\Users\Admin\AppData\Local\Temp\20FE9CA7CD6F4BA3BBEF8025E68A3B97\20FE9CA7CD6F4BA3BBEF8025E68A3B97_LogFile.txt
| Hash | Value |
|---|---|
| MD5 | 078c3de8f40eab2f97da1fee31e90dc8 |
| SHA1 | 10785834dfb8ea962764a9c1f672944392fbfff0 |
| SHA256 | 43cedaadb016ba86a5ddfe5492859c1ad65d3c73fad13b2bfeeacf47053a5b02 |
| SHA512 | bb12b6835ec2854837f86163610538516cf3774a6e98f0c85bc4c3db8b861300af8c31a452e841d5d458f9e9940302f1ad06c48f39465a893b93d85a299319fc |
memory/4564-63-0x0000000003CE0000-0x0000000003CE1000-memory.dmp
memory/4564-156-0x0000000003CE0000-0x0000000003CE1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\27967.bat
| Hash | Value |
|---|---|
| MD5 | 668767f1e0c7ff2b3960447e259e9f00 |
| SHA1 | 32d8abf834cce72f5e845175a0af2513b00504d8 |
| SHA256 | cdb93994093a24991c246d8b6f7003920a510a45bfc8441521314ce22a79191d |
| SHA512 | c07f26c8601cf91d9805004668463721ab91e14f3cc59e77e20f43d98e070ea8e742c38fe8021c4ffb1ebc02e3743ab732b66ff84bb24b59a5fdcc8634c77680 |
C:\Users\Admin\AppData\Local\Temp\20FE9CA7CD6F4BA3BBEF8025E68A3B97\20FE9C~1.TXT
| Hash | Value |
|---|---|
| MD5 | 2327b6e86e16dd3ae8edd68e6296cb7d |
| SHA1 | 5f97fdc95ab75af67062cd4b54c24919aa1fd6b6 |
| SHA256 | 6b417f61ac10752bd6736b069022e961e62837d6d8b8042da1ecfb21abc0a54b |
| SHA512 | 2faf20f8a71c2418f8223baaeda75cdfc2d0cc895177c0a85ad115f4fd2fa335803868b6eaca12c2798f6d075215a8715f83bcfafc19b887415ba67422ff924e |