Analysis Overview
SHA256
35d9c4e4e9eb8867139f7dd501d3dab435649aafc232806706bcf28058176a27
Threat Level: Shows suspicious behavior
The file a13e41dad5d2bb181118b54cf966b505_JaffaCakes118 was found to be: Shows suspicious behavior.
Malicious Activity Summary
Reads user/profile data of web browsers
UPX packed file
Adds Run key to start application
Checks installed software on the system
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-12 15:59
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-12 15:59
Reported
2024-06-12 16:01
Platform
win7-20240611-en
Max time kernel
150s
Max time network
153s
Command Line
Signatures
Reads user/profile data of web browsers
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\NetworkChecker = "C:\\Users\\Admin\\AppData\\Local\\Temp\\a13e41dad5d2bb181118b54cf966b505_JaffaCakes118.exe" | C:\Users\Admin\AppData\Local\Temp\a13e41dad5d2bb181118b54cf966b505_JaffaCakes118.exe | N/A |
Checks installed software on the system
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a13e41dad5d2bb181118b54cf966b505_JaffaCakes118.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2192 set thread context of 2416 | N/A | C:\Users\Admin\AppData\Local\Temp\a13e41dad5d2bb181118b54cf966b505_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\a13e41dad5d2bb181118b54cf966b505_JaffaCakes118.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a13e41dad5d2bb181118b54cf966b505_JaffaCakes118.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a13e41dad5d2bb181118b54cf966b505_JaffaCakes118.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\a13e41dad5d2bb181118b54cf966b505_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a13e41dad5d2bb181118b54cf966b505_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\a13e41dad5d2bb181118b54cf966b505_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\a13e41dad5d2bb181118b54cf966b505_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\a13e41dad5d2bb181118b54cf966b505_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\a13e41dad5d2bb181118b54cf966b505_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\a13e41dad5d2bb181118b54cf966b505_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\a13e41dad5d2bb181118b54cf966b505_JaffaCakes118.exe
Network
| Country | Destination | Domain | Proto |
| JP | 202.179.227.230:80 | tcp | |
| US | 73.183.11.231:80 | tcp | |
| MD | 178.168.15.235:80 | tcp | |
| UA | 188.191.35.235:80 | tcp | |
| UA | 178.137.192.236:80 | tcp | |
| MD | 178.168.15.235:80 | tcp | |
| N/A | 127.0.0.1:49220 | tcp | |
| EE | 46.39.130.46:80 | tcp | |
| UA | 109.162.48.52:80 | tcp | |
| IN | 123.238.114.53:80 | tcp | |
| KG | 95.87.83.55:80 | tcp | |
| UA | 178.151.206.56:80 | tcp | |
| UA | 77.122.234.122:80 | tcp | |
| MD | 46.55.67.123:80 | tcp | |
| UA | 188.0.85.129:80 | tcp | |
| US | 198.45.137.129:80 | tcp | |
| RS | 188.2.124.130:80 | tcp | |
| BG | 95.87.9.11:80 | tcp | |
| KR | 211.38.200.15:80 | tcp | |
| MX | 201.175.110.16:80 | tcp | |
| UA | 94.76.78.20:80 | tcp | |
| US | 93.79.248.25:80 | tcp | |
| IT | 77.81.226.211:80 | tcp | |
| LV | 81.198.19.213:80 | tcp | |
| US | 98.204.204.215:80 | tcp | |
| FR | 37.19.150.222:80 | tcp | |
| PS | 86.107.19.225:80 | tcp | |
| RO | 5.13.84.192:80 | tcp | |
| AE | 94.203.214.200:80 | tcp | |
| UA | 93.180.249.200:80 | tcp | |
| US | 93.180.234.201:80 | tcp | |
| UA | 77.122.254.206:80 | tcp | |
| UA | 46.173.166.58:80 | tcp | |
| RU | 109.227.197.58:80 | tcp | |
| MD | 178.168.23.60:80 | tcp | |
| UA | 217.24.161.60:80 | tcp | |
| UA | 178.54.179.60:80 | tcp | |
| UA | 134.249.103.40:80 | tcp | |
| MD | 188.138.227.43:80 | tcp | |
| UA | 46.118.69.45:80 | tcp | |
| US | 176.117.90.62:80 | tcp | |
| TR | 195.174.81.63:80 | tcp |
Files
memory/2192-0-0x00000000003C0000-0x00000000003C4000-memory.dmp
memory/2416-1-0x00000000001B0000-0x00000000002AA000-memory.dmp
memory/2416-4-0x0000000000400000-0x000000000063F000-memory.dmp
memory/2416-5-0x0000000000400000-0x000000000063F000-memory.dmp
memory/2416-11-0x0000000000400000-0x000000000063F000-memory.dmp
memory/2416-17-0x0000000000400000-0x000000000063F000-memory.dmp
memory/2416-10-0x0000000000400000-0x000000000063F000-memory.dmp
memory/2416-8-0x0000000000400000-0x000000000063F000-memory.dmp
memory/2416-16-0x0000000000400000-0x000000000063F000-memory.dmp
memory/2416-14-0x0000000000400000-0x000000000063F000-memory.dmp
memory/2416-12-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2416-9-0x0000000000400000-0x000000000063F000-memory.dmp
memory/2416-7-0x0000000000400000-0x000000000063F000-memory.dmp
memory/2416-18-0x0000000000400000-0x000000000063F000-memory.dmp
memory/2416-21-0x0000000000400000-0x000000000063F000-memory.dmp
memory/2416-20-0x0000000000400000-0x000000000063F000-memory.dmp
memory/2416-23-0x0000000000400000-0x000000000063F000-memory.dmp
memory/2416-25-0x0000000000400000-0x000000000063F000-memory.dmp
memory/2416-24-0x0000000000400000-0x000000000063F000-memory.dmp
memory/2416-22-0x0000000000400000-0x000000000063F000-memory.dmp
memory/2416-26-0x0000000000400000-0x000000000063F000-memory.dmp
memory/2416-27-0x0000000000400000-0x000000000063F000-memory.dmp
memory/2416-28-0x0000000000400000-0x000000000063F000-memory.dmp
memory/2416-29-0x0000000000400000-0x000000000063F000-memory.dmp
memory/2416-30-0x0000000000400000-0x000000000063F000-memory.dmp
memory/2416-34-0x0000000000400000-0x000000000063F000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-12 15:59
Reported
2024-06-12 16:01
Platform
win10v2004-20240611-en
Max time kernel
93s
Max time network
98s
Command Line
Signatures
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a13e41dad5d2bb181118b54cf966b505_JaffaCakes118.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\a13e41dad5d2bb181118b54cf966b505_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a13e41dad5d2bb181118b54cf966b505_JaffaCakes118.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 67.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 160.83.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |