Analysis Overview
SHA256
56ca1324e98cd2fabfebf369ea7d350f175a8d03279b8d480f3ed579d4fec8ab
Threat Level: Shows suspicious behavior
The file a1d4768e752a19122ec749c5024f0ab3_JaffaCakes118 was found to show suspicious behavior.
Malicious Activity Summary
Checks BIOS information in registry
Maps connected drives based on registry
Suspicious use of SetThreadContext
Program crash
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Modifies Internet Explorer settings
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-12 18:50
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-12 18:50
Reported
2024-06-12 18:52
Platform
win7-20240508-en
Max time kernel
121s
Max time network
126s
Command Line
Signatures
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\a1d4768e752a19122ec749c5024f0ab3_JaffaCakes118.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\a1d4768e752a19122ec749c5024f0ab3_JaffaCakes118.exe | N/A |
Maps connected drives based on registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | C:\Users\Admin\AppData\Local\Temp\a1d4768e752a19122ec749c5024f0ab3_JaffaCakes118.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | C:\Users\Admin\AppData\Local\Temp\a1d4768e752a19122ec749c5024f0ab3_JaffaCakes118.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 1680 set thread context of 3008 | N/A | C:\Users\Admin\AppData\Local\Temp\a1d4768e752a19122ec749c5024f0ab3_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\a1d4768e752a19122ec749c5024f0ab3_JaffaCakes118.exe |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main | C:\Users\Admin\AppData\Local\Temp\a1d4768e752a19122ec749c5024f0ab3_JaffaCakes118.exe | N/A |
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\a1d4768e752a19122ec749c5024f0ab3_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a1d4768e752a19122ec749c5024f0ab3_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\a1d4768e752a19122ec749c5024f0ab3_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a1d4768e752a19122ec749c5024f0ab3_JaffaCakes118.exe" Track="0001000000"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | jsb2bjfdw8mos2.fx83itz8.com | udp |
| US | 8.8.8.8:53 | jsb2bjfdw8mos2.fx83itz8.com | udp |
| US | 8.8.8.8:53 | jsb2bjfdw8mos2.fx83itz8.com | udp |
| US | 8.8.8.8:53 | jsb2bjfdw8mos2.fx83itz8.com | udp |
| US | 8.8.8.8:53 | jsb2bjfdw8mos2.fx83itz8.com | udp |
| US | 8.8.8.8:53 | jsb2bjfdw8mos2.fx83itz8.com | udp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-12 18:50
Reported
2024-06-12 18:52
Platform
win10v2004-20240508-en
Max time kernel
51s
Max time network
51s
Command Line
Signatures
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\a1d4768e752a19122ec749c5024f0ab3_JaffaCakes118.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\a1d4768e752a19122ec749c5024f0ab3_JaffaCakes118.exe | N/A |
Maps connected drives based on registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | C:\Users\Admin\AppData\Local\Temp\a1d4768e752a19122ec749c5024f0ab3_JaffaCakes118.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | C:\Users\Admin\AppData\Local\Temp\a1d4768e752a19122ec749c5024f0ab3_JaffaCakes118.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 3164 set thread context of 2816 | N/A | C:\Users\Admin\AppData\Local\Temp\a1d4768e752a19122ec749c5024f0ab3_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\a1d4768e752a19122ec749c5024f0ab3_JaffaCakes118.exe |
Program crash
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\a1d4768e752a19122ec749c5024f0ab3_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a1d4768e752a19122ec749c5024f0ab3_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\a1d4768e752a19122ec749c5024f0ab3_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a1d4768e752a19122ec749c5024f0ab3_JaffaCakes118.exe" Track="0001000000"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2816 -ip 2816
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 2816 -ip 2816
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2816 -s 2040
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2816 -s 2084
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 6qi1igpetfqhrxbpd1.fx83itz8.com | udp |
Files