Analysis Overview
SHA256
8e2aa6984e3a2000d4bbb71717233a8160f526b22eff47c950e148e567f360ed
Threat Level: Shows suspicious behavior
The file a3d28bbd0b2f5f2347f7113713655a36_JaffaCakes118 was classified as: Shows suspicious behavior.
Malicious Activity Summary
Deletes itself
Loads dropped DLL
Executes dropped EXE
Adds Run key to start application
Suspicious use of SetThreadContext
Unsigned PE
Program crash
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-13 04:30
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-13 04:30
Reported
2024-06-13 04:32
Platform
win7-20240419-en
Max time kernel
150s
Max time network
149s
Command Line
Signatures
Deletes itself
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Ipbahy\zyov.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a3d28bbd0b2f5f2347f7113713655a36_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a3d28bbd0b2f5f2347f7113713655a36_JaffaCakes118.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\Zyov = "C:\\Users\\Admin\\AppData\\Roaming\\Ipbahy\\zyov.exe" | C:\Users\Admin\AppData\Roaming\Ipbahy\zyov.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 1008 set thread context of 2484 | N/A | C:\Users\Admin\AppData\Local\Temp\a3d28bbd0b2f5f2347f7113713655a36_JaffaCakes118.exe | C:\Windows\SysWOW64\cmd.exe |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
| Process | Command Line |
|---|---|
| C:\Windows\system32\Dwm.exe | "C:\Windows\system32\Dwm.exe" |
| C:\Windows\system32\taskhost.exe | "taskhost.exe" |
| C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE |
| C:\Users\Admin\AppData\Local\Temp\a3d28bbd0b2f5f2347f7113713655a36_JaffaCakes118.exe | "C:\Users\Admin\AppData\Local\Temp\a3d28bbd0b2f5f2347f7113713655a36_JaffaCakes118.exe" |
| C:\Users\Admin\AppData\Roaming\Ipbahy\zyov.exe | "C:\Users\Admin\AppData\Roaming\Ipbahy\zyov.exe" |
| C:\Windows\SysWOW64\cmd.exe | "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\VUP2799.bat" |
Network
Files
\Users\Admin\AppData\Roaming\Ipbahy\zyov.exe
| Hash | Value |
|---|---|
| MD5 | 0cad14653c713f1aa305a48097a146d9 |
| SHA1 | 9c75d1675fd6beacf1c449b909680d5278b94191 |
| SHA256 | a0ee91feaaccfe8f6695b7212072b4c2f6b3737d73c04c783479618bb87a0d35 |
| SHA512 | b1ec36fd1749bf53210addbc7f44a8c8706412f00d781d14109f73dea55cbe4d925295048127fd9e6c4069aed3bc2c1e4a3e692a53b83b4debb895eca868ef6a |
C:\Users\Admin\AppData\Local\Temp\VUP2799.bat
| Hash | Value |
|---|---|
| MD5 | ea03e3af3cd85e601242c1fa7a57eb17 |
| SHA1 | 973c77f82b44116de152e4134dbe8e1f3ac3706c |
| SHA256 | ff6ad21b96d4f38fe09ff0c23ac54590d956e5be9db2df88cd40767b66d957f8 |
| SHA512 | 121bf2fb7e6b56864c29ff149f8cc12440e3899b6abd596ea6ee98b2f6679ec38fd4c2ee6594c38ca76421d0cdf69257091d3509f93184fe4b75eac338ab6b5d |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-13 04:30
Reported
2024-06-13 04:32
Platform
win10v2004-20240611-en
Max time kernel
92s
Max time network
95s
Command Line
Signatures
Program crash
Processes
| Process | Command Line |
|---|---|
| C:\Users\Admin\AppData\Local\Temp\a3d28bbd0b2f5f2347f7113713655a36_JaffaCakes118.exe | "C:\Users\Admin\AppData\Local\Temp\a3d28bbd0b2f5f2347f7113713655a36_JaffaCakes118.exe" |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 760 -ip 760 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 760 -s 424 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 760 -ip 760 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 760 -s 440 |
Network