Analysis Overview
SHA256
e306027e9e77479e4ba3a36ff05ea3c243e0e7dff514c57064fb77ec846f2b87
Threat Level: Shows suspicious behavior
The file a3df6c39dcb214d9c5b1854c55466d35_JaffaCakes118 was found to be: Shows suspicious behavior.
Malicious Activity Summary
UPX packed file
Reads user/profile data of web browsers
Checks installed software on the system
Adds Run key to start application
Suspicious use of SetThreadContext
Unsigned PE
Suspicious use of SetWindowsHookEx
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-13 04:50
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-13 04:50
Reported
2024-06-13 04:52
Platform
win7-20240611-en
Max time kernel
150s
Max time network
146s
Command Line
Signatures
Reads user/profile data of web browsers
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\NetworkChecker = "C:\\Users\\Admin\\AppData\\Local\\Temp\\a3df6c39dcb214d9c5b1854c55466d35_JaffaCakes118.exe" | C:\Users\Admin\AppData\Local\Temp\a3df6c39dcb214d9c5b1854c55466d35_JaffaCakes118.exe | N/A |
Checks installed software on the system
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2932 set thread context of 1632 | N/A | C:\Users\Admin\AppData\Local\Temp\a3df6c39dcb214d9c5b1854c55466d35_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\a3df6c39dcb214d9c5b1854c55466d35_JaffaCakes118.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a3df6c39dcb214d9c5b1854c55466d35_JaffaCakes118.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a3df6c39dcb214d9c5b1854c55466d35_JaffaCakes118.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\a3df6c39dcb214d9c5b1854c55466d35_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a3df6c39dcb214d9c5b1854c55466d35_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\a3df6c39dcb214d9c5b1854c55466d35_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a3df6c39dcb214d9c5b1854c55466d35_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\a3df6c39dcb214d9c5b1854c55466d35_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a3df6c39dcb214d9c5b1854c55466d35_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\a3df6c39dcb214d9c5b1854c55466d35_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a3df6c39dcb214d9c5b1854c55466d35_JaffaCakes118.exe"
Network
| Country | Destination | Domain | Proto |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-13 04:50
Reported
2024-06-13 04:52
Platform
win10v2004-20240611-en
Max time kernel
150s
Max time network
150s
Command Line
Signatures
Reads user/profile data of web browsers
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\NetworkChecker = "C:\\Users\\Admin\\AppData\\Local\\Temp\\a3df6c39dcb214d9c5b1854c55466d35_JaffaCakes118.exe" | C:\Users\Admin\AppData\Local\Temp\a3df6c39dcb214d9c5b1854c55466d35_JaffaCakes118.exe | N/A |
Checks installed software on the system
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4768 set thread context of 4492 | N/A | C:\Users\Admin\AppData\Local\Temp\a3df6c39dcb214d9c5b1854c55466d35_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\a3df6c39dcb214d9c5b1854c55466d35_JaffaCakes118.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a3df6c39dcb214d9c5b1854c55466d35_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a3df6c39dcb214d9c5b1854c55466d35_JaffaCakes118.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a3df6c39dcb214d9c5b1854c55466d35_JaffaCakes118.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\a3df6c39dcb214d9c5b1854c55466d35_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a3df6c39dcb214d9c5b1854c55466d35_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\a3df6c39dcb214d9c5b1854c55466d35_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a3df6c39dcb214d9c5b1854c55466d35_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\a3df6c39dcb214d9c5b1854c55466d35_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a3df6c39dcb214d9c5b1854c55466d35_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\a3df6c39dcb214d9c5b1854c55466d35_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a3df6c39dcb214d9c5b1854c55466d35_JaffaCakes118.exe"
Network
| Country | Destination | Domain | Proto |
Files