Analysis Overview
SHA256: 7c267f393664ccc38c7a4fb521587e77db7fc7e3a157a9ef5c19783f03a67c76
Threat Level: Shows suspicious behavior
The file a3f3a635f17c595b5c8e5458ad502c0b_JaffaCakes118 was classified as: shows suspicious behavior.
Malicious Activity Summary
Loads dropped DLL
Identifies Wine through registry keys
Executes dropped EXE
Deletes itself
Adds Run key to start application
Suspicious use of SetThreadContext
Unsigned PE
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Analysis: static1
Detonation Overview
Reported: 2024-06-13 05:18
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted: 2024-06-13 05:18
Reported: 2024-06-13 05:20
Platform: win10v2004-20240611-en
Max time kernel: 150s
Max time network: 153s
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Mozilla\MozillaCtrl.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Mozilla\MozillaCtrl.exe | N/A |
Identifies Wine through registry keys
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Software\WINE | C:\Users\Admin\AppData\Local\Temp\a3f3a635f17c595b5c8e5458ad502c0b_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Software\WINE | C:\Users\Admin\AppData\Roaming\Mozilla\MozillaCtrl.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{2B70E722-2822-6411-6EE8-CE486FCBB77F} = "C:\\Users\\Admin\\AppData\\Roaming\\Mozilla\\MozillaCtrl.exe" | C:\Users\Admin\AppData\Roaming\Mozilla\MozillaCtrl.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 760 set thread context of 4432 | N/A | C:\Users\Admin\AppData\Local\Temp\a3f3a635f17c595b5c8e5458ad502c0b_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\a3f3a635f17c595b5c8e5458ad502c0b_JaffaCakes118.exe |
| PID 3844 set thread context of 1988 | N/A | C:\Users\Admin\AppData\Roaming\Mozilla\MozillaCtrl.exe | C:\Users\Admin\AppData\Roaming\Mozilla\MozillaCtrl.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Mozilla\MozillaCtrl.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Mozilla\MozillaCtrl.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a3f3a635f17c595b5c8e5458ad502c0b_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Mozilla\MozillaCtrl.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
|---|---|
| C:\Users\Admin\AppData\Local\Temp\a3f3a635f17c595b5c8e5458ad502c0b_JaffaCakes118.exe | "C:\Users\Admin\AppData\Local\Temp\a3f3a635f17c595b5c8e5458ad502c0b_JaffaCakes118.exe" |
| C:\Users\Admin\AppData\Local\Temp\a3f3a635f17c595b5c8e5458ad502c0b_JaffaCakes118.exe | "C:\Users\Admin\AppData\Local\Temp\a3f3a635f17c595b5c8e5458ad502c0b_JaffaCakes118.exe" |
| C:\Users\Admin\AppData\Roaming\Mozilla\MozillaCtrl.exe | "C:\Users\Admin\AppData\Roaming\Mozilla\MozillaCtrl.exe" |
| C:\Users\Admin\AppData\Roaming\Mozilla\MozillaCtrl.exe | "C:\Users\Admin\AppData\Roaming\Mozilla\MozillaCtrl.exe" |
| C:\Windows\SysWOW64\cmd.exe | "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp145175b8.bat" |
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 82.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| NL | 23.62.61.89:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 89.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | nlo2014.in | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 3.173.189.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\Mozilla\MozillaCtrl.exe
| Hash | Value |
|---|---|
| MD5 | a5c87a512015b79ada094713c9b57d08 |
| SHA1 | 4420f3affd65187020cd8169fac388a9c8682a4c |
| SHA256 | ec2743acc3963fda6e7066d04bba066a6aba53add5966660452677e9365d6b06 |
| SHA512 | de991d85d1b8ed26e1f6edd7081d850157031a41064bc23a0d81d01c732a2e7079fa279a0f13c5bb6ddfb0447aaf0c08e53598ea5484273622296aadcf098d18 |
C:\Users\Admin\AppData\Local\Temp\tmp145175b8.bat
| Hash | Value |
|---|---|
| MD5 | 5e80abb0a4cafae332d236b408c28e6c |
| SHA1 | 962ce6ee8e730754e35f40c91cdab8eadee559eb |
| SHA256 | f2f61b66672e11cde650368b83f442b3464acb2b1e07fe776f788e09f6f4f33c |
| SHA512 | c38b4af1043382e91903c9d35bd5bde46c68ce3da661507afa65497d691b2c55397644e9f6e04a5db9fdca99f68d81b8c74af9375ca64aeea6904ca09de77b19 |
Analysis: behavioral1
Detonation Overview
Submitted: 2024-06-13 05:18
Reported: 2024-06-13 05:20
Platform: win7-20231129-en
Max time kernel: 150s
Max time network: 120s
Signatures
Deletes itself
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Media Center Programs\SyncMediaCenterPrograms.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Media Center Programs\SyncMediaCenterPrograms.exe | N/A |
Identifies Wine through registry keys
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\WINE | C:\Users\Admin\AppData\Local\Temp\a3f3a635f17c595b5c8e5458ad502c0b_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\WINE | C:\Users\Admin\AppData\Roaming\Media Center Programs\SyncMediaCenterPrograms.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a3f3a635f17c595b5c8e5458ad502c0b_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a3f3a635f17c595b5c8e5458ad502c0b_JaffaCakes118.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\{B3708393-D6A3-F2AF-9614-938E0BD1CD2F} | C:\Users\Admin\AppData\Roaming\Media Center Programs\SyncMediaCenterPrograms.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 2232 set thread context of 2248 | N/A | C:\Users\Admin\AppData\Local\Temp\a3f3a635f17c595b5c8e5458ad502c0b_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\a3f3a635f17c595b5c8e5458ad502c0b_JaffaCakes118.exe |
| PID 2380 set thread context of 2732 | N/A | C:\Users\Admin\AppData\Roaming\Media Center Programs\SyncMediaCenterPrograms.exe | C:\Users\Admin\AppData\Roaming\Media Center Programs\SyncMediaCenterPrograms.exe |
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Media Center Programs\SyncMediaCenterPrograms.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a3f3a635f17c595b5c8e5458ad502c0b_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Media Center Programs\SyncMediaCenterPrograms.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
|---|---|
| C:\Users\Admin\AppData\Local\Temp\a3f3a635f17c595b5c8e5458ad502c0b_JaffaCakes118.exe | "C:\Users\Admin\AppData\Local\Temp\a3f3a635f17c595b5c8e5458ad502c0b_JaffaCakes118.exe" |
| C:\Users\Admin\AppData\Local\Temp\a3f3a635f17c595b5c8e5458ad502c0b_JaffaCakes118.exe | "C:\Users\Admin\AppData\Local\Temp\a3f3a635f17c595b5c8e5458ad502c0b_JaffaCakes118.exe" |
| C:\Users\Admin\AppData\Roaming\Media Center Programs\SyncMediaCenterPrograms.exe | "C:\Users\Admin\AppData\Roaming\Media Center Programs\SyncMediaCenterPrograms.exe" |
| C:\Users\Admin\AppData\Roaming\Media Center Programs\SyncMediaCenterPrograms.exe | "C:\Users\Admin\AppData\Roaming\Media Center Programs\SyncMediaCenterPrograms.exe" |
| C:\Windows\SysWOW64\cmd.exe | "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmpf3479a3e.bat" |
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | nlo2014.in | udp |
Files
\Users\Admin\AppData\Roaming\Media Center Programs\SyncMediaCenterPrograms.exe
| Hash | Value |
|---|---|
| MD5 | 88c0b2df4d12618f413a3aaa7f698faf |
| SHA1 | b23b06536b4eb53262a8528377614b11bcc6192e |
| SHA256 | 9a72c071710582bb614df1ecaabf4b5e192c8f1fef9f2bc9d5c23efd6c6165a1 |
| SHA512 | 3db1f4e54ddc0e2931b3b09ecbd87e1ff26e6c3115730ab3cb69df954cfa7ae7c5fcc304909870aa03cce7369c0fda82787307ba321f9e3a79abc04d13671b1b |
C:\Users\Admin\AppData\Local\Temp\tmpf3479a3e.bat
| Hash | Value |
|---|---|
| MD5 | dca2cd508f1237e56ead31d3fbd29ee2 |
| SHA1 | 405c178a54c30c8642697a07b1464bb89e4b7bb3 |
| SHA256 | 7e6b031cabeee885699195beeb427964faf9abe50a3ec5248cb9794d09e6b368 |
| SHA512 | acd96e31701db3a5a4e201e8cad2551465879da5a0a97605647b44727462aff5ea63390c6ed66ebc95a1e9ec7ac6edc3ce6a060a1f0296f0f5d4e65bbbd2908c |