Analysis Overview
SHA256
95961b8f5d59930b6e867f09c19e0b18a06445ce4d1bb8359d59ffbf0d01021c
Threat Level: Shows suspicious behavior
The file a43517daccdad5d036434fa0cb36b5a0_JaffaCakes118 was found to be: Shows suspicious behavior.
Malicious Activity Summary
Executes dropped EXE
Loads dropped DLL
Adds Run key to start application
Drops file in System32 directory
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-13 06:30
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-13 06:30
Reported
2024-06-13 06:32
Platform
win7-20240611-en
Max time kernel
150s
Max time network
153s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\updatede5a1.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a43517daccdad5d036434fa0cb36b5a0_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\updatede5a1.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\updatede5a1.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\updatede5a1.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\54rk = "C:\\Windows\\SysWOW64\\updatede5a1.exe" | C:\Windows\SysWOW64\updatede5a1.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Windows\SysWOW64\cfghw.tmp | C:\Users\Admin\AppData\Local\Temp\a43517daccdad5d036434fa0cb36b5a0_JaffaCakes118.exe | N/A |
| File created | C:\Windows\SysWOW64\updatede5a1.exe | C:\Users\Admin\AppData\Local\Temp\a43517daccdad5d036434fa0cb36b5a0_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\cfghw.tmp | C:\Windows\SysWOW64\updatede5a1.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\a43517daccdad5d036434fa0cb36b5a0_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a43517daccdad5d036434fa0cb36b5a0_JaffaCakes118.exe"
C:\Windows\SysWOW64\updatede5a1.exe
C:\Windows\system32\updatede5a1.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | ok3.caonmb.com | udp |
| US | 8.8.8.8:53 | www.ip138.com | udp |
| CN | 115.230.126.175:6623 | | tcp |
| GB | 163.171.146.42:80 | www.ip138.com | tcp |
| US | 8.8.8.8:53 | top.ip138.com | udp |
| GB | 138.113.149.152:80 | top.ip138.com | tcp |
| US | 8.8.8.8:53 | gege.zgpmsj.com | udp |
| CN | 115.230.126.175:6623 | | tcp |
| CN | 115.230.126.175:6623 | | tcp |
| US | 8.8.8.8:53 | www.ipshudi.com | udp |
| GB | 174.35.118.62:443 | www.ipshudi.com | tcp |
| CN | 115.230.126.175:6623 | | tcp |
| GB | 174.35.118.62:443 | www.ipshudi.com | tcp |
| GB | 174.35.118.62:443 | www.ipshudi.com | tcp |
| GB | 174.35.118.62:443 | www.ipshudi.com | tcp |
| GB | 174.35.118.62:443 | www.ipshudi.com | tcp |
| GB | 174.35.118.62:443 | www.ipshudi.com | tcp |
| GB | 174.35.118.62:443 | www.ipshudi.com | tcp |
| GB | 174.35.118.62:443 | www.ipshudi.com | tcp |
| GB | 174.35.118.62:443 | www.ipshudi.com | tcp |
| GB | 174.35.118.62:443 | www.ipshudi.com | tcp |
| GB | 174.35.118.62:443 | www.ipshudi.com | tcp |
| GB | 174.35.118.62:443 | www.ipshudi.com | tcp |
| GB | 174.35.118.62:443 | www.ipshudi.com | tcp |
| GB | 174.35.118.62:443 | www.ipshudi.com | tcp |
| GB | 174.35.118.62:443 | www.ipshudi.com | tcp |
| GB | 174.35.118.62:443 | www.ipshudi.com | tcp |
| GB | 174.35.118.62:443 | www.ipshudi.com | tcp |
| CN | 115.230.126.175:6623 | | tcp |
| GB | 174.35.118.62:443 | www.ipshudi.com | tcp |
| GB | 174.35.118.62:443 | www.ipshudi.com | tcp |
| GB | 174.35.118.62:443 | www.ipshudi.com | tcp |
| GB | 174.35.118.62:443 | www.ipshudi.com | tcp |
| GB | 174.35.118.62:443 | www.ipshudi.com | tcp |
| GB | 174.35.118.62:443 | www.ipshudi.com | tcp |
| GB | 174.35.118.62:443 | www.ipshudi.com | tcp |
| GB | 174.35.118.62:443 | www.ipshudi.com | tcp |
| GB | 174.35.118.62:443 | www.ipshudi.com | tcp |
| GB | 174.35.118.62:443 | www.ipshudi.com | tcp |
| GB | 174.35.118.62:443 | www.ipshudi.com | tcp |
| GB | 174.35.118.62:443 | www.ipshudi.com | tcp |
| GB | 174.35.118.62:443 | www.ipshudi.com | tcp |
| CN | 115.230.126.175:6623 | | tcp |
| GB | 174.35.118.62:443 | www.ipshudi.com | tcp |
| GB | 174.35.118.62:443 | www.ipshudi.com | tcp |
| GB | 174.35.118.62:443 | www.ipshudi.com | tcp |
| GB | 174.35.118.62:443 | www.ipshudi.com | tcp |
| GB | 174.35.118.62:443 | www.ipshudi.com | tcp |
| GB | 174.35.118.62:443 | www.ipshudi.com | tcp |
| GB | 174.35.118.62:443 | www.ipshudi.com | tcp |
| GB | 174.35.118.62:443 | www.ipshudi.com | tcp |
| GB | 174.35.118.62:443 | www.ipshudi.com | tcp |
| GB | 174.35.118.62:443 | www.ipshudi.com | tcp |
| GB | 174.35.118.62:443 | www.ipshudi.com | tcp |
| GB | 174.35.118.62:443 | www.ipshudi.com | tcp |
| GB | 174.35.118.62:443 | www.ipshudi.com | tcp |
| GB | 174.35.118.62:443 | www.ipshudi.com | tcp |
| GB | 174.35.118.62:443 | www.ipshudi.com | tcp |
| GB | 174.35.118.62:443 | www.ipshudi.com | tcp |
| CN | 115.230.126.175:6623 | | tcp |
| GB | 174.35.118.62:443 | www.ipshudi.com | tcp |
| GB | 174.35.118.62:443 | www.ipshudi.com | tcp |
| GB | 174.35.118.62:443 | www.ipshudi.com | tcp |
| GB | 174.35.118.62:443 | www.ipshudi.com | tcp |
| GB | 174.35.118.62:443 | | tcp |
Files
memory/2980-0-0x0000000000400000-0x0000000000411000-memory.dmp
\Windows\SysWOW64\updatede5a1.exe
| MD5 | cdc555406c7ceacc5782eec02d44bb5a |
| SHA1 | 297908f62efb34be6b24c3cb2982149d76e5ce69 |
| SHA256 | 293e7051a6160af58189b1128799edae1578ae9b9ae842e35b640179d9061a0e |
| SHA512 | 10617c7089301f9548880f7be0f47124457cf5c6ab0c647a812e9055b8469abb40c5b559e055fc5076ebe795f216a5f7879354954435f720a57d06b849d69b79 |
memory/2980-7-0x0000000000280000-0x0000000000290000-memory.dmp
memory/2908-11-0x0000000000400000-0x0000000000410000-memory.dmp
memory/2908-16-0x0000000000020000-0x0000000000030000-memory.dmp
memory/2908-17-0x0000000000020000-0x0000000000030000-memory.dmp
memory/2908-18-0x000000000040E000-0x000000000040F000-memory.dmp
C:\Windows\SysWOW64\cfghw.tmp
| MD5 | fed513e713a3a892ff3daf9235fb67bd |
| SHA1 | e6a48e3a676cc24160e76c1292151ced7c545110 |
| SHA256 | 131d6c04a3295c49b694aace549c433dfe0610e376c54c1c43267e9ed47317b1 |
| SHA512 | c1dfae49d5a90a265f798345518704eeda7f7ecff6d11bdad5f3fcd96568ec9c7ab7ed15f282f6a5ad04b57022d489572bd0fa551517f8a5af9d0d658fedc6cd |
C:\Windows\SysWOW64\cfghw.tmp
| MD5 | d7f3754acb5258c754d6407d2924bde3 |
| SHA1 | b1c195764ba742688ac62bdc18168e7dc5f99deb |
| SHA256 | aba6b251b738d6b1f2f85917fa15808d0018ccb9e613da3d1f30965844e5777e |
| SHA512 | f8390eb5add5727f8cd683332284ba3040a387939ab75ccab472e07701b0117005825f352ee0f34b5aba33f1ce8ae2702db9c5946caf2faf826a399f0ef38a94 |
memory/2908-71-0x0000000000400000-0x0000000000410000-memory.dmp
memory/2908-107-0x0000000000020000-0x0000000000030000-memory.dmp
memory/2908-108-0x0000000000020000-0x0000000000030000-memory.dmp
memory/2908-122-0x0000000000020000-0x0000000000030000-memory.dmp
memory/2908-134-0x000000000040E000-0x000000000040F000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Cab68A4.tmp
| MD5 | 49aebf8cbd62d92ac215b2923fb1b9f5 |
| SHA1 | 1723be06719828dda65ad804298d0431f6aff976 |
| SHA256 | b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f |
| SHA512 | bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b |
C:\Users\Admin\AppData\Local\Temp\Tar68E6.tmp
| MD5 | 4ea6026cf93ec6338144661bf1202cd1 |
| SHA1 | a1dec9044f750ad887935a01430bf49322fbdcb7 |
| SHA256 | 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8 |
| SHA512 | 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C0818D6C839FFFA99AF7D6971537495F
| MD5 | 1a850f8a60f2acb4faa21bf963e4499c |
| SHA1 | dec298f4661edd18b8224abfcacade1eac603903 |
| SHA256 | 1ba28c875efe3ed49f908522ade611dcda180d0878c34d0d121c4b511bc1eeee |
| SHA512 | 193957bd18b5e21fbec737b64c1e80eb84b4c242ecaad4813e221895c9ef31b07246dbc3e75f68d4c538018f7598fa2cd31463c6207f792bb0671bc8d8e4159b |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C0818D6C839FFFA99AF7D6971537495F
| MD5 | 4fdd07e4d42264391e0c3742ead1c6ae |
| SHA1 | 8094640eb5a7a1ca119c1fddd59f810263a7fbd1 |
| SHA256 | 2cabeafe37d06ca22aba7391c0033d25982952c453647349763a3ab5ad6ccf69 |
| SHA512 | 626261dcc0001d3bf73f9bd041067c78cbd19337c9dfcb2fb0854f24015efa662a7441dc5389de7c1ca4f464b44bf99b6df710661a9a8902ad907ee231dba74a |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-13 06:30
Reported
2024-06-13 06:32
Platform
win10v2004-20240508-en
Max time kernel
150s
Max time network
149s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\updatede303.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\54rk = "C:\\Windows\\SysWOW64\\updatede303.exe" | C:\Windows\SysWOW64\updatede303.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Windows\SysWOW64\cfghw.tmp | C:\Users\Admin\AppData\Local\Temp\a43517daccdad5d036434fa0cb36b5a0_JaffaCakes118.exe | N/A |
| File created | C:\Windows\SysWOW64\updatede303.exe | C:\Users\Admin\AppData\Local\Temp\a43517daccdad5d036434fa0cb36b5a0_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\cfghw.tmp | C:\Windows\SysWOW64\updatede303.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 4676 wrote to memory of 4012 | N/A | C:\Users\Admin\AppData\Local\Temp\a43517daccdad5d036434fa0cb36b5a0_JaffaCakes118.exe | C:\Windows\SysWOW64\updatede303.exe |
| PID 4676 wrote to memory of 4012 | N/A | C:\Users\Admin\AppData\Local\Temp\a43517daccdad5d036434fa0cb36b5a0_JaffaCakes118.exe | C:\Windows\SysWOW64\updatede303.exe |
| PID 4676 wrote to memory of 4012 | N/A | C:\Users\Admin\AppData\Local\Temp\a43517daccdad5d036434fa0cb36b5a0_JaffaCakes118.exe | C:\Windows\SysWOW64\updatede303.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\a43517daccdad5d036434fa0cb36b5a0_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a43517daccdad5d036434fa0cb36b5a0_JaffaCakes118.exe"
C:\Windows\SysWOW64\updatede303.exe
C:\Windows\system32\updatede303.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | ok3.caonmb.com | udp |
| US | 8.8.8.8:53 | www.ip138.com | udp |
| CN | 115.230.126.175:6623 | | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | gege.zgpmsj.com | udp |
| US | 8.8.8.8:53 | www.ip138.com | udp |
| CN | 115.230.126.175:6623 | | tcp |
| US | 8.8.8.8:53 | www.ip138.com | udp |
| US | 8.8.8.8:53 | www.ip138.com | udp |
| CN | 115.230.126.175:6623 | | tcp |
| US | 8.8.8.8:53 | www.ip138.com | udp |
| US | 8.8.8.8:53 | www.ip138.com | udp |
| CN | 115.230.126.175:6623 | | tcp |
| US | 8.8.8.8:53 | www.ip138.com | udp |
| US | 8.8.8.8:53 | gege.zgpmsj.com | udp |
| US | 8.8.8.8:53 | www.ip138.com | udp |
| CN | 115.230.126.175:6623 | | tcp |
| US | 8.8.8.8:53 | www.ip138.com | udp |
| US | 8.8.8.8:53 | www.ip138.com | udp |
| CN | 115.230.126.175:6623 | | tcp |
| US | 8.8.8.8:53 | www.ip138.com | udp |
| US | 8.8.8.8:53 | www.ip138.com | udp |
Files
memory/4676-0-0x0000000000400000-0x0000000000411000-memory.dmp
C:\Windows\SysWOW64\updatede303.exe
| MD5 | cdc555406c7ceacc5782eec02d44bb5a |
| SHA1 | 297908f62efb34be6b24c3cb2982149d76e5ce69 |
| SHA256 | 293e7051a6160af58189b1128799edae1578ae9b9ae842e35b640179d9061a0e |
| SHA512 | 10617c7089301f9548880f7be0f47124457cf5c6ab0c647a812e9055b8469abb40c5b559e055fc5076ebe795f216a5f7879354954435f720a57d06b849d69b79 |
memory/4012-9-0x0000000000400000-0x0000000000410000-memory.dmp
C:\Windows\SysWOW64\cfghw.tmp
| MD5 | fed513e713a3a892ff3daf9235fb67bd |
| SHA1 | e6a48e3a676cc24160e76c1292151ced7c545110 |
| SHA256 | 131d6c04a3295c49b694aace549c433dfe0610e376c54c1c43267e9ed47317b1 |
| SHA512 | c1dfae49d5a90a265f798345518704eeda7f7ecff6d11bdad5f3fcd96568ec9c7ab7ed15f282f6a5ad04b57022d489572bd0fa551517f8a5af9d0d658fedc6cd |
memory/4012-11-0x0000000000400000-0x0000000000410000-memory.dmp
C:\Windows\SysWOW64\cfghw.tmp
| MD5 | d7f3754acb5258c754d6407d2924bde3 |
| SHA1 | b1c195764ba742688ac62bdc18168e7dc5f99deb |
| SHA256 | aba6b251b738d6b1f2f85917fa15808d0018ccb9e613da3d1f30965844e5777e |
| SHA512 | f8390eb5add5727f8cd683332284ba3040a387939ab75ccab472e07701b0117005825f352ee0f34b5aba33f1ce8ae2702db9c5946caf2faf826a399f0ef38a94 |
memory/4012-62-0x0000000000400000-0x0000000000410000-memory.dmp