Analysis Overview
SHA256
358acee4a278999b4e567c8af901b26c72103e3c52ccf3f768f08a9131125dc8
Threat Level: Shows suspicious behavior
The file a40718049568062a27a4b65fafc47f56_JaffaCakes118 was classified as showing suspicious behavior.
Malicious Activity Summary
Executes dropped EXE
Checks installed software on the system
Maps connected drives based on registry
Drops file in Windows directory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-13 05:39
Signatures
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-13 05:39
Reported
2024-06-13 05:41
Platform
win10v2004-20240508-en
Max time kernel
143s
Max time network
149s
Command Line
Signatures
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Tasks\WorkThatBody.job | C:\Users\Admin\AppData\Local\Temp\a40718049568062a27a4b65fafc47f56_JaffaCakes118.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\a40718049568062a27a4b65fafc47f56_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a40718049568062a27a4b65fafc47f56_JaffaCakes118.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4316,i,15721081447618313297,6839074028983272033,262144 --variations-seed-version --mojo-platform-channel-handle=3912 /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | allmodel-pro.com | udp |
| US | 8.8.8.8:53 | fullset.link | udp |
| US | 8.8.8.8:53 | parentmodel.biz | udp |
| US | 8.8.8.8:53 | groupmodel.biz | udp |
Files
memory/1044-2-0x00000000009E0000-0x00000000009E1000-memory.dmp
memory/1044-1-0x00000000009D0000-0x00000000009D1000-memory.dmp
memory/1044-0-0x00000000009C0000-0x00000000009C1000-memory.dmp
memory/1044-3-0x0000000001940000-0x0000000001969000-memory.dmp
memory/1044-4-0x00000000009F0000-0x00000000009F1000-memory.dmp
memory/1044-9-0x0000000001940000-0x0000000001969000-memory.dmp
memory/1044-5-0x0000000004590000-0x00000000045BF000-memory.dmp
memory/1044-18-0x0000000001940000-0x0000000001969000-memory.dmp
memory/1044-14-0x0000000004D30000-0x0000000004D57000-memory.dmp
memory/1044-22-0x0000000001940000-0x0000000001969000-memory.dmp
memory/1044-25-0x0000000001940000-0x0000000001969000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-13 05:39
Reported
2024-06-13 05:41
Platform
win7-20240611-en
Max time kernel
121s
Max time network
122s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Believing Bevy\Believing Bevy.exe | N/A |
Checks installed software on the system
Maps connected drives based on registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\disk\enum | C:\Users\Admin\AppData\Local\Temp\a40718049568062a27a4b65fafc47f56_JaffaCakes118.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum | C:\Users\Admin\AppData\Local\Temp\a40718049568062a27a4b65fafc47f56_JaffaCakes118.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Tasks\WorkThatBody.job | C:\Users\Admin\AppData\Local\Temp\a40718049568062a27a4b65fafc47f56_JaffaCakes118.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\a40718049568062a27a4b65fafc47f56_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a40718049568062a27a4b65fafc47f56_JaffaCakes118.exe"
C:\Users\Admin\AppData\Roaming\Believing Bevy\Believing Bevy.exe
"C:\Users\Admin\AppData\Roaming\Believing Bevy\Believing Bevy.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | fullset.link | udp |
| US | 8.8.8.8:53 | allmodel-pro.com | udp |
| US | 204.11.56.48:80 | allmodel-pro.com | tcp |
| US | 8.8.8.8:53 | parentmodel.biz | udp |
| US | 8.8.8.8:53 | groupmodel.biz | udp |
Files
memory/3044-1-0x0000000000030000-0x0000000000031000-memory.dmp
memory/3044-0-0x0000000000020000-0x0000000000021000-memory.dmp
memory/3044-2-0x0000000000080000-0x0000000000081000-memory.dmp
memory/3044-3-0x00000000000D0000-0x00000000000D1000-memory.dmp
memory/3044-4-0x00000000001F0000-0x0000000000219000-memory.dmp
memory/3044-5-0x0000000000220000-0x000000000024F000-memory.dmp
memory/3044-9-0x00000000001F0000-0x0000000000219000-memory.dmp
memory/3044-16-0x00000000001F0000-0x0000000000219000-memory.dmp
memory/3044-12-0x0000000000650000-0x0000000000677000-memory.dmp
C:\Users\Admin\AppData\Roaming\Believing Bevy\Believing Bevy.exe
| Hash | Value |
| MD5 | 988c01d600dc52a6cce0bcc83a0d65da |
| SHA1 | dde9bd780f93c69b8127227358b5ccb512b7f302 |
| SHA256 | 04bf95d11f5af19c67eb15a46e16a2fb46c418e9d2da670a9854dac5e212ad10 |
| SHA512 | 1a2acb5542d9ceb6eef30b43912aa219da8fd06e654c43a1dd9e5bf898abcc2c27ce3d59681b47ad5f683f21c4cf096b3794e8b6575dbb78a49aaf05eb9e11c1 |
memory/3044-25-0x00000000001F0000-0x0000000000219000-memory.dmp
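The tables above are the raw record; what an analyst actually wants from them is a short behaviour summary and an IOC list. The following Python triage helper is an added example, not part of the sandbox report or its tooling. It parses the behavioral1 signature and network rows (copied verbatim from the win7 run above) and the dropped file's SHA256 from the Files section; the classification rules (what a `.job` under C:\Windows\Tasks, a read of `services\disk\Enum`, or an EXE launched from AppData\Roaming mean) are this example's own assumptions and are marked as such in the code.

```python
# Added triage helper; not part of the sandbox report or its tooling.
# The rows below are copied from the behavioral1 (win7) run of the report;
# the classification rules are this example's assumptions.
import re
from collections import defaultdict

# Signature rows (Description | Indicator | Process | Target), copied from the report.
SIGNATURE_ROWS = r"""
| File created | C:\Windows\Tasks\WorkThatBody.job | C:\Users\Admin\AppData\Local\Temp\a40718049568062a27a4b65fafc47f56_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\disk\enum | C:\Users\Admin\AppData\Local\Temp\a40718049568062a27a4b65fafc47f56_JaffaCakes118.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum | C:\Users\Admin\AppData\Local\Temp\a40718049568062a27a4b65fafc47f56_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Believing Bevy\Believing Bevy.exe | N/A |
"""

# Network rows (Country | Destination | Domain | Proto), copied from the same run.
NETWORK_ROWS = r"""
| US | 8.8.8.8:53 | fullset.link | udp |
| US | 8.8.8.8:53 | allmodel-pro.com | udp |
| US | 204.11.56.48:80 | allmodel-pro.com | tcp |
| US | 8.8.8.8:53 | parentmodel.biz | udp |
| US | 8.8.8.8:53 | groupmodel.biz | udp |
"""

# SHA256 of the dropped executable, from the Files section of the report.
DROPPED_FILE_SHA256 = "04bf95d11f5af19c67eb15a46e16a2fb46c418e9d2da670a9854dac5e212ad10"


def parse_rows(table):
    """Split pipe-delimited report rows into lists of stripped cells."""
    rows = []
    for line in table.strip().splitlines():
        line = line.strip()
        if line.startswith("|"):
            rows.append([c.strip() for c in line.strip("|").split("|")])
    return rows


# Assumed meaning of each artefact (this example's rules, not the report's).
INDICATOR_RULES = [
    # A .job file in C:\Windows\Tasks is a legacy (Task Scheduler 1.0 / AT-style)
    # scheduled task: persistence that survives reboot.
    ("persistence:windows_tasks_job", re.compile(r"\\Windows\\Tasks\\[^\\]+\.job$", re.I)),
    # services\disk\Enum lists attached physical disks; reading it maps drives
    # and is also a common way to look for VM disk vendor strings.
    ("discovery:disk_enum", re.compile(r"\\services\\disk\\enum$", re.I)),
]
PROCESS_RULES = [
    # An EXE running from %APPDATA%\Roaming: here the dropped second stage.
    ("execution:appdata_roaming_exe", re.compile(r"\\AppData\\Roaming\\.*\.exe$", re.I)),
]


def classify_signatures(rows):
    """Return {label: sorted list of distinct matching indicator/process paths}."""
    hits = defaultdict(set)
    for _desc, indicator, process, _target in rows:
        for label, rx in INDICATOR_RULES:
            if indicator != "N/A" and rx.search(indicator):
                hits[label].add(indicator)
        for label, rx in PROCESS_RULES:
            if process != "N/A" and rx.search(process):
                hits[label].add(process)
    return {k: sorted(v) for k, v in hits.items()}


def summarize_network(rows):
    """Separate domains that were only looked up (UDP/53 to the resolver)
    from domains that were actually contacted on some other endpoint."""
    dns_only, contacted = set(), defaultdict(set)
    for _country, dest, domain, proto in rows:
        host, port = dest.rsplit(":", 1)
        if proto == "udp" and port == "53":
            dns_only.add(domain)
        else:
            contacted[domain].add(f"{proto}://{host}:{port}")
    dns_only -= set(contacted)  # a contacted domain is not "DNS only"
    return {"dns_only": sorted(dns_only),
            "contacted": {d: sorted(e) for d, e in contacted.items()}}


def build_iocs(sig_rows, net_rows):
    """Flatten the run into one IOC dict usable for a blocklist or a hunt."""
    net = summarize_network(net_rows)
    ips = sorted({e.split("://")[1].rsplit(":", 1)[0]
                  for ends in net["contacted"].values() for e in ends})
    files = sorted({c for r in sig_rows for c in (r[1], r[2])
                    if c != "N/A" and re.match(r"^[A-Za-z]:\\", c)})
    return {"domains": sorted(net["dns_only"] + list(net["contacted"])),
            "ips": ips, "files": files, "sha256": [DROPPED_FILE_SHA256]}


if __name__ == "__main__":
    print(classify_signatures(parse_rows(SIGNATURE_ROWS)))
    print(build_iocs(parse_rows(SIGNATURE_ROWS), parse_rows(NETWORK_ROWS)))
```

The DNS-only versus contacted split is the check worth keeping: in the win7 run only allmodel-pro.com went beyond a lookup (TCP to 204.11.56.48:80), while fullset.link, parentmodel.biz and groupmodel.biz were queried and never contacted. In the win10 run the dropped Believing Bevy.exe does not appear in the process list and every network row is a resolver query, so the second stage either did not launch or did not get far; treat the win7 IOCs as the more complete set.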