Analysis Overview
SHA256
8f75100bdd9049c1438239b5c4157db194a5757dce49f0a3395414fcf991d5ca
Threat Level: Shows suspicious behavior
The file a4711b4cb8086b31413fa065c79a424d_JaffaCakes118 was found to be: Shows suspicious behavior.
Malicious Activity Summary
Loads dropped DLL
Program crash
Unsigned PE
Enumerates physical storage devices
NSIS installer
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-13 07:32
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
NSIS installer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral3
Detonation Overview
Submitted
2024-06-13 07:32
Reported
2024-06-13 07:35
Platform
win7-20240221-en
Max time kernel
122s
Max time network
123s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2352 -s 224
Network
Files
Analysis: behavioral4
Detonation Overview
Submitted
2024-06-13 07:32
Reported
2024-06-13 07:35
Platform
win10v2004-20240508-en
Max time kernel
52s
Max time network
51s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4476 wrote to memory of 3660 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4476 wrote to memory of 3660 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4476 wrote to memory of 3660 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3660 -ip 3660
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3660 -s 612
Network
Files
Analysis: behavioral5
Detonation Overview
Submitted
2024-06-13 07:32
Reported
2024-06-13 07:35
Platform
win7-20240221-en
Max time kernel
117s
Max time network
119s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsWeb.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsWeb.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2040 -s 236
Network
Files
Analysis: behavioral6
Detonation Overview
Submitted
2024-06-13 07:32
Reported
2024-06-13 07:35
Platform
win10v2004-20240611-en
Max time kernel
93s
Max time network
123s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1376 wrote to memory of 1120 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1376 wrote to memory of 1120 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1376 wrote to memory of 1120 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsWeb.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsWeb.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 1120 -ip 1120
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1120 -s 664
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| NL | 23.62.61.139:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 144.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 139.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-13 07:32
Reported
2024-06-13 07:35
Platform
win7-20240508-en
Max time kernel
118s
Max time network
118s
Command Line
Signatures
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a4711b4cb8086b31413fa065c79a424d_JaffaCakes118.exe | N/A |
Enumerates physical storage devices
Processes
C:\Users\Admin\AppData\Local\Temp\a4711b4cb8086b31413fa065c79a424d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a4711b4cb8086b31413fa065c79a424d_JaffaCakes118.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | www.trackpixl.com | udp |
Files
\Users\Admin\AppData\Local\Temp\nsoDE8.tmp\nsWeb.dll
| MD5 | 84bcf3c71e70d5a6e9dc07d70466bdc3 |
| SHA1 | 31603a1afc2d767a3392d363ff61533beaa25359 |
| SHA256 | 7d4da7469d00e98f863b78caece3f2b753e26d7ce0ca9916c0802c35d7d22bcf |
| SHA512 | 61aefa3c22d2f66053f568a4cc3a5fc1cf9deb514213b550e5182edcecd88fadf0cb78e7a593e6d4b7261ed1238e7693f1d38170c84a68baf4943c3b9584d48e |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-13 07:32
Reported
2024-06-13 07:35
Platform
win10v2004-20240611-en
Max time kernel
91s
Max time network
93s
Command Line
Signatures
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a4711b4cb8086b31413fa065c79a424d_JaffaCakes118.exe | N/A |
Enumerates physical storage devices
Processes
C:\Users\Admin\AppData\Local\Temp\a4711b4cb8086b31413fa065c79a424d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a4711b4cb8086b31413fa065c79a424d_JaffaCakes118.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | www.trackpixl.com | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| NL | 23.62.61.161:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 161.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 144.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\nsg88BA.tmp\nsWeb.dll
| MD5 | 84bcf3c71e70d5a6e9dc07d70466bdc3 |
| SHA1 | 31603a1afc2d767a3392d363ff61533beaa25359 |
| SHA256 | 7d4da7469d00e98f863b78caece3f2b753e26d7ce0ca9916c0802c35d7d22bcf |
| SHA512 | 61aefa3c22d2f66053f568a4cc3a5fc1cf9deb514213b550e5182edcecd88fadf0cb78e7a593e6d4b7261ed1238e7693f1d38170c84a68baf4943c3b9584d48e |