Analysis Overview
SHA256
05a09f5ab997e616890880a886e72ae30abf87abe12550383a15c57d8f2a7cff
Threat Level: Shows suspicious behavior
The file a473fafaced8d054cbd23ce9c5635f46_JaffaCakes118 was classified as: Shows suspicious behavior.
Malicious Activity Summary
Executes dropped EXE
Loads dropped DLL
Checks for VirtualBox DLLs, possible anti-VM trick
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-13 07:35
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-13 07:35
Reported
2024-06-13 07:38
Platform
win7-20240220-en
Max time kernel
120s
Max time network
120s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-6BQR2.tmp\a473fafaced8d054cbd23ce9c5635f46_JaffaCakes118.tmp | N/A |
Loads dropped DLL
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\a473fafaced8d054cbd23ce9c5635f46_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a473fafaced8d054cbd23ce9c5635f46_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\is-6BQR2.tmp\a473fafaced8d054cbd23ce9c5635f46_JaffaCakes118.tmp
"C:\Users\Admin\AppData\Local\Temp\is-6BQR2.tmp\a473fafaced8d054cbd23ce9c5635f46_JaffaCakes118.tmp" /SL5="$4010A,500774,146432,C:\Users\Admin\AppData\Local\Temp\a473fafaced8d054cbd23ce9c5635f46_JaffaCakes118.exe"
Network
Files
memory/2552-0-0x0000000000400000-0x000000000042E000-memory.dmp
memory/2552-1-0x0000000000401000-0x0000000000412000-memory.dmp
\Users\Admin\AppData\Local\Temp\is-6BQR2.tmp\a473fafaced8d054cbd23ce9c5635f46_JaffaCakes118.tmp
| MD5 | 53d53cb910b764c67c7bc5f46bfe38a2 |
| SHA1 | acb9ae29d4ab5857fe3c837bc8c571f0aadb3351 |
| SHA256 | f1c6a977297caf94eb3b07259116aa9412f5b2f11a48833104c5582f32f2b499 |
| SHA512 | dba598908f5123d2f45ef40c1619b827055bf4a49904024957008daeccd561b02d70fe95d8a3531e5dfbb290e7a9454d858c297d09fcbd48c151b11456099da9 |
memory/2940-8-0x0000000000400000-0x0000000000531000-memory.dmp
\Users\Admin\AppData\Local\Temp\is-9M64N.tmp\_isetup\_shfoldr.dll
| MD5 | 92dc6ef532fbb4a5c3201469a5b5eb63 |
| SHA1 | 3e89ff837147c16b4e41c30d6c796374e0b8e62c |
| SHA256 | 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87 |
| SHA512 | 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3 |
\Users\Admin\AppData\Local\Temp\is-9M64N.tmp\isxdl.dll
| MD5 | 48ad1a1c893ce7bf456277a0a085ed01 |
| SHA1 | 803997ef17eedf50969115c529a2bf8de585dc91 |
| SHA256 | b0cc4697b2fd1b4163fddca2050fc62a9e7d221864f1bd11e739144c90b685b3 |
| SHA512 | 7c9e7fe9f00c62cccb5921cb55ba0dd96a0077ad52962473c1e79cda1fd9aa101129637043955703121443e1f8b6b2860cd4dfdb71052b20a322e05deed101a4 |
\Users\Admin\AppData\Local\Temp\is-9M64N.tmp\webbrowser.dll
| MD5 | b576c4fdd6d0d3db25e2917ff3cd95a4 |
| SHA1 | 3724f3708b4f8f76e9c8ff8c2f7bed70fc976d2d |
| SHA256 | 0ad1dc0094ad376eee23433b9416e8e1d7f6326a50c1f7bce5957f119ecc0e7e |
| SHA512 | 1a5e88a297b694dc7fe45756e5ef77abce5d1d45ef0a975f0278d8ce06cd32032ae34b62f436f83bc02463cab17802eca6bf1ab48930eceabdb3b72f45fbeefb |
memory/2940-21-0x0000000002030000-0x00000000020A0000-memory.dmp
\Users\Admin\AppData\Local\Temp\is-9M64N.tmp\innocallback.dll
| MD5 | c161e8bee1e81d8d4f75ceb3a619f879 |
| SHA1 | 5c1319bfe5529c93e371faa616dcbf32fc7b0aaa |
| SHA256 | 1ce3e9e0bdca3aef9b68a7672696c11ac493bd2153d013c92aa078006c8184de |
| SHA512 | a6ac4418024b6e3bb2e490492ef9a2e0236a5a349cfcbb3256a646769dd9fdf144a2b1260cac42dda70c9cf98437dccb6ca0eb22548f2667ed6da906ecb861da |
memory/2940-25-0x00000000003C0000-0x00000000003D5000-memory.dmp
\Users\Admin\AppData\Local\Temp\is-9M64N.tmp\InnoSetupHelper.dll
| MD5 | 20c2b3abe8c4b988a411b40089bf8970 |
| SHA1 | 047f22029167d3691d2b752fa3d2a2faf366b0f4 |
| SHA256 | 0eac2329590de783c5959d3a3a7dc303c2dacf67035fcd0570029eee690b1da7 |
| SHA512 | 91d8c46269fec6437fbd1d336f38b4b285f3c0332d621b49aebb9701f66d4a804a918b556dea9047312944266c9fb516a7ba80ffe59068a119a11f751cc22289 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-13 07:35
Reported
2024-06-13 07:38
Platform
win10v2004-20240508-en
Max time kernel
141s
Max time network
53s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-CDAL8.tmp\a473fafaced8d054cbd23ce9c5635f46_JaffaCakes118.tmp | N/A |
Loads dropped DLL
Checks for VirtualBox DLLs, possible anti-VM trick
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\VBoxMiniRdrDN | C:\Users\Admin\AppData\Local\Temp\is-CDAL8.tmp\a473fafaced8d054cbd23ce9c5635f46_JaffaCakes118.tmp | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4812 wrote to memory of 3960 | N/A | C:\Users\Admin\AppData\Local\Temp\a473fafaced8d054cbd23ce9c5635f46_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\is-CDAL8.tmp\a473fafaced8d054cbd23ce9c5635f46_JaffaCakes118.tmp |
| PID 4812 wrote to memory of 3960 | N/A | C:\Users\Admin\AppData\Local\Temp\a473fafaced8d054cbd23ce9c5635f46_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\is-CDAL8.tmp\a473fafaced8d054cbd23ce9c5635f46_JaffaCakes118.tmp |
| PID 4812 wrote to memory of 3960 | N/A | C:\Users\Admin\AppData\Local\Temp\a473fafaced8d054cbd23ce9c5635f46_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\is-CDAL8.tmp\a473fafaced8d054cbd23ce9c5635f46_JaffaCakes118.tmp |
Processes
C:\Users\Admin\AppData\Local\Temp\a473fafaced8d054cbd23ce9c5635f46_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a473fafaced8d054cbd23ce9c5635f46_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\is-CDAL8.tmp\a473fafaced8d054cbd23ce9c5635f46_JaffaCakes118.tmp
"C:\Users\Admin\AppData\Local\Temp\is-CDAL8.tmp\a473fafaced8d054cbd23ce9c5635f46_JaffaCakes118.tmp" /SL5="$501F2,500774,146432,C:\Users\Admin\AppData\Local\Temp\a473fafaced8d054cbd23ce9c5635f46_JaffaCakes118.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.simplyinstaller.com | udp |
| US | 8.8.8.8:53 | www.simplyinstaller.com | udp |
| US | 8.8.8.8:53 | cdn1.simplyinstaller.com | udp |
Files
memory/4812-0-0x0000000000400000-0x000000000042E000-memory.dmp
memory/4812-2-0x0000000000401000-0x0000000000412000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\is-CDAL8.tmp\a473fafaced8d054cbd23ce9c5635f46_JaffaCakes118.tmp
| MD5 | 53d53cb910b764c67c7bc5f46bfe38a2 |
| SHA1 | acb9ae29d4ab5857fe3c837bc8c571f0aadb3351 |
| SHA256 | f1c6a977297caf94eb3b07259116aa9412f5b2f11a48833104c5582f32f2b499 |
| SHA512 | dba598908f5123d2f45ef40c1619b827055bf4a49904024957008daeccd561b02d70fe95d8a3531e5dfbb290e7a9454d858c297d09fcbd48c151b11456099da9 |
memory/3960-7-0x0000000000400000-0x0000000000531000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\is-PKKHK.tmp\isxdl.dll
| MD5 | 48ad1a1c893ce7bf456277a0a085ed01 |
| SHA1 | 803997ef17eedf50969115c529a2bf8de585dc91 |
| SHA256 | b0cc4697b2fd1b4163fddca2050fc62a9e7d221864f1bd11e739144c90b685b3 |
| SHA512 | 7c9e7fe9f00c62cccb5921cb55ba0dd96a0077ad52962473c1e79cda1fd9aa101129637043955703121443e1f8b6b2860cd4dfdb71052b20a322e05deed101a4 |
C:\Users\Admin\AppData\Local\Temp\is-PKKHK.tmp\webbrowser.dll
| MD5 | b576c4fdd6d0d3db25e2917ff3cd95a4 |
| SHA1 | 3724f3708b4f8f76e9c8ff8c2f7bed70fc976d2d |
| SHA256 | 0ad1dc0094ad376eee23433b9416e8e1d7f6326a50c1f7bce5957f119ecc0e7e |
| SHA512 | 1a5e88a297b694dc7fe45756e5ef77abce5d1d45ef0a975f0278d8ce06cd32032ae34b62f436f83bc02463cab17802eca6bf1ab48930eceabdb3b72f45fbeefb |
memory/3960-21-0x00000000031D0000-0x0000000003240000-memory.dmp
memory/3960-28-0x0000000003250000-0x0000000003265000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\is-PKKHK.tmp\innocallback.dll
| MD5 | c161e8bee1e81d8d4f75ceb3a619f879 |
| SHA1 | 5c1319bfe5529c93e371faa616dcbf32fc7b0aaa |
| SHA256 | 1ce3e9e0bdca3aef9b68a7672696c11ac493bd2153d013c92aa078006c8184de |
| SHA512 | a6ac4418024b6e3bb2e490492ef9a2e0236a5a349cfcbb3256a646769dd9fdf144a2b1260cac42dda70c9cf98437dccb6ca0eb22548f2667ed6da906ecb861da |
C:\Users\Admin\AppData\Local\Temp\is-PKKHK.tmp\InnoSetupHelper.dll
| MD5 | 20c2b3abe8c4b988a411b40089bf8970 |
| SHA1 | 047f22029167d3691d2b752fa3d2a2faf366b0f4 |
| SHA256 | 0eac2329590de783c5959d3a3a7dc303c2dacf67035fcd0570029eee690b1da7 |
| SHA512 | 91d8c46269fec6437fbd1d336f38b4b285f3c0332d621b49aebb9701f66d4a804a918b556dea9047312944266c9fb516a7ba80ffe59068a119a11f751cc22289 |
memory/3960-39-0x0000000000400000-0x0000000000531000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\is-PKKHK.tmp\cinshlpr.dll
| MD5 | 4818c56b9a6bf004b594ab1dd041404a |
| SHA1 | 4cc884ff213452261a5e2d0d1601829a46f91bfb |
| SHA256 | 1211e889d76f4a3abfac9c5a5dd57b2847673d079a512b7c730151813e664f9b |
| SHA512 | 9312f951f7943c89f5cca75f8e0e71ef0d571360c651d958f54fccf2fbf87061ec5735e97f0256445096f6606327560f44ef505169764581c9a6db96b5ded7b2 |