Analysis Overview
SHA256
9f67cea814388754884dfa2778d0169136da473091ab3285b9f9ca444d5cc59e
Threat Level: Shows suspicious behavior
The file a473acd514a850165712078ec49ba3b4_JaffaCakes118 was found to show suspicious behavior.
Malicious Activity Summary
Loads dropped DLL
Unsigned PE
Enumerates physical storage devices
Modifies Internet Explorer settings
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-13 07:35
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-13 07:35
Reported
2024-06-13 07:38
Platform
win7-20240221-en
Max time kernel
135s
Max time network
145s
Command Line
Signatures
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a473acd514a850165712078ec49ba3b4_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a473acd514a850165712078ec49ba3b4_JaffaCakes118.exe | N/A |
Enumerates physical storage devices
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main | C:\Users\Admin\AppData\Local\Temp\a473acd514a850165712078ec49ba3b4_JaffaCakes118.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\a473acd514a850165712078ec49ba3b4_JaffaCakes118.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a473acd514a850165712078ec49ba3b4_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a473acd514a850165712078ec49ba3b4_JaffaCakes118.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\a473acd514a850165712078ec49ba3b4_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a473acd514a850165712078ec49ba3b4_JaffaCakes118.exe"
Network
Files
\Users\Admin\AppData\Local\Temp\sad1EB7.tmp
| MD5 | 50d7a4da5f1a4f2999b0178ccec1320d |
| SHA1 | 443d543e7b8ffec0b84768728d38d8c285ec615f |
| SHA256 | 28e40d56758faad7a04678a6a2628a10eaa8df9f63f49460a65d539262453245 |
| SHA512 | 0cdcb9e47db9e7c073381161386e9fddb19ab7848d456cbe26ab5ede44fd6ae04aab25c6dc438c458861651f1238e8ccb9976484c4d5e919cb25a5d52c165d7d |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-13 07:35
Reported
2024-06-13 07:38
Platform
win10v2004-20240611-en
Max time kernel
135s
Max time network
136s
Command Line
Signatures
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a473acd514a850165712078ec49ba3b4_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a473acd514a850165712078ec49ba3b4_JaffaCakes118.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\a473acd514a850165712078ec49ba3b4_JaffaCakes118.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a473acd514a850165712078ec49ba3b4_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a473acd514a850165712078ec49ba3b4_JaffaCakes118.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\a473acd514a850165712078ec49ba3b4_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a473acd514a850165712078ec49ba3b4_JaffaCakes118.exe"
Network
Files
C:\Users\Admin\AppData\Local\Temp\sad6BE9.tmp
| MD5 | 50d7a4da5f1a4f2999b0178ccec1320d |
| SHA1 | 443d543e7b8ffec0b84768728d38d8c285ec615f |
| SHA256 | 28e40d56758faad7a04678a6a2628a10eaa8df9f63f49460a65d539262453245 |
| SHA512 | 0cdcb9e47db9e7c073381161386e9fddb19ab7848d456cbe26ab5ede44fd6ae04aab25c6dc438c458861651f1238e8ccb9976484c4d5e919cb25a5d52c165d7d |