Analysis Overview
SHA256
d5ea117bf8c3f798f9d61f546af074e36f0162ce48af1c72210f76024fef82ce
Threat Level: Likely benign
The file a473b5198f8f8a862cefab74dadef499_JaffaCakes118 was found to be: Likely benign.
Malicious Activity Summary
Checks computer location settings
Enumerates physical storage devices
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-13 07:35
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-13 07:35
Reported
2024-06-13 07:38
Platform
win7-20240221-en
Max time kernel
119s
Max time network
123s
Command Line
Signatures
Enumerates physical storage devices
Runs ping.exe
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a473b5198f8f8a862cefab74dadef499_JaffaCakes118.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a473b5198f8f8a862cefab74dadef499_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a473b5198f8f8a862cefab74dadef499_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a473b5198f8f8a862cefab74dadef499_JaffaCakes118.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\a473b5198f8f8a862cefab74dadef499_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a473b5198f8f8a862cefab74dadef499_JaffaCakes118.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\16386.bat" "C:\Users\Admin\AppData\Local\Temp\12D3F88BDE924735A055ED4CDFE3E938\""
C:\Windows\SysWOW64\PING.EXE
ping 1.1.1.1 -n 1 -w 1000
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | t8u4n6u7.ssl.hwcdn.net | udp |
| US | 205.185.208.154:443 | t8u4n6u7.ssl.hwcdn.net | tcp |
| US | 8.8.8.8:53 | c6m7w2m9.ssl.hwcdn.net | udp |
| US | 205.185.208.154:443 | c6m7w2m9.ssl.hwcdn.net | tcp |
| US | 205.185.208.154:443 | c6m7w2m9.ssl.hwcdn.net | tcp |
| US | 8.8.8.8:53 | fallback.playtech-installer.com | udp |
| US | 205.185.208.154:443 | c6m7w2m9.ssl.hwcdn.net | tcp |
| US | 8.8.8.8:53 | log.web-installer-assets.com | udp |
Files
C:\Users\Admin\AppData\Local\Temp\12D3F88BDE924735A055ED4CDFE3E938\12D3F88BDE924735A055ED4CDFE3E938_LogFile.txt
| MD5 | d1a28c1e4fb2ee1c91cc91a199318ae8 |
| SHA1 | 091dbc0005b0233626c01483d1ff50c528007318 |
| SHA256 | bad9c3c84c9e693c3aaef8e97ffe5585dc80870e181e0d1e6dd48662f365bf89 |
| SHA512 | e3024b6c85db41ada301fad763b68e655be905f84de9625ccfdf7411108148702712525b01b59a16facdf5b4e083d58d6d6b14fd959f2e5221802c8208ebc728 |
memory/2820-61-0x00000000005F0000-0x00000000005F1000-memory.dmp
memory/2820-186-0x00000000005F0000-0x00000000005F1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\16386.bat
| MD5 | 668767f1e0c7ff2b3960447e259e9f00 |
| SHA1 | 32d8abf834cce72f5e845175a0af2513b00504d8 |
| SHA256 | cdb93994093a24991c246d8b6f7003920a510a45bfc8441521314ce22a79191d |
| SHA512 | c07f26c8601cf91d9805004668463721ab91e14f3cc59e77e20f43d98e070ea8e742c38fe8021c4ffb1ebc02e3743ab732b66ff84bb24b59a5fdcc8634c77680 |
C:\Users\Admin\AppData\Local\Temp\12D3F88BDE924735A055ED4CDFE3E938\12D3F8~1.TXT
| MD5 | 606aea6b53e36d7d1a719a89658f7468 |
| SHA1 | 60134ea5a8dda1538df371af8496cc1774b67260 |
| SHA256 | 71b5d331250ce7b63cb69af4b93d806aa0580bb35db0ac07dde136f6a41dafd7 |
| SHA512 | 054b4b890ea34873f7bcd0987c4ed8aeca8edf72bf7e9ab12a48f815cbba1590fd68e155355795f191dc7faef59048d9098f81e137a4ae681326de75fa50b0db |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-13 07:35
Reported
2024-06-13 07:38
Platform
win10v2004-20240508-en
Max time kernel
79s
Max time network
100s
Command Line
Signatures
Checks computer location settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\a473b5198f8f8a862cefab74dadef499_JaffaCakes118.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a473b5198f8f8a862cefab74dadef499_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a473b5198f8f8a862cefab74dadef499_JaffaCakes118.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a473b5198f8f8a862cefab74dadef499_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a473b5198f8f8a862cefab74dadef499_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a473b5198f8f8a862cefab74dadef499_JaffaCakes118.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 4312 wrote to memory of 1860 | N/A | C:\Users\Admin\AppData\Local\Temp\a473b5198f8f8a862cefab74dadef499_JaffaCakes118.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 4312 wrote to memory of 1860 | N/A | C:\Users\Admin\AppData\Local\Temp\a473b5198f8f8a862cefab74dadef499_JaffaCakes118.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 4312 wrote to memory of 1860 | N/A | C:\Users\Admin\AppData\Local\Temp\a473b5198f8f8a862cefab74dadef499_JaffaCakes118.exe | C:\Windows\SysWOW64\cmd.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\a473b5198f8f8a862cefab74dadef499_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a473b5198f8f8a862cefab74dadef499_JaffaCakes118.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\28525.bat" "C:\Users\Admin\AppData\Local\Temp\9225A02077C942F48C2C515CC687BE6E\""
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | t8u4n6u7.ssl.hwcdn.net | udp |
| US | 8.8.8.8:53 | c6m7w2m9.ssl.hwcdn.net | udp |
| US | 8.8.8.8:53 | t8u4n6u7.ssl.hwcdn.net | udp |
| US | 8.8.8.8:53 | fallback.playtech-installer.com | udp |
| US | 8.8.8.8:53 | t8u4n6u7.ssl.hwcdn.net | udp |
| US | 8.8.8.8:53 | log.web-installer-assets.com | udp |
| US | 52.111.229.43:443 | | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\9225A02077C942F48C2C515CC687BE6E\9225A02077C942F48C2C515CC687BE6E_LogFile.txt
| MD5 | 172e912f5ef6c048e50237180d129930 |
| SHA1 | 780cffdb7b36c1ab9bea5dee4b3f4e5453e0de44 |
| SHA256 | e44699bd9250c04303b28a9a4787b986a90d9dbaddb2b9578885350d679a399e |
| SHA512 | 02a87af57ee8b60d04c3461637fb371ddc9a64d1b605be7401541c190c5a807706d5b52a2ae2bb95cd9e76badcacceea854a82d96f1bbdd3c0fe2b95053eebcf |
C:\Users\Admin\AppData\Local\Temp\9225A02077C942F48C2C515CC687BE6E\9225A02077C942F48C2C515CC687BE6E_LogFile.txt
| MD5 | 472db94d4d3a939955cfc964e0c4d4a5 |
| SHA1 | 1aaf64f4b98017edce4054ec0fb848f8200ca91a |
| SHA256 | 18440334d72d02943fac432b802a67a45d5b7539e0276dc5b4b5016341728106 |
| SHA512 | c0b17b2e702dafa588877cbe56a15b72cb80e61f626db1deb86707c952a3df67f674a191bff1e2862019f89b05dba6c95d3445e4e0baedc04d9e67ce32cc9a07 |
memory/4312-63-0x0000000003C90000-0x0000000003C91000-memory.dmp
memory/4312-156-0x0000000003C90000-0x0000000003C91000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\28525.bat
| MD5 | 668767f1e0c7ff2b3960447e259e9f00 |
| SHA1 | 32d8abf834cce72f5e845175a0af2513b00504d8 |
| SHA256 | cdb93994093a24991c246d8b6f7003920a510a45bfc8441521314ce22a79191d |
| SHA512 | c07f26c8601cf91d9805004668463721ab91e14f3cc59e77e20f43d98e070ea8e742c38fe8021c4ffb1ebc02e3743ab732b66ff84bb24b59a5fdcc8634c77680 |
C:\Users\Admin\AppData\Local\Temp\9225A02077C942F48C2C515CC687BE6E\9225A0~1.TXT
| MD5 | d8debfd93ac886bff230286917310807 |
| SHA1 | ecae62d2eeb608d091427a98865e1652b6bdd941 |
| SHA256 | 83ac957dc66c5cc93d261efd8bd21d8b55658ee11199094e24e9ed88d6ddce1b |
| SHA512 | dd5a746a62f16a5b2d39ad97b0bb3bf4bf215ca1c8166a2b21d43253828ac62ef3fa34bc6de5ff2b01eab195a9d6adf5f63ed374812002fc5fbe240cfb0a522e |