Analysis Overview
SHA256
1ba533d70a278927e49d638c2c5249cd7a280e3d730920c23e21a843359840fa
Threat Level: Shows suspicious behavior
The file a4b31430be906470eafa8846db67543d_JaffaCakes118 was found to be: Shows suspicious behavior.
Malicious Activity Summary
UPX packed file
Suspicious use of SetThreadContext
Unsigned PE
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-06-13 08:48
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-13 08:48
Reported
2024-06-13 08:51
Platform
win7-20240611-en
Max time kernel
147s
Max time network
153s
Command Line
Signatures
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2224 set thread context of 1776 | N/A | C:\Users\Admin\AppData\Local\Temp\a4b31430be906470eafa8846db67543d_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\a4b31430be906470eafa8846db67543d_JaffaCakes118.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a4b31430be906470eafa8846db67543d_JaffaCakes118.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a4b31430be906470eafa8846db67543d_JaffaCakes118.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\a4b31430be906470eafa8846db67543d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a4b31430be906470eafa8846db67543d_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\a4b31430be906470eafa8846db67543d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a4b31430be906470eafa8846db67543d_JaffaCakes118.exe"
Network
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-13 08:48
Reported
2024-06-13 08:50
Platform
win10v2004-20240611-en
Max time kernel
144s
Max time network
150s
Command Line
Signatures
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1264 set thread context of 1896 | N/A | C:\Users\Admin\AppData\Local\Temp\a4b31430be906470eafa8846db67543d_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\a4b31430be906470eafa8846db67543d_JaffaCakes118.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a4b31430be906470eafa8846db67543d_JaffaCakes118.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a4b31430be906470eafa8846db67543d_JaffaCakes118.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\a4b31430be906470eafa8846db67543d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a4b31430be906470eafa8846db67543d_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\a4b31430be906470eafa8846db67543d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a4b31430be906470eafa8846db67543d_JaffaCakes118.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=3888,i,3549704109630749084,1975543916261970610,262144 --variations-seed-version --mojo-platform-channel-handle=4088 /prefetch:8
Network
Files