Analysis Overview
SHA256
34b6799f07c656918d96639d13b299b26ee7b592629d217438eff8b4b277d1fb
Threat Level: Likely malicious
The file a5079d2183bdf000710a2f4edcfdf3f8_JaffaCakes118 was found to be: Likely malicious.
Malicious Activity Summary
Blocklisted process makes network request
Unexpected DNS network traffic destination
Deletes itself
Loads dropped DLL
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious behavior: GetForegroundWindowSpam
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-06-13 10:14
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-13 10:14
Reported
2024-06-13 10:17
Platform
win7-20240508-en
Max time kernel
149s
Max time network
149s
Command Line
Signatures
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a5079d2183bdf000710a2f4edcfdf3f8_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Unexpected DNS network traffic destination
| Description | Indicator | Process | Target |
| Destination IP | 109.69.8.34 | N/A | N/A |
| Destination IP | 5.135.183.146 | N/A | N/A |
| Destination IP | 151.80.147.153 | N/A | N/A |
| Destination IP | 212.73.150.183 | N/A | N/A |
| Destination IP | 185.190.82.182 | N/A | N/A |
| Destination IP | 188.165.200.156 | N/A | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a5079d2183bdf000710a2f4edcfdf3f8_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a5079d2183bdf000710a2f4edcfdf3f8_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\a5079d2183bdf000710a2f4edcfdf3f8_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a5079d2183bdf000710a2f4edcfdf3f8_JaffaCakes118.exe"
C:\Windows\system32\taskeng.exe
taskeng.exe {FB3610A5-217B-46D0-BEEE-057FF1FC40AD} S-1-5-21-2737914667-933161113-3798636211-1000:PUMARTNR\Admin:Interactive:[1]
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\ProgramData\ghbamjdm\bfjnednc.dhf",DllGetClassObject host
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\ProgramData\ghbamjdm\bfjnednc.dhf",DllGetClassObject host
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | namecha.in | udp |
| BG | 212.73.150.183:53 | N/A | tcp |
| ES | 109.69.8.34:53 | N/A | tcp |
| FR | 5.135.183.146:53 | N/A | tcp |
| US | 185.190.82.182:53 | N/A | tcp |
| FR | 151.80.147.153:53 | N/A | tcp |
| FR | 188.165.200.156:53 | N/A | tcp |
| US | 8.8.8.8:53 | stat-counter-3-1.bit | udp |
Files
memory/376-0-0x0000000000400000-0x0000000000458000-memory.dmp
memory/376-1-0x0000000000400000-0x0000000000458000-memory.dmp
\Users\Admin\AppData\Local\Temp\27DB.tmp
| MD5 | 0f09bcd355ac453606e8a2e953cd7c1e |
| SHA1 | 942cf739cca27ed8fd28d4b2c153033ffaa48e77 |
| SHA256 | 8843a2a66395fa409c66beacc3d2b928e2195a12827450f2d6381bfdf51595d0 |
| SHA512 | e187f068f8beb7b2d1a53222a290a02033a0806ae48479f8fc666e7578c6fd3e7e61cd3fb1748c61c42a2750e964731c4dc84e679da599122c63e8c7e9c550fc |
memory/376-6-0x00000000001E0000-0x00000000001E1000-memory.dmp
memory/376-5-0x0000000002160000-0x0000000002161000-memory.dmp
memory/376-7-0x0000000000560000-0x00000000005C9000-memory.dmp
memory/376-8-0x0000000000560000-0x00000000005C9000-memory.dmp
memory/376-10-0x00000000001F0000-0x00000000001F1000-memory.dmp
memory/376-9-0x0000000001E90000-0x0000000001E91000-memory.dmp
memory/376-16-0x0000000000560000-0x00000000005C9000-memory.dmp
memory/376-17-0x0000000000400000-0x0000000000458000-memory.dmp
memory/2768-20-0x0000000000740000-0x00000000007A9000-memory.dmp
memory/2768-21-0x0000000000740000-0x00000000007A9000-memory.dmp
memory/2768-22-0x00000000026A0000-0x00000000026A1000-memory.dmp
C:\ProgramData\ghbamjdm\0d0240c254ca
| MD5 | 5b76b3f86d0e1f3f397c9f5cf4e2ae3c |
| SHA1 | 8acac8e96af0c85efa46a117efa028002dc53403 |
| SHA256 | 84af7190bb4943e9acf8cc7acd64c54091c13195de7995f3ca1445054d4dbdec |
| SHA512 | 344e4a8da4e222cb78e1d3dd67835c3d5473a2d93b3cfec32ee1304ffa47ba17eeb5939bc8fe36e9da9d5034daa8d7a167442759340c0a61bc9e5978533d9900 |
C:\Users\Admin\AppData\Local\Temp\27DB.tmp
| MD5 | 9a359c7a57a9af742c9e0aa59c047cfb |
| SHA1 | 017d90de87eab0b0c5b73e6eacbb5b637440d7f1 |
| SHA256 | 309a1ec1fa3fbd4ecdfb2301df0991e43137f4bb8a57fd4831ac343d7f780bd5 |
| SHA512 | 79b589508baa24b0078ef9ada55c887b97d02430d4c14533193150ba5e1335527c3b898063848d65c6038cb63e87ee2bd7d9678d75a35a5b3e79af78a7429acb |
memory/2768-34-0x0000000000740000-0x00000000007A9000-memory.dmp
memory/2768-35-0x0000000000740000-0x00000000007A9000-memory.dmp
memory/2768-37-0x0000000000740000-0x00000000007A9000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-13 10:14
Reported
2024-06-13 10:17
Platform
win10v2004-20240508-en
Max time kernel
148s
Max time network
151s
Command Line
Signatures
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a5079d2183bdf000710a2f4edcfdf3f8_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a5079d2183bdf000710a2f4edcfdf3f8_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Unexpected DNS network traffic destination
| Description | Indicator | Process | Target |
| Destination IP | 188.165.200.156 | N/A | N/A |
| Destination IP | 109.69.8.34 | N/A | N/A |
| Destination IP | 151.80.147.153 | N/A | N/A |
| Destination IP | 5.135.183.146 | N/A | N/A |
| Destination IP | 185.190.82.182 | N/A | N/A |
| Destination IP | 212.73.150.183 | N/A | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a5079d2183bdf000710a2f4edcfdf3f8_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a5079d2183bdf000710a2f4edcfdf3f8_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a5079d2183bdf000710a2f4edcfdf3f8_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a5079d2183bdf000710a2f4edcfdf3f8_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4192 wrote to memory of 456 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4192 wrote to memory of 456 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4192 wrote to memory of 456 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\a5079d2183bdf000710a2f4edcfdf3f8_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a5079d2183bdf000710a2f4edcfdf3f8_JaffaCakes118.exe"
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\ProgramData\bnbcifpe\gjglalel.kfj",DllGetClassObject host
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\ProgramData\bnbcifpe\gjglalel.kfj",DllGetClassObject host
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | namecha.in | udp |
| BG | 212.73.150.183:53 | N/A | tcp |
| FR | 5.135.183.146:53 | N/A | tcp |
| US | 185.190.82.182:53 | N/A | tcp |
| FR | 188.165.200.156:53 | N/A | tcp |
| ES | 109.69.8.34:53 | N/A | tcp |
| FR | 151.80.147.153:53 | N/A | tcp |
| US | 8.8.8.8:53 | stat-counter-3-1.bit | udp |
Files
memory/868-0-0x0000000000400000-0x0000000000458000-memory.dmp
memory/868-1-0x0000000002230000-0x0000000002231000-memory.dmp
memory/868-2-0x0000000000400000-0x0000000000458000-memory.dmp
memory/868-4-0x0000000002060000-0x0000000002061000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\50FE.tmp
| MD5 | 0f09bcd355ac453606e8a2e953cd7c1e |
| SHA1 | 942cf739cca27ed8fd28d4b2c153033ffaa48e77 |
| SHA256 | 8843a2a66395fa409c66beacc3d2b928e2195a12827450f2d6381bfdf51595d0 |
| SHA512 | e187f068f8beb7b2d1a53222a290a02033a0806ae48479f8fc666e7578c6fd3e7e61cd3fb1748c61c42a2750e964731c4dc84e679da599122c63e8c7e9c550fc |
memory/868-10-0x00000000020B0000-0x0000000002119000-memory.dmp
memory/868-11-0x00000000020B0000-0x0000000002119000-memory.dmp
memory/868-13-0x0000000002120000-0x0000000002121000-memory.dmp
memory/868-12-0x00000000021A0000-0x00000000021A1000-memory.dmp
memory/868-19-0x0000000000400000-0x0000000000458000-memory.dmp
memory/868-20-0x00000000020B0000-0x0000000002119000-memory.dmp
memory/456-23-0x0000000000CA0000-0x0000000000CA1000-memory.dmp
memory/456-25-0x0000000000AE0000-0x0000000000B49000-memory.dmp
memory/456-24-0x0000000000AE0000-0x0000000000B49000-memory.dmp
C:\ProgramData\bnbcifpe\f96874fcb6f5
| MD5 | b53babc887877ce234cbe7f47ac11ebf |
| SHA1 | 287ebfbc09d4e7b0d26c7b0d463ff3d3385279e5 |
| SHA256 | c43f8c0a671c3d87d81cbba8edc57fa728bfd68897739de491d2fedacc202f9e |
| SHA512 | eb845fc70900050d6182a7b295a2022b89d07819bc797c97ebdfc4dfb52dd9e2dedd6b84be9b7e475a3e1254f29c99cac46ae1dad7833bd3d2c4fb4ac5f87103 |
C:\Users\Admin\AppData\Local\Temp\50FE.tmp
| MD5 | df832baef4c9a62a43fa19bac03ea73f |
| SHA1 | 1585e964afcc4ce759339c6f9cc6f5e3908f3bdc |
| SHA256 | e011cf5a1c3fa9ce3f192ef87247a14465b419f02cbebf342af661de66a6a33e |
| SHA512 | 74c593819860f1ab87a85a9a8b9efc6045179760ef781790583383413004ca069d8f6aa185275c0e4618dc44a24b1ab45624b5c3b601e233999bf8ea1e14e839 |
memory/456-37-0x0000000000AE0000-0x0000000000B49000-memory.dmp
memory/456-39-0x0000000000CA0000-0x0000000000CA1000-memory.dmp
memory/456-38-0x0000000000AE0000-0x0000000000B49000-memory.dmp
memory/456-40-0x0000000000AE0000-0x0000000000B49000-memory.dmp
memory/456-46-0x0000000000AE0000-0x0000000000B49000-memory.dmp