Analysis Overview
SHA256
e17b42395fa01c19748960be047473e10a3ce9de5b60198bbb44035b6b10bb95
Threat Level: Shows suspicious behavior
The file a62c1ee3e9a381f5ea7932bf0890a5ab_JaffaCakes118 was classified as: Shows suspicious behavior.
Malicious Activity Summary
Loads dropped DLL
Executes dropped EXE
Checks installed software on the system
Program crash
Unsigned PE
Enumerates physical storage devices
Suspicious use of SetWindowsHookEx
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-13 15:05
Signatures
Unsigned PE
Analysis: behavioral18
Detonation Overview
Submitted
2024-06-13 15:05
Reported
2024-06-13 15:08
Platform
win10v2004-20240508-en
Max time kernel
51s
Max time network
52s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1084 wrote to memory of 952 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1084 wrote to memory of 952 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1084 wrote to memory of 952 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\packet.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\packet.dll,#1
Network
Files
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-13 15:05
Reported
2024-06-13 15:08
Platform
win7-20240221-en
Max time kernel
141s
Max time network
141s
Command Line
Signatures
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a62c1ee3e9a381f5ea7932bf0890a5ab_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a62c1ee3e9a381f5ea7932bf0890a5ab_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a62c1ee3e9a381f5ea7932bf0890a5ab_JaffaCakes118.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a62c1ee3e9a381f5ea7932bf0890a5ab_JaffaCakes118.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\a62c1ee3e9a381f5ea7932bf0890a5ab_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a62c1ee3e9a381f5ea7932bf0890a5ab_JaffaCakes118.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | bitrope.com | udp |
| US | 54.161.222.85:80 | bitrope.com | tcp |
| US | 8.8.8.8:53 | www.hugedomains.com | udp |
| US | 172.67.70.191:443 | www.hugedomains.com | tcp |
Files
\Users\Admin\AppData\Local\Temp\nsiD2B.tmp\System.dll
| MD5 | bf712f32249029466fa86756f5546950 |
| SHA1 | 75ac4dc4808ac148ddd78f6b89a51afbd4091c2e |
| SHA256 | 7851cb12fa4131f1fee5de390d650ef65cac561279f1cfe70ad16cc9780210af |
| SHA512 | 13f69959b28416e0b8811c962a49309dca3f048a165457051a28a3eb51377dcaf99a15e86d7eee8f867a9e25ecf8c44da370ac8f530eeae7b5252eaba64b96f4 |
\Users\Admin\AppData\Local\Temp\nsiD2B.tmp\inetc.dll
| MD5 | 1fc1fbb2c7a14b7901fc9abbd6dbef10 |
| SHA1 | 4d9ed86f31075a3d3f674ff78f39c190a4098126 |
| SHA256 | 4f26394c93f1acb315c42c351983dafc7f094b2d05db6d7a1ba7dcb39a3a599e |
| SHA512 | 76d8ff7fc301cc5ff966ad8be17f0f3f2d869ef797c5a2c55a062305c02133a842906448741bf9818ec369bbb2932b9a9c2193ebc59835b50e8703db0090fdb2 |
\Users\Admin\AppData\Local\Temp\nsiD2B.tmp\nsDialogs.dll
| MD5 | 4ccc4a742d4423f2f0ed744fd9c81f63 |
| SHA1 | 704f00a1acc327fd879cf75fc90d0b8f927c36bc |
| SHA256 | 416133dd86c0dff6b0fcaf1f46dfe97fdc85b37f90effb2d369164a8f7e13ae6 |
| SHA512 | 790c5eb1f8b297e45054c855b66dfc18e9f3f1b1870559014dbefa3b9d5b6d33a993a9e089202e70f51a55d859b74e8605c6f633386fd9189b6f78941bf1bfdb |
Analysis: behavioral6
Detonation Overview
Submitted
2024-06-13 15:05
Reported
2024-06-13 15:08
Platform
win10v2004-20240611-en
Max time kernel
93s
Max time network
123s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4484 wrote to memory of 3924 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4484 wrote to memory of 3924 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4484 wrote to memory of 3924 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 3924 -ip 3924
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3924 -s 612
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 20.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| BE | 88.221.83.211:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 211.83.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp |
Files
Analysis: behavioral13
Detonation Overview
Submitted
2024-06-13 15:05
Reported
2024-06-13 15:08
Platform
win7-20240611-en
Max time kernel
117s
Max time network
122s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1732 wrote to memory of 2004 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1732 wrote to memory of 2004 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1732 wrote to memory of 2004 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1732 wrote to memory of 2004 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1732 wrote to memory of 2004 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1732 wrote to memory of 2004 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1732 wrote to memory of 2004 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\SkinMagic.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\SkinMagic.dll,#1
Network
Files
Analysis: behavioral14
Detonation Overview
Submitted
2024-06-13 15:05
Reported
2024-06-13 15:08
Platform
win10v2004-20240508-en
Max time kernel
51s
Max time network
51s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3224 wrote to memory of 3276 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3224 wrote to memory of 3276 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3224 wrote to memory of 3276 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\SkinMagic.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\SkinMagic.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
Files
Analysis: behavioral7
Detonation Overview
Submitted
2024-06-13 15:05
Reported
2024-06-13 15:08
Platform
win7-20231129-en
Max time kernel
121s
Max time network
122s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\inetc.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\inetc.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2864 -s 232
Network
Files
Analysis: behavioral10
Detonation Overview
Submitted
2024-06-13 15:05
Reported
2024-06-13 15:08
Platform
win10v2004-20240611-en
Max time kernel
93s
Max time network
142s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 700 wrote to memory of 1360 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 700 wrote to memory of 1360 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 700 wrote to memory of 1360 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1360 -ip 1360
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1360 -s 636
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 23.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 80.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 33.140.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
Files
Analysis: behavioral12
Detonation Overview
Submitted
2024-06-13 15:05
Reported
2024-06-13 15:08
Platform
win10v2004-20240508-en
Max time kernel
147s
Max time network
150s
Command Line
Signatures
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\BitRope P2P Accelerator.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\BitRope P2P Accelerator.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\BitRope P2P Accelerator.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\BitRope P2P Accelerator.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\BitRope P2P Accelerator.exe
"C:\Users\Admin\AppData\Local\Temp\BitRope P2P Accelerator.exe"
Network
Files
memory/3344-1-0x0000000000BA0000-0x0000000000C2A000-memory.dmp
Analysis: behavioral15
Detonation Overview
Submitted
2024-06-13 15:05
Reported
2024-06-13 15:08
Platform
win7-20240220-en
Max time kernel
119s
Max time network
121s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\UpdateApp.exe
"C:\Users\Admin\AppData\Local\Temp\UpdateApp.exe"
Network
Files
memory/840-0-0x00000000747C1000-0x00000000747C2000-memory.dmp
memory/840-1-0x00000000747C0000-0x0000000074D6B000-memory.dmp
memory/840-2-0x00000000747C0000-0x0000000074D6B000-memory.dmp
memory/840-3-0x00000000747C0000-0x0000000074D6B000-memory.dmp
Analysis: behavioral5
Detonation Overview
Submitted
2024-06-13 15:05
Reported
2024-06-13 15:08
Platform
win7-20240508-en
Max time kernel
118s
Max time network
118s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2412 -s 220
Network
Files
Analysis: behavioral9
Detonation Overview
Submitted
2024-06-13 15:05
Reported
2024-06-13 15:08
Platform
win7-20240611-en
Max time kernel
118s
Max time network
120s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1756 -s 240
Network
Files
Analysis: behavioral11
Detonation Overview
Submitted
2024-06-13 15:05
Reported
2024-06-13 15:08
Platform
win7-20240220-en
Max time kernel
119s
Max time network
120s
Command Line
Signatures
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\BitRope P2P Accelerator.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\BitRope P2P Accelerator.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\BitRope P2P Accelerator.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\BitRope P2P Accelerator.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\BitRope P2P Accelerator.exe
"C:\Users\Admin\AppData\Local\Temp\BitRope P2P Accelerator.exe"
Network
Files
memory/2820-0-0x0000000000300000-0x000000000038A000-memory.dmp
Analysis: behavioral8
Detonation Overview
Submitted
2024-06-13 15:05
Reported
2024-06-13 15:08
Platform
win10v2004-20240508-en
Max time kernel
51s
Max time network
51s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 884 wrote to memory of 3500 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 884 wrote to memory of 3500 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 884 wrote to memory of 3500 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\inetc.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\inetc.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 3500 -ip 3500
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3500 -s 624
Network
Files
Analysis: behavioral16
Detonation Overview
Submitted
2024-06-13 15:05
Reported
2024-06-13 15:08
Platform
win10v2004-20240611-en
Max time kernel
93s
Max time network
97s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\UpdateApp.exe
"C:\Users\Admin\AppData\Local\Temp\UpdateApp.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 74.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 80.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
Files
memory/2608-0-0x0000000074822000-0x0000000074823000-memory.dmp
memory/2608-1-0x0000000074820000-0x0000000074DD1000-memory.dmp
memory/2608-2-0x0000000074820000-0x0000000074DD1000-memory.dmp
memory/2608-4-0x0000000074820000-0x0000000074DD1000-memory.dmp
Analysis: behavioral17
Detonation Overview
Submitted
2024-06-13 15:05
Reported
2024-06-13 15:08
Platform
win7-20240611-en
Max time kernel
121s
Max time network
122s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1928 wrote to memory of 2356 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1928 wrote to memory of 2356 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1928 wrote to memory of 2356 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1928 wrote to memory of 2356 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1928 wrote to memory of 2356 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1928 wrote to memory of 2356 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1928 wrote to memory of 2356 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\packet.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\packet.dll,#1
Network
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-13 15:05
Reported
2024-06-13 15:08
Platform
win10v2004-20240611-en
Max time kernel
93s
Max time network
130s
Command Line
Signatures
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a62c1ee3e9a381f5ea7932bf0890a5ab_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a62c1ee3e9a381f5ea7932bf0890a5ab_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a62c1ee3e9a381f5ea7932bf0890a5ab_JaffaCakes118.exe | N/A |
Enumerates physical storage devices
Processes
C:\Users\Admin\AppData\Local\Temp\a62c1ee3e9a381f5ea7932bf0890a5ab_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a62c1ee3e9a381f5ea7932bf0890a5ab_JaffaCakes118.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | bitrope.com | udp |
| US | 52.86.6.113:80 | bitrope.com | tcp |
| US | 8.8.8.8:53 | www.hugedomains.com | udp |
| US | 172.67.70.191:443 | www.hugedomains.com | tcp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 113.6.86.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 191.70.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.181.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.169.217.172.in-addr.arpa | udp |
| BE | 2.17.107.131:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 131.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 80.90.14.23.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\nsv3B64.tmp\System.dll
| MD5 | bf712f32249029466fa86756f5546950 |
| SHA1 | 75ac4dc4808ac148ddd78f6b89a51afbd4091c2e |
| SHA256 | 7851cb12fa4131f1fee5de390d650ef65cac561279f1cfe70ad16cc9780210af |
| SHA512 | 13f69959b28416e0b8811c962a49309dca3f048a165457051a28a3eb51377dcaf99a15e86d7eee8f867a9e25ecf8c44da370ac8f530eeae7b5252eaba64b96f4 |
C:\Users\Admin\AppData\Local\Temp\nsv3B64.tmp\inetc.dll
| MD5 | 1fc1fbb2c7a14b7901fc9abbd6dbef10 |
| SHA1 | 4d9ed86f31075a3d3f674ff78f39c190a4098126 |
| SHA256 | 4f26394c93f1acb315c42c351983dafc7f094b2d05db6d7a1ba7dcb39a3a599e |
| SHA512 | 76d8ff7fc301cc5ff966ad8be17f0f3f2d869ef797c5a2c55a062305c02133a842906448741bf9818ec369bbb2932b9a9c2193ebc59835b50e8703db0090fdb2 |
C:\Users\Admin\AppData\Local\Temp\nsv3B64.tmp\nsDialogs.dll
| MD5 | 4ccc4a742d4423f2f0ed744fd9c81f63 |
| SHA1 | 704f00a1acc327fd879cf75fc90d0b8f927c36bc |
| SHA256 | 416133dd86c0dff6b0fcaf1f46dfe97fdc85b37f90effb2d369164a8f7e13ae6 |
| SHA512 | 790c5eb1f8b297e45054c855b66dfc18e9f3f1b1870559014dbefa3b9d5b6d33a993a9e089202e70f51a55d859b74e8605c6f633386fd9189b6f78941bf1bfdb |
Analysis: behavioral3
Detonation Overview
Submitted
2024-06-13 15:05
Reported
2024-06-13 15:08
Platform
win7-20240508-en
Max time kernel
121s
Max time network
122s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS84652936\installer.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS84652936\GenericSetup.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\PW001.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS84652936\installer.exe | N/A |
Checks installed software on the system
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS84652936\GenericSetup.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7zS84652936\GenericSetup.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\PW001.exe
"C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\PW001.exe"
C:\Users\Admin\AppData\Local\Temp\7zS84652936\installer.exe
.\installer.exe
C:\Users\Admin\AppData\Local\Temp\7zS84652936\GenericSetup.exe
C:\Users\Admin\AppData\Local\Temp\7zS84652936\GenericSetup.exe husertype=Admin
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | www.google.com | udp |
| US | 8.8.8.8:53 | flow.lavasoft.com | udp |
| US | 8.8.8.8:53 | flow.lavasoft.com | udp |
Files
\Users\Admin\AppData\Local\Temp\7zS84652936\installer.exe
| MD5 | 79e0c128a1ebbf0de98f4bd18c523f70 |
| SHA1 | 53541473d3f27066170452e95da8516e39f1c947 |
| SHA256 | a230720e5a75d7ee763b9f740e51fd2a3e5d29f9c053e9f9c7f2814718a5dd7b |
| SHA512 | 166fb07d17a34e07ea90e75f41d5db4ee292c487798bbc286e6b3778c8049942026a205443caa5c5763b3ea890dc1956a584e687564d017db0ed3d0bf93e76ca |
C:\Users\Admin\AppData\Local\Temp\7zS84652936\BundleConfig.xml
| MD5 | c0a417b3394c1f645bde55008662cf86 |
| SHA1 | b9034daf2a7080cb7ebf57e33f3867202fe2d4e9 |
| SHA256 | 35a59daed91192145f06fbeda58938613ada800027008566fd15446cdd4ebd9d |
| SHA512 | 47324c80eb0f8076287bf4fb7e5ea543ebedc654190d543416d20037ccb1b0163a122d3dab6b83ea450545cd76b76589f8a53af3eff3da4d77682c0906d23c14 |
C:\Users\Admin\AppData\Local\Temp\7zS84652936\GenericSetup.exe.config
| MD5 | 40e903f70b1412febaa4b889092bdd4f |
| SHA1 | 636fbfebf16dbb61be458614295d715783d06744 |
| SHA256 | d335033bc27c28ae3a4e22313d4c26f9b3f6b78c44acef4a2d8ba3c5a5d9f9a1 |
| SHA512 | c1defae5579282facdf91396a8ef2da299f1860580cf804a30b939fddebbfa75327ff82dbe1aa2c302303de963248eee73c2524c36ee39a651502fcff4aefc60 |
\Users\Admin\AppData\Local\Temp\7zS84652936\GenericSetup.exe
| MD5 | a9aa4270caa788444d552f2d3578e539 |
| SHA1 | bf9f679b34742698ba5321f257522c88f61c6e38 |
| SHA256 | 347ed24929f54062ef229bad598f5184ed3d601de3f3da8912c6c964c57100c1 |
| SHA512 | 39c9bd2f323b2a4c9470a1e3d52259389fb3f97cd6c37ab4732a002cdda68a40385fdc055982600259b08d84d1fb79da7b5a71758ec7a595bf5b8eccc28e5ea1 |
C:\Users\Admin\AppData\Local\Temp\7zS84652936\GenericSetup.exe.config
| MD5 | 76ef253427ea5f0150850f4197ad39ff |
| SHA1 | fd19dbbb2013d42993205a4d2a4c0ee574c62f77 |
| SHA256 | efa7b32246dc3bf588454d629695f4a7f292d95ce42c927584e62facfffef062 |
| SHA512 | 5a0e913f98b4ddf9a63f6ba33b07705cb946151067252c5f6e49ab66c94d423bee9f84d9b732ff0df77fb7cd0f058de0d001bba81bfec88e2307cac4ce33123a |
memory/1192-39-0x000007FEF5B73000-0x000007FEF5B74000-memory.dmp
memory/1192-41-0x0000000000260000-0x0000000000270000-memory.dmp
memory/1192-43-0x0000000001E50000-0x0000000001EB8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7zS84652936\DevLib.dll
| MD5 | 6ef90166cd0485d28f9041d95c1893a9 |
| SHA1 | be16f54ff32b3a15fc8ee22fa8cdcf783c196c9b |
| SHA256 | b1e20529054b4f884e6e60eb0159a38520a36d90a57f3384e12f7f4351ea2ebe |
| SHA512 | cd849a4555bec3befd78ca5ce582e899fe08d75093a6e69f6ce1de1081471a4f9aba912a8ee5947a9ff6b29a25f403058ba22c32adbdd6b05ff014ff7d65a75a |
memory/1192-44-0x000007FEF5B70000-0x000007FEF655C000-memory.dmp
memory/1192-49-0x000007FEF5B73000-0x000007FEF5B74000-memory.dmp
memory/1192-50-0x000007FEF5B70000-0x000007FEF655C000-memory.dmp
Analysis: behavioral4
Detonation Overview
Submitted
2024-06-13 15:05
Reported
2024-06-13 15:08
Platform
win10v2004-20240508-en
Max time kernel
40s
Max time network
49s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS852470C7\installer.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS852470C7\GenericSetup.exe | N/A |
Checks installed software on the system
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS852470C7\GenericSetup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS852470C7\GenericSetup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS852470C7\GenericSetup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS852470C7\GenericSetup.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7zS852470C7\GenericSetup.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4696 wrote to memory of 1276 | N/A | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\PW001.exe | C:\Users\Admin\AppData\Local\Temp\7zS852470C7\installer.exe |
| PID 4696 wrote to memory of 1276 | N/A | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\PW001.exe | C:\Users\Admin\AppData\Local\Temp\7zS852470C7\installer.exe |
| PID 4696 wrote to memory of 1276 | N/A | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\PW001.exe | C:\Users\Admin\AppData\Local\Temp\7zS852470C7\installer.exe |
| PID 1276 wrote to memory of 3184 | N/A | C:\Users\Admin\AppData\Local\Temp\7zS852470C7\installer.exe | C:\Users\Admin\AppData\Local\Temp\7zS852470C7\GenericSetup.exe |
| PID 1276 wrote to memory of 3184 | N/A | C:\Users\Admin\AppData\Local\Temp\7zS852470C7\installer.exe | C:\Users\Admin\AppData\Local\Temp\7zS852470C7\GenericSetup.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\PW001.exe
"C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\PW001.exe"
C:\Users\Admin\AppData\Local\Temp\7zS852470C7\installer.exe
.\installer.exe
C:\Users\Admin\AppData\Local\Temp\7zS852470C7\GenericSetup.exe
C:\Users\Admin\AppData\Local\Temp\7zS852470C7\GenericSetup.exe husertype=Admin
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | www.google.com | udp |
| US | 8.8.8.8:53 | flow.lavasoft.com | udp |
| US | 8.8.8.8:53 | flow.lavasoft.com | udp |
Files
C:\Users\Admin\AppData\Local\Temp\7zS852470C7\installer.exe
| MD5 | 79e0c128a1ebbf0de98f4bd18c523f70 |
| SHA1 | 53541473d3f27066170452e95da8516e39f1c947 |
| SHA256 | a230720e5a75d7ee763b9f740e51fd2a3e5d29f9c053e9f9c7f2814718a5dd7b |
| SHA512 | 166fb07d17a34e07ea90e75f41d5db4ee292c487798bbc286e6b3778c8049942026a205443caa5c5763b3ea890dc1956a584e687564d017db0ed3d0bf93e76ca |
C:\Users\Admin\AppData\Local\Temp\7zS852470C7\BundleConfig.xml
| MD5 | c0a417b3394c1f645bde55008662cf86 |
| SHA1 | b9034daf2a7080cb7ebf57e33f3867202fe2d4e9 |
| SHA256 | 35a59daed91192145f06fbeda58938613ada800027008566fd15446cdd4ebd9d |
| SHA512 | 47324c80eb0f8076287bf4fb7e5ea543ebedc654190d543416d20037ccb1b0163a122d3dab6b83ea450545cd76b76589f8a53af3eff3da4d77682c0906d23c14 |
C:\Users\Admin\AppData\Local\Temp\7zS852470C7\GenericSetup.exe.config
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Temp\7zS852470C7\GenericSetup.exe
| MD5 | a9aa4270caa788444d552f2d3578e539 |
| SHA1 | bf9f679b34742698ba5321f257522c88f61c6e38 |
| SHA256 | 347ed24929f54062ef229bad598f5184ed3d601de3f3da8912c6c964c57100c1 |
| SHA512 | 39c9bd2f323b2a4c9470a1e3d52259389fb3f97cd6c37ab4732a002cdda68a40385fdc055982600259b08d84d1fb79da7b5a71758ec7a595bf5b8eccc28e5ea1 |
C:\Users\Admin\AppData\Local\Temp\7zS852470C7\GenericSetup.exe.config
| MD5 | 2820f49b45395438974338a7a065045d |
| SHA1 | 6a1ebc8205ed8a3b395f30f39b1265185307a9a2 |
| SHA256 | 11a89337357b8b40b8c577e30e342b4840229fa098e3aab8c512d07364dfe66c |
| SHA512 | de04ece30e952206376e30b04e7e623668f83e2614199d640d0a328fca9515b80fb58086ddb6d1d32c445573e7fa965df32625e9ebd16536089c1fa6a1ba3633 |
memory/3184-36-0x00007FFDAE393000-0x00007FFDAE395000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7zS852470C7\DevLib.dll
| MD5 | 6ef90166cd0485d28f9041d95c1893a9 |
| SHA1 | be16f54ff32b3a15fc8ee22fa8cdcf783c196c9b |
| SHA256 | b1e20529054b4f884e6e60eb0159a38520a36d90a57f3384e12f7f4351ea2ebe |
| SHA512 | cd849a4555bec3befd78ca5ce582e899fe08d75093a6e69f6ce1de1081471a4f9aba912a8ee5947a9ff6b29a25f403058ba22c32adbdd6b05ff014ff7d65a75a |
memory/3184-38-0x0000000000EB0000-0x0000000000EC0000-memory.dmp
memory/3184-40-0x000000001B9C0000-0x000000001BA28000-memory.dmp
memory/3184-41-0x000000001BE30000-0x000000001BE80000-memory.dmp
memory/3184-46-0x00007FFDAE390000-0x00007FFDAEE51000-memory.dmp
memory/3184-47-0x00007FFDAE393000-0x00007FFDAE395000-memory.dmp
memory/3184-48-0x00007FFDAE390000-0x00007FFDAEE51000-memory.dmp