Analysis Overview
SHA256
4b9c61fa848816cfbce8f37df123cef7d797f90a9611fb3a973f389a6c46964e
Threat Level: Shows suspicious behavior
The file 0252fca26eb68158d368567026880343_JaffaCakes118 was found to show suspicious behavior.
Malicious Activity Summary
UPX packed file
ACProtect 1.3x - 1.4x DLL software
Loads dropped DLL
Deletes itself
Installs/modifies Browser Helper Object
Drops file in System32 directory
Unsigned PE
Suspicious use of WriteProcessMemory
Modifies registry class
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-22 13:16
Signatures
UPX packed file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-22 13:16
Reported
2024-06-22 13:19
Platform
win7-20240508-en
Max time kernel
121s
Max time network
122s
Command Line
Signatures
ACProtect 1.3x - 1.4x DLL software
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0252fca26eb68158d368567026880343_JaffaCakes118.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Installs/modifies Browser Helper Object
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects | C:\Users\Admin\AppData\Local\Temp\0252fca26eb68158d368567026880343_JaffaCakes118.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3} | C:\Users\Admin\AppData\Local\Temp\0252fca26eb68158d368567026880343_JaffaCakes118.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{72853161-30C5-4D22-B7F9-0BBC1D38A37E} | C:\Users\Admin\AppData\Local\Temp\0252fca26eb68158d368567026880343_JaffaCakes118.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{B4F3A835-0E21-4959-BA22-42B3008E02FF} | C:\Users\Admin\AppData\Local\Temp\0252fca26eb68158d368567026880343_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{B3CDCA87-9BCA-4756-AF3E-BD7D17C4F69A} | C:\Users\Admin\AppData\Local\Temp\0252fca26eb68158d368567026880343_JaffaCakes118.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\SysWOW64\FG2Catch1.dll | C:\Users\Admin\AppData\Local\Temp\0252fca26eb68158d368567026880343_JaffaCakes118.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B3CDCA87-9BCA-4756-AF3E-BD7D17C4F69A} | C:\Users\Admin\AppData\Local\Temp\0252fca26eb68158d368567026880343_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B3CDCA87-9BCA-4756-AF3E-BD7D17C4F69A}\ = "FCatchurl" | C:\Users\Admin\AppData\Local\Temp\0252fca26eb68158d368567026880343_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B3CDCA87-9BCA-4756-AF3E-BD7D17C4F69A}\InprocServer32 | C:\Users\Admin\AppData\Local\Temp\0252fca26eb68158d368567026880343_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B3CDCA87-9BCA-4756-AF3E-BD7D17C4F69A}\InprocServer32\ = "C:\\Windows\\SysWow64\\FG2Catch1.dll" | C:\Users\Admin\AppData\Local\Temp\0252fca26eb68158d368567026880343_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B3CDCA87-9BCA-4756-AF3E-BD7D17C4F69A}\InprocServer32\ThreadingModel = "Apartment" | C:\Users\Admin\AppData\Local\Temp\0252fca26eb68158d368567026880343_JaffaCakes118.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 2244 wrote to memory of 2700 | N/A | C:\Users\Admin\AppData\Local\Temp\0252fca26eb68158d368567026880343_JaffaCakes118.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 2244 wrote to memory of 2700 | N/A | C:\Users\Admin\AppData\Local\Temp\0252fca26eb68158d368567026880343_JaffaCakes118.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 2244 wrote to memory of 2700 | N/A | C:\Users\Admin\AppData\Local\Temp\0252fca26eb68158d368567026880343_JaffaCakes118.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 2244 wrote to memory of 2700 | N/A | C:\Users\Admin\AppData\Local\Temp\0252fca26eb68158d368567026880343_JaffaCakes118.exe | C:\Windows\SysWOW64\cmd.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\0252fca26eb68158d368567026880343_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0252fca26eb68158d368567026880343_JaffaCakes118.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\_delme.bat
Network
Files
memory/2244-0-0x0000000000400000-0x00000000004E3000-memory.dmp
memory/2244-1-0x0000000000220000-0x0000000000221000-memory.dmp
\Windows\SysWOW64\FG2Catch1.dll
| Hash | Value |
| --- | --- |
| MD5 | a27846392dc10a7c5c5cde6406236bfe |
| SHA1 | 759f5fcb7ec5c617969f55c6a68e8efb506eabd8 |
| SHA256 | 11add83d3b4a164ad5e51c26902d0a0e015f0f65b4f4f93988939632f706ad8d |
| SHA512 | edaf420a4cd6804d3f424a282bd00df40ef4d15d34700bf0221b94f7e4c6193944295163365cec2e2114009a4f6044fa0962d3b25ee8fc8949a268c4d5ea8f5c |
memory/2244-17-0x0000000000400000-0x00000000004E3000-memory.dmp
memory/2244-14-0x0000000001FA0000-0x0000000002027000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_delme.bat
| Hash | Value |
| --- | --- |
| MD5 | 5b33305666b90e4b9a8b7b834797e8f2 |
| SHA1 | 79aa6d723af547a2514dcd7d2136ad84ed787c7c |
| SHA256 | e3a4dec6eba3f105f5099151d453851c24cc6e8975e2125d5400ac414fc0ab58 |
| SHA512 | f6446d893bc7d63b318782c5b54902bdbde8881ccf5fab800aab60f276c829260e80181dedac8a51c6873350fa022d9286624b39672190755720e6761847c043 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-22 13:16
Reported
2024-06-22 13:19
Platform
win10v2004-20240508-en
Max time kernel
125s
Max time network
126s
Command Line
Signatures
ACProtect 1.3x - 1.4x DLL software
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0252fca26eb68158d368567026880343_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0252fca26eb68158d368567026880343_JaffaCakes118.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Installs/modifies Browser Helper Object
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C} | C:\Users\Admin\AppData\Local\Temp\0252fca26eb68158d368567026880343_JaffaCakes118.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA} | C:\Users\Admin\AppData\Local\Temp\0252fca26eb68158d368567026880343_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{B3CDCA87-9BCA-4756-AF3E-BD7D17C4F69A} | C:\Users\Admin\AppData\Local\Temp\0252fca26eb68158d368567026880343_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects | C:\Users\Admin\AppData\Local\Temp\0252fca26eb68158d368567026880343_JaffaCakes118.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\SysWOW64\FG2Catch1.dll | C:\Users\Admin\AppData\Local\Temp\0252fca26eb68158d368567026880343_JaffaCakes118.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B3CDCA87-9BCA-4756-AF3E-BD7D17C4F69A}\InprocServer32\ = "C:\\Windows\\SysWow64\\FG2Catch1.dll" | C:\Users\Admin\AppData\Local\Temp\0252fca26eb68158d368567026880343_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B3CDCA87-9BCA-4756-AF3E-BD7D17C4F69A}\InprocServer32\ThreadingModel = "Apartment" | C:\Users\Admin\AppData\Local\Temp\0252fca26eb68158d368567026880343_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B3CDCA87-9BCA-4756-AF3E-BD7D17C4F69A} | C:\Users\Admin\AppData\Local\Temp\0252fca26eb68158d368567026880343_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B3CDCA87-9BCA-4756-AF3E-BD7D17C4F69A}\ = "FCatchurl" | C:\Users\Admin\AppData\Local\Temp\0252fca26eb68158d368567026880343_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B3CDCA87-9BCA-4756-AF3E-BD7D17C4F69A}\InprocServer32 | C:\Users\Admin\AppData\Local\Temp\0252fca26eb68158d368567026880343_JaffaCakes118.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 348 wrote to memory of 5052 | N/A | C:\Users\Admin\AppData\Local\Temp\0252fca26eb68158d368567026880343_JaffaCakes118.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 348 wrote to memory of 5052 | N/A | C:\Users\Admin\AppData\Local\Temp\0252fca26eb68158d368567026880343_JaffaCakes118.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 348 wrote to memory of 5052 | N/A | C:\Users\Admin\AppData\Local\Temp\0252fca26eb68158d368567026880343_JaffaCakes118.exe | C:\Windows\SysWOW64\cmd.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\0252fca26eb68158d368567026880343_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0252fca26eb68158d368567026880343_JaffaCakes118.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\_delme.bat
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3764,i,13544508926340531097,6671217806016090640,262144 --variations-seed-version --mojo-platform-channel-handle=3800 /prefetch:8
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 144.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.71.91.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.239.69.13.in-addr.arpa | udp |
Files
memory/348-0-0x0000000000400000-0x00000000004E3000-memory.dmp
memory/348-1-0x00000000007B0000-0x00000000007B1000-memory.dmp
C:\Windows\SysWOW64\FG2Catch1.dll
| Hash | Value |
| --- | --- |
| MD5 | a27846392dc10a7c5c5cde6406236bfe |
| SHA1 | 759f5fcb7ec5c617969f55c6a68e8efb506eabd8 |
| SHA256 | 11add83d3b4a164ad5e51c26902d0a0e015f0f65b4f4f93988939632f706ad8d |
| SHA512 | edaf420a4cd6804d3f424a282bd00df40ef4d15d34700bf0221b94f7e4c6193944295163365cec2e2114009a4f6044fa0962d3b25ee8fc8949a268c4d5ea8f5c |
memory/348-13-0x0000000002430000-0x00000000024B7000-memory.dmp
memory/348-15-0x0000000000400000-0x00000000004E3000-memory.dmp
memory/348-14-0x0000000002430000-0x00000000024B7000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_delme.bat
| Hash | Value |
| --- | --- |
| MD5 | 5b33305666b90e4b9a8b7b834797e8f2 |
| SHA1 | 79aa6d723af547a2514dcd7d2136ad84ed787c7c |
| SHA256 | e3a4dec6eba3f105f5099151d453851c24cc6e8975e2125d5400ac414fc0ab58 |
| SHA512 | f6446d893bc7d63b318782c5b54902bdbde8881ccf5fab800aab60f276c829260e80181dedac8a51c6873350fa022d9286624b39672190755720e6761847c043 |