Analysis Overview
SHA256
c51d9653f562d303933325af00ec3c625e25cf90a4b28cf19d48f649c7629d80
Threat Level: Shows suspicious behavior
The file 0134862fee7bca8eb6abd2426af0df8f_JaffaCakes118 was classified as: Shows suspicious behavior.
Malicious Activity Summary
ASPack v2.12-2.42
Loads dropped DLL
Executes dropped EXE
UPX packed file
AutoIT Executable
Enumerates physical storage devices
Unsigned PE
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-23 21:33
Signatures
UPX packed file
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
AutoIT Executable
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-23 21:33
Reported
2024-06-23 21:36
Platform
win7-20240419-en
Max time kernel
145s
Max time network
123s
Command Line
Signatures
ASPack v2.12-2.42
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\P.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Paso5wrd.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0134862fee7bca8eb6abd2426af0df8f_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0134862fee7bca8eb6abd2426af0df8f_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0134862fee7bca8eb6abd2426af0df8f_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0134862fee7bca8eb6abd2426af0df8f_JaffaCakes118.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
AutoIT Executable
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Enumerates physical storage devices
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Paso5wrd.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\0134862fee7bca8eb6abd2426af0df8f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0134862fee7bca8eb6abd2426af0df8f_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\P.exe
C:\Users\Admin\AppData\Local\Temp/P.exe
C:\Users\Admin\AppData\Local\Temp\Paso5wrd.exe
C:\Users\Admin\AppData\Local\Temp/Paso5wrd.exe
Network
Files
memory/1576-0-0x0000000000400000-0x00000000004BF000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\P.exe
| MD5 | ac051026392a3ec7468a08a681eadb38 |
| SHA1 | 93e2fb65f049c3c8bf0354c371bf117ef422416c |
| SHA256 | 415b50da794354632adec5210abcf436106ec16babc4e6b33d319b98655e8083 |
| SHA512 | d44562dcec8d65eeac4593477c33a61d56504da5e30fa5a8c5a0e90ee2644e7b3d7f3ac1817786a8fb823c957105bc81e5a99ca3687bada118af2d44b36c5eac |
\Users\Admin\AppData\Local\Temp\Paso5wrd.exe
| MD5 | d0b5e23af0fc410b41450054e603dd2b |
| SHA1 | c16ea1b07278fb42703408e7a8353e633504c92a |
| SHA256 | 8546c7c53335031652597551d8d6b7bdc637127a5e9c242decb835d85e693b51 |
| SHA512 | 2b37430d8cc66821c59fce77acdda94c892a4cdf260fac0ce59c5b36cbd54f18934aab896d89f4a0f9b1f7879be10e54cd042396566284dd9ec1d45c709e91ce |
memory/1576-27-0x0000000000400000-0x00000000004BF000-memory.dmp
memory/2612-28-0x00000000001C0000-0x00000000001C1000-memory.dmp
memory/2612-39-0x00000000001C0000-0x00000000001C1000-memory.dmp
memory/2612-40-0x0000000000400000-0x00000000004B7000-memory.dmp
memory/2612-41-0x0000000000400000-0x00000000004B7000-memory.dmp
memory/2612-42-0x0000000000400000-0x00000000004B7000-memory.dmp
memory/2612-43-0x0000000000400000-0x00000000004B7000-memory.dmp
memory/2612-44-0x0000000000400000-0x00000000004B7000-memory.dmp
memory/2612-45-0x0000000000400000-0x00000000004B7000-memory.dmp
memory/2612-46-0x0000000000400000-0x00000000004B7000-memory.dmp
memory/2612-47-0x0000000000400000-0x00000000004B7000-memory.dmp
memory/2612-48-0x0000000000400000-0x00000000004B7000-memory.dmp
memory/2612-49-0x0000000000400000-0x00000000004B7000-memory.dmp
memory/2612-50-0x0000000000400000-0x00000000004B7000-memory.dmp
memory/2612-51-0x0000000000400000-0x00000000004B7000-memory.dmp
memory/2612-52-0x0000000000400000-0x00000000004B7000-memory.dmp
memory/2612-53-0x0000000000400000-0x00000000004B7000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-23 21:33
Reported
2024-06-23 21:36
Platform
win10v2004-20240508-en
Max time kernel
146s
Max time network
53s
Command Line
Signatures
ASPack v2.12-2.42
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\P.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Paso5wrd.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
AutoIT Executable
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Enumerates physical storage devices
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Paso5wrd.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\0134862fee7bca8eb6abd2426af0df8f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0134862fee7bca8eb6abd2426af0df8f_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\P.exe
C:\Users\Admin\AppData\Local\Temp/P.exe
C:\Users\Admin\AppData\Local\Temp\Paso5wrd.exe
C:\Users\Admin\AppData\Local\Temp/Paso5wrd.exe
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
Files
memory/2204-0-0x0000000000400000-0x00000000004BF000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\aut48E0.tmp
| MD5 | ac051026392a3ec7468a08a681eadb38 |
| SHA1 | 93e2fb65f049c3c8bf0354c371bf117ef422416c |
| SHA256 | 415b50da794354632adec5210abcf436106ec16babc4e6b33d319b98655e8083 |
| SHA512 | d44562dcec8d65eeac4593477c33a61d56504da5e30fa5a8c5a0e90ee2644e7b3d7f3ac1817786a8fb823c957105bc81e5a99ca3687bada118af2d44b36c5eac |
C:\Users\Admin\AppData\Local\Temp\Paso5wrd.exe
| MD5 | d0b5e23af0fc410b41450054e603dd2b |
| SHA1 | c16ea1b07278fb42703408e7a8353e633504c92a |
| SHA256 | 8546c7c53335031652597551d8d6b7bdc637127a5e9c242decb835d85e693b51 |
| SHA512 | 2b37430d8cc66821c59fce77acdda94c892a4cdf260fac0ce59c5b36cbd54f18934aab896d89f4a0f9b1f7879be10e54cd042396566284dd9ec1d45c709e91ce |
memory/2204-20-0x0000000000400000-0x00000000004BF000-memory.dmp
memory/1628-22-0x0000000002340000-0x0000000002341000-memory.dmp
memory/1628-31-0x0000000000400000-0x00000000004B7000-memory.dmp
memory/1628-32-0x0000000000400000-0x00000000004B7000-memory.dmp
memory/1628-33-0x0000000002340000-0x0000000002341000-memory.dmp
memory/1628-34-0x0000000000400000-0x00000000004B7000-memory.dmp
memory/1628-35-0x0000000000400000-0x00000000004B7000-memory.dmp
memory/1628-36-0x0000000000400000-0x00000000004B7000-memory.dmp
memory/1628-37-0x0000000000400000-0x00000000004B7000-memory.dmp
memory/1628-38-0x0000000000400000-0x00000000004B7000-memory.dmp
memory/1628-39-0x0000000000400000-0x00000000004B7000-memory.dmp
memory/1628-40-0x0000000000400000-0x00000000004B7000-memory.dmp
memory/1628-41-0x0000000000400000-0x00000000004B7000-memory.dmp
memory/1628-42-0x0000000000400000-0x00000000004B7000-memory.dmp
memory/1628-43-0x0000000000400000-0x00000000004B7000-memory.dmp
memory/1628-44-0x0000000000400000-0x00000000004B7000-memory.dmp
memory/1628-45-0x0000000000400000-0x00000000004B7000-memory.dmp