Analysis Overview
SHA256
ceffd78a821d7cc8108d59cd70b2c4ac0d96602f0cf32269679d22b54718a8fd
Threat Level: Shows suspicious behavior
The file 05d7368f45843a53ea250260a936020b_JaffaCakes118 was found to show suspicious behavior.
Malicious Activity Summary
Loads dropped DLL
ASPack v2.12-2.42
Adds Run key to start application
Checks installed software on the system
Drops file in Windows directory
Unsigned PE
Suspicious use of SetWindowsHookEx
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-24 00:44
Signatures
ASPack v2.12-2.42
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-24 00:44
Reported
2024-06-24 00:47
Platform
win10v2004-20240508-en
Max time kernel
149s
Max time network
156s
Command Line
Signatures
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\05d7368f45843a53ea250260a936020b_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\05d7368f45843a53ea250260a936020b_JaffaCakes118.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSNShell = "C:\\Users\\Admin\\AppData\\Local\\Temp\\05d7368f45843a53ea250260a936020b_JaffaCakes118.exe" | C:\Users\Admin\AppData\Local\Temp\05d7368f45843a53ea250260a936020b_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSNShell = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MSNShell.exe" | C:\Users\Admin\AppData\Local\Temp\05d7368f45843a53ea250260a936020b_JaffaCakes118.exe | N/A |
Checks installed software on the system
Drops file in Windows directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Windows\msnshell.UNinstall.exe | C:\Users\Admin\AppData\Local\Temp\05d7368f45843a53ea250260a936020b_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\msnshell.UNinstall.exe | C:\Users\Admin\AppData\Local\Temp\05d7368f45843a53ea250260a936020b_JaffaCakes118.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\05d7368f45843a53ea250260a936020b_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\05d7368f45843a53ea250260a936020b_JaffaCakes118.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\05d7368f45843a53ea250260a936020b_JaffaCakes118.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\05d7368f45843a53ea250260a936020b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\05d7368f45843a53ea250260a936020b_JaffaCakes118.exe"
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 82.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 20.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 6.173.189.20.in-addr.arpa | udp |
Files
memory/4684-0-0x0000000000970000-0x0000000000971000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\mlng_EN.ini
| MD5 | aa5a931a734ad85b7c149b04dc018350 |
| SHA1 | 510b5e19914944a012f14295137f056012213f22 |
| SHA256 | 187ee03ff858418849fc4dedc1ae6ad5a8d1778a3da6a26fea1a44517c9ecb34 |
| SHA512 | f165f6292643e695831fabc9efc1c2f3855d294a3ad54ef745eeece6298d4d5b52210a3950c751b26c933abc2abd48d3ef504a596a9e932f69901d73187731f1 |
C:\Users\Admin\AppData\Local\Temp\shell.ini
| MD5 | 6155652e608cfbcf3a6c23ed9b7ccd21 |
| SHA1 | 96e6110dd1f7991bfc4f4d4b967e36dc14e1858d |
| SHA256 | bff01dd0bbe7d995c5ba9f90027c08f2deb8f81dfa8b5e9628208d015cb2d872 |
| SHA512 | ad101c5cd7d2d2443207ff282ae0d6f240e07f1b32873ff2d710d85df90119c9be1a7054a7bc6a687547190b38ee45ef15443571acb12272d0c5f3d6275dec79 |
C:\Users\Admin\AppData\Local\Temp\msnshell.dll
| MD5 | e5cb5db431e05f9cbb240dde14d047ca |
| SHA1 | 4b4534ddbd0342feebf0b5dbb4cd0aae5f8b2468 |
| SHA256 | 124bd8133828e88e461b4423966cd83d68427d526e80b38a0a20dc13db343e73 |
| SHA512 | 189ae327bed1d1b9a2f5a6f5b49e723b385f64c018bcf490aa30fd91ccd836b5087253df92d1fb9f4ba09802d27da2ccba8fe24c67528bd6f0b3c7479aece4dc |
memory/4684-33-0x00000000048D0000-0x0000000004AB6000-memory.dmp
memory/4684-42-0x0000000000400000-0x0000000000677000-memory.dmp
memory/4684-43-0x00000000048D0000-0x0000000004AB6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\mlng_GB.ini
| MD5 | 45372c4acb71f52149864766ed8b21ff |
| SHA1 | 48a1519c789891c1295cdc7c58696a1b8f5907af |
| SHA256 | 6a0fd22eb05670716627d24db26e0efe39a8f6802d302bdfa187a0d627474a7a |
| SHA512 | 9c2cdf48f05c220dd679c415b0f20cd148450cebbba926fdf22687d7ecddb73f16077cdc1cf76088e9c20739e46f43cff841b080bf90bb24593df0ddf0735522 |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-24 00:44
Reported
2024-06-24 00:47
Platform
win7-20240220-en
Max time kernel
142s
Max time network
121s
Command Line
Signatures
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\05d7368f45843a53ea250260a936020b_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\05d7368f45843a53ea250260a936020b_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\05d7368f45843a53ea250260a936020b_JaffaCakes118.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSNShell = "C:\\Users\\Admin\\AppData\\Local\\Temp\\05d7368f45843a53ea250260a936020b_JaffaCakes118.exe" | C:\Users\Admin\AppData\Local\Temp\05d7368f45843a53ea250260a936020b_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSNShell = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MSNShell.exe" | C:\Users\Admin\AppData\Local\Temp\05d7368f45843a53ea250260a936020b_JaffaCakes118.exe | N/A |
Checks installed software on the system
Drops file in Windows directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Windows\msnshell.UNinstall.exe | C:\Users\Admin\AppData\Local\Temp\05d7368f45843a53ea250260a936020b_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\msnshell.UNinstall.exe | C:\Users\Admin\AppData\Local\Temp\05d7368f45843a53ea250260a936020b_JaffaCakes118.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\05d7368f45843a53ea250260a936020b_JaffaCakes118.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\05d7368f45843a53ea250260a936020b_JaffaCakes118.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\05d7368f45843a53ea250260a936020b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\05d7368f45843a53ea250260a936020b_JaffaCakes118.exe"
Network
Files
memory/1976-2-0x0000000000220000-0x0000000000221000-memory.dmp
\Users\Admin\AppData\Local\Temp\msnshell.dll
| MD5 | e5cb5db431e05f9cbb240dde14d047ca |
| SHA1 | 4b4534ddbd0342feebf0b5dbb4cd0aae5f8b2468 |
| SHA256 | 124bd8133828e88e461b4423966cd83d68427d526e80b38a0a20dc13db343e73 |
| SHA512 | 189ae327bed1d1b9a2f5a6f5b49e723b385f64c018bcf490aa30fd91ccd836b5087253df92d1fb9f4ba09802d27da2ccba8fe24c67528bd6f0b3c7479aece4dc |
C:\Users\Admin\AppData\Local\Temp\mlng_EN.ini
| MD5 | aa5a931a734ad85b7c149b04dc018350 |
| SHA1 | 510b5e19914944a012f14295137f056012213f22 |
| SHA256 | 187ee03ff858418849fc4dedc1ae6ad5a8d1778a3da6a26fea1a44517c9ecb34 |
| SHA512 | f165f6292643e695831fabc9efc1c2f3855d294a3ad54ef745eeece6298d4d5b52210a3950c751b26c933abc2abd48d3ef504a596a9e932f69901d73187731f1 |
C:\Users\Admin\AppData\Local\Temp\shell.ini
| MD5 | 6155652e608cfbcf3a6c23ed9b7ccd21 |
| SHA1 | 96e6110dd1f7991bfc4f4d4b967e36dc14e1858d |
| SHA256 | bff01dd0bbe7d995c5ba9f90027c08f2deb8f81dfa8b5e9628208d015cb2d872 |
| SHA512 | ad101c5cd7d2d2443207ff282ae0d6f240e07f1b32873ff2d710d85df90119c9be1a7054a7bc6a687547190b38ee45ef15443571acb12272d0c5f3d6275dec79 |
memory/1976-33-0x00000000031B0000-0x0000000003396000-memory.dmp
memory/1976-41-0x0000000000400000-0x0000000000677000-memory.dmp
memory/1976-42-0x00000000031B0000-0x0000000003396000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\mlng_GB.ini
| MD5 | 45372c4acb71f52149864766ed8b21ff |
| SHA1 | 48a1519c789891c1295cdc7c58696a1b8f5907af |
| SHA256 | 6a0fd22eb05670716627d24db26e0efe39a8f6802d302bdfa187a0d627474a7a |
| SHA512 | 9c2cdf48f05c220dd679c415b0f20cd148450cebbba926fdf22687d7ecddb73f16077cdc1cf76088e9c20739e46f43cff841b080bf90bb24593df0ddf0735522 |