Analysis Overview
SHA256
7fdbd3e7a891eb6dded35fd2d2481adce7fcbb7dbe8a87696be1780f7b41fac9
Threat Level: Known bad
The file 0ffe2e52a11e7a7e8261b7f87a1fe7d6_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
Fickerstealer
Looks up external IP address via web service
Suspicious use of SetThreadContext
Program crash
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK Matrix
Analysis: static1
Detonation Overview
Reported
2024-06-25 23:53
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-25 23:53
Reported
2024-06-25 23:55
Platform
win7-20240221-en
Max time kernel
143s
Max time network
146s
Command Line
Signatures
Fickerstealer
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.ipify.org | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1504 set thread context of 1948 | N/A | C:\Users\Admin\AppData\Local\Temp\0ffe2e52a11e7a7e8261b7f87a1fe7d6_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\0ffe2e52a11e7a7e8261b7f87a1fe7d6_JaffaCakes118.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\0ffe2e52a11e7a7e8261b7f87a1fe7d6_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0ffe2e52a11e7a7e8261b7f87a1fe7d6_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\0ffe2e52a11e7a7e8261b7f87a1fe7d6_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0ffe2e52a11e7a7e8261b7f87a1fe7d6_JaffaCakes118.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 104.26.13.205:80 | api.ipify.org | tcp |
| NL | 74.119.195.40:80 | | tcp |

The row above appears 44 times in the report: 44 separate TCP connections to 74.119.195.40:80 with no domain associated (the protocol value had shifted into the Domain column in the original rows).
Files
memory/1504-2-0x00000000003B0000-0x00000000003F5000-memory.dmp
memory/1504-1-0x00000000002B0000-0x00000000003B0000-memory.dmp
memory/1948-3-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/1948-5-0x0000000000400000-0x0000000000449000-memory.dmp
memory/1948-8-0x0000000000400000-0x0000000000449000-memory.dmp
memory/1948-7-0x0000000000400000-0x0000000000449000-memory.dmp
C:\ProgramData\kaosdma.txt
| MD5 | 1207bc197a1ebd72a77f1a771cad9e52 |
| SHA1 | 8ed121ff66d407150d7390b9276fe690dd213b27 |
| SHA256 | 260658b9cb063d6ce96f681b18704e02fae7bf8fc995fc249ab0be1400983476 |
| SHA512 | d037cfa3b6e6ced9652b2c781bb54cf48dbaa0aaff05039ae4fd0122749eda472807d4198981aa6ceffeba6d2b23d7ad08d7d96983dbd8539cf6b07e46e157f4 |
memory/1948-14-0x0000000000400000-0x0000000000449000-memory.dmp
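The behavioural signatures above (one process calling SetThreadContext on a second instance of the same executable, plus WriteProcessMemory) and the memory dumps of the child PID's 0x400000 region are the pattern a triage analyst reads as process hollowing into a suspended copy of itself. The script below is an added example, not part of the original report or the sandbox's own tooling: it parses the report's own text conventions (the "PID X set thread context of Y" description, the memory dump file names, and the network table rows) and turns them into a triage summary. The sample inputs are constructed from the behavioral1 data on this page; the `IP_LOOKUP_SERVICES` list is an assumption, used only to separate the external-IP lookup from the unexplained destination.

```python
"""Triage helper for sandbox behavioural reports in the format shown above.

Added example (not the sandbox's code). Sample inputs below are constructed
from the behavioral1 analysis on this page.
"""
import re
from collections import Counter

# Patterns over the report's own text conventions.
SET_CTX_RE = re.compile(r"PID (\d+) set thread context of (\d+)")
MEMDUMP_RE = re.compile(
    r"memory/(\d+)-\d+-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$"
)
NET_ROW_RE = re.compile(
    r"^\|\s*([A-Z]{2})\s*\|\s*([\d.]+):(\d+)\s*\|\s*([^|]*?)\s*\|\s*(\w*)\s*\|?$"
)

# Assumption: public IP-lookup services. Contacting one is a behavioural
# marker (the sample learns its external IP), not a C2 indicator to block.
IP_LOOKUP_SERVICES = {"api.ipify.org", "ipinfo.io", "icanhazip.com"}

def find_self_injection(signature_rows):
    """signature_rows: (description, process, target) tuples from the
    'Suspicious use of SetThreadContext' table. A hit is a parent setting
    the thread context of a child that runs the same image path, i.e. the
    classic hollowing of a suspended copy of itself."""
    hits = []
    for desc, proc, target in signature_rows:
        m = SET_CTX_RE.search(desc)
        if m and proc.lower() == target.lower():
            hits.append({"parent": int(m.group(1)), "child": int(m.group(2)),
                         "image": target})
    return hits

def child_image_regions(memdump_names, child_pid):
    """Distinct (start, end, size) regions dumped from the child PID.
    For a hollowed 32-bit process the payload sits at the original image
    base, typically 0x400000; that region is the one to carve and scan."""
    regions = set()
    for name in memdump_names:
        m = MEMDUMP_RE.match(name)
        if m and int(m.group(1)) == child_pid:
            start, end = int(m.group(2), 16), int(m.group(3), 16)
            regions.add((start, end, end - start))
    return sorted(regions)

def network_iocs(table_lines):
    """Collapse repeated network rows into counts and bucket them:
    'dns' (port 53), 'ip_lookup' (known lookup service), 'unexplained'
    (no domain), 'other'. The last bucket before 'unexplained' is where
    the C2 candidate usually lands."""
    counts = Counter()
    for line in table_lines:
        m = NET_ROW_RE.match(line.strip())
        if not m:
            continue
        _cc, ip, port, domain, proto = m.groups()
        # Some rows on the page carry the protocol in the Domain column.
        if domain in ("tcp", "udp") and not proto:
            domain, proto = "", domain
        counts[(f"{ip}:{port}", domain, proto)] += 1
    buckets = {"dns": [], "ip_lookup": [], "unexplained": [], "other": []}
    for (dest, domain, proto), n in counts.most_common():
        entry = {"dest": dest, "domain": domain, "proto": proto, "count": n}
        if dest.endswith(":53"):
            buckets["dns"].append(entry)
        elif domain in IP_LOOKUP_SERVICES:
            buckets["ip_lookup"].append(entry)
        elif not domain:
            buckets["unexplained"].append(entry)
        else:
            buckets["other"].append(entry)
    return buckets

def triage(signature_rows, memdump_names, table_lines):
    """Combine the three views into one summary for the analyst."""
    hits = find_self_injection(signature_rows)
    for h in hits:
        h["child_regions"] = child_image_regions(memdump_names, h["child"])
    return {"self_injection": hits, "network": network_iocs(table_lines)}

# Constructed sample mirroring the behavioral1 data above.
IMAGE = (r"C:\Users\Admin\AppData\Local\Temp"
         r"\0ffe2e52a11e7a7e8261b7f87a1fe7d6_JaffaCakes118.exe")
SIGNATURE_ROWS = [("PID 1504 set thread context of 1948", IMAGE, IMAGE)]
MEMDUMPS = [
    "memory/1504-2-0x00000000003B0000-0x00000000003F5000-memory.dmp",
    "memory/1948-3-0x000000007EFDE000-0x000000007EFDF000-memory.dmp",
    "memory/1948-5-0x0000000000400000-0x0000000000449000-memory.dmp",
    "memory/1948-8-0x0000000000400000-0x0000000000449000-memory.dmp",
]
NETWORK_ROWS = [
    "| US | 8.8.8.8:53 | api.ipify.org | udp |",
    "| US | 104.26.13.205:80 | api.ipify.org | tcp |",
] + ["| NL | 74.119.195.40:80 | tcp | |"] * 44

if __name__ == "__main__":
    import json
    print(json.dumps(triage(SIGNATURE_ROWS, MEMDUMPS, NETWORK_ROWS), indent=2))
```

Running it on the constructed sample reports one self-injection (1504 into 1948) with a 0x49000-byte region at 0x400000 to carve from the child, and places the 44 connections to 74.119.195.40:80 in the unexplained bucket while keeping api.ipify.org out of the blocklist candidates.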
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-25 23:53
Reported
2024-06-25 23:55
Platform
win10v2004-20240508-en
Max time kernel
147s
Max time network
150s
Command Line
Signatures
Fickerstealer
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.ipify.org | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4132 set thread context of 1756 | N/A | C:\Users\Admin\AppData\Local\Temp\0ffe2e52a11e7a7e8261b7f87a1fe7d6_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\0ffe2e52a11e7a7e8261b7f87a1fe7d6_JaffaCakes118.exe |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\0ffe2e52a11e7a7e8261b7f87a1fe7d6_JaffaCakes118.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\0ffe2e52a11e7a7e8261b7f87a1fe7d6_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0ffe2e52a11e7a7e8261b7f87a1fe7d6_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\0ffe2e52a11e7a7e8261b7f87a1fe7d6_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0ffe2e52a11e7a7e8261b7f87a1fe7d6_JaffaCakes118.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1756 -ip 1756
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1756 -s 1496
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
Files
memory/4132-2-0x0000000000680000-0x00000000006C5000-memory.dmp
memory/4132-1-0x0000000000730000-0x0000000000830000-memory.dmp
memory/1756-3-0x0000000000400000-0x0000000000449000-memory.dmp
memory/1756-5-0x0000000000400000-0x0000000000449000-memory.dmp
memory/1756-6-0x0000000000400000-0x0000000000449000-memory.dmp