Analysis Overview
SHA256
8e7e171f1f84d83de0e174bca33baf72289a7d90645d2079c26238e0dbbf18f7
Threat Level: Known bad
The file 108e9934b04e62f29361fa23c57023a2_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
Ramnit
UPX packed file
Loads dropped DLL
ASPack v2.12-2.42
Executes dropped EXE
Adds Run key to start application
Drops file in System32 directory
Drops file in Program Files directory
Unsigned PE
Program crash
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Modifies Internet Explorer settings
Suspicious use of AdjustPrivilegeToken
Suspicious use of UnmapMainImage
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-26 03:21
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-26 03:21
Reported
2024-06-26 03:24
Platform
win7-20240508-en
Max time kernel
122s
Max time network
126s
Command Line
Signatures
ASPack v2.12-2.42
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\108e9934b04e62f29361fa23c57023a2_JaffaCakes118mgr.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\108e9934b04e62f29361fa23c57023a2_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\108e9934b04e62f29361fa23c57023a2_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\108e9934b04e62f29361fa23c57023a2_JaffaCakes118.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\king_mg = "C:\\Windows\\system32\\mgking.exe" | C:\Users\Admin\AppData\Local\Temp\108e9934b04e62f29361fa23c57023a2_JaffaCakes118.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\mgking.exe | C:\Users\Admin\AppData\Local\Temp\108e9934b04e62f29361fa23c57023a2_JaffaCakes118.exe | N/A |
| File created | C:\Windows\SysWOW64\mgking.exe | C:\Users\Admin\AppData\Local\Temp\108e9934b04e62f29361fa23c57023a2_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\mgking0.dll | C:\Users\Admin\AppData\Local\Temp\108e9934b04e62f29361fa23c57023a2_JaffaCakes118.exe | N/A |
| File created | C:\Windows\SysWOW64\mgking0.dll | C:\Users\Admin\AppData\Local\Temp\108e9934b04e62f29361fa23c57023a2_JaffaCakes118.exe | N/A |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\108e9934b04e62f29361fa23c57023a2_JaffaCakes118mgr.exe |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\108e9934b04e62f29361fa23c57023a2_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\108e9934b04e62f29361fa23c57023a2_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\108e9934b04e62f29361fa23c57023a2_JaffaCakes118mgr.exe
C:\Users\Admin\AppData\Local\Temp\108e9934b04e62f29361fa23c57023a2_JaffaCakes118mgr.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1996 -s 100
Network
Files
memory/1932-1-0x0000000000400000-0x000000000049E000-memory.dmp
\Users\Admin\AppData\Local\Temp\108e9934b04e62f29361fa23c57023a2_JaffaCakes118mgr.exe
| MD5 | 94f2f6ffbba8e7644668b51b39983916 |
| SHA1 | 63357bbdf90101969117983dbc0d4ed0e713c4d7 |
| SHA256 | ede7603855cb37082c241c720a6650988c684eb3bcb263e5dd7b457458940fed |
| SHA512 | d04430ceac70c6fa71d07d9ee82ac2bb5e6c0641d5c9e7e5a3ed39d342e8b198f367676516a55f0653e0b88635a027b9ad220e223145b8be8df281bb6faf7156 |
memory/1932-19-0x0000000000401000-0x0000000000402000-memory.dmp
memory/1064-21-0x00000000024E0000-0x00000000024E1000-memory.dmp
\Windows\SysWOW64\mgking0.dll
| MD5 | 21c8f7083a59c407226363950804c4f8 |
| SHA1 | 8a6b1d0942afa365ab4b7cd0e82c13bd9cae2524 |
| SHA256 | 015fc0b2cdaf8c7f2fd3b0ee1a0e03e1c4589ef21c1781a60a8ce90a8e16bde5 |
| SHA512 | eb7253e85f77cc45c02bfbab25cd0324cc4b59d484bf8807561f69edfc69713330299308aace3ba3671b34bc9c852d42344d5f5c64181184f2f71bd7ced782f8 |
memory/1932-24-0x0000000010000000-0x0000000010084000-memory.dmp
memory/1932-25-0x0000000000400000-0x000000000049E000-memory.dmp
memory/1932-27-0x0000000010000000-0x0000000010084000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-26 03:21
Reported
2024-06-26 03:24
Platform
win10v2004-20240508-en
Max time kernel
80s
Max time network
90s
Command Line
Signatures
Ramnit
ASPack v2.12-2.42
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\108e9934b04e62f29361fa23c57023a2_JaffaCakes118mgr.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\WaterMark.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\108e9934b04e62f29361fa23c57023a2_JaffaCakes118.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\king_mg = "C:\\Windows\\system32\\mgking.exe" | C:\Users\Admin\AppData\Local\Temp\108e9934b04e62f29361fa23c57023a2_JaffaCakes118.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\mgking.exe | C:\Users\Admin\AppData\Local\Temp\108e9934b04e62f29361fa23c57023a2_JaffaCakes118.exe | N/A |
| File created | C:\Windows\SysWOW64\mgking.exe | C:\Users\Admin\AppData\Local\Temp\108e9934b04e62f29361fa23c57023a2_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\mgking0.dll | C:\Users\Admin\AppData\Local\Temp\108e9934b04e62f29361fa23c57023a2_JaffaCakes118.exe | N/A |
| File created | C:\Windows\SysWOW64\mgking0.dll | C:\Users\Admin\AppData\Local\Temp\108e9934b04e62f29361fa23c57023a2_JaffaCakes118.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\Microsoft\WaterMark.exe | C:\Users\Admin\AppData\Local\Temp\108e9934b04e62f29361fa23c57023a2_JaffaCakes118mgr.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft\WaterMark.exe | C:\Users\Admin\AppData\Local\Temp\108e9934b04e62f29361fa23c57023a2_JaffaCakes118mgr.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft\px43EE.tmp | C:\Users\Admin\AppData\Local\Temp\108e9934b04e62f29361fa23c57023a2_JaffaCakes118mgr.exe | N/A |
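The Run value and the dropped-file rows above (the same three indicators appear in behavioral1) are the host artifacts worth hunting for after reading this report. One caveat when turning them into a check: the Run value points at C:\Windows\system32\mgking.exe while the file-create rows show C:\Windows\SysWOW64\mgking.exe. The sample runs as a 32-bit process (its WerFault and svchost instances come from SysWOW64), so WOW64 file-system redirection sends its writes to System32 into SysWOW64; for a 32-bit process both spellings resolve to the same file, and a hunt has to fold them together. The Python below is an added example and not part of the Triage report: it collects the registry, path and SHA256 indicators copied from the report's tables and checks them against Sysmon-style events (IDs 1, 11 and 13). The event dicts are constructed sample input, not real telemetry, and the field names follow Sysmon's naming.

```python
"""Hunt for this report's persistence and drop indicators in Sysmon-style events.

Added example, not part of the Triage report. Indicator values are copied from
the report's tables; the event dicts at the bottom are constructed sample input.
"""
import re

# --- Indicators copied from the report ------------------------------------
RUN_VALUE_NAME = "king_mg"
DROPPED_PATHS = [
    r"C:\Windows\SysWOW64\mgking.exe",
    r"C:\Windows\SysWOW64\mgking0.dll",
    r"C:\Program Files (x86)\Microsoft\WaterMark.exe",
]
KNOWN_BAD_SHA256 = {
    "8e7e171f1f84d83de0e174bca33baf72289a7d90645d2079c26238e0dbbf18f7",  # submitted sample
    "ede7603855cb37082c241c720a6650988c684eb3bcb263e5dd7b457458940fed",  # ...JaffaCakes118mgr.exe
    "015fc0b2cdaf8c7f2fd3b0ee1a0e03e1c4589ef21c1781a60a8ce90a8e16bde5",  # mgking0.dll
}

# Matches the CurrentVersion\Run key (HKU or HKLM) and captures the value name.
RUN_KEY_RE = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\([^\\]+)$", re.IGNORECASE
)


def canon(path):
    r"""Normalise a Windows path for comparison.

    A 32-bit process writing to C:\Windows\system32 is redirected by WOW64 to
    C:\Windows\SysWOW64, which is why the Run value in the report names
    system32\mgking.exe while the file was created under SysWOW64. Fold the
    two spellings so either one matches the indicator.
    """
    p = path.strip().strip('"').lower().replace("/", "\\")
    return p.replace("\\windows\\syswow64\\", "\\windows\\system32\\")


DROPPED_CANON = {canon(p) for p in DROPPED_PATHS}


def parse_hashes(field):
    """Turn Sysmon's 'MD5=..,SHA256=..' Hashes field into a dict (values lower-cased)."""
    out = {}
    for part in field.split(","):
        if "=" in part:
            key, value = part.split("=", 1)
            out[key.strip().upper()] = value.strip().lower()
    return out


def check_event(ev):
    """Return a list of (kind, detail) hits for one Sysmon-like event dict."""
    hits = []
    eid = ev.get("EventID")
    if eid == 13:  # RegistryEvent: value set
        m = RUN_KEY_RE.search(ev.get("TargetObject", ""))
        if m:
            name, data = m.group(1), ev.get("Details", "")
            if name.lower() == RUN_VALUE_NAME or canon(data) in DROPPED_CANON:
                hits.append(("run_key", f"{name} = {data}"))
    elif eid == 11:  # FileCreate
        target = ev.get("TargetFilename", "")
        if canon(target) in DROPPED_CANON:
            hits.append(("dropped_file", target))
    elif eid == 1:  # ProcessCreate
        image = ev.get("Image", "")
        sha = parse_hashes(ev.get("Hashes", "")).get("SHA256")
        if sha in KNOWN_BAD_SHA256:
            hits.append(("known_bad_hash", f"{image} sha256={sha}"))
        if canon(image) in DROPPED_CANON:
            hits.append(("dropped_file_executed", image))
    return hits


def scan(events):
    """Run check_event over every event; returns (event index, kind, detail) tuples."""
    return [(i, kind, detail) for i, ev in enumerate(events) for kind, detail in check_event(ev)]


# --- Constructed sample events (not real telemetry) -----------------------
SID = r"HKU\S-1-5-21-2539840389-1261165778-1087677076-1000"
SAMPLE_EXE = r"C:\Users\Admin\AppData\Local\Temp\108e9934b04e62f29361fa23c57023a2_JaffaCakes118.exe"
MGR_EXE = r"C:\Users\Admin\AppData\Local\Temp\108e9934b04e62f29361fa23c57023a2_JaffaCakes118mgr.exe"
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": SAMPLE_EXE,
     "TargetObject": SID + r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\king_mg",
     "Details": r"C:\Windows\system32\mgking.exe"},
    {"EventID": 11, "Image": SAMPLE_EXE, "TargetFilename": r"C:\Windows\SysWOW64\mgking0.dll"},
    {"EventID": 11, "Image": MGR_EXE, "TargetFilename": r"C:\Program Files (x86)\Microsoft\WaterMark.exe"},
    {"EventID": 1, "Image": MGR_EXE,
     "Hashes": "MD5=94f2f6ffbba8e7644668b51b39983916,"
               "SHA256=ede7603855cb37082c241c720a6650988c684eb3bcb263e5dd7b457458940fed"},
    {"EventID": 1, "Image": r"C:\Program Files (x86)\Microsoft\WaterMark.exe"},  # no hash recorded
    {"EventID": 13, "Image": r"C:\Windows\explorer.exe",  # benign Run value, must not hit
     "TargetObject": SID + r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"},
    {"EventID": 11, "Image": r"C:\Windows\explorer.exe", "TargetFilename": r"C:\Users\Admin\Desktop\notes.txt"},
]

if __name__ == "__main__":
    for idx, kind, detail in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {kind}: {detail}")
```

On the constructed input the script flags the king_mg Run value, both file creates, the known-bad hash of the mgr.exe process and the execution of WaterMark.exe from its dropped path, and leaves the OneDrive Run value and the Desktop file alone. Note that the report lists no hash for WaterMark.exe, so that file is only matched by path; on a live host you would hash it and add the value before sharing the indicator set.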
Program crash
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "425533991" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{3C07A3B1-336B-11EF-BA70-66D3FDB32ECD} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\"" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Program Files (x86)\Microsoft\WaterMark.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of UnmapMainImage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\108e9934b04e62f29361fa23c57023a2_JaffaCakes118mgr.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\WaterMark.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\108e9934b04e62f29361fa23c57023a2_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\108e9934b04e62f29361fa23c57023a2_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\108e9934b04e62f29361fa23c57023a2_JaffaCakes118mgr.exe
C:\Users\Admin\AppData\Local\Temp\108e9934b04e62f29361fa23c57023a2_JaffaCakes118mgr.exe
C:\Program Files (x86)\Microsoft\WaterMark.exe
"C:\Program Files (x86)\Microsoft\WaterMark.exe"
C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1368 -ip 1368
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4176 -ip 4176
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4176 -s 204
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1368 -s 236
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 1368 -ip 1368
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1368 -s 472
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 1368 -ip 1368
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1368 -s 516
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4580 CREDAT:17410 /prefetch:2
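The flattened process list above has lost the parent/child tree, but the WerFault.exe command lines still carry the PID of the crashed process after -p (the -pss and -ip arguments belong to the same invocation and must not be mistaken for it), and the memory dump names in the Files section below carry the PID and address range of each captured region. The Python below is an added example and not part of the Triage report: it parses both lists, copied from this behavioral2 run, and reports for each crashed PID how many WerFault invocations there were and which distinct ranges were dumped.

```python
"""Map WerFault.exe invocations to the memory dumps recorded for the same PIDs.

Added example, not part of the Triage report. The two lists below are copied
from this run's Processes and Files sections.
"""
import re

PROCESS_LINES = [
    r'"C:\Program Files (x86)\Microsoft\WaterMark.exe"',
    r"C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1368 -ip 1368",
    r"C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4176 -ip 4176",
    r"C:\Windows\SysWOW64\WerFault.exe -u -p 4176 -s 204",
    r"C:\Windows\SysWOW64\WerFault.exe -u -p 1368 -s 236",
    r"C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 1368 -ip 1368",
    r"C:\Windows\SysWOW64\WerFault.exe -u -p 1368 -s 472",
    r"C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 1368 -ip 1368",
    r"C:\Windows\SysWOW64\WerFault.exe -u -p 1368 -s 516",
    r'"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4580 CREDAT:17410 /prefetch:2',
]
DUMP_LINES = [
    "memory/1368-1-0x0000000000400000-0x000000000049E000-memory.dmp",
    "memory/1028-10-0x0000000000400000-0x0000000000421000-memory.dmp",
    "memory/4176-31-0x0000000000B70000-0x0000000000B71000-memory.dmp",
    "memory/4176-30-0x0000000000B90000-0x0000000000B91000-memory.dmp",
    "memory/1012-29-0x0000000077BB2000-0x0000000077BB3000-memory.dmp",
    "memory/1368-39-0x0000000010000000-0x0000000010084000-memory.dmp",
    "memory/1368-40-0x0000000000400000-0x000000000049E000-memory.dmp",
    "memory/1368-41-0x0000000010000000-0x0000000010084000-memory.dmp",
]

# '-p <pid>' names the crashed process; '-pss' and '-ip' are other switches.
WERFAULT_PID_RE = re.compile(r"(?:^|\s)-p\s+(\d+)")
# memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp
DUMP_RE = re.compile(r"^memory/(\d+)-\d+-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")


def werfault_pids(process_lines):
    """Return {pid: number of WerFault invocations} from process command lines."""
    counts = {}
    for line in process_lines:
        if "werfault.exe" not in line.lower():
            continue
        m = WERFAULT_PID_RE.search(line)
        if m:
            pid = int(m.group(1))
            counts[pid] = counts.get(pid, 0) + 1
    return counts


def dump_regions(dump_lines):
    """Return {pid: [(start, end), ...]} of distinct dumped ranges, in listing order."""
    regions = {}
    for name in dump_lines:
        m = DUMP_RE.match(name)
        if not m:
            continue
        pid = int(m.group(1))
        rng = (int(m.group(2), 16), int(m.group(3), 16))
        lst = regions.setdefault(pid, [])
        if rng not in lst:  # the same range is often dumped more than once
            lst.append(rng)
    return regions


def crash_report(process_lines, dump_lines):
    """Join crashed PIDs with the regions dumped for them; sizes are in bytes."""
    counts = werfault_pids(process_lines)
    regions = dump_regions(dump_lines)
    report = {}
    for pid, n in counts.items():
        ranges = regions.get(pid, [])
        report[pid] = {
            "werfault_invocations": n,
            "regions": ranges,
            "region_sizes": [end - start for start, end in ranges],
        }
    return report


if __name__ == "__main__":
    for pid, info in sorted(crash_report(PROCESS_LINES, DUMP_LINES).items()):
        print(f"pid {pid}: {info['werfault_invocations']} WerFault invocations")
        for (start, end), size in zip(info["regions"], info["region_sizes"]):
            print(f"  0x{start:08X}-0x{end:08X} ({size:#x} bytes)")
```

Run against the lists above, it shows PID 1368 crashing repeatedly (six WerFault invocations) with dumps of 0x400000-0x49E000, the same range as the main-image dump of PID 1932 in behavioral1, and of 0x10000000-0x10084000, and PID 4176 crashing twice with only two single-page dumps. 0x10000000 is the default image base MSVC assigns to DLLs, so that region is consistent with a dropped DLL loaded without relocation; the report does not name the module behind it, so treat that as an inference to confirm in the dump rather than a fact the report states.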
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | api.bing.com | udp |
Files
memory/1368-1-0x0000000000400000-0x000000000049E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\108e9934b04e62f29361fa23c57023a2_JaffaCakes118mgr.exe
| MD5 | 94f2f6ffbba8e7644668b51b39983916 |
| SHA1 | 63357bbdf90101969117983dbc0d4ed0e713c4d7 |
| SHA256 | ede7603855cb37082c241c720a6650988c684eb3bcb263e5dd7b457458940fed |
| SHA512 | d04430ceac70c6fa71d07d9ee82ac2bb5e6c0641d5c9e7e5a3ed39d342e8b198f367676516a55f0653e0b88635a027b9ad220e223145b8be8df281bb6faf7156 |
memory/1028-10-0x0000000000400000-0x0000000000421000-memory.dmp
memory/1028-16-0x0000000000400000-0x0000000000421000-memory.dmp
memory/1012-25-0x0000000000A20000-0x0000000000A21000-memory.dmp
memory/1028-17-0x00000000008A0000-0x00000000008A1000-memory.dmp
memory/4176-31-0x0000000000B70000-0x0000000000B71000-memory.dmp
memory/4176-30-0x0000000000B90000-0x0000000000B91000-memory.dmp
memory/1012-28-0x0000000000400000-0x0000000000421000-memory.dmp
memory/1012-29-0x0000000077BB2000-0x0000000077BB3000-memory.dmp
memory/1028-9-0x0000000000400000-0x0000000000421000-memory.dmp
memory/1028-8-0x0000000000400000-0x0000000000421000-memory.dmp
memory/1028-7-0x0000000000400000-0x0000000000421000-memory.dmp
memory/1028-6-0x0000000000400000-0x0000000000421000-memory.dmp
memory/1028-5-0x0000000000400000-0x0000000000421000-memory.dmp
C:\Windows\SysWOW64\mgking0.dll
| MD5 | 21c8f7083a59c407226363950804c4f8 |
| SHA1 | 8a6b1d0942afa365ab4b7cd0e82c13bd9cae2524 |
| SHA256 | 015fc0b2cdaf8c7f2fd3b0ee1a0e03e1c4589ef21c1781a60a8ce90a8e16bde5 |
| SHA512 | eb7253e85f77cc45c02bfbab25cd0324cc4b59d484bf8807561f69edfc69713330299308aace3ba3671b34bc9c852d42344d5f5c64181184f2f71bd7ced782f8 |
memory/1368-39-0x0000000010000000-0x0000000010084000-memory.dmp
memory/1368-40-0x0000000000400000-0x000000000049E000-memory.dmp
memory/1368-41-0x0000000010000000-0x0000000010084000-memory.dmp
memory/1012-43-0x0000000077BB2000-0x0000000077BB3000-memory.dmp
memory/1012-42-0x0000000000070000-0x0000000000071000-memory.dmp
memory/1012-44-0x0000000000400000-0x0000000000421000-memory.dmp