Analysis Overview
SHA256
071820da24f6b704ce6356e79ded9baad1acaa5e400fb8727c33bae6aa6f7a2f
Threat Level: Known bad
The file 2ff733dbb9b655a057ed7dfc2ea13daf_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
Snake Keylogger payload
Snake Keylogger
Loads dropped DLL
Looks up external IP address via web service
Suspicious use of SetThreadContext
Enumerates physical storage devices
Program crash
Unsigned PE
NSIS installer
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-07-09 10:15
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
NSIS installer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-07-09 10:15
Reported
2024-07-09 12:52
Platform
win10v2004-20240704-en
Max time kernel
94s
Max time network
99s
Command Line
Signatures
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2ff733dbb9b655a057ed7dfc2ea13daf_JaffaCakes118.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\2ff733dbb9b655a057ed7dfc2ea13daf_JaffaCakes118.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 764 wrote to memory of 892 | N/A | C:\Users\Admin\AppData\Local\Temp\2ff733dbb9b655a057ed7dfc2ea13daf_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\2ff733dbb9b655a057ed7dfc2ea13daf_JaffaCakes118.exe |
| PID 764 wrote to memory of 892 | N/A | C:\Users\Admin\AppData\Local\Temp\2ff733dbb9b655a057ed7dfc2ea13daf_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\2ff733dbb9b655a057ed7dfc2ea13daf_JaffaCakes118.exe |
| PID 764 wrote to memory of 892 | N/A | C:\Users\Admin\AppData\Local\Temp\2ff733dbb9b655a057ed7dfc2ea13daf_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\2ff733dbb9b655a057ed7dfc2ea13daf_JaffaCakes118.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\2ff733dbb9b655a057ed7dfc2ea13daf_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2ff733dbb9b655a057ed7dfc2ea13daf_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\2ff733dbb9b655a057ed7dfc2ea13daf_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2ff733dbb9b655a057ed7dfc2ea13daf_JaffaCakes118.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 764 -ip 764
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 764 -s 1016
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 13.107.21.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 71.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.21.107.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 100.58.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\nsc5763.tmp\sixepu.dll
| MD5 | 040853f7eb99fcc82ea269734850785e |
| SHA1 | 8f18a3e2d9349d60de78194fcb62b7775cd297d6 |
| SHA256 | 0f68d5467617881e66690c950d2d2f409129662d2f78d6b648a2e2bf89bf33c0 |
| SHA512 | cf5cd1fc536cec5d2c9735ad8129dd7990ef998403dd171bb5daf4b6d468beeb1d4a264124c701e57a89103231273b577e2a3858cd056182739e384395c56b6b |
Analysis: behavioral3
Detonation Overview
Submitted
2024-07-09 10:15
Reported
2024-07-09 12:52
Platform
win7-20240704-en
Max time kernel
121s
Max time network
124s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\sixepu.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\sixepu.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2192 -s 248
Network
Files
Analysis: behavioral4
Detonation Overview
Submitted
2024-07-09 10:15
Reported
2024-07-09 12:52
Platform
win10v2004-20240704-en
Max time kernel
149s
Max time network
152s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3560 wrote to memory of 3648 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3560 wrote to memory of 3648 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3560 wrote to memory of 3648 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\sixepu.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\sixepu.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3648 -ip 3648
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3648 -s 692
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 100.58.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.179.89.13.in-addr.arpa | udp |
Files
Analysis: behavioral1
Detonation Overview
Submitted
2024-07-09 10:15
Reported
2024-07-09 12:52
Platform
win7-20240708-en
Max time kernel
142s
Max time network
123s
Command Line
Signatures
Snake Keylogger
Snake Keylogger payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2ff733dbb9b655a057ed7dfc2ea13daf_JaffaCakes118.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | checkip.dyndns.org | N/A | N/A |
| N/A | freegeoip.app | N/A | N/A |
| N/A | freegeoip.app | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2424 set thread context of 2176 | N/A | C:\Users\Admin\AppData\Local\Temp\2ff733dbb9b655a057ed7dfc2ea13daf_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\2ff733dbb9b655a057ed7dfc2ea13daf_JaffaCakes118.exe |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2ff733dbb9b655a057ed7dfc2ea13daf_JaffaCakes118.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2ff733dbb9b655a057ed7dfc2ea13daf_JaffaCakes118.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2ff733dbb9b655a057ed7dfc2ea13daf_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2ff733dbb9b655a057ed7dfc2ea13daf_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\2ff733dbb9b655a057ed7dfc2ea13daf_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2ff733dbb9b655a057ed7dfc2ea13daf_JaffaCakes118.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 548
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | checkip.dyndns.org | udp |
| US | 193.122.130.0:80 | checkip.dyndns.org | tcp |
| US | 8.8.8.8:53 | freegeoip.app | udp |
| US | 104.21.73.97:443 | freegeoip.app | tcp |
| US | 8.8.8.8:53 | ipbase.com | udp |
| US | 104.21.85.189:443 | ipbase.com | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\nsoC15D.tmp\sixepu.dll
| MD5 | 040853f7eb99fcc82ea269734850785e |
| SHA1 | 8f18a3e2d9349d60de78194fcb62b7775cd297d6 |
| SHA256 | 0f68d5467617881e66690c950d2d2f409129662d2f78d6b648a2e2bf89bf33c0 |
| SHA512 | cf5cd1fc536cec5d2c9735ad8129dd7990ef998403dd171bb5daf4b6d468beeb1d4a264124c701e57a89103231273b577e2a3858cd056182739e384395c56b6b |
memory/2176-8-0x0000000000400000-0x000000000048B000-memory.dmp
memory/2176-10-0x0000000000400000-0x000000000048B000-memory.dmp
memory/2176-11-0x0000000000400000-0x000000000048B000-memory.dmp
memory/2240-12-0x00000000004C0000-0x00000000004C1000-memory.dmp