Analysis Overview
SHA256
45b183f3ab8e0ad421664b353e4951aa08d3f2e0ee0667a5b10d4dba5e5bb691
Threat Level: Known bad
The file 343a265bfdb9b15f6b99db339112d799_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
Snake Keylogger
Checks computer location settings
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Reads data files stored by FTP clients
Looks up external IP address via web service
Accesses Microsoft Outlook profiles
Suspicious use of SetThreadContext
Enumerates physical storage devices
Program crash
Unsigned PE
outlook_win_path
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
outlook_office_path
Suspicious use of WriteProcessMemory
Scheduled Task/Job: Scheduled Task
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-07-10 09:51
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-07-10 09:51
Reported
2024-07-10 09:59
Platform
win7-20240708-en
Max time kernel
119s
Max time network
145s
Command Line
Signatures
Snake Keylogger
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\343a265bfdb9b15f6b99db339112d799_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\343a265bfdb9b15f6b99db339112d799_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\343a265bfdb9b15f6b99db339112d799_JaffaCakes118.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | freegeoip.app | N/A | N/A |
| N/A | freegeoip.app | N/A | N/A |
| N/A | checkip.dyndns.org | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2052 set thread context of 2504 | N/A | C:\Users\Admin\AppData\Local\Temp\343a265bfdb9b15f6b99db339112d799_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\343a265bfdb9b15f6b99db339112d799_JaffaCakes118.exe |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\343a265bfdb9b15f6b99db339112d799_JaffaCakes118.exe |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\343a265bfdb9b15f6b99db339112d799_JaffaCakes118.exe | N/A |
Suspicious use of WriteProcessMemory
outlook_office_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\343a265bfdb9b15f6b99db339112d799_JaffaCakes118.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\343a265bfdb9b15f6b99db339112d799_JaffaCakes118.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\343a265bfdb9b15f6b99db339112d799_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\343a265bfdb9b15f6b99db339112d799_JaffaCakes118.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\uDmbaTfu" /XML "C:\Users\Admin\AppData\Local\Temp\tmpA6BB.tmp"
C:\Users\Admin\AppData\Local\Temp\343a265bfdb9b15f6b99db339112d799_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\343a265bfdb9b15f6b99db339112d799_JaffaCakes118.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2504 -s 1104
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | checkip.dyndns.org | udp |
| US | 193.122.130.0:80 | checkip.dyndns.org | tcp |
| US | 8.8.8.8:53 | freegeoip.app | udp |
| US | 172.67.160.84:443 | freegeoip.app | tcp |
| US | 8.8.8.8:53 | ipbase.com | udp |
| US | 172.67.209.71:443 | ipbase.com | tcp |
Files
memory/2052-0-0x0000000073F7E000-0x0000000073F7F000-memory.dmp
memory/2052-1-0x0000000001020000-0x00000000010D8000-memory.dmp
memory/2052-2-0x0000000073F70000-0x000000007465E000-memory.dmp
memory/2052-3-0x00000000005D0000-0x00000000005DA000-memory.dmp
memory/2052-4-0x0000000073F7E000-0x0000000073F7F000-memory.dmp
memory/2052-5-0x0000000073F70000-0x000000007465E000-memory.dmp
memory/2052-6-0x0000000004F10000-0x0000000004FA8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmpA6BB.tmp
| MD5 | a8b25345b15a2ecf281db45129c85183 |
| SHA1 | a40b5b77147fa2ce2071b50936fff120e3144386 |
| SHA256 | e9125e08592fd9ea01729d4c1bb2d6e9ec90be5ff117d43d015e64c69767358b |
| SHA512 | 39a1f4bd579d624516fc0374cb4a6dc962fd138e95c874fd1fa1e7c224164e466db9b506020f1ec9110abd327f2ef6ebd499c7d35fdeb674e73e8019458b63f0 |
memory/2504-12-0x0000000000400000-0x000000000046A000-memory.dmp
memory/2504-22-0x0000000000400000-0x000000000046A000-memory.dmp
memory/2504-27-0x0000000000400000-0x000000000046A000-memory.dmp
memory/2504-29-0x0000000073F70000-0x000000007465E000-memory.dmp
memory/2052-28-0x0000000073F70000-0x000000007465E000-memory.dmp
memory/2504-24-0x0000000000400000-0x000000000046A000-memory.dmp
memory/2504-20-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2504-18-0x0000000000400000-0x000000000046A000-memory.dmp
memory/2504-16-0x0000000000400000-0x000000000046A000-memory.dmp
memory/2504-14-0x0000000000400000-0x000000000046A000-memory.dmp
memory/2504-30-0x0000000073F70000-0x000000007465E000-memory.dmp
memory/2504-31-0x0000000073F70000-0x000000007465E000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-07-10 09:51
Reported
2024-07-10 09:58
Platform
win10v2004-20240709-en
Max time kernel
93s
Max time network
103s
Command Line
Signatures
Snake Keylogger
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\343a265bfdb9b15f6b99db339112d799_JaffaCakes118.exe | N/A |
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\343a265bfdb9b15f6b99db339112d799_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\343a265bfdb9b15f6b99db339112d799_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\343a265bfdb9b15f6b99db339112d799_JaffaCakes118.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | checkip.dyndns.org | N/A | N/A |
| N/A | freegeoip.app | N/A | N/A |
| N/A | freegeoip.app | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 660 set thread context of 1596 | N/A | C:\Users\Admin\AppData\Local\Temp\343a265bfdb9b15f6b99db339112d799_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\343a265bfdb9b15f6b99db339112d799_JaffaCakes118.exe |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\343a265bfdb9b15f6b99db339112d799_JaffaCakes118.exe |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\343a265bfdb9b15f6b99db339112d799_JaffaCakes118.exe | N/A |
Suspicious use of WriteProcessMemory
outlook_office_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\343a265bfdb9b15f6b99db339112d799_JaffaCakes118.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\343a265bfdb9b15f6b99db339112d799_JaffaCakes118.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\343a265bfdb9b15f6b99db339112d799_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\343a265bfdb9b15f6b99db339112d799_JaffaCakes118.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\uDmbaTfu" /XML "C:\Users\Admin\AppData\Local\Temp\tmpD32A.tmp"
C:\Users\Admin\AppData\Local\Temp\343a265bfdb9b15f6b99db339112d799_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\343a265bfdb9b15f6b99db339112d799_JaffaCakes118.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1596 -ip 1596
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1596 -s 1816
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 13.107.21.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 237.21.107.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 192.142.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | checkip.dyndns.org | udp |
| US | 193.122.130.0:80 | checkip.dyndns.org | tcp |
| US | 8.8.8.8:53 | freegeoip.app | udp |
| US | 104.21.73.97:443 | freegeoip.app | tcp |
| US | 8.8.8.8:53 | ipbase.com | udp |
| US | 104.21.85.189:443 | ipbase.com | tcp |
| US | 8.8.8.8:53 | 97.73.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.130.122.193.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 189.85.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
Files
memory/660-0-0x0000000074E0E000-0x0000000074E0F000-memory.dmp
memory/660-1-0x0000000000FF0000-0x00000000010A8000-memory.dmp
memory/660-2-0x0000000005980000-0x0000000005A1C000-memory.dmp
memory/660-3-0x0000000005FD0000-0x0000000006574000-memory.dmp
memory/660-4-0x0000000005A20000-0x0000000005AB2000-memory.dmp
memory/660-5-0x0000000005920000-0x000000000592A000-memory.dmp
memory/660-6-0x0000000005C50000-0x0000000005CA6000-memory.dmp
memory/660-7-0x0000000074E00000-0x00000000755B0000-memory.dmp
memory/660-8-0x0000000005C20000-0x0000000005C2A000-memory.dmp
memory/660-9-0x0000000074E0E000-0x0000000074E0F000-memory.dmp
memory/660-10-0x0000000074E00000-0x00000000755B0000-memory.dmp
memory/660-11-0x0000000006720000-0x00000000067B8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmpD32A.tmp
| MD5 | 1bd269e9a33328a9325cdcfe20e83307 |
| SHA1 | 0690069d7498d23638453812c1ca8635c836bc63 |
| SHA256 | 1a3e457399584d872a3c85886ffbc1ecd918d72d5ebe3453dbd343c951b98f94 |
| SHA512 | da0779a8a693e73090b3db13f971c35762b89c2b8c5fb43d4788dd68fe9f5f643662efe7d8d68f9f03a93c75967ab2932493c7e064335d4a3953ddf92b3951ef |
memory/1596-17-0x0000000000400000-0x000000000046A000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\343a265bfdb9b15f6b99db339112d799_JaffaCakes118.exe.log
| MD5 | 17573558c4e714f606f997e5157afaac |
| SHA1 | 13e16e9415ceef429aaf124139671ebeca09ed23 |
| SHA256 | c18db6aecad2436da4a63ff26af4e3a337cca48f01c21b8db494fe5ccc60e553 |
| SHA512 | f4edf13f05a0d142e4dd42802098c8c44988ee8869621a62c2b565a77c9a95857f636583ff8d6d9baa366603d98b9bfbf1fc75bc6f9f8f83c80cb1215b2941cc |
memory/660-21-0x0000000074E00000-0x00000000755B0000-memory.dmp
memory/1596-20-0x0000000074E00000-0x00000000755B0000-memory.dmp
memory/1596-22-0x0000000074E00000-0x00000000755B0000-memory.dmp
memory/1596-23-0x0000000006A50000-0x0000000006C12000-memory.dmp
memory/1596-24-0x0000000074E00000-0x00000000755B0000-memory.dmp