Analysis Overview
SHA256
8b3ace7bcab1a2f43c113d28589fae793f42e08c11f83c7c1d5d9b25b3453cbd
Threat Level: Known bad
The file 3c66b48677763dc430eab0ff520ea994_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
HawkEye
Deletes itself
Reads data files stored by FTP clients
Reads local data of messenger clients
Drops startup file
Checks computer location settings
Reads user/profile data of web browsers
Executes dropped EXE
Enumerates physical storage devices
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2024-07-12 07:02
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-07-12 07:02
Reported
2024-07-12 07:04
Platform
win7-20240705-en
Max time kernel
120s
Max time network
121s
Command Line
Signatures
HawkEye
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Windows Update.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WindowsUpdate.exe | C:\Users\Admin\AppData\Roaming\Windows Update.exe | N/A |
| File opened for modification | C:\users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WindowsUpdate.exe | C:\Users\Admin\AppData\Roaming\Windows Update.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Windows Update.exe | N/A |
Reads data files stored by FTP clients
Reads local data of messenger clients
Reads user/profile data of web browsers
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Windows Update.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Windows Update.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Windows Update.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2400 wrote to memory of 3056 | N/A | C:\Users\Admin\AppData\Local\Temp\3c66b48677763dc430eab0ff520ea994_JaffaCakes118.exe | C:\Users\Admin\AppData\Roaming\Windows Update.exe |
| PID 2400 wrote to memory of 3056 | N/A | C:\Users\Admin\AppData\Local\Temp\3c66b48677763dc430eab0ff520ea994_JaffaCakes118.exe | C:\Users\Admin\AppData\Roaming\Windows Update.exe |
| PID 2400 wrote to memory of 3056 | N/A | C:\Users\Admin\AppData\Local\Temp\3c66b48677763dc430eab0ff520ea994_JaffaCakes118.exe | C:\Users\Admin\AppData\Roaming\Windows Update.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\3c66b48677763dc430eab0ff520ea994_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3c66b48677763dc430eab0ff520ea994_JaffaCakes118.exe"
C:\Users\Admin\AppData\Roaming\Windows Update.exe
"C:\Users\Admin\AppData\Roaming\Windows Update.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | smtp.gmail.com | udp |
| NL | 142.250.102.108:587 | smtp.gmail.com | tcp |
| NL | 142.250.102.108:587 | smtp.gmail.com | tcp |
Files
memory/2400-0-0x000007FEF698E000-0x000007FEF698F000-memory.dmp
memory/2400-1-0x000007FEF66D0000-0x000007FEF706D000-memory.dmp
C:\Users\Admin\AppData\Roaming\Windows Update.exe
| MD5 | 3c66b48677763dc430eab0ff520ea994 |
| SHA1 | 943fcdb5200cf00741556744e052923d6c2211eb |
| SHA256 | 8b3ace7bcab1a2f43c113d28589fae793f42e08c11f83c7c1d5d9b25b3453cbd |
| SHA512 | 395a4308343e27311db4fb8b8849a5cd8b4ed761f56eff09a3c300b6772f09923ca106bddbe27c1fdb35c3aaf7dc2c5478a4cfe035ce55d391a6ba15e272c342 |
memory/2400-10-0x000007FEF66D0000-0x000007FEF706D000-memory.dmp
memory/3056-11-0x000007FEF66D0000-0x000007FEF706D000-memory.dmp
memory/3056-9-0x000007FEF66D0000-0x000007FEF706D000-memory.dmp
memory/2400-7-0x000007FEF66D0000-0x000007FEF706D000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\SysInfo.txt
| MD5 | 021defbbbdc6be30f5d0d09dd3298b69 |
| SHA1 | a67a796ea5be566a2fc29dda6f43aea254630888 |
| SHA256 | f962c3155271ed48f41467d59193723c13ac2e76068736b84d2c5bf201c10829 |
| SHA512 | 318c9d6a6d4254175832278fd64c7e12285b21a6ab73e6a9ead1d5345d05a8e97f9023b8bdad98945ce17d9b4b1a94d827049b154c0f54ff3d7661c5675c1ad1 |
memory/3056-15-0x000007FEF66D0000-0x000007FEF706D000-memory.dmp
memory/3056-16-0x0000000000B60000-0x0000000000B82000-memory.dmp
memory/3056-17-0x000007FEF66D0000-0x000007FEF706D000-memory.dmp
memory/3056-18-0x000007FEF66D0000-0x000007FEF706D000-memory.dmp
memory/3056-20-0x000007FEF66D0000-0x000007FEF706D000-memory.dmp
memory/3056-21-0x000007FEF66D0000-0x000007FEF706D000-memory.dmp
memory/3056-22-0x000007FEF66D0000-0x000007FEF706D000-memory.dmp
memory/3056-23-0x000007FEF66D0000-0x000007FEF706D000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-07-12 07:02
Reported
2024-07-12 07:04
Platform
win10v2004-20240709-en
Max time kernel
96s
Max time network
97s
Command Line
Signatures
HawkEye
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\3c66b48677763dc430eab0ff520ea994_JaffaCakes118.exe | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Windows Update.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File opened for modification | C:\users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WindowsUpdate.exe | C:\Users\Admin\AppData\Roaming\Windows Update.exe | N/A |
| File created | C:\users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WindowsUpdate.exe | C:\Users\Admin\AppData\Roaming\Windows Update.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Windows Update.exe | N/A |
Reads data files stored by FTP clients
Reads local data of messenger clients
Reads user/profile data of web browsers
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Windows Update.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Windows Update.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Windows Update.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1668 wrote to memory of 1296 | N/A | C:\Users\Admin\AppData\Local\Temp\3c66b48677763dc430eab0ff520ea994_JaffaCakes118.exe | C:\Users\Admin\AppData\Roaming\Windows Update.exe |
| PID 1668 wrote to memory of 1296 | N/A | C:\Users\Admin\AppData\Local\Temp\3c66b48677763dc430eab0ff520ea994_JaffaCakes118.exe | C:\Users\Admin\AppData\Roaming\Windows Update.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\3c66b48677763dc430eab0ff520ea994_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3c66b48677763dc430eab0ff520ea994_JaffaCakes118.exe"
C:\Users\Admin\AppData\Roaming\Windows Update.exe
"C:\Users\Admin\AppData\Roaming\Windows Update.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.143.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | smtp.gmail.com | udp |
| NL | 142.250.102.109:587 | smtp.gmail.com | tcp |
| US | 8.8.8.8:53 | 109.102.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 25.140.123.92.in-addr.arpa | udp |
| NL | 142.250.102.109:587 | smtp.gmail.com | tcp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
Files
memory/1668-0-0x00007FFC601C5000-0x00007FFC601C6000-memory.dmp
memory/1668-2-0x000000001C4A0000-0x000000001C96E000-memory.dmp
memory/1668-1-0x00007FFC5FF10000-0x00007FFC608B1000-memory.dmp
memory/1668-3-0x000000001CA20000-0x000000001CAC6000-memory.dmp
memory/1668-4-0x00007FFC5FF10000-0x00007FFC608B1000-memory.dmp
C:\Users\Admin\AppData\Roaming\Windows Update.exe
| MD5 | 3c66b48677763dc430eab0ff520ea994 |
| SHA1 | 943fcdb5200cf00741556744e052923d6c2211eb |
| SHA256 | 8b3ace7bcab1a2f43c113d28589fae793f42e08c11f83c7c1d5d9b25b3453cbd |
| SHA512 | 395a4308343e27311db4fb8b8849a5cd8b4ed761f56eff09a3c300b6772f09923ca106bddbe27c1fdb35c3aaf7dc2c5478a4cfe035ce55d391a6ba15e272c342 |
memory/1668-18-0x00007FFC5FF10000-0x00007FFC608B1000-memory.dmp
memory/1296-19-0x00007FFC5FF10000-0x00007FFC608B1000-memory.dmp
memory/1296-20-0x00007FFC5FF10000-0x00007FFC608B1000-memory.dmp
memory/1296-21-0x00007FFC5FF10000-0x00007FFC608B1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\SysInfo.txt
| MD5 | 021defbbbdc6be30f5d0d09dd3298b69 |
| SHA1 | a67a796ea5be566a2fc29dda6f43aea254630888 |
| SHA256 | f962c3155271ed48f41467d59193723c13ac2e76068736b84d2c5bf201c10829 |
| SHA512 | 318c9d6a6d4254175832278fd64c7e12285b21a6ab73e6a9ead1d5345d05a8e97f9023b8bdad98945ce17d9b4b1a94d827049b154c0f54ff3d7661c5675c1ad1 |
memory/1296-23-0x000000001C3F0000-0x000000001C452000-memory.dmp
memory/1296-26-0x000000001CB10000-0x000000001CBAC000-memory.dmp
memory/1296-27-0x000000001CAB0000-0x000000001CAD2000-memory.dmp
memory/1296-28-0x000000001CF10000-0x000000001CF18000-memory.dmp
memory/1296-29-0x000000001CE60000-0x000000001CEAC000-memory.dmp
memory/1296-30-0x00007FFC5FF10000-0x00007FFC608B1000-memory.dmp
memory/1296-31-0x00000000201C0000-0x00000000204CE000-memory.dmp
memory/1296-33-0x00007FFC5FF10000-0x00007FFC608B1000-memory.dmp
memory/1296-34-0x00007FFC5FF10000-0x00007FFC608B1000-memory.dmp