Analysis Overview
SHA256
d40dedd7f637a1ef9703b582a6d536469d1cf62bddc1a462a9cceeb7f9194f13
Threat Level: Known bad
The file 5e45692f423e4f683e1c246679e6d572_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
Oski
Executes dropped EXE
Loads dropped DLL
Checks computer location settings
Reads user/profile data of web browsers
Unsigned PE
Enumerates physical storage devices
Program crash
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2024-07-20 00:10
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-07-20 00:10
Reported
2024-07-20 00:12
Platform
win7-20240704-en
Max time kernel
14s
Max time network
26s
Command Line
Signatures
Oski
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\chrmuim.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5e45692f423e4f683e1c246679e6d572_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5e45692f423e4f683e1c246679e6d572_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
Reads user/profile data of web browsers
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\chrmuim.exe |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\5e45692f423e4f683e1c246679e6d572_JaffaCakes118.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\5e45692f423e4f683e1c246679e6d572_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\5e45692f423e4f683e1c246679e6d572_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\chrmuim.exe
"C:\Users\Admin\AppData\Local\Temp\chrmuim.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2104 -s 796
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | no1geekfun.com | udp |
| US | 199.188.206.41:80 | no1geekfun.com | tcp |
Files
memory/2172-0-0x000000007486E000-0x000000007486F000-memory.dmp
memory/2172-1-0x0000000001E20000-0x0000000001E5A000-memory.dmp
memory/2172-2-0x0000000074860000-0x0000000074F4E000-memory.dmp
memory/2172-3-0x0000000074860000-0x0000000074F4E000-memory.dmp
memory/2172-4-0x0000000002180000-0x00000000021BA000-memory.dmp
memory/2172-8-0x0000000002180000-0x00000000021B3000-memory.dmp
memory/2172-5-0x0000000002180000-0x00000000021B3000-memory.dmp
memory/2172-36-0x0000000002180000-0x00000000021B3000-memory.dmp
memory/2172-48-0x0000000002180000-0x00000000021B3000-memory.dmp
memory/2172-6-0x0000000002180000-0x00000000021B3000-memory.dmp
memory/2172-54-0x0000000002180000-0x00000000021B3000-memory.dmp
memory/2172-52-0x0000000002180000-0x00000000021B3000-memory.dmp
memory/2172-50-0x0000000002180000-0x00000000021B3000-memory.dmp
memory/2172-46-0x0000000002180000-0x00000000021B3000-memory.dmp
memory/2172-44-0x0000000002180000-0x00000000021B3000-memory.dmp
memory/2172-42-0x0000000002180000-0x00000000021B3000-memory.dmp
memory/2172-40-0x0000000002180000-0x00000000021B3000-memory.dmp
memory/2172-38-0x0000000002180000-0x00000000021B3000-memory.dmp
memory/2172-34-0x0000000002180000-0x00000000021B3000-memory.dmp
memory/2172-55-0x0000000074860000-0x0000000074F4E000-memory.dmp
memory/2172-56-0x0000000074860000-0x0000000074F4E000-memory.dmp
memory/2172-32-0x0000000002180000-0x00000000021B3000-memory.dmp
memory/2172-30-0x0000000002180000-0x00000000021B3000-memory.dmp
memory/2172-29-0x0000000002180000-0x00000000021B3000-memory.dmp
memory/2172-26-0x0000000002180000-0x00000000021B3000-memory.dmp
memory/2172-24-0x0000000002180000-0x00000000021B3000-memory.dmp
memory/2172-22-0x0000000002180000-0x00000000021B3000-memory.dmp
memory/2172-20-0x0000000002180000-0x00000000021B3000-memory.dmp
memory/2172-18-0x0000000002180000-0x00000000021B3000-memory.dmp
memory/2172-16-0x0000000002180000-0x00000000021B3000-memory.dmp
memory/2172-14-0x0000000002180000-0x00000000021B3000-memory.dmp
memory/2172-12-0x0000000002180000-0x00000000021B3000-memory.dmp
memory/2172-10-0x0000000002180000-0x00000000021B3000-memory.dmp
\Users\Admin\AppData\Local\Temp\chrmuim.exe
| Hash | Value |
| --- | --- |
| MD5 | 35958a7d85fc88a18f931ee14e6ec531 |
| SHA1 | 087fedd2ac4fe703da8ad32957998d1dffcb728b |
| SHA256 | 73fbf9c783b7e3a941837995f1a5181eca114e8923d6cc7ffb362ea88a8d0ba3 |
| SHA512 | de7cb672507d2c2c6de27301a36507939be19231ff97c1c062e2cfda354b4e89f42570f448f8f24e3d8714d6d651b484bc36a8f4dbd53c3e6b968ef002fdb489 |
memory/2172-67-0x0000000074860000-0x0000000074F4E000-memory.dmp
C:\ProgramData\msvcp140.dll
| Hash | Value |
| --- | --- |
| MD5 | 19929e8cb6ec5435cc100aad83e093b4 |
| SHA1 | 715d72030ce455a2cd572329af98bbcd23ae52d4 |
| SHA256 | 2ecfda86ed6fad78f103aebe513ebc3258f07e37fd2fe9e2f16ebaf3324a38d8 |
| SHA512 | 4fedd91be1a51584f6165290e00f51ec21c496e962c3d65e8620b2098cdd0cb0a7da96a0774bda7d444f6a7598da39d556fcf75cc9eb396ac261a8b3f65b2320 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-07-20 00:10
Reported
2024-07-20 00:12
Platform
win10v2004-20240709-en
Max time kernel
145s
Max time network
142s
Command Line
Signatures
Oski
Checks computer location settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\5e45692f423e4f683e1c246679e6d572_JaffaCakes118.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\chrmuim.exe | N/A |
Reads user/profile data of web browsers
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\chrmuim.exe |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\5e45692f423e4f683e1c246679e6d572_JaffaCakes118.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 3412 wrote to memory of 3244 | N/A | C:\Users\Admin\AppData\Local\Temp\5e45692f423e4f683e1c246679e6d572_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\chrmuim.exe |
| PID 3412 wrote to memory of 3244 | N/A | C:\Users\Admin\AppData\Local\Temp\5e45692f423e4f683e1c246679e6d572_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\chrmuim.exe |
| PID 3412 wrote to memory of 3244 | N/A | C:\Users\Admin\AppData\Local\Temp\5e45692f423e4f683e1c246679e6d572_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\chrmuim.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\5e45692f423e4f683e1c246679e6d572_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\5e45692f423e4f683e1c246679e6d572_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\chrmuim.exe
"C:\Users\Admin\AppData\Local\Temp\chrmuim.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 3244 -ip 3244
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3244 -s 1360
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | no1geekfun.com | udp |
| US | 199.188.206.41:80 | no1geekfun.com | tcp |
| US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.206.188.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
Files
memory/3412-0-0x0000000074E9E000-0x0000000074E9F000-memory.dmp
memory/3412-1-0x0000000002320000-0x000000000235A000-memory.dmp
memory/3412-2-0x0000000074E90000-0x0000000075640000-memory.dmp
memory/3412-3-0x0000000004A40000-0x0000000004FE4000-memory.dmp
memory/3412-4-0x0000000002480000-0x00000000024BA000-memory.dmp
memory/3412-46-0x0000000002480000-0x00000000024B3000-memory.dmp
memory/3412-54-0x0000000002480000-0x00000000024B3000-memory.dmp
memory/3412-52-0x0000000002480000-0x00000000024B3000-memory.dmp
memory/3412-50-0x0000000002480000-0x00000000024B3000-memory.dmp
memory/3412-48-0x0000000002480000-0x00000000024B3000-memory.dmp
memory/3412-44-0x0000000002480000-0x00000000024B3000-memory.dmp
memory/3412-42-0x0000000002480000-0x00000000024B3000-memory.dmp
memory/3412-40-0x0000000002480000-0x00000000024B3000-memory.dmp
memory/3412-38-0x0000000002480000-0x00000000024B3000-memory.dmp
memory/3412-37-0x0000000002480000-0x00000000024B3000-memory.dmp
memory/3412-34-0x0000000002480000-0x00000000024B3000-memory.dmp
memory/3412-32-0x0000000002480000-0x00000000024B3000-memory.dmp
memory/3412-30-0x0000000002480000-0x00000000024B3000-memory.dmp
memory/3412-28-0x0000000002480000-0x00000000024B3000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\chrmuim.exe
| Hash | Value |
| --- | --- |
| MD5 | 35958a7d85fc88a18f931ee14e6ec531 |
| SHA1 | 087fedd2ac4fe703da8ad32957998d1dffcb728b |
| SHA256 | 73fbf9c783b7e3a941837995f1a5181eca114e8923d6cc7ffb362ea88a8d0ba3 |
| SHA512 | de7cb672507d2c2c6de27301a36507939be19231ff97c1c062e2cfda354b4e89f42570f448f8f24e3d8714d6d651b484bc36a8f4dbd53c3e6b968ef002fdb489 |
memory/3412-26-0x0000000002480000-0x00000000024B3000-memory.dmp
memory/3412-24-0x0000000002480000-0x00000000024B3000-memory.dmp
memory/3412-19-0x0000000002480000-0x00000000024B3000-memory.dmp
memory/3412-16-0x0000000002480000-0x00000000024B3000-memory.dmp
memory/3412-12-0x0000000002480000-0x00000000024B3000-memory.dmp
memory/3412-10-0x0000000002480000-0x00000000024B3000-memory.dmp
memory/3412-9-0x0000000002480000-0x00000000024B3000-memory.dmp
memory/3412-5-0x0000000002480000-0x00000000024B3000-memory.dmp
memory/3412-22-0x0000000002480000-0x00000000024B3000-memory.dmp
memory/3412-64-0x0000000074E90000-0x0000000075640000-memory.dmp
memory/3412-20-0x0000000002480000-0x00000000024B3000-memory.dmp
memory/3412-14-0x0000000002480000-0x00000000024B3000-memory.dmp
memory/3412-6-0x0000000002480000-0x00000000024B3000-memory.dmp
memory/3412-66-0x0000000074E90000-0x0000000075640000-memory.dmp
memory/3412-67-0x0000000074E90000-0x0000000075640000-memory.dmp
C:\ProgramData\msvcp140.dll
| Hash | Value |
| --- | --- |
| MD5 | 1945ddb3c17fc9de5f5adc73d9ca9c43 |
| SHA1 | bf8b1f894047c7efe8c9b8a5f0a6b6b19c0acb37 |
| SHA256 | 743b429dee9b576878c810fca44b8b5c73795c8bbe5e72b297a94fed0809270c |
| SHA512 | eb3134c6d61e070b0e6431143b64f30901f90110b6b985f07344d2a07a0e46d2f39640ad54d55ee9b15979483b99ea55deb6d8ff1c8d40a8e4f57a0bd3f4ac0b |