Analysis Overview
SHA256
78daa4154c6bb91605329f571b16f535fbf79a96a7da2e7b865674e7502a8b7e
Threat Level: Shows suspicious behavior
The file be7f584a3eca37e5216601d5f22cb427_JaffaCakes118 was found to be: Shows suspicious behavior.
Malicious Activity Summary
Mark of the Web detected: This indicates that the page was originally saved or cloned.
Drops file in System32 directory
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious use of SetWindowsHookEx
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-08-24 11:30
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-24 11:30
Reported
2024-08-24 11:32
Platform
win7-20240708-en
Max time kernel
118s
Max time network
120s
Command Line
Signatures
Mark of the Web detected: This indicates that the page was originally saved or cloned.
| Description | Indicator | Process | Target |
| N/A | https://r01.ru/ | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\WINDOWS\SysWOW64\win32dlll.exe | C:\Users\Admin\AppData\Local\Temp\be7f584a3eca37e5216601d5f22cb427_JaffaCakes118.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\be7f584a3eca37e5216601d5f22cb427_JaffaCakes118.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\be7f584a3eca37e5216601d5f22cb427_JaffaCakes118.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\be7f584a3eca37e5216601d5f22cb427_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\be7f584a3eca37e5216601d5f22cb427_JaffaCakes118.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | fotinhacpp.pop3.ru | udp |
| RU | 31.177.80.144:80 | fotinhacpp.pop3.ru | tcp |
Files
C:\Windows\SysWOW64\win32dlll.exe
| MD5 | 7ef64b3be61dc28efc5fa9c8f01fc7e7 |
| SHA1 | bbbbcbb68de787ddfe8441ac3af8977f85a9cbb9 |
| SHA256 | c224fa97bbe7a8d420763b9abb51147f3d15758de62ba46bd4554afeb00fc42b |
| SHA512 | 32413693c385ca1fde133fc995001c990107acf4a1ec438c3a3e9d19f1d392cb8c936d94093045b05e98020341d411b1b4834c07cc25ee35541022803eae0ef1 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-24 11:30
Reported
2024-08-24 11:32
Platform
win10v2004-20240802-en
Max time kernel
134s
Max time network
127s
Command Line
Signatures
Mark of the Web detected: This indicates that the page was originally saved or cloned.
| Description | Indicator | Process | Target |
| N/A | https://r01.ru/ | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\WINDOWS\SysWOW64\win32dlll.exe | C:\Users\Admin\AppData\Local\Temp\be7f584a3eca37e5216601d5f22cb427_JaffaCakes118.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\be7f584a3eca37e5216601d5f22cb427_JaffaCakes118.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\be7f584a3eca37e5216601d5f22cb427_JaffaCakes118.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\be7f584a3eca37e5216601d5f22cb427_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\be7f584a3eca37e5216601d5f22cb427_JaffaCakes118.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | fotinhacpp.pop3.ru | udp |
| RU | 31.177.76.144:80 | fotinhacpp.pop3.ru | tcp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 144.76.177.31.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 136.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 150.171.27.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
Files
C:\Windows\SysWOW64\win32dlll.exe
| MD5 | 7ef64b3be61dc28efc5fa9c8f01fc7e7 |
| SHA1 | bbbbcbb68de787ddfe8441ac3af8977f85a9cbb9 |
| SHA256 | c224fa97bbe7a8d420763b9abb51147f3d15758de62ba46bd4554afeb00fc42b |
| SHA512 | 32413693c385ca1fde133fc995001c990107acf4a1ec438c3a3e9d19f1d392cb8c936d94093045b05e98020341d411b1b4834c07cc25ee35541022803eae0ef1 |