Analysis Overview
SHA256
059a6f40fe160942e7598bce26e5e73667d1643b4c0856e93c7dcca8be48615f
Threat Level: Shows suspicious behavior
The file c0821545051628d57f958ae8b43ffd7b_JaffaCakes118 was found to show suspicious behavior.
Malicious Activity Summary
UPX packed file
Executes dropped EXE
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-08-25 10:09
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
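The two static1 tags, "Unsigned PE" and "UPX packed file", are decided from header fields that can be read without running the sample. The block below is an added example, not part of this report or of the sandbox that produced it: it walks a PE's DOS, COFF and optional headers, lists the section names, flags the UPX0/UPX1 names that stock UPX emits, and checks whether the Authenticode certificate table (data directory index 4) is populated, which is what "unsigned" reduces to at header level. The `build_test_pe` helper is a constructed, headers-only PE32 used as sample input; it is not the file analysed on this page.

```python
import struct

# IMAGE_DIRECTORY_ENTRY_SECURITY: index of the Authenticode certificate table
SECURITY_DIR_INDEX = 4


def analyze_pe(data: bytes) -> dict:
    """Header-level checks behind the 'UPX packed file' and 'Unsigned PE' tags.

    upx_packed is a name heuristic (UPX0/UPX1/UPX2 are UPX defaults; a repacker
    can rename them, so False is not proof of an unpacked file). has_authenticode
    only says a certificate table is attached; the signature is not validated.
    """
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:        # PE32: NumberOfRvaAndSizes at +92, directories at +96
        num_rva_off, dir_off = 92, 96
    elif magic == 0x20B:      # PE32+: NumberOfRvaAndSizes at +108, directories at +112
        num_rva_off, dir_off = 108, 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    num_rva = struct.unpack_from("<I", data, opt + num_rva_off)[0]
    cert_size = 0
    if num_rva > SECURITY_DIR_INDEX:
        # For the security directory the first field is a file offset, not an RVA.
        _, cert_size = struct.unpack_from("<II", data, opt + dir_off + 8 * SECURITY_DIR_INDEX)
    sec_table = opt + opt_size
    names = []
    for i in range(num_sections):
        raw = data[sec_table + 40 * i: sec_table + 40 * i + 8]   # IMAGE_SECTION_HEADER.Name
        names.append(raw.rstrip(b"\0").decode("latin-1"))
    return {
        "sections": names,
        "upx_packed": any(n.upper().startswith("UPX") for n in names),
        "has_authenticode": cert_size > 0,
    }


def build_test_pe(section_names, signed: bool) -> bytes:
    """Constructed minimal PE32 image (headers only) used as sample input.

    Not derived from the sample on this page; it exists to exercise the parser.
    """
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)      # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, 0xE0, 0x0102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                           # PE32 magic
    struct.pack_into("<I", opt, 92, 16)                             # NumberOfRvaAndSizes
    if signed:
        # certificate table (file offset, size); any non-zero size marks it present
        struct.pack_into("<II", opt, 96 + 8 * SECURITY_DIR_INDEX, 0x400, 0x200)
    secs = b"".join(struct.pack("<8s32x", n.encode("ascii")) for n in section_names)
    return dos + b"PE\0\0" + coff + bytes(opt) + secs


if __name__ == "__main__":
    print(analyze_pe(build_test_pe(["UPX0", "UPX1", ".rsrc"], signed=False)))
    print(analyze_pe(build_test_pe([".text", ".rdata", ".data"], signed=True)))
```

For a real file call `analyze_pe(open(path, "rb").read())`. A populated certificate table only shows that a signature is attached; checking the chain, the hash match and revocation needs signtool or an Authenticode library. A packer that renames its sections defeats the name check, so section entropy or a match on the unpacking stub is the usual next step.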
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-25 10:09
Reported
2024-08-25 10:12
Platform
win7-20240708-en
Max time kernel
121s
Max time network
125s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\4.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\4.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\4.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\4.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1720 wrote to memory of 1972 | N/A | C:\Users\Admin\AppData\Local\Temp\c0821545051628d57f958ae8b43ffd7b_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\4.exe |
| PID 1720 wrote to memory of 1972 | N/A | C:\Users\Admin\AppData\Local\Temp\c0821545051628d57f958ae8b43ffd7b_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\4.exe |
| PID 1720 wrote to memory of 1972 | N/A | C:\Users\Admin\AppData\Local\Temp\c0821545051628d57f958ae8b43ffd7b_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\4.exe |
| PID 1720 wrote to memory of 1972 | N/A | C:\Users\Admin\AppData\Local\Temp\c0821545051628d57f958ae8b43ffd7b_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\4.exe |
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\c0821545051628d57f958ae8b43ffd7b_JaffaCakes118.exe | "C:\Users\Admin\AppData\Local\Temp\c0821545051628d57f958ae8b43ffd7b_JaffaCakes118.exe" |
| C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\4.exe | "C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\4.exe" |
Network
Files
memory/1720-0-0x000007FEF641E000-0x000007FEF641F000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\4.exe
| MD5 | 4aac6d159f0d97f74c780e79a75d82df |
| SHA1 | 15b881b9dac6f4be349d11ca3d2344bf039a42cd |
| SHA256 | 29b05d5c1cf5abae6daeb8a6d754dc85b734071c4ddace95d5519a4e83529ae9 |
| SHA512 | 37211dba03c6113e33181add19e47fb67643606a78759228294d5c185afe3021abf2ac6a5dea03df5db4bbe19020c24c8ac4077efb0f31106d209dd084c8ad99 |
memory/1720-8-0x000007FEF6160000-0x000007FEF6AFD000-memory.dmp
memory/1972-11-0x0000000000400000-0x0000000000441000-memory.dmp
memory/1720-10-0x000007FEF6160000-0x000007FEF6AFD000-memory.dmp
memory/1720-13-0x000007FEF6160000-0x000007FEF6AFD000-memory.dmp
memory/1972-14-0x0000000000400000-0x0000000000441000-memory.dmp
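The behavioral1 signatures above are really one event chain: the sample in `%TEMP%` (PID 1720) writes into a newly created child (PID 1972) four times, and that child is the dropped 4.exe running out of the IE cache directory. A few parent-to-child writes are consistent with ordinary process creation and are also the first step of process hollowing; the report does not say which, and the example below only counts them. The block is an added example, not part of the report or of the sandbox: it rebuilds the parent/child tree from rows shaped like the WriteProcessMemory table and flags a child launched from a browser cache directory by a parent in `%TEMP%`. The `MEMWRITE_ROWS` list is constructed from the rows shown for this run; the cache path patterns (Windows 7 "Temporary Internet Files", Windows 8+ "INetCache") are an assumption of the example.

```python
import re
from collections import Counter, defaultdict

MEMWRITE_RE = re.compile(r"PID (\d+) wrote to memory of (\d+)")

# Constructed from the behavioral1 WriteProcessMemory rows above (Win7 run):
# (description, source process, target process). The report lists one row per
# call, so the identical rows are kept on purpose.
MEMWRITE_ROWS = [
    ("PID 1720 wrote to memory of 1972",
     r"C:\Users\Admin\AppData\Local\Temp\c0821545051628d57f958ae8b43ffd7b_JaffaCakes118.exe",
     r"C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\4.exe"),
] * 4

# Assumed detection paths: a browser/OS-populated cache directory as the child
# image and the per-user temp directory as the parent image.
CACHE_DIR_RES = [re.compile(r"\\Temporary Internet Files\\", re.I),  # IE cache, Windows 7
                 re.compile(r"\\INetCache\\", re.I)]                  # same cache, Windows 8+
TEMP_DIR_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.I)


def build_tree(rows):
    """Return ({pid: image path}, {parent pid: Counter(child pid -> write count)})."""
    images, tree = {}, defaultdict(Counter)
    for desc, src, dst in rows:
        m = MEMWRITE_RE.search(desc)
        if not m:
            continue
        src_pid, dst_pid = int(m.group(1)), int(m.group(2))
        images[src_pid], images[dst_pid] = src, dst
        tree[src_pid][dst_pid] += 1
    return images, tree


def find_dropped_exe_launches(images, tree):
    """Flag children living in a browser cache dir whose parent runs from %TEMP%."""
    findings = []
    for parent, kids in tree.items():
        if not TEMP_DIR_RE.search(images[parent]):
            continue
        for child, writes in kids.items():
            if any(r.search(images[child]) for r in CACHE_DIR_RES):
                findings.append({"parent": parent, "child": child,
                                 "child_image": images[child], "writes": writes})
    return findings


if __name__ == "__main__":
    images, tree = build_tree(MEMWRITE_ROWS)
    for parent, kids in tree.items():
        for child, writes in kids.items():
            print(f"{parent} -> {child} ({writes} writes): {images[child]}")
    print(find_dropped_exe_launches(images, tree))
```

The same two functions apply unchanged to the behavioral2 rows (PID 4400 writing to 3552, child in `INetCache`), which is why the Windows 8+ cache name is in the pattern list. On a live host the equivalent signal is a Sysmon process-creation event whose Image is under one of those cache directories and whose ParentImage is under `AppData\Local\Temp`.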
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-25 10:09
Reported
2024-08-25 10:12
Platform
win10v2004-20240802-en
Max time kernel
138s
Max time network
107s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\8.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\8.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\8.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\8.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4400 wrote to memory of 3552 | N/A | C:\Users\Admin\AppData\Local\Temp\c0821545051628d57f958ae8b43ffd7b_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\8.exe |
| PID 4400 wrote to memory of 3552 | N/A | C:\Users\Admin\AppData\Local\Temp\c0821545051628d57f958ae8b43ffd7b_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\8.exe |
| PID 4400 wrote to memory of 3552 | N/A | C:\Users\Admin\AppData\Local\Temp\c0821545051628d57f958ae8b43ffd7b_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\8.exe |
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\c0821545051628d57f958ae8b43ffd7b_JaffaCakes118.exe | "C:\Users\Admin\AppData\Local\Temp\c0821545051628d57f958ae8b43ffd7b_JaffaCakes118.exe" |
| C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\8.exe | C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\8.exe |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.27.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 73.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 192.142.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
Files
memory/4400-0-0x00007FFA93EB5000-0x00007FFA93EB6000-memory.dmp
memory/4400-1-0x00007FFA93C00000-0x00007FFA945A1000-memory.dmp
memory/4400-2-0x000000001BD50000-0x000000001C21E000-memory.dmp
memory/4400-3-0x000000001C2D0000-0x000000001C376000-memory.dmp
memory/4400-5-0x000000001C470000-0x000000001C50C000-memory.dmp
memory/4400-4-0x00007FFA93C00000-0x00007FFA945A1000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\8.exe
| MD5 | 4aac6d159f0d97f74c780e79a75d82df |
| SHA1 | 15b881b9dac6f4be349d11ca3d2344bf039a42cd |
| SHA256 | 29b05d5c1cf5abae6daeb8a6d754dc85b734071c4ddace95d5519a4e83529ae9 |
| SHA512 | 37211dba03c6113e33181add19e47fb67643606a78759228294d5c185afe3021abf2ac6a5dea03df5db4bbe19020c24c8ac4077efb0f31106d209dd084c8ad99 |
memory/3552-10-0x0000000000400000-0x0000000000441000-memory.dmp
memory/4400-14-0x00007FFA93C00000-0x00007FFA945A1000-memory.dmp
memory/3552-15-0x0000000000400000-0x0000000000441000-memory.dmp
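Read together, the Files tables of behavioral1 and behavioral2 show one payload: 4.exe on Windows 7 and 8.exe on Windows 10 carry the same MD5, SHA1 and SHA256, so the dropper writes the same file under a different name into the browser cache directory of each OS. The behavioral2 Network table, the only one with traffic, contains bing.com/bing.net connections and PTR lookups against 8.8.8.8; note that `10.28.171.150.in-addr.arpa` reverses to 150.171.28.10, the address contacted for tse1.mm.bing.net in the same table. The block below is an added example, not part of the report or of the sandbox: it collapses the dropped files into one IOC keyed by SHA256, decodes the PTR names, and sets aside the rows matching an allowlist of background hosts so what is left is what an analyst still has to look at. The `DROPPED_FILES` and `NETWORK_ROWS` lists are constructed from the tables above (the network list is a subset); the allowlist is an assumption of the example and must be tuned per environment.

```python
import ipaddress

# Constructed from the Files tables of behavioral1 and behavioral2 above:
# (run, dropped path, md5, sha1, sha256).
DROPPED_FILES = [
    ("behavioral1",
     r"C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\4.exe",
     "4aac6d159f0d97f74c780e79a75d82df",
     "15b881b9dac6f4be349d11ca3d2344bf039a42cd",
     "29b05d5c1cf5abae6daeb8a6d754dc85b734071c4ddace95d5519a4e83529ae9"),
    ("behavioral2",
     r"C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\8.exe",
     "4aac6d159f0d97f74c780e79a75d82df",
     "15b881b9dac6f4be349d11ca3d2344bf039a42cd",
     "29b05d5c1cf5abae6daeb8a6d754dc85b734071c4ddace95d5519a4e83529ae9"),
]

# Subset of the behavioral2 Network table: (destination, domain, proto).
NETWORK_ROWS = [
    ("8.8.8.8:53", "58.55.71.13.in-addr.arpa", "udp"),
    ("8.8.8.8:53", "g.bing.com", "udp"),
    ("150.171.27.10:443", "g.bing.com", "tcp"),
    ("8.8.8.8:53", "tse1.mm.bing.net", "udp"),
    ("150.171.28.10:443", "tse1.mm.bing.net", "tcp"),
    ("8.8.8.8:53", "10.28.171.150.in-addr.arpa", "udp"),
]

# Assumed allowlist of hosts a stock Windows 10 VM contacts on its own; tune it
# per environment. Anything unmatched stays in the review bucket.
BACKGROUND_SUFFIXES = ("bing.com", "bing.net")


def ptr_to_ip(name):
    """'58.55.71.13.in-addr.arpa' -> '13.71.55.58'; None if not an IPv4 PTR name."""
    suffix = ".in-addr.arpa"
    if not name.endswith(suffix):
        return None
    octets = name[:-len(suffix)].split(".")
    if len(octets) != 4:
        return None
    try:
        return str(ipaddress.IPv4Address(".".join(reversed(octets))))
    except ipaddress.AddressValueError:
        return None


def collapse_dropped_files(rows):
    """Group drops by SHA256 so one payload under several names is one IOC."""
    iocs = {}
    for run, path, md5, sha1, sha256 in rows:
        ioc = iocs.setdefault(sha256, {"md5": md5, "sha1": sha1, "paths": [], "runs": []})
        ioc["paths"].append(path)
        ioc["runs"].append(run)
    return iocs


def is_background(domain):
    return any(domain == s or domain.endswith("." + s) for s in BACKGROUND_SUFFIXES)


def triage_network(rows):
    """Bucket rows into 'ptr' (decoded reverse lookups), 'background' and 'review'."""
    out = {"ptr": [], "background": [], "review": []}
    for dst, domain, proto in rows:
        ip = ptr_to_ip(domain)
        if ip:
            out["ptr"].append((dst, ip))
        elif is_background(domain):
            out["background"].append((dst, domain, proto))
        else:
            out["review"].append((dst, domain, proto))
    return out


if __name__ == "__main__":
    for sha256, ioc in collapse_dropped_files(DROPPED_FILES).items():
        print(sha256, ioc["runs"], ioc["paths"])
    print(triage_network(NETWORK_ROWS))
```

With the full table the review bucket comes out empty for this report: every row is either a PTR query or an allowlisted Microsoft host, so the run shows no traffic attributable to the sample within the 107 s of network capture. That is an absence of evidence, not proof the payload has no network capability; a longer run, a different date or a non-sandbox host could behave differently.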