Malware Analysis Report

2025-04-13 21:40

Sample ID 240825-lkfetsyglk
Target c07392e48322e4efde24d759d27262f5_JaffaCakes118
SHA256 517dc10df7fda0b7334a76c8e34d638562f32f724e45f8f8e91f7729c6c41f2a
Tags
discovery
score
5/10

Analysis Overview

score
5/10

SHA256

517dc10df7fda0b7334a76c8e34d638562f32f724e45f8f8e91f7729c6c41f2a

Threat Level: Likely benign

The file c07392e48322e4efde24d759d27262f5_JaffaCakes118 was found to be: Likely benign.

Malicious Activity Summary

discovery

Checks computer location settings

Loads dropped DLL

Executes dropped EXE

Enumerates physical storage devices

System Network Configuration Discovery: Internet Connection Discovery

System Location Discovery: System Language Discovery

NSIS installer

Runs ping.exe

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-08-25 09:35

Signatures

NSIS installer

installer
Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-08-25 09:35

Reported

2024-08-25 09:37

Platform

win7-20240708-en

Max time kernel

119s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\$_3_.exe"

Signatures

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\$_3_.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\$_3_.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\$_3_.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$_3_.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$_3_.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2536 wrote to memory of 352 N/A C:\Users\Admin\AppData\Local\Temp\$_3_.exe C:\Windows\SysWOW64\cmd.exe
PID 2536 wrote to memory of 352 N/A C:\Users\Admin\AppData\Local\Temp\$_3_.exe C:\Windows\SysWOW64\cmd.exe
PID 2536 wrote to memory of 352 N/A C:\Users\Admin\AppData\Local\Temp\$_3_.exe C:\Windows\SysWOW64\cmd.exe
PID 2536 wrote to memory of 352 N/A C:\Users\Admin\AppData\Local\Temp\$_3_.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\$_3_.exe

"C:\Users\Admin\AppData\Local\Temp\$_3_.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\21418.bat" "C:\Users\Admin\AppData\Local\Temp\E2DA58CC4D534A7E8CDFA5BBC2B03CEF\""

Network

Country Destination Domain Proto
US 8.8.8.8:53 c6m7w2m9.ssl.hwcdn.net udp
US 8.8.8.8:53 t8u4n6u7.ssl.hwcdn.net udp
US 8.8.8.8:53 fallback.playtech-installer.com udp
US 8.8.8.8:53 log.web-installer-assets.com udp

Files

C:\Users\Admin\AppData\Local\Temp\E2DA58CC4D534A7E8CDFA5BBC2B03CEF\E2DA58CC4D534A7E8CDFA5BBC2B03CEF_LogFile.txt

MD5 7eca8d501b76136dc225b7abefeee71d
SHA1 2275684e9fd3cbb616c15475a8b36c594e80e7c7
SHA256 7d5ba1a7e013f87e163ded99841cac8675938a4a0773e3367dfc51b8fdbdda32
SHA512 737f58572eca89cb27532c276b1df8429feaa9c48a185bbecfa79e29c1f20ac1d037b87f51744cabd6e794db937bfe4de53afdfaa02d4950f458251048a84d01

memory/2536-63-0x00000000003B0000-0x00000000003B1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\21418.bat

MD5 739fcc7ba42b209fe44bea47e7a8c48f
SHA1 bc7a448a7c018133edcf012bc94301623eb42c5b
SHA256 69017cdbbe68396f45e41d211b22d800cc1afc0eadbd3440873038585020315c
SHA512 2b2b130798b0f4e534626b9fb5deaa10bb1930e6700ac0ba7cf151c1bf3239039a7032ea67ceed86a4a4dbe981064c42a8e0f88fe8361e27002dd8ceb0ea767a

C:\Users\Admin\AppData\Local\Temp\E2DA58CC4D534A7E8CDFA5BBC2B03CEF\E2DA58~1.TXT

MD5 e601af37807d546eee4dd3119284cbdc
SHA1 9a20ff25c4c9da753d86ebb8d4f30c0e427d003a
SHA256 fa88d98f040461e359972962a8d4d149ca6c8a4c0044df3a6446b3d57f4e2813
SHA512 4634839e7582ca3c8e89dc01d95318b491a8d746779e33ae361014e2cf40c6c6549ccd8bef9ccca8ecb786eb0f906de3d27fd2bbd637467adb3997bee70b9deb

Analysis: behavioral4

Detonation Overview

Submitted

2024-08-25 09:35

Reported

2024-08-25 09:37

Platform

win10v2004-20240802-en

Max time kernel

134s

Max time network

129s

Command Line

"C:\Users\Admin\AppData\Local\Temp\$_3_.exe"

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\$_3_.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\$_3_.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\$_3_.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$_3_.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\$_3_.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$_3_.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$_3_.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3648 wrote to memory of 2876 N/A C:\Users\Admin\AppData\Local\Temp\$_3_.exe C:\Windows\SysWOW64\cmd.exe
PID 3648 wrote to memory of 2876 N/A C:\Users\Admin\AppData\Local\Temp\$_3_.exe C:\Windows\SysWOW64\cmd.exe
PID 3648 wrote to memory of 2876 N/A C:\Users\Admin\AppData\Local\Temp\$_3_.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\$_3_.exe

"C:\Users\Admin\AppData\Local\Temp\$_3_.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4440,i,1602949858158667699,12464335823361976127,262144 --variations-seed-version --mojo-platform-channel-handle=4396 /prefetch:8

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\11104.bat" "C:\Users\Admin\AppData\Local\Temp\6B72DFDC7AFF47FB929B76C6203EE359\""

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 t8u4n6u7.ssl.hwcdn.net udp
US 8.8.8.8:53 g.bing.com udp
US 150.171.28.10:443 g.bing.com tcp
US 8.8.8.8:53 c6m7w2m9.ssl.hwcdn.net udp
US 8.8.8.8:53 fallback.playtech-installer.com udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 t8u4n6u7.ssl.hwcdn.net udp
US 8.8.8.8:53 log.web-installer-assets.com udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp

Files

C:\Users\Admin\AppData\Local\Temp\6B72DFDC7AFF47FB929B76C6203EE359\6B72DFDC7AFF47FB929B76C6203EE359_LogFile.txt

MD5 a987b94b705ae3c010b72e13cf33ef92
SHA1 d0d833b418a3d4f7c31e2bf82390532b4c867e13
SHA256 b69f22a3758b3e7d07a9a9f4509e1446242247225fc0ca8c6d646920bced0c6a
SHA512 cd71eece0f6abf00fd5801d1dd162ef757cb2fbf3aee1f1a57e3f3910cc59774c4eb9a526a4e22d6b82b282f6522529e7e50ae6966f3bd81e722fa51b6bf66f6

C:\Users\Admin\AppData\Local\Temp\11104.bat

MD5 739fcc7ba42b209fe44bea47e7a8c48f
SHA1 bc7a448a7c018133edcf012bc94301623eb42c5b
SHA256 69017cdbbe68396f45e41d211b22d800cc1afc0eadbd3440873038585020315c
SHA512 2b2b130798b0f4e534626b9fb5deaa10bb1930e6700ac0ba7cf151c1bf3239039a7032ea67ceed86a4a4dbe981064c42a8e0f88fe8361e27002dd8ceb0ea767a

C:\Users\Admin\AppData\Local\Temp\6B72DFDC7AFF47FB929B76C6203EE359\6B72DF~1.TXT

MD5 edd0c0c692a4b46006e1fb1c167d571a
SHA1 29f6c045b1299c775e9385394f1689073393265d
SHA256 8c6a6915fe9766b07cfe223a5c0555ed51b6932b3cf3f63aedc9218158d56e0d
SHA512 4f5a4d057c7e6560297a81dccbabcab8cf34627bfbc1963f613796ab0695ff9836af6b1f22dfc06eb125edf8db11efa4d0e08fa54943fcba462837bdc543f481

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-25 09:35

Reported

2024-08-25 09:37

Platform

win7-20240708-en

Max time kernel

121s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c07392e48322e4efde24d759d27262f5_JaffaCakes118.exe"

Signatures

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\c07392e48322e4efde24d759d27262f5_JaffaCakes118.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\c07392e48322e4efde24d759d27262f5_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\nstE82F.tmp\internalc07392e48322e4efde24d759d27262f5_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\PING.EXE N/A

System Network Configuration Discovery: Internet Connection Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\nstE82F.tmp\internalc07392e48322e4efde24d759d27262f5_JaffaCakes118.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2116 wrote to memory of 2132 N/A C:\Users\Admin\AppData\Local\Temp\c07392e48322e4efde24d759d27262f5_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\nstE82F.tmp\internalc07392e48322e4efde24d759d27262f5_JaffaCakes118.exe
PID 2116 wrote to memory of 2132 N/A C:\Users\Admin\AppData\Local\Temp\c07392e48322e4efde24d759d27262f5_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\nstE82F.tmp\internalc07392e48322e4efde24d759d27262f5_JaffaCakes118.exe
PID 2116 wrote to memory of 2132 N/A C:\Users\Admin\AppData\Local\Temp\c07392e48322e4efde24d759d27262f5_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\nstE82F.tmp\internalc07392e48322e4efde24d759d27262f5_JaffaCakes118.exe
PID 2116 wrote to memory of 2132 N/A C:\Users\Admin\AppData\Local\Temp\c07392e48322e4efde24d759d27262f5_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\nstE82F.tmp\internalc07392e48322e4efde24d759d27262f5_JaffaCakes118.exe
PID 2116 wrote to memory of 2132 N/A C:\Users\Admin\AppData\Local\Temp\c07392e48322e4efde24d759d27262f5_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\nstE82F.tmp\internalc07392e48322e4efde24d759d27262f5_JaffaCakes118.exe
PID 2116 wrote to memory of 2132 N/A C:\Users\Admin\AppData\Local\Temp\c07392e48322e4efde24d759d27262f5_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\nstE82F.tmp\internalc07392e48322e4efde24d759d27262f5_JaffaCakes118.exe
PID 2116 wrote to memory of 2132 N/A C:\Users\Admin\AppData\Local\Temp\c07392e48322e4efde24d759d27262f5_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\nstE82F.tmp\internalc07392e48322e4efde24d759d27262f5_JaffaCakes118.exe
PID 2132 wrote to memory of 1732 N/A C:\Users\Admin\AppData\Local\Temp\nstE82F.tmp\internalc07392e48322e4efde24d759d27262f5_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 2132 wrote to memory of 1732 N/A C:\Users\Admin\AppData\Local\Temp\nstE82F.tmp\internalc07392e48322e4efde24d759d27262f5_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 2132 wrote to memory of 1732 N/A C:\Users\Admin\AppData\Local\Temp\nstE82F.tmp\internalc07392e48322e4efde24d759d27262f5_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 2132 wrote to memory of 1732 N/A C:\Users\Admin\AppData\Local\Temp\nstE82F.tmp\internalc07392e48322e4efde24d759d27262f5_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 1732 wrote to memory of 2424 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 1732 wrote to memory of 2424 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 1732 wrote to memory of 2424 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 1732 wrote to memory of 2424 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\c07392e48322e4efde24d759d27262f5_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\c07392e48322e4efde24d759d27262f5_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\nstE82F.tmp\internalc07392e48322e4efde24d759d27262f5_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\nstE82F.tmp\internalc07392e48322e4efde24d759d27262f5_JaffaCakes118.exe C:/Users/Admin/AppData/Local/Temp/nstE82F.tmp /baseInstaller='C:/Users/Admin/AppData/Local/Temp/c07392e48322e4efde24d759d27262f5_JaffaCakes118.exe' /fallbackfolder='C:/Users/Admin/AppData/Local/Temp/nstE82F.tmp/fallbackfiles/'

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\789.bat" "C:\Users\Admin\AppData\Local\Temp\BA0A7D4BE58E4A75874495FE746463EC\""

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 1 -w 1000

Network

Country Destination Domain Proto
US 8.8.8.8:53 c6m7w2m9.ssl.hwcdn.net udp
US 8.8.8.8:53 t8u4n6u7.ssl.hwcdn.net udp
US 8.8.8.8:53 fallback.playtech-installer.com udp
US 8.8.8.8:53 log.web-installer-assets.com udp

Files

\Users\Admin\AppData\Local\Temp\nstE82F.tmp\internalc07392e48322e4efde24d759d27262f5_JaffaCakes118.exe

MD5 77bfacca17ee1d89833b57f3a746d9a0
SHA1 aa9490c913489c5eafd02f67f875efcb56d23036
SHA256 38571b0965110d07c6fbf4813ab628d4017cf52c681c457fb3f184b644fb0b52
SHA512 21ecc2fce94a58cd39127964730b01722b9dafa20d3af65b023fe83188c08211ba1324849513ffc10b6a359737f98c4d06770dc1954f8880daff938a06581e6f

C:\Users\Admin\AppData\Local\Temp\nstE82F.tmp\internalc07392e48322e4efde24d759d27262f5_JaffaCakes118_splash.png

MD5 0a8589de904eec91522c276d896216c4
SHA1 58ba5e9158c3afa3c3112fe1e24567996794c07e
SHA256 496d42e72d7c57969f584849a8f7366783afd39862f7f71b59d78b723225cd55
SHA512 bea912ebc889e6444532beacbe562038b78c918dff9bfa16d7d9a15e25f52ce90e93a6736636926ef7d45e65eb8f73da92149e3188cf5a4b78a8d248b3b0d9fd

C:\Users\Admin\AppData\Local\Temp\nstE82F.tmp\internalc07392e48322e4efde24d759d27262f5_JaffaCakes118_icon.ico

MD5 592abe695d3fb84c8a7589b0d2553a97
SHA1 d70d6de6fa25ca1924bd02b84075ee94f3870133
SHA256 ed59d25e5daf4e4c89c09a4c829ac4d12f1b0e258d167760a07bce6266cebda0
SHA512 a8c09f8f35790a0bcf4b69ffa7f26eb60b8e14394ecef6a63c1776e538eb749251545dda48f6a7243c91d9779d24b4d774b39dbd966d32e5fa39071fff9a0978

C:\Users\Admin\AppData\Local\Temp\BA0A7D4BE58E4A75874495FE746463EC\BA0A7D4BE58E4A75874495FE746463EC_LogFile.txt

MD5 2afa019ce5d278359bb1e6219932c2c3
SHA1 eef70003ddfce7fbf488d5ffa214bbb2c8584a7e
SHA256 3e6de7606e8b581b5672d3ff70594950aa76c4fe87d953093c9f4c806918d6f8
SHA512 89647f17b9341e3a43239f5f28d9382e1f00534e709854c3b9fb0c04f3e160c2fce49b34ec58aa9d0e262baae99c1669d61da61e53d044bf58010d5743a17165

C:\Users\Admin\AppData\Local\Temp\BA0A7D4BE58E4A75874495FE746463EC\BA0A7D4BE58E4A75874495FE746463EC_LogFile.txt

MD5 c63d7b1e0809942e9ddcd4fa117a6dc1
SHA1 031c37fe44803015210b3437a4a88e15eba1a009
SHA256 2942e34dfe53a45c358a0a2c793bab1446ee9997f638c70b67b78f671847c396
SHA512 2922532c93adf94959e886234f535434700f42ad5bd8857337b07886915c17e24aa5e9f2fb77f2562ff44c38b9c475d0b32816a8655163f5f2c8eba90b7b72ad

memory/2132-73-0x00000000001E0000-0x00000000001E1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\789.bat

MD5 739fcc7ba42b209fe44bea47e7a8c48f
SHA1 bc7a448a7c018133edcf012bc94301623eb42c5b
SHA256 69017cdbbe68396f45e41d211b22d800cc1afc0eadbd3440873038585020315c
SHA512 2b2b130798b0f4e534626b9fb5deaa10bb1930e6700ac0ba7cf151c1bf3239039a7032ea67ceed86a4a4dbe981064c42a8e0f88fe8361e27002dd8ceb0ea767a

memory/2116-276-0x0000000000400000-0x000000000043A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\BA0A7D4BE58E4A75874495FE746463EC\BA0A7D~1.TXT

MD5 ebd9b0557293057bc6a1cd80ca1bcbf0
SHA1 113cbf031f612faaa4096dbba46f4d2af959d73c
SHA256 5df1a0cd7ff8b44f33ca817422bd85d17000c33d4eb972fe05502160dac4f5d0
SHA512 a51acff2c1003f6f64ca612c8ad340a9c827a752a3bf256c014fc4d1e74a11838ee9749e12dff3d2e9188e1b99531ead24d7f93d98ed571f8064b0fbe594609c

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-25 09:35

Reported

2024-08-25 09:37

Platform

win10v2004-20240802-en

Max time kernel

84s

Max time network

138s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c07392e48322e4efde24d759d27262f5_JaffaCakes118.exe"

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\nscBE22.tmp\internalc07392e48322e4efde24d759d27262f5_JaffaCakes118.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\PING.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\c07392e48322e4efde24d759d27262f5_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\nscBE22.tmp\internalc07392e48322e4efde24d759d27262f5_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

System Network Configuration Discovery: Internet Connection Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4496 wrote to memory of 936 N/A C:\Users\Admin\AppData\Local\Temp\c07392e48322e4efde24d759d27262f5_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\nscBE22.tmp\internalc07392e48322e4efde24d759d27262f5_JaffaCakes118.exe
PID 4496 wrote to memory of 936 N/A C:\Users\Admin\AppData\Local\Temp\c07392e48322e4efde24d759d27262f5_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\nscBE22.tmp\internalc07392e48322e4efde24d759d27262f5_JaffaCakes118.exe
PID 4496 wrote to memory of 936 N/A C:\Users\Admin\AppData\Local\Temp\c07392e48322e4efde24d759d27262f5_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\nscBE22.tmp\internalc07392e48322e4efde24d759d27262f5_JaffaCakes118.exe
PID 936 wrote to memory of 1316 N/A C:\Users\Admin\AppData\Local\Temp\nscBE22.tmp\internalc07392e48322e4efde24d759d27262f5_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 936 wrote to memory of 1316 N/A C:\Users\Admin\AppData\Local\Temp\nscBE22.tmp\internalc07392e48322e4efde24d759d27262f5_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 936 wrote to memory of 1316 N/A C:\Users\Admin\AppData\Local\Temp\nscBE22.tmp\internalc07392e48322e4efde24d759d27262f5_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 1316 wrote to memory of 3892 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 1316 wrote to memory of 3892 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 1316 wrote to memory of 3892 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\c07392e48322e4efde24d759d27262f5_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\c07392e48322e4efde24d759d27262f5_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\nscBE22.tmp\internalc07392e48322e4efde24d759d27262f5_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\nscBE22.tmp\internalc07392e48322e4efde24d759d27262f5_JaffaCakes118.exe C:/Users/Admin/AppData/Local/Temp/nscBE22.tmp /baseInstaller='C:/Users/Admin/AppData/Local/Temp/c07392e48322e4efde24d759d27262f5_JaffaCakes118.exe' /fallbackfolder='C:/Users/Admin/AppData/Local/Temp/nscBE22.tmp/fallbackfiles/'

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\789.bat" "C:\Users\Admin\AppData\Local\Temp\A8A835AC0247414D92C96EC2E92CE1E0\""

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 1 -w 1000

Network

Country Destination Domain Proto
US 8.8.8.8:53 t8u4n6u7.ssl.hwcdn.net udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 c6m7w2m9.ssl.hwcdn.net udp
US 8.8.8.8:53 fallback.playtech-installer.com udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 t8u4n6u7.ssl.hwcdn.net udp
US 8.8.8.8:53 log.web-installer-assets.com udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 147.142.123.92.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\nscBE22.tmp\internalc07392e48322e4efde24d759d27262f5_JaffaCakes118.exe

MD5 77bfacca17ee1d89833b57f3a746d9a0
SHA1 aa9490c913489c5eafd02f67f875efcb56d23036
SHA256 38571b0965110d07c6fbf4813ab628d4017cf52c681c457fb3f184b644fb0b52
SHA512 21ecc2fce94a58cd39127964730b01722b9dafa20d3af65b023fe83188c08211ba1324849513ffc10b6a359737f98c4d06770dc1954f8880daff938a06581e6f

C:\Users\Admin\AppData\Local\Temp\A8A835AC0247414D92C96EC2E92CE1E0\A8A835AC0247414D92C96EC2E92CE1E0_LogFile.txt

MD5 833860e26b3f534723d959ea629b6bc8
SHA1 694111dc04e95081722cfe2e997db698051793e5
SHA256 4a5b2f001c920a5e04e242860391df15f6e78fd4d0b3d2a5f419a4d1636805c4
SHA512 6aa92e450d4517ceb3b03a2c321cd300d713109a8e9587348e5059363691058cb05c793b8dc2be7187329dee4c1d3a50ca61f0a8a61746896d70540092bcf50f

C:\Users\Admin\AppData\Local\Temp\nscBE22.tmp\internalc07392e48322e4efde24d759d27262f5_JaffaCakes118_icon.ico

MD5 592abe695d3fb84c8a7589b0d2553a97
SHA1 d70d6de6fa25ca1924bd02b84075ee94f3870133
SHA256 ed59d25e5daf4e4c89c09a4c829ac4d12f1b0e258d167760a07bce6266cebda0
SHA512 a8c09f8f35790a0bcf4b69ffa7f26eb60b8e14394ecef6a63c1776e538eb749251545dda48f6a7243c91d9779d24b4d774b39dbd966d32e5fa39071fff9a0978

C:\Users\Admin\AppData\Local\Temp\nscBE22.tmp\internalc07392e48322e4efde24d759d27262f5_JaffaCakes118_splash.png

MD5 0a8589de904eec91522c276d896216c4
SHA1 58ba5e9158c3afa3c3112fe1e24567996794c07e
SHA256 496d42e72d7c57969f584849a8f7366783afd39862f7f71b59d78b723225cd55
SHA512 bea912ebc889e6444532beacbe562038b78c918dff9bfa16d7d9a15e25f52ce90e93a6736636926ef7d45e65eb8f73da92149e3188cf5a4b78a8d248b3b0d9fd

memory/4496-268-0x0000000000400000-0x000000000043A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\789.bat

MD5 739fcc7ba42b209fe44bea47e7a8c48f
SHA1 bc7a448a7c018133edcf012bc94301623eb42c5b
SHA256 69017cdbbe68396f45e41d211b22d800cc1afc0eadbd3440873038585020315c
SHA512 2b2b130798b0f4e534626b9fb5deaa10bb1930e6700ac0ba7cf151c1bf3239039a7032ea67ceed86a4a4dbe981064c42a8e0f88fe8361e27002dd8ceb0ea767a

C:\Users\Admin\AppData\Local\Temp\A8A835AC0247414D92C96EC2E92CE1E0\A8A835~1.TXT

MD5 0bad3d097a9fad0fc4281cf3ae1e1f3d
SHA1 1c0cd92bd5ca94fdd96b9bb8796bc5c663b49686
SHA256 0720ac35aad0076731a380aac1ed36552f74727368398dc50a5cc8021354841d
SHA512 0da321014b0805335f82e8c351ce4a132066ac641091245f9a5a60b899bff538bd0aab0a0f7820c51838c3b97a21346f256a0560c0d56c4df2396853a3ddb4e7