Analysis Overview
SHA256
c6715ca98de9cdaf9e83c8b51d9e64ddbb17fdfb792dca1e8d5d90c167e8204d
Threat Level: Likely benign
The file c073afd8de644949c2c3598230216a66_JaffaCakes118 was found to be: Likely benign.
Malicious Activity Summary
Checks computer location settings
Enumerates physical storage devices
System Network Configuration Discovery: Internet Connection Discovery
System Location Discovery: System Language Discovery
Runs ping.exe
Suspicious use of SetWindowsHookEx
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported: 2024-08-25 09:35
Signatures
Analysis: behavioral1
Detonation Overview
Submitted: 2024-08-25 09:35
Reported: 2024-08-25 09:38
Platform: win7-20240705-en
Max time kernel: 122s
Max time network: 122s
Command Line
Signatures
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\c073afd8de644949c2c3598230216a66_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\PING.EXE | N/A |
System Network Configuration Discovery: Internet Connection Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c073afd8de644949c2c3598230216a66_JaffaCakes118.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c073afd8de644949c2c3598230216a66_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c073afd8de644949c2c3598230216a66_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c073afd8de644949c2c3598230216a66_JaffaCakes118.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
|---|---|
| C:\Users\Admin\AppData\Local\Temp\c073afd8de644949c2c3598230216a66_JaffaCakes118.exe | "C:\Users\Admin\AppData\Local\Temp\c073afd8de644949c2c3598230216a66_JaffaCakes118.exe" |
| C:\Windows\SysWOW64\cmd.exe | cmd /c ""C:\Users\Admin\AppData\Local\Temp\24436.bat" "C:\Users\Admin\AppData\Local\Temp\1768DDFB6C12481E9E8B48DF4F206E6D\"" |
| C:\Windows\SysWOW64\PING.EXE | ping 1.1.1.1 -n 1 -w 1000 |
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | t8u4n6u7.ssl.hwcdn.net | udp |
| US | 8.8.8.8:53 | c6m7w2m9.ssl.hwcdn.net | udp |
| US | 8.8.8.8:53 | fallback.playtech-installer.com | udp |
| US | 8.8.8.8:53 | log.web-installer-assets.com | udp |
Files
C:\Users\Admin\AppData\Local\Temp\1768DDFB6C12481E9E8B48DF4F206E6D\1768DDFB6C12481E9E8B48DF4F206E6D_LogFile.txt
| Algorithm | Hash |
|---|---|
| MD5 | 0afbd43579a9c07b24bfd1df3d9c5a91 |
| SHA1 | bd4719178500e5e0e0cae4747a16fba9effef5ac |
| SHA256 | 1bdbe06decceca9523823f1c9b2c34d1656152124ab4321888eada132e764f61 |
| SHA512 | 4ff63efd5f820a5c5266a16c57f752ad074707680cf6036d1d812f12d7b39a9898ab9dc6c01e93aa164fa3399887898e6c7fa4ca199d60901bd138dfd4e779a4 |
memory/2772-65-0x0000000000470000-0x0000000000471000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\24436.bat
| Algorithm | Hash |
|---|---|
| MD5 | 668767f1e0c7ff2b3960447e259e9f00 |
| SHA1 | 32d8abf834cce72f5e845175a0af2513b00504d8 |
| SHA256 | cdb93994093a24991c246d8b6f7003920a510a45bfc8441521314ce22a79191d |
| SHA512 | c07f26c8601cf91d9805004668463721ab91e14f3cc59e77e20f43d98e070ea8e742c38fe8021c4ffb1ebc02e3743ab732b66ff84bb24b59a5fdcc8634c77680 |
C:\Users\Admin\AppData\Local\Temp\1768DDFB6C12481E9E8B48DF4F206E6D\1768DD~1.TXT
| Algorithm | Hash |
|---|---|
| MD5 | 80224460f59b41e96bcdc2f61f2cf089 |
| SHA1 | a974c29bfc8c4ae9b6baaa900e4b71ebb2eed947 |
| SHA256 | 39133a3ef8637bd48a9f2ff3a1c43c50de7f975bf3d073a0940097f8be6a8166 |
| SHA512 | ce4d33895be10f3c0f29e5b08f924b40c11cfbfd54f39333b176d1631bd1c38f304fdf40126d15e782c406bd2b912514fb477b9440d54ac22d185223d372f1fb |
Analysis: behavioral2
Detonation Overview
Submitted: 2024-08-25 09:35
Reported: 2024-08-25 09:38
Platform: win10v2004-20240802-en
Max time kernel: 140s
Max time network: 109s
Command Line
Signatures
Checks computer location settings
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\c073afd8de644949c2c3598230216a66_JaffaCakes118.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\c073afd8de644949c2c3598230216a66_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\PING.EXE | N/A |
System Network Configuration Discovery: Internet Connection Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c073afd8de644949c2c3598230216a66_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c073afd8de644949c2c3598230216a66_JaffaCakes118.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c073afd8de644949c2c3598230216a66_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c073afd8de644949c2c3598230216a66_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c073afd8de644949c2c3598230216a66_JaffaCakes118.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 3292 wrote to memory of 3540 | N/A | C:\Users\Admin\AppData\Local\Temp\c073afd8de644949c2c3598230216a66_JaffaCakes118.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 3292 wrote to memory of 3540 | N/A | C:\Users\Admin\AppData\Local\Temp\c073afd8de644949c2c3598230216a66_JaffaCakes118.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 3292 wrote to memory of 3540 | N/A | C:\Users\Admin\AppData\Local\Temp\c073afd8de644949c2c3598230216a66_JaffaCakes118.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 3540 wrote to memory of 1676 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\PING.EXE |
| PID 3540 wrote to memory of 1676 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\PING.EXE |
| PID 3540 wrote to memory of 1676 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\PING.EXE |
Processes
| Process | Command line |
|---|---|
| C:\Users\Admin\AppData\Local\Temp\c073afd8de644949c2c3598230216a66_JaffaCakes118.exe | "C:\Users\Admin\AppData\Local\Temp\c073afd8de644949c2c3598230216a66_JaffaCakes118.exe" |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\24436.bat" "C:\Users\Admin\AppData\Local\Temp\530B2517D336446EA6E60634CA52CA0E\"" |
| C:\Windows\SysWOW64\PING.EXE | ping 1.1.1.1 -n 1 -w 1000 |
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | t8u4n6u7.ssl.hwcdn.net | udp |
| US | 8.8.8.8:53 | c6m7w2m9.ssl.hwcdn.net | udp |
| US | 8.8.8.8:53 | fallback.playtech-installer.com | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.28.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | t8u4n6u7.ssl.hwcdn.net | udp |
| US | 8.8.8.8:53 | log.web-installer-assets.com | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 192.142.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\530B2517D336446EA6E60634CA52CA0E\530B2517D336446EA6E60634CA52CA0E_LogFile.txt
| Algorithm | Hash |
|---|---|
| MD5 | c0e2005d15ca85b8b0032b5939cc5655 |
| SHA1 | 953ef2d872ffd164142665d3e076d0a55127ef3f |
| SHA256 | 17367c28e010e828dc6aa1abf73d86136e0b2e33ce886f09365e950955a98ce3 |
| SHA512 | 69642555cbea5de86d600bab7b63b0b0e92fbacf8e986711a4b2004c2696912fc15d149c7c9d011b46ae3e3aba4852d9b791c07fb1f76b9c9c685aeb78a43e74 |
C:\Users\Admin\AppData\Local\Temp\530B2517D336446EA6E60634CA52CA0E\530B2517D336446EA6E60634CA52CA0E_LogFile.txt
| Algorithm | Hash |
|---|---|
| MD5 | 82902efa5f6150b52a85cf3bbdf1571a |
| SHA1 | 6a001febc1a27a38180f8379447ef48b87b5a51f |
| SHA256 | 1b63b6faf31df104a1d46a542bba5f9ac1364017470805afb3cfad52ac898b30 |
| SHA512 | 5e4c5b5ab82fb96699129c95b2d709ccc4a58b14f6acc52afbeedd099d558591fba269c2316da63ae2ee2173b9f674624ed89c48473202d524f6dd8ad2dd2631 |
memory/3292-63-0x0000000003AD0000-0x0000000003AD1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\24436.bat
| Algorithm | Hash |
|---|---|
| MD5 | 668767f1e0c7ff2b3960447e259e9f00 |
| SHA1 | 32d8abf834cce72f5e845175a0af2513b00504d8 |
| SHA256 | cdb93994093a24991c246d8b6f7003920a510a45bfc8441521314ce22a79191d |
| SHA512 | c07f26c8601cf91d9805004668463721ab91e14f3cc59e77e20f43d98e070ea8e742c38fe8021c4ffb1ebc02e3743ab732b66ff84bb24b59a5fdcc8634c77680 |
C:\Users\Admin\AppData\Local\Temp\530B2517D336446EA6E60634CA52CA0E\530B25~1.TXT
| Algorithm | Hash |
|---|---|
| MD5 | 1c84506eaaf182f37aae28bee14594f5 |
| SHA1 | 03f50088d9649b61ba4bdb9de5bad45847fd1ce1 |
| SHA256 | 4c074f3139d82b90a8235e788179e528b0fc636e1d04c3494976ecc6b01168fc |
| SHA512 | bf619e79adf529c77d34926af6fd9349aba81c4e25890ceba58599175fb9987b44e04c6acc5f8227467a0c95e662f458fa4b6a36351ce9e05a0a1d59ec485bad |