Analysis Overview
SHA256
97139bbaf34d92df333d9f791d12b11a8a273151edcaecb9ab7ec75bb034552f
Threat Level: Known bad
The file fa1a19977598c3f020882a4fa32e04b7_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
Zloader, Terdot, DELoader, ZeusSphinx
Adds Run key to start application
Blocklisted process makes network request
Suspicious use of SetThreadContext
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-09-27 08:56
Signatures
Unsigned PE
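The static1 verdict above ("Unsigned PE") means the sample carries no Authenticode certificate table. The following Python is an added example, not part of the sandbox report or of any tooling it describes: a standard-library-only reader for the PE IMAGE_DIRECTORY_ENTRY_SECURITY entry, which is what distinguishes "unsigned" from "has a signature blob". The two PE images it checks are constructed in memory for the demo (they are not the sample); `build_pe` and the labels returned by `describe_signature` are this example's own names.

```python
"""Check whether a PE file carries an Authenticode certificate table.

Added example. Parses only the headers needed to reach data directory
index 4 (IMAGE_DIRECTORY_ENTRY_SECURITY) for PE32 and PE32+ images.
"""
import struct
from typing import Optional, Tuple

IMAGE_DIRECTORY_ENTRY_SECURITY = 4
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002   # WIN_CERTIFICATE.wCertificateType for Authenticode
WIN_CERT_REVISION_2_0 = 0x0200


def security_directory(data: bytes) -> Tuple[int, int]:
    """Return (file_offset, size) of the certificate table, or (0, 0) if absent.

    For this directory the 'VirtualAddress' field is a raw file offset rather
    than an RVA, so no section mapping is required.
    """
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    size_of_optional = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:        # PE32: directories start at optional-header offset 96
        dirs_off, n_dirs_off = 96, 92
    elif magic == 0x20B:      # PE32+: directories start at offset 112
        dirs_off, n_dirs_off = 112, 108
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    n_dirs = struct.unpack_from("<I", data, opt + n_dirs_off)[0]
    needed = dirs_off + 8 * (IMAGE_DIRECTORY_ENTRY_SECURITY + 1)
    if n_dirs <= IMAGE_DIRECTORY_ENTRY_SECURITY or size_of_optional < needed:
        return (0, 0)
    entry = opt + dirs_off + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY
    return struct.unpack_from("<II", data, entry)


def describe_signature(data: bytes) -> str:
    """'unsigned' (no table), 'signed' (a PKCS#7 blob is present), or 'malformed'.

    'signed' only means a certificate table exists; it says nothing about
    whether the signature verifies against the file hash or chains to a
    trusted root. That needs a real Authenticode verifier.
    """
    off, size = security_directory(data)
    if off == 0 or size == 0:
        return "unsigned"
    if size < 8 or off + size > len(data):
        return "malformed"
    length, _revision, cert_type = struct.unpack_from("<IHH", data, off)
    if length > size or cert_type != WIN_CERT_TYPE_PKCS_SIGNED_DATA:
        return "malformed"
    return "signed"


def build_pe(cert: Optional[bytes] = None) -> bytes:
    """Construct a minimal headers-only PE32 image for the demo (not the sample)."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                     # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)                                       # PE32 optional header
    struct.pack_into("<H", opt, 0, 0x10B)                      # Magic
    struct.pack_into("<I", opt, 92, 16)                        # NumberOfRvaAndSizes
    image = dos + b"PE\0\0" + coff + opt
    if cert is not None:
        win_cert = struct.pack("<IHH", 8 + len(cert), WIN_CERT_REVISION_2_0,
                               WIN_CERT_TYPE_PKCS_SIGNED_DATA) + cert
        entry = 88 + 96 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY   # optional header starts at 88
        struct.pack_into("<II", image, entry, len(image), len(win_cert))
        image += win_cert
    return bytes(image)


if __name__ == "__main__":
    print("unsigned demo image:", describe_signature(build_pe()))
    print("signed demo image:  ", describe_signature(build_pe(b"\x30\x82" + b"\x00" * 30)))
```

To check a real file, read it into `data` and call `describe_signature(data)`. Treat "signed" as "has a blob to verify", not as trust: confirm the signature with `signtool verify /pa` or PowerShell's `Get-AuthenticodeSignature`, which hash the file (excluding the checksum field, the security directory entry and the certificate table itself) and validate the PKCS#7 chain, which this example deliberately does not do.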
Analysis: behavioral1
Detonation Overview
Submitted
2024-09-27 08:56
Reported
2024-09-27 08:58
Platform
win7-20240903-en
Max time kernel
119s
Max time network
142s
Command Line
Signatures
Zloader, Terdot, DELoader, ZeusSphinx
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\Huihifda = "C:\\Users\\Admin\\AppData\\Roaming\\Dadie\\obyc.exe" | C:\Windows\SysWOW64\msiexec.exe | N/A |
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2792 set thread context of 2604 | N/A | C:\Users\Admin\AppData\Local\Temp\fa1a19977598c3f020882a4fa32e04b7_JaffaCakes118.exe | C:\Windows\SysWOW64\msiexec.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\fa1a19977598c3f020882a4fa32e04b7_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\msiexec.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\fa1a19977598c3f020882a4fa32e04b7_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fa1a19977598c3f020882a4fa32e04b7_JaffaCakes118.exe"
C:\Windows\SysWOW64\msiexec.exe
msiexec.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | dasifosafjasfhasf.com | udp |
| US | 8.8.8.8:53 | kasfajfsafhasfhaf.com | udp |
| US | 8.8.8.8:53 | fdsjfjdsfjdsjfdjsfh.com | udp |
| US | 8.8.8.8:53 | fdsjfjdsfjdsdsjajjs.com | udp |
| US | 8.8.8.8:53 | fdsjfjdsfjdsdsjajjs.com | udp |
| US | 3.94.10.34:443 | fdsjfjdsfjdsdsjajjs.com | tcp |
| US | 8.8.8.8:53 | idisaudhasdhasdj.com | udp |
| US | 34.211.97.45:443 | idisaudhasdhasdj.com | tcp |
| US | 8.8.8.8:53 | dsjdjsjdsadhasdas.com | udp |
| US | 35.164.78.200:443 | dsjdjsjdsadhasdas.com | tcp |
| US | 8.8.8.8:53 | dsdjfhdsufudhjas.com | udp |
| US | 8.8.8.8:53 | dsdjfhdsufudhjas.com | udp |
| US | 54.244.188.177:443 | dsdjfhdsufudhjas.com | tcp |
Files
memory/2792-0-0x0000000000400000-0x000000000042D000-memory.dmp
memory/2792-3-0x0000000000240000-0x0000000000241000-memory.dmp
memory/2792-2-0x0000000000230000-0x0000000000231000-memory.dmp
memory/2792-1-0x0000000000400000-0x000000000042D000-memory.dmp
memory/2792-4-0x0000000000400000-0x000000000042D000-memory.dmp
memory/2792-5-0x0000000000400000-0x000000000042D000-memory.dmp
memory/2604-6-0x0000000000090000-0x00000000000B8000-memory.dmp
memory/2604-7-0x00000000000C0000-0x00000000000C1000-memory.dmp
memory/2604-8-0x0000000000090000-0x00000000000B8000-memory.dmp
memory/2792-10-0x0000000000400000-0x000000000042D000-memory.dmp
memory/2604-12-0x0000000000090000-0x00000000000B8000-memory.dmp
memory/2604-13-0x0000000000090000-0x00000000000B8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Cab9530.tmp
| MD5 | 49aebf8cbd62d92ac215b2923fb1b9f5 |
| SHA1 | 1723be06719828dda65ad804298d0431f6aff976 |
| SHA256 | b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f |
| SHA512 | bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b |
Analysis: behavioral2
Detonation Overview
Submitted
2024-09-27 08:56
Reported
2024-09-27 08:58
Platform
win10v2004-20240802-en
Max time kernel
99s
Max time network
100s
Command Line
Signatures
Zloader, Terdot, DELoader, ZeusSphinx
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Ofceyh = "C:\\Users\\Admin\\AppData\\Roaming\\Ibuch\\caugdeah.exe" | C:\Windows\SysWOW64\msiexec.exe | N/A |
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1852 set thread context of 2400 | N/A | C:\Users\Admin\AppData\Local\Temp\fa1a19977598c3f020882a4fa32e04b7_JaffaCakes118.exe | C:\Windows\SysWOW64\msiexec.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\fa1a19977598c3f020882a4fa32e04b7_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\msiexec.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1852 wrote to memory of 2400 | N/A | C:\Users\Admin\AppData\Local\Temp\fa1a19977598c3f020882a4fa32e04b7_JaffaCakes118.exe | C:\Windows\SysWOW64\msiexec.exe |
| PID 1852 wrote to memory of 2400 | N/A | C:\Users\Admin\AppData\Local\Temp\fa1a19977598c3f020882a4fa32e04b7_JaffaCakes118.exe | C:\Windows\SysWOW64\msiexec.exe |
| PID 1852 wrote to memory of 2400 | N/A | C:\Users\Admin\AppData\Local\Temp\fa1a19977598c3f020882a4fa32e04b7_JaffaCakes118.exe | C:\Windows\SysWOW64\msiexec.exe |
| PID 1852 wrote to memory of 2400 | N/A | C:\Users\Admin\AppData\Local\Temp\fa1a19977598c3f020882a4fa32e04b7_JaffaCakes118.exe | C:\Windows\SysWOW64\msiexec.exe |
| PID 1852 wrote to memory of 2400 | N/A | C:\Users\Admin\AppData\Local\Temp\fa1a19977598c3f020882a4fa32e04b7_JaffaCakes118.exe | C:\Windows\SysWOW64\msiexec.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\fa1a19977598c3f020882a4fa32e04b7_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fa1a19977598c3f020882a4fa32e04b7_JaffaCakes118.exe"
C:\Windows\SysWOW64\msiexec.exe
msiexec.exe
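Read together, the signature rows in behavioral1 and behavioral2 describe one chain: the loader in `%TEMP%` opens `C:\Windows\SysWOW64\msiexec.exe`, writes into it and resets a thread context (the classic process-hollowing pair), after which the hollowed msiexec.exe, not the loader, makes the network requests, enables SeSecurityPrivilege and writes the Run key pointing at a new executable under `%APPDATA%`. The Python below is an added example, not part of the report: it correlates rows like these into a single finding. The event tuples are copied from the behavioral2 tables above (behavioral1 shows the same chain with PIDs 2792 to 2604); the path heuristics (user-writable source, system-binary target) and the field names in the result are this example's own assumptions.

```python
"""Correlate sandbox signature rows into a process-hollowing finding.

Added example. Input rows are (signature, description, indicator, process,
target) tuples copied from the behavioral2 tables in this report.
"""
import json
import re
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

Event = Tuple[str, str, Optional[str], str, Optional[str]]

LOADER = r"C:\Users\Admin\AppData\Local\Temp\fa1a19977598c3f020882a4fa32e04b7_JaffaCakes118.exe"
HOST = r"C:\Windows\SysWOW64\msiexec.exe"

# Constructed from the behavioral2 signature tables (five identical
# WriteProcessMemory rows, exactly as the report lists them).
EVENTS: List[Event] = [
    ("Adds Run key to start application", "Set value (str)",
     r'\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Ofceyh = "C:\\Users\\Admin\\AppData\\Roaming\\Ibuch\\caugdeah.exe"',
     HOST, None),
    ("Suspicious use of SetThreadContext", "PID 1852 set thread context of 2400", None, LOADER, HOST),
    ("Suspicious use of AdjustPrivilegeToken", "Token: SeSecurityPrivilege", None, HOST, None),
] + [("Suspicious use of WriteProcessMemory", "PID 1852 wrote to memory of 2400", None, LOADER, HOST)] * 5

PID_PAIR = re.compile(r"PID (\d+) (set thread context of|wrote to memory of) (\d+)")
API_FOR = {"set thread context of": "SetThreadContext", "wrote to memory of": "WriteProcessMemory"}
RUN_VALUE = re.compile(r'\\Run\\([^\s\\]+) = "(.*)"$')
# Heuristics (assumptions of this example): a source living in a user profile
# directory and a target that is a Windows system binary.
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\AppData\\", re.IGNORECASE)
SYSTEM_BINARY = re.compile(r"^[A-Za-z]:\\Windows\\(System32|SysWOW64)\\", re.IGNORECASE)


def analyze(events: List[Event]) -> Dict[str, list]:
    """Group injection APIs per (source PID, target PID) and tie Run keys to the injected host."""
    pairs = defaultdict(lambda: {"apis": set(), "source": None, "target": None})
    for _sig, desc, _ind, proc, target in events:
        m = PID_PAIR.search(desc)
        if m:
            src, verb, dst = int(m.group(1)), m.group(2), int(m.group(3))
            rec = pairs[(src, dst)]
            rec["apis"].add(API_FOR[verb])          # a set, so repeated rows collapse
            rec["source"], rec["target"] = proc, target

    injections = []
    for (src, dst), rec in sorted(pairs.items()):
        hollow = ({"SetThreadContext", "WriteProcessMemory"} <= rec["apis"]
                  and bool(USER_WRITABLE.search(rec["source"] or ""))
                  and bool(SYSTEM_BINARY.match(rec["target"] or "")))
        injections.append({"source_pid": src, "target_pid": dst,
                           "source": rec["source"], "target": rec["target"],
                           "apis": sorted(rec["apis"]), "hollowing_candidate": hollow})

    hosts = {rec["target"] for rec in pairs.values() if rec["target"]}
    persistence = []
    for _sig, _desc, ind, proc, _target in events:
        m = RUN_VALUE.search(ind or "")
        if not m:
            continue
        path = m.group(2).replace("\\\\", "\\")   # the report shows the value with escaped backslashes
        persistence.append({"value_name": m.group(1), "path": path, "writer": proc,
                            "writer_is_injected_host": proc in hosts,
                            "path_in_user_profile": bool(USER_WRITABLE.search(path))})
    return {"injections": injections, "persistence": persistence}


if __name__ == "__main__":
    print(json.dumps(analyze(EVENTS), indent=2))
```

The same three facts are what a host detection would key on: an unsigned binary under `%TEMP%` or `%APPDATA%` as the source of WriteProcessMemory plus SetThreadContext into a Microsoft binary, that binary started with a bare command line (the Processes section shows only `msiexec.exe`, with no package or switches), and a Run value written by it that points back into the user profile. The AdjustPrivilegeToken row is carried through untouched here because SeSecurityPrivilege on its own is too common to score.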
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | dasifosafjasfhasf.com | udp |
| US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | dasifosafjasfhasf.com | udp |
| US | 8.8.8.8:53 | dasifosafjasfhasf.com | udp |
| US | 8.8.8.8:53 | kasfajfsafhasfhaf.com | udp |
| US | 8.8.8.8:53 | kasfajfsafhasfhaf.com | udp |
| US | 8.8.8.8:53 | kasfajfsafhasfhaf.com | udp |
| US | 8.8.8.8:53 | fdsjfjdsfjdsjfdjsfh.com | udp |
| US | 8.8.8.8:53 | fdsjfjdsfjdsjfdjsfh.com | udp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | fdsjfjdsfjdsjfdjsfh.com | udp |
| US | 8.8.8.8:53 | fdsjfjdsfjdsdsjajjs.com | udp |
| US | 8.8.8.8:53 | fdsjfjdsfjdsdsjajjs.com | udp |
| US | 3.94.10.34:443 | fdsjfjdsfjdsdsjajjs.com | tcp |
| US | 8.8.8.8:53 | idisaudhasdhasdj.com | udp |
| US | 8.8.8.8:53 | 34.10.94.3.in-addr.arpa | udp |
| US | 34.211.97.45:443 | idisaudhasdhasdj.com | tcp |
| US | 8.8.8.8:53 | dsjdjsjdsadhasdas.com | udp |
| US | 8.8.8.8:53 | 45.97.211.34.in-addr.arpa | udp |
| US | 8.8.8.8:53 | dsjdjsjdsadhasdas.com | udp |
| US | 35.164.78.200:443 | dsjdjsjdsadhasdas.com | tcp |
| US | 8.8.8.8:53 | dsdjfhdsufudhjas.com | udp |
| US | 8.8.8.8:53 | 200.78.164.35.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | dsdjfhdsufudhjas.com | udp |
| US | 54.244.188.177:443 | dsdjfhdsufudhjas.com | tcp |
| US | 8.8.8.8:53 | 177.188.244.54.in-addr.arpa | udp |
Files
memory/1852-0-0x0000000000400000-0x000000000042D000-memory.dmp
memory/1852-2-0x00000000004B0000-0x00000000004B1000-memory.dmp
memory/1852-3-0x0000000000400000-0x000000000042D000-memory.dmp
memory/1852-1-0x00000000001F0000-0x00000000001F1000-memory.dmp
memory/1852-5-0x00000000004B0000-0x00000000004B1000-memory.dmp
memory/1852-4-0x0000000000400000-0x000000000042D000-memory.dmp
memory/1852-6-0x0000000000400000-0x000000000042D000-memory.dmp
memory/2400-7-0x0000000000310000-0x0000000000338000-memory.dmp
memory/1852-9-0x0000000000400000-0x000000000042D000-memory.dmp
memory/2400-11-0x0000000000310000-0x0000000000338000-memory.dmp
memory/2400-12-0x0000000000310000-0x0000000000338000-memory.dmp