Analysis Overview
SHA256
e2a7bd9a92ea7c9a7d61f087231c0c14d76859132cef9ece8e812d34b7fe4219
Threat Level: Shows suspicious behavior
The file 42e2d0497b0d671f87a626d4d1bf27cd_JaffaCakes118 was found to be: Shows suspicious behavior.
Malicious Activity Summary
Reads local data of messenger clients
Reads data files stored by FTP clients
Identifies Wine through registry keys
Executes dropped EXE
Loads dropped DLL
Unsecured Credentials: Credentials In Files
Reads user/profile data of web browsers
Suspicious use of NtSetInformationThreadHideFromDebugger
System Location Discovery: System Language Discovery
Unsigned PE
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
Suspicious use of FindShellTrayWindow
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-14 15:34
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-14 15:34
Reported
2024-10-14 15:37
Platform
win7-20241010-en
Max time kernel
13s
Max time network
18s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d.exe | N/A |
Identifies Wine through registry keys
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\42e2d0497b0d671f87a626d4d1bf27cd_JaffaCakes118.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\42e2d0497b0d671f87a626d4d1bf27cd_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\42e2d0497b0d671f87a626d4d1bf27cd_JaffaCakes118.exe | N/A |
Reads data files stored by FTP clients
Reads local data of messenger clients
Reads user/profile data of web browsers
Unsecured Credentials: Credentials In Files
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\42e2d0497b0d671f87a626d4d1bf27cd_JaffaCakes118.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\42e2d0497b0d671f87a626d4d1bf27cd_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\DllHost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\d.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\42e2d0497b0d671f87a626d4d1bf27cd_JaffaCakes118.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\DllHost.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\DllHost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\DllHost.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\42e2d0497b0d671f87a626d4d1bf27cd_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\42e2d0497b0d671f87a626d4d1bf27cd_JaffaCakes118.exe"
C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
C:\Users\Admin\AppData\Local\Temp\d.exe
"C:\Users\Admin\AppData\Local\Temp\d.exe"
Network
Files
memory/1996-0-0x0000000000400000-0x00000000004E9000-memory.dmp
memory/1996-1-0x0000000000401000-0x0000000000426000-memory.dmp
memory/1996-2-0x0000000000400000-0x00000000004E9000-memory.dmp
memory/1996-3-0x0000000000400000-0x00000000004E9000-memory.dmp
memory/1996-4-0x0000000000400000-0x00000000004E9000-memory.dmp
memory/1996-5-0x0000000000400000-0x00000000004E9000-memory.dmp
memory/1996-6-0x0000000000400000-0x00000000004E9000-memory.dmp
memory/1996-7-0x0000000000400000-0x00000000004E9000-memory.dmp
memory/1996-12-0x00000000051F0000-0x00000000051F2000-memory.dmp
memory/2884-13-0x00000000001C0000-0x00000000001C2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\elisha1.jpg
| MD5 | 566efe7e9551ea7a7a193c7d30cea01c |
| SHA1 | 18b949be3ee6c33b40d3db4f41f6d651f2e57500 |
| SHA256 | 10bd1c8ded4e652cf4b9f1695cb7e745a7c339508f18dd00fda06f72b005f744 |
| SHA512 | 615111a3b2ce52292525ada53f3b6c5f6dd687a899879835e06fa85428da423d30ff4ba1dc7a7fc218bf4e367a6aa7e6b9db66540f3c02f139482350df77c306 |
\Users\Admin\AppData\Local\Temp\d.exe
| MD5 | 1cf59467542770f50b96b85e48458f18 |
| SHA1 | 02e04f671ffdabf9e04298f4b1cbaf567d6c531c |
| SHA256 | 97049831ea1bd4a9c05412d346360fdb1918df7b62138f574bd696077f5aefb7 |
| SHA512 | c96cacb65b26847759cecc44acfb5d7f3fd5687b147c27b666773692d0a9786c12a7813e8c271032882ee23f3cb38ef14df03b2a952415584942631276abb6ef |
memory/1996-24-0x0000000000400000-0x00000000004E9000-memory.dmp
memory/1996-25-0x0000000000401000-0x0000000000426000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-14 15:34
Reported
2024-10-14 15:37
Platform
win10v2004-20241007-en
Max time kernel
140s
Max time network
154s
Command Line
Signatures
Identifies Wine through registry keys
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\42e2d0497b0d671f87a626d4d1bf27cd_JaffaCakes118.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\42e2d0497b0d671f87a626d4d1bf27cd_JaffaCakes118.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\42e2d0497b0d671f87a626d4d1bf27cd_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\42e2d0497b0d671f87a626d4d1bf27cd_JaffaCakes118.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 17.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 98.117.19.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp |
Files
memory/2276-0-0x0000000000400000-0x00000000004E9000-memory.dmp
memory/2276-1-0x0000000000400000-0x00000000004E9000-memory.dmp