Analysis Overview
SHA256
8fc6b1edf12b69ec825bd1e8eb04235fc2aadca0dc13a7c29783555bb2651383
Threat Level: Shows suspicious behavior
The file 49d1fd020c8f136f933673d630e18d4b_JaffaCakes118 was found to be: Shows suspicious behavior.
Malicious Activity Summary
Unsecured Credentials: Credentials In Files
Reads WinSCP keys stored on the system
Checks for any installed AV software in registry
Adds Run key to start application
Suspicious use of SetThreadContext
Suspicious use of NtSetInformationThreadHideFromDebugger
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious behavior: MapViewOfSection
Checks processor information in registry
Modifies Internet Explorer Protected Mode
Suspicious use of AdjustPrivilegeToken
Modifies registry class
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-15 20:19
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-15 20:19
Reported
2024-10-15 20:22
Platform
win7-20240903-en
Max time kernel
119s
Max time network
120s
Command Line
Signatures
Checks for any installed AV software in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Avira | C:\Users\Admin\AppData\Local\Temp\49d1fd020c8f136f933673d630e18d4b_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\avast! Antivirus | C:\Users\Admin\AppData\Local\Temp\49d1fd020c8f136f933673d630e18d4b_JaffaCakes118.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2084 set thread context of 2088 | N/A | C:\Users\Admin\AppData\Local\Temp\49d1fd020c8f136f933673d630e18d4b_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\49d1fd020c8f136f933673d630e18d4b_JaffaCakes118.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\49d1fd020c8f136f933673d630e18d4b_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\49d1fd020c8f136f933673d630e18d4b_JaffaCakes118.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\49d1fd020c8f136f933673d630e18d4b_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 | C:\Users\Admin\AppData\Local\Temp\49d1fd020c8f136f933673d630e18d4b_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\2 | C:\Users\Admin\AppData\Local\Temp\49d1fd020c8f136f933673d630e18d4b_JaffaCakes118.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\49d1fd020c8f136f933673d630e18d4b_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\49d1fd020c8f136f933673d630e18d4b_JaffaCakes118.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\49d1fd020c8f136f933673d630e18d4b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\49d1fd020c8f136f933673d630e18d4b_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\49d1fd020c8f136f933673d630e18d4b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\49d1fd020c8f136f933673d630e18d4b_JaffaCakes118.exe"
C:\Windows\SysWOW64\WerFault.exe
"C:\Windows\SysWOW64\WerFault.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | windowsupdate.microsoft.com | udp |
| US | 20.109.209.108:80 | windowsupdate.microsoft.com | tcp |
| US | 8.8.8.8:53 | dirtybagmcgee.com | udp |
| US | 8.8.8.8:53 | bicycletrainers.info | udp |
| US | 8.8.8.8:53 | womenhealthbody.pw | udp |
Files
memory/2084-0-0x0000000000230000-0x0000000000231000-memory.dmp
memory/2084-1-0x00000000003D0000-0x00000000003D7000-memory.dmp
memory/2088-4-0x0000000000400000-0x0000000000448000-memory.dmp
memory/2084-18-0x0000000000400000-0x00000000004E8000-memory.dmp
memory/2088-15-0x0000000000400000-0x0000000000448000-memory.dmp
memory/2088-13-0x0000000000400000-0x0000000000448000-memory.dmp
memory/2088-19-0x0000000000400000-0x0000000000448000-memory.dmp
memory/2088-11-0x0000000000400000-0x0000000000448000-memory.dmp
memory/2088-9-0x0000000000400000-0x0000000000448000-memory.dmp
memory/2088-7-0x0000000000400000-0x0000000000448000-memory.dmp
memory/2088-2-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2088-22-0x0000000000400000-0x0000000000448000-memory.dmp
memory/2088-20-0x00000000001D0000-0x00000000001D1000-memory.dmp
memory/2088-23-0x0000000000400000-0x0000000000448000-memory.dmp
memory/2088-24-0x0000000000450000-0x00000000004B7000-memory.dmp
memory/2272-26-0x0000000077910000-0x0000000077A91000-memory.dmp
memory/2272-27-0x0000000000210000-0x000000000033F000-memory.dmp
memory/2272-28-0x0000000077910000-0x0000000077A91000-memory.dmp
memory/2272-29-0x0000000000210000-0x000000000033F000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-15 20:19
Reported
2024-10-15 20:22
Platform
win10v2004-20241007-en
Max time kernel
150s
Max time network
150s
Command Line
Signatures
Reads WinSCP keys stored on the system
Unsecured Credentials: Credentials In Files
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ODBC Policies = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\49d1fd020c8f136f933673d630e18d4b_JaffaCakes118.exe\"" | C:\Users\Admin\AppData\Local\Temp\49d1fd020c8f136f933673d630e18d4b_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ODBC Policies = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\49d1fd020c8f136f933673d630e18d4b_JaffaCakes118.exe\"" | C:\Users\Admin\AppData\Local\Temp\49d1fd020c8f136f933673d630e18d4b_JaffaCakes118.exe | N/A |
Checks for any installed AV software in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Avira | C:\Users\Admin\AppData\Local\Temp\49d1fd020c8f136f933673d630e18d4b_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\avast! Antivirus | C:\Users\Admin\AppData\Local\Temp\49d1fd020c8f136f933673d630e18d4b_JaffaCakes118.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\49d1fd020c8f136f933673d630e18d4b_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\49d1fd020c8f136f933673d630e18d4b_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\49d1fd020c8f136f933673d630e18d4b_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\49d1fd020c8f136f933673d630e18d4b_JaffaCakes118.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1080 set thread context of 5080 | N/A | C:\Users\Admin\AppData\Local\Temp\49d1fd020c8f136f933673d630e18d4b_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\49d1fd020c8f136f933673d630e18d4b_JaffaCakes118.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\49d1fd020c8f136f933673d630e18d4b_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\49d1fd020c8f136f933673d630e18d4b_JaffaCakes118.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\2 | C:\Users\Admin\AppData\Local\Temp\49d1fd020c8f136f933673d630e18d4b_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\49d1fd020c8f136f933673d630e18d4b_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 | C:\Users\Admin\AppData\Local\Temp\49d1fd020c8f136f933673d630e18d4b_JaffaCakes118.exe | N/A |
Modifies Internet Explorer Protected Mode
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\2500 = "3" | C:\Users\Admin\AppData\Local\Temp\49d1fd020c8f136f933673d630e18d4b_JaffaCakes118.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\2500 = "3" | C:\Users\Admin\AppData\Local\Temp\49d1fd020c8f136f933673d630e18d4b_JaffaCakes118.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2500 = "3" | C:\Users\Admin\AppData\Local\Temp\49d1fd020c8f136f933673d630e18d4b_JaffaCakes118.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\2500 = "3" | C:\Users\Admin\AppData\Local\Temp\49d1fd020c8f136f933673d630e18d4b_JaffaCakes118.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\CLSID\{D3C224B8-5488-A148-B4C2-E3323827BA7F}\0DF402B2\CW1 | C:\Users\Admin\AppData\Local\Temp\49d1fd020c8f136f933673d630e18d4b_JaffaCakes118.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\CLSID\{D3C224B8-5488-A148-B4C2-E3323827BA7F}\0DF402B2\CW1\5080 = 0100000004110000dc92420068000600 | C:\Users\Admin\AppData\Local\Temp\49d1fd020c8f136f933673d630e18d4b_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\CLSID\{D3C224B8-5488-A148-B4C2-E3323827BA7F}\0DF402B2\CG1 | C:\Users\Admin\AppData\Local\Temp\49d1fd020c8f136f933673d630e18d4b_JaffaCakes118.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\CLSID\{D3C224B8-5488-A148-B4C2-E3323827BA7F}\0DF402B2\CG1\GLA = 01000000 | C:\Users\Admin\AppData\Local\Temp\49d1fd020c8f136f933673d630e18d4b_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\CLSID\{D3C224B8-5488-A148-B4C2-E3323827BA7F}\0DF402B2\CS1 | C:\Users\Admin\AppData\Local\Temp\49d1fd020c8f136f933673d630e18d4b_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\CLSID | C:\Users\Admin\AppData\Local\Temp\49d1fd020c8f136f933673d630e18d4b_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\CLSID\{D3C224B8-5488-A148-B4C2-E3323827BA7F} | C:\Users\Admin\AppData\Local\Temp\49d1fd020c8f136f933673d630e18d4b_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\CLSID\{D3C224B8-5488-A148-B4C2-E3323827BA7F}\0DF402B2 | C:\Users\Admin\AppData\Local\Temp\49d1fd020c8f136f933673d630e18d4b_JaffaCakes118.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\49d1fd020c8f136f933673d630e18d4b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\49d1fd020c8f136f933673d630e18d4b_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\49d1fd020c8f136f933673d630e18d4b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\49d1fd020c8f136f933673d630e18d4b_JaffaCakes118.exe"
C:\Windows\SysWOW64\WerFault.exe
"C:\Windows\SysWOW64\WerFault.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 17.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | windowsupdate.microsoft.com | udp |
| US | 20.72.235.82:80 | windowsupdate.microsoft.com | tcp |
| US | 8.8.8.8:53 | dirtybagmcgee.com | udp |
| US | 8.8.8.8:53 | 82.235.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | bicycletrainers.info | udp |
| US | 8.8.8.8:53 | womenhealthbody.pw | udp |
| US | 8.8.8.8:53 | bicycletrainers.info | udp |
| US | 8.8.8.8:53 | womenhealthbody.pw | udp |
| US | 8.8.8.8:53 | dirtybagmcgee.com | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | bicycletrainers.info | udp |
| US | 8.8.8.8:53 | womenhealthbody.pw | udp |
| US | 8.8.8.8:53 | dirtybagmcgee.com | udp |
| US | 8.8.8.8:53 | bicycletrainers.info | udp |
| US | 8.8.8.8:53 | womenhealthbody.pw | udp |
| US | 8.8.8.8:53 | dirtybagmcgee.com | udp |
| US | 8.8.8.8:53 | bicycletrainers.info | udp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | womenhealthbody.pw | udp |
| US | 8.8.8.8:53 | dirtybagmcgee.com | udp |
| US | 8.8.8.8:53 | 75.117.19.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | bicycletrainers.info | udp |
| US | 8.8.8.8:53 | womenhealthbody.pw | udp |
| US | 8.8.8.8:53 | dirtybagmcgee.com | udp |
| US | 8.8.8.8:53 | bicycletrainers.info | udp |
| US | 8.8.8.8:53 | womenhealthbody.pw | udp |
| US | 8.8.8.8:53 | dirtybagmcgee.com | udp |
| US | 8.8.8.8:53 | bicycletrainers.info | udp |
| US | 8.8.8.8:53 | womenhealthbody.pw | udp |
| US | 8.8.8.8:53 | dirtybagmcgee.com | udp |
| US | 8.8.8.8:53 | bicycletrainers.info | udp |
| US | 8.8.8.8:53 | 134.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | womenhealthbody.pw | udp |
| US | 8.8.8.8:53 | dirtybagmcgee.com | udp |
| US | 8.8.8.8:53 | dirtybagmcgee.com | udp |
| US | 8.8.8.8:53 | bicycletrainers.info | udp |
| US | 8.8.8.8:53 | womenhealthbody.pw | udp |
| US | 8.8.8.8:53 | dirtybagmcgee.com | udp |
| US | 8.8.8.8:53 | bicycletrainers.info | udp |
| US | 8.8.8.8:53 | womenhealthbody.pw | udp |
| US | 8.8.8.8:53 | dirtybagmcgee.com | udp |
| US | 8.8.8.8:53 | bicycletrainers.info | udp |
| US | 8.8.8.8:53 | womenhealthbody.pw | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | dirtybagmcgee.com | udp |
| US | 8.8.8.8:53 | bicycletrainers.info | udp |
| US | 8.8.8.8:53 | womenhealthbody.pw | udp |
| US | 8.8.8.8:53 | dirtybagmcgee.com | udp |
| US | 8.8.8.8:53 | bicycletrainers.info | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | womenhealthbody.pw | udp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
| US | 8.8.8.8:53 | dirtybagmcgee.com | udp |
| US | 8.8.8.8:53 | bicycletrainers.info | udp |
| US | 8.8.8.8:53 | womenhealthbody.pw | udp |
| US | 8.8.8.8:53 | dirtybagmcgee.com | udp |
| US | 8.8.8.8:53 | bicycletrainers.info | udp |
| US | 8.8.8.8:53 | womenhealthbody.pw | udp |
| US | 8.8.8.8:53 | dirtybagmcgee.com | udp |
| US | 8.8.8.8:53 | bicycletrainers.info | udp |
| US | 8.8.8.8:53 | womenhealthbody.pw | udp |
| US | 8.8.8.8:53 | dirtybagmcgee.com | udp |
| US | 8.8.8.8:53 | bicycletrainers.info | udp |
| US | 8.8.8.8:53 | womenhealthbody.pw | udp |
| US | 8.8.8.8:53 | dirtybagmcgee.com | udp |
| US | 8.8.8.8:53 | bicycletrainers.info | udp |
| US | 8.8.8.8:53 | womenhealthbody.pw | udp |
| US | 8.8.8.8:53 | dirtybagmcgee.com | udp |
| SE | 192.229.221.95:80 | tcp | |
| US | 8.8.8.8:53 | udp |
Files
memory/1080-0-0x00000000023A0000-0x00000000023A1000-memory.dmp
memory/1080-1-0x00000000023C0000-0x00000000023C7000-memory.dmp
memory/1080-5-0x0000000000400000-0x00000000004E8000-memory.dmp
memory/5080-3-0x0000000000400000-0x0000000000448000-memory.dmp
memory/5080-2-0x0000000000400000-0x0000000000448000-memory.dmp
memory/5080-6-0x00000000020B0000-0x00000000020B1000-memory.dmp
memory/5080-8-0x0000000000400000-0x0000000000448000-memory.dmp
memory/5080-9-0x0000000000400000-0x0000000000448000-memory.dmp
memory/5080-10-0x0000000000400000-0x0000000000448000-memory.dmp
memory/5080-11-0x0000000000400000-0x0000000000448000-memory.dmp
memory/5080-12-0x0000000000400000-0x0000000000448000-memory.dmp