Analysis Overview
SHA256
d4ab2abf7b2ff08839344f50cd51fa4305bbd72874134c29dcd1b3f0bdbd8cf5
Threat Level: Shows suspicious behavior
The file 49dd6efb7fbdcf2260671f7c640ba57e_JaffaCakes118 was assigned the verdict: Shows suspicious behavior.
Malicious Activity Summary
Credentials from Password Stores: Windows Credential Manager
Reads user/profile data of web browsers
Reads WinSCP keys stored on the system
Adds Run key to start application
Checks installed software on the system
UPX packed file
Browser Information Discovery
Unsigned PE
System Location Discovery: System Language Discovery
Checks processor information in registry
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-15 20:31
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-15 20:31
Reported
2024-10-15 20:34
Platform
win7-20240708-en
Max time kernel
143s
Max time network
151s
Command Line
Signatures
Credentials from Password Stores: Windows Credential Manager
Reads WinSCP keys stored on the system
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SonyAgent = "C:\\Users\\Admin\\AppData\\Local\\Temp\\49dd6efb7fbdcf2260671f7c640ba57e_JaffaCakes118.exe" | C:\Users\Admin\AppData\Local\Temp\49dd6efb7fbdcf2260671f7c640ba57e_JaffaCakes118.exe | N/A |
Checks installed software on the system
UPX packed file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Browser Information Discovery
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\49dd6efb7fbdcf2260671f7c640ba57e_JaffaCakes118.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\49dd6efb7fbdcf2260671f7c640ba57e_JaffaCakes118.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\49dd6efb7fbdcf2260671f7c640ba57e_JaffaCakes118.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Users\Admin\AppData\Local\Temp\49dd6efb7fbdcf2260671f7c640ba57e_JaffaCakes118.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\49dd6efb7fbdcf2260671f7c640ba57e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\49dd6efb7fbdcf2260671f7c640ba57e_JaffaCakes118.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 68.81.38.78:80 | | tcp |
| N/A | 127.0.0.1:49215 | | tcp |
| CL | 186.34.56.27:80 | | tcp |
| N/A | 127.0.0.1:49221 | | tcp |
| VE | 186.164.97.4:80 | | tcp |
| N/A | 127.0.0.1:49225 | | tcp |
| PH | 49.145.33.8:80 | | tcp |
| N/A | 127.0.0.1:49229 | | tcp |
| PK | 119.154.98.226:80 | | tcp |
| N/A | 127.0.0.1:49233 | | tcp |
| KZ | 109.239.37.15:80 | | tcp |
| N/A | 127.0.0.1:49237 | | tcp |
| PA | 190.140.78.64:80 | | tcp |
| N/A | 127.0.0.1:49241 | | tcp |
| JP | 118.86.148.68:80 | | tcp |
| N/A | 127.0.0.1:49246 | | tcp |
| KZ | 95.58.204.87:80 | | tcp |
| N/A | 127.0.0.1:49250 | | tcp |
| US | 184.170.52.21:80 | | tcp |
| N/A | 127.0.0.1:49254 | | tcp |
| US | 72.188.44.39:80 | | tcp |
| N/A | 127.0.0.1:49257 | | tcp |
| AR | 186.122.16.8:80 | | tcp |
| N/A | 127.0.0.1:49261 | | tcp |
| N/A | 127.0.0.1:49265 | | tcp |
| CL | 190.54.93.177:80 | | tcp |
| N/A | 127.0.0.1:49269 | | tcp |
| KZ | 95.58.125.30:80 | | tcp |
| PT | 78.130.56.18:80 | | tcp |
| N/A | 127.0.0.1:49274 | | tcp |
Files
memory/2084-5-0x0000000000400000-0x000000000063E000-memory.dmp
memory/2084-4-0x000000000057E000-0x000000000063D000-memory.dmp
memory/2084-3-0x0000000000400000-0x000000000063E000-memory.dmp
memory/2084-0-0x0000000000400000-0x000000000063E000-memory.dmp
memory/2084-2-0x0000000000270000-0x0000000000271000-memory.dmp
memory/2084-1-0x0000000000260000-0x0000000000261000-memory.dmp
memory/2084-6-0x0000000000270000-0x0000000000271000-memory.dmp
memory/2084-8-0x0000000000400000-0x000000000063E000-memory.dmp
memory/2084-7-0x000000000057E000-0x000000000063D000-memory.dmp
memory/2084-17-0x0000000000400000-0x000000000063E000-memory.dmp
memory/2084-18-0x0000000000400000-0x000000000063E000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-15 20:31
Reported
2024-10-15 20:34
Platform
win10v2004-20241007-en
Max time kernel
148s
Max time network
153s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\49dd6efb7fbdcf2260671f7c640ba57e_JaffaCakes118.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\49dd6efb7fbdcf2260671f7c640ba57e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\49dd6efb7fbdcf2260671f7c640ba57e_JaffaCakes118.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.27.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 138.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 66.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |