Analysis Overview
SHA256
27751bb51090ddd1428a953e75a5058311511f86e253889fee1ea2ff2a4a6eb0
Threat Level: Shows suspicious behavior
The file 49de8a96462f2ff37acdafa40895a8f1_JaffaCakes118 was found to be: Shows suspicious behavior.
Malicious Activity Summary
Reads WinSCP keys stored on the system
Reads user/profile data of web browsers
Credentials from Password Stores: Windows Credential Manager
Adds Run key to start application
Checks installed software on the system
UPX packed file
Unsigned PE
Program crash
Browser Information Discovery
System Location Discovery: System Language Discovery
Checks processor information in registry
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-15 20:32
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-15 20:32
Reported
2024-10-15 20:35
Platform
win7-20241010-en
Max time kernel
142s
Max time network
146s
Command Line
Signatures
Credentials from Password Stores: Windows Credential Manager
Reads WinSCP keys stored on the system
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\AmdAgent = "C:\\Users\\Admin\\AppData\\Local\\Temp\\49de8a96462f2ff37acdafa40895a8f1_JaffaCakes118.exe" | C:\Users\Admin\AppData\Local\Temp\49de8a96462f2ff37acdafa40895a8f1_JaffaCakes118.exe | N/A |
Checks installed software on the system
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Browser Information Discovery
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\49de8a96462f2ff37acdafa40895a8f1_JaffaCakes118.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Users\Admin\AppData\Local\Temp\49de8a96462f2ff37acdafa40895a8f1_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\49de8a96462f2ff37acdafa40895a8f1_JaffaCakes118.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\49de8a96462f2ff37acdafa40895a8f1_JaffaCakes118.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\49de8a96462f2ff37acdafa40895a8f1_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\49de8a96462f2ff37acdafa40895a8f1_JaffaCakes118.exe"
Network
| Country | Destination | Domain | Proto |
| AR | 170.51.228.48:80 | tcp | |
| N/A | 127.0.0.1:49207 | tcp | |
| AR | 186.157.199.18:80 | tcp | |
| N/A | 127.0.0.1:49214 | tcp | |
| IL | 85.64.144.46:80 | tcp | |
| N/A | 127.0.0.1:49217 | tcp | |
| RU | 89.108.113.8:80 | tcp | |
| N/A | 127.0.0.1:49221 | tcp | |
| IN | 117.211.21.133:80 | tcp | |
| N/A | 127.0.0.1:49225 | tcp | |
| AR | 200.114.241.234:80 | tcp | |
| N/A | 127.0.0.1:49229 | tcp | |
| DE | 89.167.37.70:80 | tcp | |
| N/A | 127.0.0.1:49233 | tcp | |
| MX | 187.184.183.221:80 | tcp | |
| N/A | 127.0.0.1:49238 | tcp | |
| N/A | 127.0.0.1:49242 | tcp | |
| IN | 115.113.69.39:80 | tcp | |
| KR | 182.211.217.75:80 | tcp | |
| N/A | 127.0.0.1:49246 | tcp | |
| KZ | 31.169.0.12:80 | tcp | |
| N/A | 127.0.0.1:49249 | tcp | |
| AR | 200.112.177.32:80 | tcp | |
| N/A | 127.0.0.1:49253 | tcp | |
| CO | 186.86.211.20:80 | tcp | |
| N/A | 127.0.0.1:49257 | tcp | |
| MA | 105.139.136.65:80 | tcp | |
| N/A | 127.0.0.1:49261 | tcp | |
| FJ | 119.235.87.27:80 | tcp | |
| N/A | 127.0.0.1:49265 | tcp | |
| RO | 5.13.149.68:80 | tcp | |
| N/A | 127.0.0.1:49269 | tcp |
Files
memory/576-2-0x0000000002010000-0x0000000002011000-memory.dmp
memory/576-3-0x0000000000230000-0x0000000000231000-memory.dmp
memory/576-0-0x0000000000400000-0x000000000063D000-memory.dmp
memory/576-1-0x0000000000400000-0x000000000063D000-memory.dmp
memory/576-5-0x0000000000400000-0x000000000063D000-memory.dmp
memory/576-4-0x000000000057D000-0x000000000063C000-memory.dmp
memory/576-6-0x0000000000230000-0x0000000000231000-memory.dmp
memory/576-8-0x0000000000400000-0x000000000063D000-memory.dmp
memory/576-7-0x000000000057D000-0x000000000063C000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-15 20:32
Reported
2024-10-15 20:35
Platform
win10v2004-20241007-en
Max time kernel
138s
Max time network
124s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\49de8a96462f2ff37acdafa40895a8f1_JaffaCakes118.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\49de8a96462f2ff37acdafa40895a8f1_JaffaCakes118.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\49de8a96462f2ff37acdafa40895a8f1_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\49de8a96462f2ff37acdafa40895a8f1_JaffaCakes118.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3868 -ip 3868
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3868 -s 304
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.27.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 17.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |