Analysis Overview
SHA256
6480fbf1471d7e15eee5c76993e1c05de0e81c5f522d12ef7efaa3a33df03b62
Threat Level: Shows suspicious behavior
Verdict for 4f8f4837532efeaea3e91ca74b464a30_JaffaCakes118: shows suspicious behavior.
Malicious Activity Summary
Unexpected DNS network traffic destination
Writes to the Master Boot Record (MBR)
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious use of SetWindowsHookEx
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-16 23:17
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-16 23:17
Reported
2024-10-16 23:19
Platform
win7-20240903-en
Max time kernel
141s
Max time network
127s
Command Line
Signatures
Unexpected DNS network traffic destination
| Description | Indicator | Process | Target |
| Destination IP | 63.251.129.1 | N/A | N/A |
| Destination IP | 207.126.105.146 | N/A | N/A |
| Destination IP | 165.254.12.151 | N/A | N/A |
| Destination IP | 210.144.5.163 | N/A | N/A |
| Destination IP | 207.126.105.146 | N/A | N/A |
| Destination IP | 165.254.12.151 | N/A | N/A |
| Destination IP | 207.126.105.146 | N/A | N/A |
| Destination IP | 210.144.5.163 | N/A | N/A |
| Destination IP | 64.30.227.206 | N/A | N/A |
| Destination IP | 207.126.105.146 | N/A | N/A |
| Destination IP | 207.126.105.146 | N/A | N/A |
| Destination IP | 207.126.105.146 | N/A | N/A |
| Destination IP | 63.251.129.1 | N/A | N/A |
| Destination IP | 207.126.105.146 | N/A | N/A |
| Destination IP | 64.30.227.206 | N/A | N/A |
Writes to the Master Boot Record (MBR)
| Description | Indicator | Process | Target |
| File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\AppData\Local\Temp\4f8f4837532efeaea3e91ca74b464a30_JaffaCakes118.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\4f8f4837532efeaea3e91ca74b464a30_JaffaCakes118.exe | N/A |
Suspicious use of SetWindowsHookEx
Processes
C:\Users\Admin\AppData\Local\Temp\4f8f4837532efeaea3e91ca74b464a30_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\4f8f4837532efeaea3e91ca74b464a30_JaffaCakes118.exe"
Network
| Country | Destination | Domain | Proto |
| US | 165.254.12.151:53 | w64.ziyoulonglive.com | udp |
| US | 63.251.129.1:53 | w64.ziyoulonglive.com | udp |
| US | 64.30.227.206:53 | w64.ziyoulonglive.com | udp |
| US | 207.126.105.146:53 | w64.ziyoulonglive.com | udp |
| JP | 210.144.5.163:53 | w64.ziyoulonglive.com | udp |
| US | 165.254.12.151:53 | | tcp |
| US | 63.251.129.1:53 | | tcp |
| US | 64.30.227.206:53 | | tcp |
| US | 207.126.105.146:53 | | tcp |
| JP | 210.144.5.163:53 | | tcp |
| US | 207.126.105.146:53 | w65.ziyoulonglive.com | tcp |
| US | 207.126.105.146:53 | w61.ziyoulonglive.com | tcp |
| US | 207.126.105.146:53 | | tcp |
| US | 207.126.105.146:53 | w63.ziyoulonglive.com | tcp |
| US | 207.126.105.146:53 | w64.ziyoulonglive.com | tcp |
| N/A | 127.0.0.1:8567 | | tcp |
| N/A | 10.127.0.158:80 | | tcp |
| N/A | 10.127.0.158:80 | | tcp |
| N/A | 10.127.0.158:80 | | tcp |
| N/A | 127.0.0.1:8567 | | tcp |
| N/A | 10.127.0.158:80 | | tcp |
| N/A | 10.127.0.158:80 | | tcp |
| N/A | 10.127.0.158:80 | | tcp |
| N/A | 127.0.0.1:8567 | | tcp |
| US | 66.98.138.24:80 | | tcp |
| N/A | 127.0.0.1:8567 | | tcp |
| N/A | 10.127.0.158:80 | | tcp |
| N/A | 10.127.0.158:80 | | tcp |
| N/A | 10.127.0.158:80 | | tcp |
| US | 66.98.138.24:80 | | tcp |
| US | 8.8.8.8:53 | windowsupdate.microsoft.com | udp |
| US | 20.72.235.82:80 | windowsupdate.microsoft.com | tcp |
| N/A | 127.0.0.1:8567 | | tcp |
| N/A | 10.127.0.158:80 | | tcp |
| N/A | 10.127.0.158:80 | | tcp |
| N/A | 10.127.0.158:80 | | tcp |
| N/A | 127.0.0.1:8567 | | tcp |
| US | 66.98.138.24:80 | | tcp |
| N/A | 10.127.0.158:80 | | tcp |
| N/A | 10.127.0.158:80 | | tcp |
| N/A | 10.127.0.158:80 | | tcp |
| US | 8.8.8.8:53 | windowsupdate.microsoft.com | udp |
| US | 20.72.235.82:80 | windowsupdate.microsoft.com | tcp |
| US | 8.8.8.8:53 | fe2.update.microsoft.com | udp |
| US | 4.154.131.238:80 | fe2.update.microsoft.com | tcp |
Files
memory/580-1-0x0000000000020000-0x0000000000022000-memory.dmp
memory/580-0-0x0000000000400000-0x000000000044D000-memory.dmp
memory/580-2-0x0000000000400000-0x000000000044D000-memory.dmp
memory/580-3-0x0000000000020000-0x0000000000022000-memory.dmp
memory/580-4-0x0000000000400000-0x000000000044D000-memory.dmp
memory/580-5-0x0000000000400000-0x000000000044D000-memory.dmp
memory/580-6-0x0000000000400000-0x000000000044D000-memory.dmp
memory/580-7-0x0000000000400000-0x000000000044D000-memory.dmp
memory/580-8-0x0000000000400000-0x000000000044D000-memory.dmp
memory/580-9-0x0000000000400000-0x000000000044D000-memory.dmp
memory/580-10-0x0000000000400000-0x000000000044D000-memory.dmp
memory/580-11-0x0000000000400000-0x000000000044D000-memory.dmp
memory/580-12-0x0000000000400000-0x000000000044D000-memory.dmp
memory/580-13-0x0000000000400000-0x000000000044D000-memory.dmp
memory/580-14-0x0000000000400000-0x000000000044D000-memory.dmp
memory/580-15-0x0000000000400000-0x000000000044D000-memory.dmp
memory/580-16-0x0000000000400000-0x000000000044D000-memory.dmp
memory/580-17-0x0000000000400000-0x000000000044D000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-16 23:17
Reported
2024-10-16 23:19
Platform
win10v2004-20241007-en
Max time kernel
140s
Max time network
137s
Command Line
Signatures
Unexpected DNS network traffic destination
| Description | Indicator | Process | Target |
| Destination IP | 207.188.7.5 | N/A | N/A |
| Destination IP | 210.174.204.115 | N/A | N/A |
| Destination IP | 207.188.7.5 | N/A | N/A |
| Destination IP | 210.103.175.1 | N/A | N/A |
| Destination IP | 210.144.5.163 | N/A | N/A |
| Destination IP | 210.144.5.163 | N/A | N/A |
| Destination IP | 210.174.204.115 | N/A | N/A |
| Destination IP | 62.151.20.7 | N/A | N/A |
| Destination IP | 210.103.175.1 | N/A | N/A |
| Destination IP | 62.151.20.7 | N/A | N/A |
Writes to the Master Boot Record (MBR)
| Description | Indicator | Process | Target |
| File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\AppData\Local\Temp\4f8f4837532efeaea3e91ca74b464a30_JaffaCakes118.exe | N/A |
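Both detonations record the sample opening \??\PhysicalDrive0 for modification, but the report does not say what, if anything, it wrote to the first sector. The follow-up check a responder wants is a before/after comparison of sector 0. The block below is an added example and not output of the sandbox: it parses the standard MBR layout (440 bytes of bootstrap code, a 4-byte disk signature, 2 reserved bytes, four 16-byte partition entries, the 0x55AA boot signature) and reports which region changed. The sectors it compares are constructed for the example; the read path and the device path in the comment are assumptions, and reading a physical drive requires administrator rights.

```python
"""Diff sector 0 before and after detonation (added example, not report output)."""
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xaa"
# status, CHS start, partition type, CHS end, LBA start, sector count
ENTRY = struct.Struct("<B3sB3sII")


def read_first_sector(path):
    """Read sector 0 from a disk image or raw device (e.g. r'\\.\PhysicalDrive0' as admin)."""
    with open(path, "rb") as f:
        return f.read(SECTOR_SIZE)


def build_mbr(bootstrap, partitions, disk_signature=0x1234ABCD):
    """Assemble a 512-byte MBR; partitions are (bootable, type_id, lba_start, sector_count).

    CHS fields are left zero. Used here only to construct the test sectors below.
    """
    code = bootstrap[:440].ljust(440, b"\x00")
    table = b"".join(
        ENTRY.pack(0x80 if bootable else 0x00, b"\0\0\0", ptype, b"\0\0\0", lba, count)
        for bootable, ptype, lba, count in partitions[:4]
    ).ljust(64, b"\x00")
    return code + struct.pack("<IH", disk_signature, 0) + table + BOOT_SIGNATURE


def parse_mbr(sector):
    """Split a sector into bootstrap hash, disk signature, partition entries and signature check."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected %d bytes, got %d" % (SECTOR_SIZE, len(sector)))
    partitions = []
    for i in range(4):
        status, _, ptype, _, lba, count = ENTRY.unpack_from(sector, 446 + 16 * i)
        if ptype:  # type 0x00 marks an unused entry
            partitions.append({"index": i, "bootable": status == 0x80,
                               "type": ptype, "lba_start": lba, "sectors": count})
    return {
        "bootstrap_sha256": hashlib.sha256(sector[:440]).hexdigest(),
        "disk_signature": struct.unpack_from("<I", sector, 440)[0],
        "partitions": partitions,
        "boot_signature_ok": sector[510:] == BOOT_SIGNATURE,
    }


def diff_mbr(before, after):
    """Return human-readable findings describing what changed between two MBR sectors."""
    b, a = parse_mbr(before), parse_mbr(after)
    findings = []
    if b["boot_signature_ok"] and not a["boot_signature_ok"]:
        findings.append("boot signature 0x55AA removed: disk will not boot")
    if b["bootstrap_sha256"] != a["bootstrap_sha256"]:
        findings.append("bootstrap code (bytes 0-439) rewritten: bootkit or wiper behaviour")
    if b["disk_signature"] != a["disk_signature"]:
        findings.append("disk signature changed: Windows may lose its volume-to-drive-letter mapping")
    bp = {p["index"]: p for p in b["partitions"]}
    ap = {p["index"]: p for p in a["partitions"]}
    for i in sorted(set(bp) | set(ap)):
        if i not in ap:
            findings.append("partition entry %d removed" % i)
        elif i not in bp:
            findings.append("partition entry %d added (type 0x%02x)" % (i, ap[i]["type"]))
        elif bp[i] != ap[i]:
            findings.append("partition entry %d altered" % i)
    return findings


# Constructed sectors: a plausible Windows baseline and two kinds of tampering.
PARTS = [(False, 0x07, 2048, 204800), (True, 0x07, 206848, 40000000)]
BASELINE = build_mbr(b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c", PARTS)
BOOTKIT = build_mbr(b"\xeb\xfe", PARTS)  # bootstrap replaced, table intact
WIPED = b"\x00" * SECTOR_SIZE            # whole sector zeroed

if __name__ == "__main__":
    for label, after in (("bootkit", BOOTKIT), ("wiped", WIPED)):
        print(label, diff_mbr(BASELINE, after))
```

In practice the baseline comes from a clean snapshot of the VM disk and the after-image from the detonated one; only the bootstrap region changing, with the partition table intact, is the pattern to expect from a bootkit, whereas a wiper also takes the signature and the table with it.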
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\4f8f4837532efeaea3e91ca74b464a30_JaffaCakes118.exe | N/A |
Suspicious use of SetWindowsHookEx
Processes
C:\Users\Admin\AppData\Local\Temp\4f8f4837532efeaea3e91ca74b464a30_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\4f8f4837532efeaea3e91ca74b464a30_JaffaCakes118.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| ES | 62.151.20.7:53 | w65.ziyoulonglive.com | udp |
| JP | 210.144.5.163:53 | w65.ziyoulonglive.com | udp |
| JP | 210.174.204.115:53 | w65.ziyoulonglive.com | udp |
| US | 207.188.7.5:53 | w65.ziyoulonglive.com | udp |
| KR | 210.103.175.1:53 | w65.ziyoulonglive.com | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 7.20.151.62.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 163.5.144.210.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 115.204.174.210.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 5.7.188.207.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.175.103.210.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| ES | 62.151.20.7:53 | | tcp |
| JP | 210.144.5.163:53 | | tcp |
| JP | 210.174.204.115:53 | | tcp |
| US | 207.188.7.5:53 | | tcp |
| KR | 210.103.175.1:53 | | tcp |
| N/A | 127.0.0.1:8567 | | tcp |
| N/A | 10.127.0.113:80 | | tcp |
| N/A | 10.127.0.113:80 | | tcp |
| N/A | 10.127.0.113:80 | | tcp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| N/A | 127.0.0.1:8567 | | tcp |
| N/A | 10.127.0.113:80 | | tcp |
| N/A | 10.127.0.113:80 | | tcp |
| N/A | 10.127.0.113:80 | | tcp |
| US | 66.98.139.137:80 | | tcp |
| N/A | 127.0.0.1:8567 | | tcp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| N/A | 127.0.0.1:8567 | | tcp |
| N/A | 10.127.0.113:80 | | tcp |
| N/A | 10.127.0.113:80 | | tcp |
| N/A | 10.127.0.113:80 | | tcp |
| US | 66.98.139.137:80 | | tcp |
| US | 8.8.8.8:53 | windowsupdate.microsoft.com | udp |
| US | 20.72.235.82:80 | windowsupdate.microsoft.com | tcp |
| US | 8.8.8.8:53 | 82.235.72.20.in-addr.arpa | udp |
| N/A | 127.0.0.1:8567 | | tcp |
| N/A | 10.127.0.113:80 | | tcp |
| N/A | 10.127.0.113:80 | | tcp |
| N/A | 10.127.0.113:80 | | tcp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| US | 66.98.139.137:80 | | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| N/A | 127.0.0.1:8567 | | tcp |
| N/A | 10.127.0.113:80 | | tcp |
| N/A | 10.127.0.113:80 | | tcp |
| N/A | 10.127.0.113:80 | | tcp |
| US | 8.8.8.8:53 | windowsupdate.microsoft.com | udp |
| US | 20.72.235.82:80 | windowsupdate.microsoft.com | tcp |
| US | 8.8.8.8:53 | fe2.update.microsoft.com | udp |
| US | 4.154.131.238:80 | fe2.update.microsoft.com | tcp |
| US | 8.8.8.8:53 | 238.131.154.4.in-addr.arpa | udp |
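The "Unexpected DNS network traffic destination" signature in both behavioral runs fires because the sample resolves w61/w63/w64/w65.ziyoulonglive.com by sending port-53 traffic directly to several resolvers of its own choosing (five different ones in each run), while everything the OS itself resolves (windowsupdate.microsoft.com, the in-addr.arpa reverse lookups) goes to 8.8.8.8. The block below is an added example, not part of the sandbox report, that reproduces that detection over rows copied from the two Network tables above. It assumes 8.8.8.8 is the detonation VM's configured resolver (the report supports this but does not state it), treats the 127.0.0.1:8567 and 10.127.0.x:80 connections as sandbox-side traffic that is simply ignored, and tolerates the extraction quirk where a row with no domain has the protocol shifted into the Domain column.

```python
"""Flag DNS queries that bypass the sandbox resolver (added example, not report output)."""
import ipaddress
from collections import defaultdict

# Constructed subset of the report's Network tables (behavioral1 and
# behavioral2), copied row for row. Rows with no queried name have an empty
# Domain column; some extracted rows carry the protocol in that column instead.
NETWORK_ROWS = """\
| US | 165.254.12.151:53 | w64.ziyoulonglive.com | udp |
| US | 63.251.129.1:53 | w64.ziyoulonglive.com | udp |
| US | 64.30.227.206:53 | w64.ziyoulonglive.com | udp |
| US | 207.126.105.146:53 | w64.ziyoulonglive.com | udp |
| JP | 210.144.5.163:53 | w64.ziyoulonglive.com | udp |
| US | 207.126.105.146:53 | tcp | |
| US | 207.126.105.146:53 | w65.ziyoulonglive.com | tcp |
| US | 207.126.105.146:53 | w61.ziyoulonglive.com | tcp |
| US | 207.126.105.146:53 | w63.ziyoulonglive.com | tcp |
| N/A | 127.0.0.1:8567 | tcp | |
| US | 66.98.138.24:80 | tcp | |
| US | 8.8.8.8:53 | windowsupdate.microsoft.com | udp |
| US | 20.72.235.82:80 | windowsupdate.microsoft.com | tcp |
| ES | 62.151.20.7:53 | w65.ziyoulonglive.com | udp |
| KR | 210.103.175.1:53 | w65.ziyoulonglive.com | udp |
| US | 8.8.8.8:53 | 7.20.151.62.in-addr.arpa | udp |
"""

# Assumption: the detonation VM's configured resolver is 8.8.8.8 (every
# Microsoft lookup in the report goes there). Anything else on port 53 is the
# sample talking to a resolver of its own choosing.
EXPECTED_RESOLVERS = {"8.8.8.8"}
PROTOCOLS = {"tcp", "udp"}


def parse_rows(text):
    """Parse '| Country | Destination | Domain | Proto |' rows into dicts.

    Rows extracted as '| US | 1.2.3.4:53 | tcp | |' (protocol shifted into the
    Domain column) are normalised to an empty domain and the given protocol.
    """
    rows = []
    for line in text.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 4 or cells[0] == "Country":
            continue
        country, dest, domain, proto = cells
        if domain.lower() in PROTOCOLS and proto == "":
            domain, proto = "", domain
        ip, _, port = dest.rpartition(":")
        rows.append({"country": country, "ip": ip,
                     "port": int(port) if port.isdigit() else None,
                     "domain": domain, "proto": proto.lower()})
    return rows


def dns_by_resolver(rows):
    """Map each queried name to the set of port-53 destinations it was sent to."""
    names = defaultdict(set)
    for r in rows:
        if r["port"] == 53 and r["domain"]:
            names[r["domain"]].add(r["ip"])
    return names


def unexpected_dns(rows, expected=EXPECTED_RESOLVERS):
    """Return {name: sorted rogue resolver IPs} for names resolved outside `expected`.

    One name fanned out to several non-local resolvers is the pattern the
    report's signature fires on: the sample does its own DNS instead of using
    the system stub resolver, so resolver-level blocking never sees the query.
    """
    out = {}
    for name, ips in dns_by_resolver(rows).items():
        rogue = sorted((ip for ip in ips if ip not in expected), key=ipaddress.ip_address)
        if rogue:
            out[name] = rogue
    return out


def rogue_resolver_ips(rows, expected=EXPECTED_RESOLVERS):
    """Every port-53 destination that is not an expected resolver, queried name or not."""
    ips = {r["ip"] for r in rows if r["port"] == 53 and r["ip"] not in expected}
    return sorted(ips, key=ipaddress.ip_address)


def blocklist_names(rows, expected=EXPECTED_RESOLVERS):
    """Distinct names worth sinkholing, derived from the rogue-resolver queries."""
    return sorted(unexpected_dns(rows, expected))


if __name__ == "__main__":
    rows = parse_rows(NETWORK_ROWS)
    for name, ips in unexpected_dns(rows).items():
        print("%s: %d rogue resolver(s): %s" % (name, len(ips), ", ".join(ips)))
    print("rogue resolver IPs:", ", ".join(rogue_resolver_ips(rows)))
    print("names to sinkhole:", ", ".join(blocklist_names(rows)))
```

The same logic applied to egress firewall logs rather than a sandbox table is the practical detection here: a host that sends UDP/TCP 53 to anything other than the corporate resolvers is either misconfigured or running something that resolves on its own, and the queried names (here, the ziyoulonglive.com hosts) only become visible at the firewall if it logs DNS payloads, which is why the resolver-IP check is the one that fires first.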
Files
memory/560-0-0x0000000000400000-0x000000000044D000-memory.dmp
memory/560-1-0x00000000001C0000-0x00000000001C2000-memory.dmp
memory/560-2-0x0000000000400000-0x000000000044D000-memory.dmp
memory/560-3-0x00000000001C0000-0x00000000001C2000-memory.dmp
memory/560-4-0x0000000000400000-0x000000000044D000-memory.dmp
memory/560-5-0x0000000000400000-0x000000000044D000-memory.dmp
memory/560-6-0x0000000000400000-0x000000000044D000-memory.dmp
memory/560-7-0x0000000000400000-0x000000000044D000-memory.dmp
memory/560-8-0x0000000000400000-0x000000000044D000-memory.dmp
memory/560-9-0x0000000000400000-0x000000000044D000-memory.dmp
memory/560-10-0x0000000000400000-0x000000000044D000-memory.dmp
memory/560-11-0x0000000000400000-0x000000000044D000-memory.dmp
memory/560-12-0x0000000000400000-0x000000000044D000-memory.dmp
memory/560-13-0x0000000000400000-0x000000000044D000-memory.dmp
memory/560-14-0x0000000000400000-0x000000000044D000-memory.dmp
memory/560-15-0x0000000000400000-0x000000000044D000-memory.dmp
memory/560-16-0x0000000000400000-0x000000000044D000-memory.dmp
memory/560-17-0x0000000000400000-0x000000000044D000-memory.dmp