Analysis Overview
SHA256
eede0c35e494e17d8dea7109d7973f9449baf31d9fc3bbfd18467b3572182a14
Threat Level: Shows suspicious behavior
The file 4fb4e60f1118543aa9b3d10004ef47bb_JaffaCakes118 was found to show suspicious behavior.
Malicious Activity Summary
Writes to the Master Boot Record (MBR)
Unsigned PE
System Location Discovery: System Language Discovery
Modifies registry class
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-16 23:52
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-16 23:52
Reported
2024-10-16 23:54
Platform
win7-20240903-en
Max time kernel
120s
Max time network
120s
Command Line
Signatures
Writes to the Master Boot Record (MBR)
| Description | Indicator | Process | Target |
| File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\AppData\Local\Temp\4fb4e60f1118543aa9b3d10004ef47bb_JaffaCakes118.exe | N/A |
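Added example, not part of the sandbox report: the signature above records only that the sample opened \??\PhysicalDrive0 for modification; it does not show what, if anything, was written, and the win10 detonation (behavioral2) did not raise the signature at all. The responder's check is therefore to read the first sector of the suspect disk and compare it with a trusted baseline. The script below parses a 512-byte MBR (boot code, partition table, 0x55AA signature) and lists how a sector diverges from the baseline. The "known-good", tampered and wiped sectors are constructed inline for the example.

```python
"""Parse a raw 512-byte MBR sector and diff it against a trusted baseline.

Added example (not from the sandbox report). Sample sectors are constructed.
"""
import hashlib
import struct
from dataclasses import dataclass
from typing import List

SECTOR = 512
PT_OFFSET = 446      # partition table: 4 x 16-byte entries at bytes 446..509
SIG_OFFSET = 510     # 0x55 0xAA boot signature at bytes 510..511


@dataclass(frozen=True)
class Partition:
    bootable: bool
    ptype: int
    lba_start: int
    sectors: int


def parse_partitions(mbr: bytes) -> List[Partition]:
    """Decode the four classic partition-table entries, skipping empty slots."""
    if len(mbr) != SECTOR:
        raise ValueError(f"MBR must be {SECTOR} bytes, got {len(mbr)}")
    parts = []
    for i in range(4):
        # status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) sector-count(4)
        status, ptype, lba, count = struct.unpack_from("<B3xB3xII", mbr, PT_OFFSET + 16 * i)
        if ptype == 0 and lba == 0 and count == 0:
            continue
        parts.append(Partition(status == 0x80, ptype, lba, count))
    return parts


def check_mbr(sector: bytes, baseline: bytes) -> List[str]:
    """Return findings for `sector`; an empty list means it matches the baseline."""
    findings = []
    if sector[SIG_OFFSET:] != b"\x55\xAA":
        findings.append("boot signature 0x55AA missing: sector is not a valid MBR")
    if sector[:PT_OFFSET] != baseline[:PT_OFFSET]:
        findings.append("boot code (bytes 0..445) differs from baseline")
    if parse_partitions(sector) != parse_partitions(baseline):
        findings.append("partition table differs from baseline")
    return findings


def sha256_hex(data: bytes) -> str:
    """Hash to record alongside the baseline copy of the sector."""
    return hashlib.sha256(data).hexdigest()


def build_sector(boot_code: bytes, partitions: List[Partition]) -> bytes:
    """Assemble a 512-byte sector; used only to construct the sample data below."""
    body = boot_code.ljust(PT_OFFSET, b"\x00")[:PT_OFFSET]
    table = b"".join(
        struct.pack("<B3xB3xII", 0x80 if p.bootable else 0, p.ptype, p.lba_start, p.sectors)
        for p in partitions
    ).ljust(64, b"\x00")
    return body + table + b"\x55\xAA"


# Constructed sample data: a known-good sector, a copy whose boot code was
# overwritten (jmp $ hangs the machine at boot), and an all-zero sector.
GOOD_PARTS = [Partition(True, 0x07, 2048, 204800)]
BASELINE = build_sector(b"\x33\xC0\x8E\xD0\xBC\x00\x7C" + b"\x90" * 16, GOOD_PARTS)
TAMPERED = build_sector(b"\xEB\xFE" + b"\x00" * 20, GOOD_PARTS)
WIPED = b"\x00" * SECTOR

if __name__ == "__main__":
    for name, sec in (("baseline", BASELINE), ("tampered", TAMPERED), ("wiped", WIPED)):
        print(name, sha256_hex(sec)[:16], check_mbr(sec, BASELINE) or "OK")
```

On a live Windows host the sector is read as Administrator with `open(r"\\.\PhysicalDrive0", "rb").read(512)`; from a Linux rescue medium, `dd if=/dev/sda bs=512 count=1` produces the same bytes. Store the baseline sector and its SHA-256 from a clean image of the same build, since boot code differs between Windows versions and OEM tools; on GPT disks the first sector is a protective MBR and still worth baselining.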
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\4fb4e60f1118543aa9b3d10004ef47bb_JaffaCakes118.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\Software\Classes\Wow6432Node\CLSID\{F9BA1AA9-CAD4-4C14-BDE6-922DFF5F6F38} | C:\Users\Admin\AppData\Local\Temp\4fb4e60f1118543aa9b3d10004ef47bb_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F9BA1AA9-CAD4-4C14-BDE6-922DFF5F6F38}\dlloadtime = "1729122728" | C:\Users\Admin\AppData\Local\Temp\4fb4e60f1118543aa9b3d10004ef47bb_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F9BA1AA9-CAD4-4C14-BDE6-922DFF5F6F38}\mac = "C2-8A-DB-22-2B-BA" | C:\Users\Admin\AppData\Local\Temp\4fb4e60f1118543aa9b3d10004ef47bb_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F9BA1AA9-CAD4-4C14-BDE6-922DFF5F6F38}\dlt = "1729122728" | C:\Users\Admin\AppData\Local\Temp\4fb4e60f1118543aa9b3d10004ef47bb_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.key | C:\Users\Admin\AppData\Local\Temp\4fb4e60f1118543aa9b3d10004ef47bb_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ | C:\Users\Admin\AppData\Local\Temp\4fb4e60f1118543aa9b3d10004ef47bb_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile" | C:\Users\Admin\AppData\Local\Temp\4fb4e60f1118543aa9b3d10004ef47bb_JaffaCakes118.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\4fb4e60f1118543aa9b3d10004ef47bb_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\4fb4e60f1118543aa9b3d10004ef47bb_JaffaCakes118.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | loader.51edm.net | udp |
| DE | 116.202.118.107:1207 | loader.51edm.net | tcp |
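Added example, not the sandbox's own code, that turns the indicators above into a check a responder can run over host telemetry. A few observations from the report drive the design: `dlloadtime` and `dlt` are Unix epoch seconds written at execution time (1729122728 is 2024-10-16 23:52:08 UTC, the submission minute; the win10 run below records 1729122729), and `mac` holds the detonation host's adapter address, which differs between the two runs. The data of these values is host-specific, so the stable indicators are the CLSID key path and its value names. The `.key` default value set to `regfile` maps the `.key` extension to the handler Windows uses for `.reg` exports. On the network side, only `loader.51edm.net` and the TCP connection to `116.202.118.107:1207` appear in both detonations; the reverse-DNS lookups of Microsoft address space and the `tse1.mm.bing.net` connections appear only in the win10 run and are consistent with Windows 10 background traffic, so they are left out of the indicator set. The events below are constructed, Sysmon-style records; the benign rows use hypothetical image paths.

```python
"""Match the report's host and network indicators against constructed telemetry.

Added example (not from the sandbox report). Events are plain dicts shaped like
Sysmon registry / DNS / network records; the sample rows are constructed.
"""
import re
from datetime import datetime, timezone
from typing import Dict, List

# Indicators taken from the report.
CLSID = "{F9BA1AA9-CAD4-4C14-BDE6-922DFF5F6F38}"
C2_DOMAIN = "loader.51edm.net"
C2_ADDR = ("116.202.118.107", 1207)

# ...\Classes\Wow6432Node\CLSID\{GUID}[\<value name>]. Wow6432Node is present only
# when 32-bit code runs on 64-bit Windows, so it is optional; the match is
# case-insensitive because the report logs both Wow6432Node and WOW6432Node.
CLSID_RE = re.compile(
    r"\\Classes\\(?:Wow6432Node\\)?CLSID\\" + re.escape(CLSID) + r"(?:\\(?P<value>[^\\]+))?$",
    re.IGNORECASE,
)
# Default value of HKLM\SOFTWARE\Classes\.key (Sysmon names it "(Default)").
DOT_KEY_RE = re.compile(r"\\Classes\\\.key(?:\\(?:\(Default\))?)?$", re.IGNORECASE)


def epoch_to_utc(value: str) -> datetime:
    """dlloadtime / dlt hold Unix epoch seconds written at run time."""
    return datetime.fromtimestamp(int(value), tz=timezone.utc)


def match_event(ev: Dict[str, str]) -> List[str]:
    """Return the indicator labels an event hits (empty list = no match)."""
    hits: List[str] = []
    kind = ev["kind"]
    if kind in ("reg_create", "reg_set"):
        m = CLSID_RE.search(ev["target"])
        if m:
            hits.append("clsid-key:" + (m.group("value") or "(key)"))
        if DOT_KEY_RE.search(ev["target"]) and ev.get("data", "").lower() == "regfile":
            hits.append("dot-key-mapped-to-regfile")
    elif kind == "dns" and ev["query"].lower().rstrip(".") == C2_DOMAIN:
        hits.append("dns:" + C2_DOMAIN)
    elif kind == "net" and (ev["dst_ip"], int(ev["dst_port"])) == C2_ADDR:
        hits.append("tcp:%s:%d" % C2_ADDR)
    return hits


def scan(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Keep only events that hit at least one indicator, with their labels."""
    out = []
    for ev in events:
        hits = match_event(ev)
        if hits:
            out.append({"event": ev, "hits": hits})
    return out


# Constructed sample telemetry. IMG is the sample's path from the report; the
# other image paths are hypothetical benign processes.
IMG = r"C:\Users\Admin\AppData\Local\Temp\4fb4e60f1118543aa9b3d10004ef47bb_JaffaCakes118.exe"
HIVE = r"HKLM\SOFTWARE\Classes"
CLSID_KEY = HIVE + "\\Wow6432Node\\CLSID\\" + CLSID
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"kind": "reg_create", "image": IMG, "target": CLSID_KEY},
    {"kind": "reg_set", "image": IMG, "target": CLSID_KEY + "\\dlloadtime", "data": "1729122728"},
    {"kind": "reg_set", "image": IMG, "target": CLSID_KEY + "\\mac", "data": "C2-8A-DB-22-2B-BA"},
    {"kind": "reg_set", "image": IMG, "target": HIVE + "\\.key\\(Default)", "data": "regfile"},
    {"kind": "reg_set", "image": "C:\\Program Files\\SomeApp\\setup.exe",      # benign: other ProgID
     "target": HIVE + "\\.key\\(Default)", "data": "SomeApp.KeyFile"},
    {"kind": "dns", "image": IMG, "query": "loader.51edm.net"},
    {"kind": "dns", "image": "C:\\Windows\\explorer.exe", "query": "tse1.mm.bing.net"},  # background
    {"kind": "net", "image": IMG, "dst_ip": "116.202.118.107", "dst_port": "1207"},
    {"kind": "net", "image": "C:\\Windows\\explorer.exe", "dst_ip": "150.171.28.10", "dst_port": "443"},
]

if __name__ == "__main__":
    print("dlloadtime =", epoch_to_utc("1729122728").isoformat())
    for item in scan(SAMPLE_EVENTS):
        print(item["hits"], item["event"]["image"])
```

The matchers key on the stable parts of each indicator (key path, value name, ProgID name, domain, address:port) and ignore the host-specific data, so the same rules apply to any host the sample ran on, not only the two sandbox images.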
Files
memory/2384-0-0x0000000000400000-0x0000000000423000-memory.dmp
memory/2384-2-0x0000000000280000-0x0000000000282000-memory.dmp
memory/2384-1-0x0000000000250000-0x0000000000280000-memory.dmp
memory/2384-9-0x0000000001DF0000-0x0000000001DF1000-memory.dmp
memory/2384-8-0x0000000001E00000-0x0000000001E01000-memory.dmp
memory/2384-7-0x0000000001DD0000-0x0000000001DD1000-memory.dmp
memory/2384-11-0x00000000005E0000-0x00000000005E1000-memory.dmp
memory/2384-10-0x00000000005F0000-0x00000000005F1000-memory.dmp
memory/2384-6-0x0000000001DE0000-0x0000000001DE1000-memory.dmp
memory/2384-5-0x0000000001DB0000-0x0000000001DB1000-memory.dmp
memory/2384-4-0x0000000001DC0000-0x0000000001DC1000-memory.dmp
memory/2384-3-0x0000000000240000-0x0000000000241000-memory.dmp
memory/2384-13-0x0000000001D90000-0x0000000001D91000-memory.dmp
memory/2384-12-0x0000000001DA0000-0x0000000001DA1000-memory.dmp
memory/2384-16-0x0000000001E10000-0x0000000001E11000-memory.dmp
memory/2384-18-0x0000000000250000-0x0000000000280000-memory.dmp
memory/2384-19-0x0000000001E30000-0x0000000001E31000-memory.dmp
memory/2384-17-0x0000000000400000-0x0000000000423000-memory.dmp
memory/2384-15-0x0000000001E20000-0x0000000001E21000-memory.dmp
memory/2384-20-0x0000000000400000-0x0000000000423000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-16 23:52
Reported
2024-10-16 23:54
Platform
win10v2004-20241007-en
Max time kernel
139s
Max time network
123s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\4fb4e60f1118543aa9b3d10004ef47bb_JaffaCakes118.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.key | C:\Users\Admin\AppData\Local\Temp\4fb4e60f1118543aa9b3d10004ef47bb_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ | C:\Users\Admin\AppData\Local\Temp\4fb4e60f1118543aa9b3d10004ef47bb_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile" | C:\Users\Admin\AppData\Local\Temp\4fb4e60f1118543aa9b3d10004ef47bb_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{F9BA1AA9-CAD4-4C14-BDE6-922DFF5F6F38} | C:\Users\Admin\AppData\Local\Temp\4fb4e60f1118543aa9b3d10004ef47bb_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F9BA1AA9-CAD4-4C14-BDE6-922DFF5F6F38}\dlloadtime = "1729122729" | C:\Users\Admin\AppData\Local\Temp\4fb4e60f1118543aa9b3d10004ef47bb_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F9BA1AA9-CAD4-4C14-BDE6-922DFF5F6F38}\mac = "DA-67-B5-6E-6C-1B" | C:\Users\Admin\AppData\Local\Temp\4fb4e60f1118543aa9b3d10004ef47bb_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F9BA1AA9-CAD4-4C14-BDE6-922DFF5F6F38}\dlt = "1729122729" | C:\Users\Admin\AppData\Local\Temp\4fb4e60f1118543aa9b3d10004ef47bb_JaffaCakes118.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\4fb4e60f1118543aa9b3d10004ef47bb_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\4fb4e60f1118543aa9b3d10004ef47bb_JaffaCakes118.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | loader.51edm.net | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| DE | 116.202.118.107:1207 | loader.51edm.net | tcp |
| US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
Files
memory/1500-0-0x0000000000400000-0x0000000000423000-memory.dmp
memory/1500-1-0x0000000000700000-0x0000000000730000-memory.dmp
memory/1500-2-0x0000000000730000-0x0000000000732000-memory.dmp
memory/1500-9-0x0000000002480000-0x0000000002481000-memory.dmp
memory/1500-8-0x0000000002470000-0x0000000002471000-memory.dmp
memory/1500-7-0x0000000002460000-0x0000000002461000-memory.dmp
memory/1500-13-0x0000000002410000-0x0000000002411000-memory.dmp
memory/1500-12-0x0000000002420000-0x0000000002421000-memory.dmp
memory/1500-11-0x00000000023F0000-0x00000000023F1000-memory.dmp
memory/1500-10-0x0000000002400000-0x0000000002401000-memory.dmp
memory/1500-5-0x0000000002430000-0x0000000002431000-memory.dmp
memory/1500-4-0x0000000002440000-0x0000000002441000-memory.dmp
memory/1500-3-0x00000000005E0000-0x00000000005E1000-memory.dmp
memory/1500-6-0x0000000002450000-0x0000000002451000-memory.dmp
memory/1500-16-0x0000000002490000-0x0000000002491000-memory.dmp
memory/1500-15-0x00000000024A0000-0x00000000024A1000-memory.dmp
memory/1500-17-0x0000000000400000-0x0000000000423000-memory.dmp
memory/1500-18-0x0000000000700000-0x0000000000730000-memory.dmp
memory/1500-19-0x0000000000400000-0x0000000000423000-memory.dmp