Analysis Overview
SHA256
4b0dff2b9e815c7a4ffacfaac103564af2e8b38235823b08344c56033b6d4dff
Threat Level: Likely malicious
The file 4abfb20a73e1d996a939448a3cb7452b_JaffaCakes118 was found to be: Likely malicious.
Malicious Activity Summary
Drops file in Drivers directory
Server Software Component: Terminal Services DLL
Deletes itself
Loads dropped DLL
Writes to the Master Boot Record (MBR)
Drops file in System32 directory
Program crash
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-16 01:01
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-16 01:01
Reported
2024-10-16 01:04
Platform
win7-20240903-en
Max time kernel
143s
Max time network
120s
Signatures
Drops file in Drivers directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Windows\system32\drivers\etc\WEeeKuJS.dll | C:\Users\Admin\AppData\Local\Temp\4abfb20a73e1d996a939448a3cb7452b_JaffaCakes118.exe | N/A |
Server Software Component: Terminal Services DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\NetMeeting Service\Parameters\ServiceDLL = "%SystemRoot%\\system32\\drivers\\etc\\WEeeKuJS.dll" | C:\Users\Admin\AppData\Local\Temp\4abfb20a73e1d996a939448a3cb7452b_JaffaCakes118.exe | N/A |
Deletes itself
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
Writes to the Master Boot Record (MBR)
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | \??\PhysicalDrive0 | C:\Windows\SysWOW64\svchost.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Windows\SysWOW64\ZzDQCEd23g.ini | C:\Users\Admin\AppData\Local\Temp\4abfb20a73e1d996a939448a3cb7452b_JaffaCakes118.exe | N/A |
| File created | C:\Windows\SysWOW64\ZzDQCEd23g.del | C:\Users\Admin\AppData\Local\Temp\4abfb20a73e1d996a939448a3cb7452b_JaffaCakes118.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\svchost.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4abfb20a73e1d996a939448a3cb7452b_JaffaCakes118.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\4abfb20a73e1d996a939448a3cb7452b_JaffaCakes118.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\4abfb20a73e1d996a939448a3cb7452b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\4abfb20a73e1d996a939448a3cb7452b_JaffaCakes118.exe"
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | yzyd0000.3322.org | udp |
Files
memory/2544-3-0x0000000000400000-0x000000000040F000-memory.dmp
\Windows\System32\drivers\etc\WEeeKuJS.dll
| MD5 | 75d7e09e71b34b987f6065b1fd754d87 |
| SHA1 | dbebf7c4fcc1885a8e5ac834d9672548b7a425cc |
| SHA256 | 3a6747d29e1c3f84ab43829c8bb8eda6d4536cb9aaec196539fbe70adfbb1899 |
| SHA512 | 6c1b29d3770c54c5c32253266bc81628410b755ea19625180eb7d74e5f1ee3cec8f3f3c1ca1f6f56eb84984aabc66a65e290a103c9d38a91b46acdfee09ab3d2 |
memory/2376-6-0x00000000001E0000-0x0000000000206000-memory.dmp
C:\Windows\SysWOW64\ZzDQCEd23g.del
| MD5 | aa92b8689b0e6e1f412343a07c73af77 |
| SHA1 | 9e7d7bab97770fcf39ba578374de06a643f53cb6 |
| SHA256 | dbafdb381f191f4816017a0df33064e25809f6cd6397c1116db88ca4e4fb31aa |
| SHA512 | 1803759ed05f945e5ff1e8f96028d640cf5fdbe4a79cc81cccba28e7f4c235c572df2c82e6e7b47d97ab960376e0820ff121c2aa8cdff15b50127fe33159ed4d |
memory/2544-8-0x0000000000400000-0x000000000040F000-memory.dmp
memory/2376-9-0x00000000001E0000-0x0000000000206000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-16 01:01
Reported
2024-10-16 01:04
Platform
win10v2004-20241007-en
Max time kernel
148s
Max time network
150s
Signatures
Program crash
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\4abfb20a73e1d996a939448a3cb7452b_JaffaCakes118.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\4abfb20a73e1d996a939448a3cb7452b_JaffaCakes118.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\4abfb20a73e1d996a939448a3cb7452b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\4abfb20a73e1d996a939448a3cb7452b_JaffaCakes118.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4732 -ip 4732
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4732 -s 220
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 136.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |