Analysis Overview
SHA256
829e8c5cb3aa8455f983872bb992e2e92966b940745e597c10742258c10b4173
Threat Level: Shows suspicious behavior
The file 4b0fae714497cb3a60037e8f543d8ae9_JaffaCakes118 was found to show suspicious behavior.
Malicious Activity Summary
Loads dropped DLL
Executes dropped EXE
Writes to the Master Boot Record (MBR)
Checks installed software on the system
System Location Discovery: System Language Discovery
Enumerates physical storage devices
NSIS installer
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Modifies Internet Explorer settings
Suspicious use of SetWindowsHookEx
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-16 02:39
Signatures
NSIS installer
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-16 02:39
Reported
2024-10-16 02:42
Platform
win7-20240903-en
Max time kernel
119s
Max time network
120s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\ProgramData\37wan\wy\wy.exe | N/A |
| N/A | N/A | C:\ProgramData\37wan\wy\wy.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4b0fae714497cb3a60037e8f543d8ae9_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4b0fae714497cb3a60037e8f543d8ae9_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4b0fae714497cb3a60037e8f543d8ae9_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4b0fae714497cb3a60037e8f543d8ae9_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4b0fae714497cb3a60037e8f543d8ae9_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\ProgramData\37wan\wy\wy.exe | N/A |
| N/A | N/A | C:\ProgramData\37wan\wy\wy.exe | N/A |
| N/A | N/A | C:\ProgramData\37wan\wy\wy.exe | N/A |
| N/A | N/A | C:\ProgramData\37wan\wy\wy.exe | N/A |
Checks installed software on the system
Writes to the Master Boot Record (MBR)
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | \??\PhysicalDrive0 | C:\ProgramData\37wan\wy\wy.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\ProgramData\37wan\wy\wy.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\ProgramData\37wan\wy\wy.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\4b0fae714497cb3a60037e8f543d8ae9_JaffaCakes118.exe | N/A |
NSIS installer
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main | C:\ProgramData\37wan\wy\wy.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\ProgramData\37wan\wy\wy.exe | N/A |
| N/A | N/A | C:\ProgramData\37wan\wy\wy.exe | N/A |
| N/A | N/A | C:\ProgramData\37wan\wy\wy.exe | N/A |
| N/A | N/A | C:\ProgramData\37wan\wy\wy.exe | N/A |
| N/A | N/A | C:\ProgramData\37wan\wy\wy.exe | N/A |
| N/A | N/A | C:\ProgramData\37wan\wy\wy.exe | N/A |
| N/A | N/A | C:\ProgramData\37wan\wy\wy.exe | N/A |
| N/A | N/A | C:\ProgramData\37wan\wy\wy.exe | N/A |
| N/A | N/A | C:\ProgramData\37wan\wy\wy.exe | N/A |
| N/A | N/A | C:\ProgramData\37wan\wy\wy.exe | N/A |
| N/A | N/A | C:\ProgramData\37wan\wy\wy.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\ProgramData\37wan\wy\wy.exe | N/A |
| N/A | N/A | C:\ProgramData\37wan\wy\wy.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\4b0fae714497cb3a60037e8f543d8ae9_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\4b0fae714497cb3a60037e8f543d8ae9_JaffaCakes118.exe"
C:\ProgramData\37wan\wy\wy.exe
"C:\ProgramData\37wan\wy\wy.exe" /autorun /setuprun
C:\ProgramData\37wan\wy\wy.exe
"C:\ProgramData\37wan\wy\wy.exe" /setupsucc
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | iframe.ip138.com | udp |
| CN | 110.81.155.138:80 | iframe.ip138.com | tcp |
| US | 8.8.8.8:53 | wy.37wan.com | udp |
| CN | 42.194.172.182:80 | wy.37wan.com | tcp |
| CN | 59.57.14.11:80 | iframe.ip138.com | tcp |
| CN | 110.81.155.137:80 | iframe.ip138.com | tcp |
| US | 8.8.8.8:53 | a.clickdata.37wan.com | udp |
| CN | 159.75.141.43:80 | a.clickdata.37wan.com | tcp |
| CN | 106.55.79.146:80 | a.clickdata.37wan.com | tcp |
Files
\ProgramData\37wan\wy\wy.exe
| MD5 | b18c3fbda7f860cacd7009ca0b0a50c2 |
| SHA1 | 2a5ee5d73b29dc2e072b25192acdf18931acc1c8 |
| SHA256 | 5850211530459f873ca0310c2221e113580ddc51bc2a211fd5d62d3c1f9834eb |
| SHA512 | c9bb7421c001d45f2362199b2ec6f6cd7f0a59a62ecbcd870212f32f2e2f9e21b95ccaef5ef085737bf94229f404c3e72146bfa49de69a2714593158658ef667 |
\ProgramData\37wan\wy\uninst.exe
| MD5 | c1c0b7d9d1c3774db756dbf800fa7e96 |
| SHA1 | 4ca05b1e96bf3045c6361fa743f4ec0ccc6f625c |
| SHA256 | 02308440ae87d5560305623ff4e4e9296cc36e565bc3d4a209d51952bfb3b3b5 |
| SHA512 | 70d8b1ac41f59d5a829b5f54c6b7e01036026915e3beaf7bcecbde95e54974ad4f1e1bc8497db3d55e20d87436b98b1e25c6dc03a8c8e786e30e6845d277dfde |
C:\ProgramData\37wan\wy\lander.ini
| MD5 | fe609059a9a3871184f86b1825599c19 |
| SHA1 | 16e1a7b1381c9bd3aa78aa416db8d1429706e53c |
| SHA256 | 517ae79c2ad9cdb10c82186be1166bde73d5872b9cb25e1eff21a677c64d8d5f |
| SHA512 | 11a76fde21c90f110ecf22adb9243c2dd796cd6f789a2efd8bec2d7993d47b7f53474e25b19451cdf556c4e9436d0c299582d8e08ea78433c0ffc05a9f2d01d6 |
C:\ProgramData\37wan\wy\lander.ini
| MD5 | d218c8f7335bbae0c2bf07b9b4f784f0 |
| SHA1 | 5b7b513ca3e81c167ccdfcac615295056cfa2dee |
| SHA256 | 3b0eabe6f8e72e8490ef064587dc81217401c6a2b01ed511bbe77603447d722c |
| SHA512 | 99fda78be5f94ef8616ba126557f17609a731768cde7ca53df5740a7ad56841baf587b29649f5265836bf992671cd02a31ff99b8e86ec2c6d75a374e3d2e9d0b |
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-16 02:39
Reported
2024-10-16 02:42
Platform
win10v2004-20241007-en
Max time kernel
149s
Max time network
150s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\ProgramData\37wan\wy\wy.exe | N/A |
| N/A | N/A | C:\ProgramData\37wan\wy\wy.exe | N/A |
Checks installed software on the system
Writes to the Master Boot Record (MBR)
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | \??\PhysicalDrive0 | C:\ProgramData\37wan\wy\wy.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\4b0fae714497cb3a60037e8f543d8ae9_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\ProgramData\37wan\wy\wy.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\ProgramData\37wan\wy\wy.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\ProgramData\37wan\wy\wy.exe | N/A |
| N/A | N/A | C:\ProgramData\37wan\wy\wy.exe | N/A |
| N/A | N/A | C:\ProgramData\37wan\wy\wy.exe | N/A |
| N/A | N/A | C:\ProgramData\37wan\wy\wy.exe | N/A |
| N/A | N/A | C:\ProgramData\37wan\wy\wy.exe | N/A |
| N/A | N/A | C:\ProgramData\37wan\wy\wy.exe | N/A |
| N/A | N/A | C:\ProgramData\37wan\wy\wy.exe | N/A |
| N/A | N/A | C:\ProgramData\37wan\wy\wy.exe | N/A |
| N/A | N/A | C:\ProgramData\37wan\wy\wy.exe | N/A |
| N/A | N/A | C:\ProgramData\37wan\wy\wy.exe | N/A |
| N/A | N/A | C:\ProgramData\37wan\wy\wy.exe | N/A |
| N/A | N/A | C:\ProgramData\37wan\wy\wy.exe | N/A |
| N/A | N/A | C:\ProgramData\37wan\wy\wy.exe | N/A |
| N/A | N/A | C:\ProgramData\37wan\wy\wy.exe | N/A |
| N/A | N/A | C:\ProgramData\37wan\wy\wy.exe | N/A |
| N/A | N/A | C:\ProgramData\37wan\wy\wy.exe | N/A |
| N/A | N/A | C:\ProgramData\37wan\wy\wy.exe | N/A |
| N/A | N/A | C:\ProgramData\37wan\wy\wy.exe | N/A |
| N/A | N/A | C:\ProgramData\37wan\wy\wy.exe | N/A |
| N/A | N/A | C:\ProgramData\37wan\wy\wy.exe | N/A |
| N/A | N/A | C:\ProgramData\37wan\wy\wy.exe | N/A |
| N/A | N/A | C:\ProgramData\37wan\wy\wy.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\ProgramData\37wan\wy\wy.exe | N/A |
| N/A | N/A | C:\ProgramData\37wan\wy\wy.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 3636 wrote to memory of 3236 | N/A | C:\Users\Admin\AppData\Local\Temp\4b0fae714497cb3a60037e8f543d8ae9_JaffaCakes118.exe | C:\ProgramData\37wan\wy\wy.exe |
| PID 3636 wrote to memory of 3236 | N/A | C:\Users\Admin\AppData\Local\Temp\4b0fae714497cb3a60037e8f543d8ae9_JaffaCakes118.exe | C:\ProgramData\37wan\wy\wy.exe |
| PID 3636 wrote to memory of 3236 | N/A | C:\Users\Admin\AppData\Local\Temp\4b0fae714497cb3a60037e8f543d8ae9_JaffaCakes118.exe | C:\ProgramData\37wan\wy\wy.exe |
| PID 3636 wrote to memory of 3376 | N/A | C:\Users\Admin\AppData\Local\Temp\4b0fae714497cb3a60037e8f543d8ae9_JaffaCakes118.exe | C:\ProgramData\37wan\wy\wy.exe |
| PID 3636 wrote to memory of 3376 | N/A | C:\Users\Admin\AppData\Local\Temp\4b0fae714497cb3a60037e8f543d8ae9_JaffaCakes118.exe | C:\ProgramData\37wan\wy\wy.exe |
| PID 3636 wrote to memory of 3376 | N/A | C:\Users\Admin\AppData\Local\Temp\4b0fae714497cb3a60037e8f543d8ae9_JaffaCakes118.exe | C:\ProgramData\37wan\wy\wy.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\4b0fae714497cb3a60037e8f543d8ae9_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\4b0fae714497cb3a60037e8f543d8ae9_JaffaCakes118.exe"
C:\ProgramData\37wan\wy\wy.exe
"C:\ProgramData\37wan\wy\wy.exe" /autorun /setuprun
C:\ProgramData\37wan\wy\wy.exe
"C:\ProgramData\37wan\wy\wy.exe" /setupsucc
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | iframe.ip138.com | udp |
| CN | 110.81.155.137:80 | iframe.ip138.com | tcp |
| US | 8.8.8.8:53 | wy.37wan.com | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| CN | 42.194.172.182:80 | wy.37wan.com | tcp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.27.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 69.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp |
| CN | 110.81.155.138:80 | iframe.ip138.com | tcp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| CN | 59.57.14.11:80 | iframe.ip138.com | tcp |
| US | 8.8.8.8:53 | a.clickdata.37wan.com | udp |
| CN | 106.55.79.146:80 | a.clickdata.37wan.com | tcp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| CN | 159.75.141.43:80 | a.clickdata.37wan.com | tcp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
Files
C:\ProgramData\37wan\wy\wy.exe
| MD5 | b18c3fbda7f860cacd7009ca0b0a50c2 |
| SHA1 | 2a5ee5d73b29dc2e072b25192acdf18931acc1c8 |
| SHA256 | 5850211530459f873ca0310c2221e113580ddc51bc2a211fd5d62d3c1f9834eb |
| SHA512 | c9bb7421c001d45f2362199b2ec6f6cd7f0a59a62ecbcd870212f32f2e2f9e21b95ccaef5ef085737bf94229f404c3e72146bfa49de69a2714593158658ef667 |
C:\ProgramData\37wan\wy\lander.ini
| MD5 | fe609059a9a3871184f86b1825599c19 |
| SHA1 | 16e1a7b1381c9bd3aa78aa416db8d1429706e53c |
| SHA256 | 517ae79c2ad9cdb10c82186be1166bde73d5872b9cb25e1eff21a677c64d8d5f |
| SHA512 | 11a76fde21c90f110ecf22adb9243c2dd796cd6f789a2efd8bec2d7993d47b7f53474e25b19451cdf556c4e9436d0c299582d8e08ea78433c0ffc05a9f2d01d6 |
C:\ProgramData\37wan\wy\Lander.ini
| MD5 | b5fca1e229e9c2dc0925cc02a0aa21dd |
| SHA1 | d1f503e783aaddcb9838a3a073436d1e66e547ff |
| SHA256 | 99c7d43f49d7439bb4ce604dfafbe5af180cb970fb9462e08b1b01faaea7c98e |
| SHA512 | d3133baa027bf2fbb48e74e80c19c7d5cb45c34a030286b3f320e141d3596d4ebad9e762614759d240fd9262be9a05520b0fc7195cc6e0254db1aa1fb1dd5f78 |
C:\ProgramData\37wan\wy\lander.ini
| MD5 | 95e5562252aa4837dcaf35879f8aaa3b |
| SHA1 | 0b5be2ec702acf16a340459a50fbd9b2e3f71ef8 |
| SHA256 | 1d66d299c0fc7d316942acb43a9226bfba4dc36bdb71d24ee626e2f3e6142d28 |
| SHA512 | 1b5774389df95e346b5ebc68532beb2238f5bbde1f4261467765bc75d62b73aa6d05b4f1b6aa793f0d8c18b057a0bf494bac3f505065c40b95c1047cf09b2c49 |
memory/3236-35-0x0000000003000000-0x0000000003001000-memory.dmp
memory/3236-36-0x0000000003000000-0x0000000003001000-memory.dmp
Analysis: behavioral3
Detonation Overview
Submitted
2024-10-16 02:39
Reported
2024-10-16 02:42
Platform
win7-20240903-en
Max time kernel
120s
Max time network
121s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\wy.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key created | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main | C:\Users\Admin\AppData\Local\Temp\wy.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\wy.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\wy.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\wy.exe
"C:\Users\Admin\AppData\Local\Temp\wy.exe"
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | wy.37wan.com | udp |
| CN | 42.194.172.182:80 | wy.37wan.com | tcp |
Files
C:\ProgramData\37wan\wy\Lander.ini
| MD5 | 3cae722a37d3cffdf71647fbf7b50f56 |
| SHA1 | 44906fea32090d13b297a32f1141aa101a14d238 |
| SHA256 | acc9689be70a19f34911e0505a8c96df28e50365df419e543fbba28531e4341c |
| SHA512 | d58698799af977335e2c7bc3284905bd8e684e4fd4dc00f29537a9e5f1019e4ca94a404c7760e5650d45de921513bf7c4eaef833f76228b722b966de7edf8639 |
memory/1292-7-0x0000000000140000-0x0000000000141000-memory.dmp
memory/1292-8-0x0000000000140000-0x0000000000141000-memory.dmp
Analysis: behavioral4
Detonation Overview
Submitted
2024-10-16 02:39
Reported
2024-10-16 02:42
Platform
win10v2004-20241007-en
Max time kernel
139s
Max time network
123s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\wy.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\wy.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\wy.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\wy.exe
"C:\Users\Admin\AppData\Local\Temp\wy.exe"
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | wy.37wan.com | udp |
| CN | 42.194.172.182:80 | wy.37wan.com | tcp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.99.105.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
Files
C:\ProgramData\37wan\wy\Lander.ini
| MD5 | 3cae722a37d3cffdf71647fbf7b50f56 |
| SHA1 | 44906fea32090d13b297a32f1141aa101a14d238 |
| SHA256 | acc9689be70a19f34911e0505a8c96df28e50365df419e543fbba28531e4341c |
| SHA512 | d58698799af977335e2c7bc3284905bd8e684e4fd4dc00f29537a9e5f1019e4ca94a404c7760e5650d45de921513bf7c4eaef833f76228b722b966de7edf8639 |
memory/3564-7-0x0000000003160000-0x0000000003161000-memory.dmp
memory/3564-8-0x0000000003160000-0x0000000003161000-memory.dmp