Analysis Overview
SHA256
3efad7853c306505003459ad4e19b0a72b2a56b518e48b183f3b381914f2bedf
Threat Level: Shows suspicious behavior
The file 662c739422f581eaac1ae7d52c5d5570_JaffaCakes118 was classified as: shows suspicious behavior.
Malicious Activity Summary
Reads user/profile data of web browsers
Adds Run key to start application
Checks installed software on the system
Suspicious use of SetThreadContext
UPX packed file
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-21 08:42
Signatures
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-21 08:42
Reported
2024-10-21 08:44
Platform
win7-20240903-en
Max time kernel
150s
Max time network
142s
Signatures
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\NetworkChecker = "C:\\Users\\Admin\\AppData\\Local\\Temp\\662c739422f581eaac1ae7d52c5d5570_JaffaCakes118.exe" | C:\Users\Admin\AppData\Local\Temp\662c739422f581eaac1ae7d52c5d5570_JaffaCakes118.exe | N/A |
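The Run-key write above is the report's only persistence indicator: the sample registers itself under the value name NetworkChecker, with the image path pointing back into the user's Temp directory. The following is an added triage helper, not code from the report or from the sample: it parses the sandbox's "Set value (str)" indicator format, converts the NT-native key path (\REGISTRY\MACHINE\...) into the HKLM form used by reg.exe and PowerShell, and applies two heuristics a responder would check on any autostart entry. The first indicator line is copied from this report; the second is a constructed benign entry (a made-up vendor path) so the heuristics have a negative case.

```python
# Indicator lines in the sandbox's "Set value (str)" format. The first is the
# Run-key write recorded in this report; the second is a constructed benign
# entry (not from the report) so the heuristics have a negative case.
SAMPLE_INDICATORS = [
    r'\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\NetworkChecker = "C:\\Users\\Admin\\AppData\\Local\\Temp\\662c739422f581eaac1ae7d52c5d5570_JaffaCakes118.exe"',
    r'\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorUpdater = "C:\\Program Files\\Vendor\\updater.exe"',
]

AUTOSTART_KEYS = (r"\currentversion\run", r"\currentversion\runonce")
# Locations an unprivileged user can write to; a legitimate installer rarely
# autostarts a binary from one of these.
USER_WRITABLE = (r"\appdata\local\temp", r"\appdata\roaming", r"\users\public", r"\programdata")
# NT-native hive prefixes as the sandbox logs them, mapped to Win32 hive names.
NT_TO_WIN32 = {r"\registry\machine": "HKLM", r"\registry\user": "HKU"}


def parse_set_value(indicator):
    """Split '<key>\\<value name> = "<data>"' into its parts, unescaping the data."""
    key_and_name, sep, data = indicator.partition(" = ")
    if not sep:
        raise ValueError("not a Set value indicator: %r" % indicator)
    key, _, value_name = key_and_name.rpartition("\\")
    # The sandbox doubles backslashes inside the data column; undo that.
    image = data.strip().strip('"').replace("\\\\", "\\")
    return {"key": key, "value_name": value_name, "image": image}


def win32_key_path(nt_key):
    """\\REGISTRY\\MACHINE\\SOFTWARE\\... -> HKLM\\SOFTWARE\\... for reg.exe / PowerShell."""
    low = nt_key.lower()
    for prefix, hive in NT_TO_WIN32.items():
        if low.startswith(prefix):
            return hive + nt_key[len(prefix):]
    return nt_key


def assess(entry):
    """Return the reasons this registry write looks like malicious persistence."""
    findings = []
    if not entry["key"].lower().endswith(AUTOSTART_KEYS):
        return findings  # not an autostart location; nothing to flag here
    findings.append("writes an autostart (Run/RunOnce) value")
    image = entry["image"].lower()
    if any(d in image for d in USER_WRITABLE):
        findings.append("autostart image lives in a user-writable directory")
    return findings


if __name__ == "__main__":
    for line in SAMPLE_INDICATORS:
        entry = parse_set_value(line)
        print(win32_key_path(entry["key"]), entry["value_name"], "->", entry["image"])
        for finding in assess(entry):
            print("  !", finding)
```

The Wow6432Node path matters when hunting on a live host: the sample is a 32-bit image, so its write to HKLM\SOFTWARE\...\Run was redirected by WOW64 on the 64-bit sandbox VM. A query that only inspects the native Run key misses it; check both the native and the Wow6432Node Run and RunOnce keys, plus the per-user HKCU equivalents.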
Checks installed software on the system
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2380 set thread context of 1328 | N/A | C:\Users\Admin\AppData\Local\Temp\662c739422f581eaac1ae7d52c5d5570_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\662c739422f581eaac1ae7d52c5d5570_JaffaCakes118.exe |
UPX packed file
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\662c739422f581eaac1ae7d52c5d5570_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\662c739422f581eaac1ae7d52c5d5570_JaffaCakes118.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\662c739422f581eaac1ae7d52c5d5570_JaffaCakes118.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\662c739422f581eaac1ae7d52c5d5570_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\662c739422f581eaac1ae7d52c5d5570_JaffaCakes118.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\662c739422f581eaac1ae7d52c5d5570_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\662c739422f581eaac1ae7d52c5d5570_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\662c739422f581eaac1ae7d52c5d5570_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\662c739422f581eaac1ae7d52c5d5570_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\662c739422f581eaac1ae7d52c5d5570_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\662c739422f581eaac1ae7d52c5d5570_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\662c739422f581eaac1ae7d52c5d5570_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\662c739422f581eaac1ae7d52c5d5570_JaffaCakes118.exe
Network
| Country | Destination | Domain | Proto |
| UA | 94.153.59.219:80 | | tcp |
| RU | 212.193.48.220:80 | | tcp |
| IN | 182.48.250.222:80 | | tcp |
| UA | 109.254.29.224:80 | | tcp |
| US | 93.77.224.224:80 | | tcp |
| RU | 212.193.48.220:80 | | tcp |
| N/A | 127.0.0.1:49230 | | tcp |
| MD | 92.115.105.152:80 | | tcp |
| UA | 176.101.215.153:80 | | tcp |
| UA | 194.44.192.155:80 | | tcp |
| UA | 77.122.172.157:80 | | tcp |
| UA | 178.54.106.166:80 | | tcp |
| UA | 77.122.88.180:80 | | tcp |
| UA | 91.123.152.185:80 | | tcp |
| JP | 118.86.178.192:80 | | tcp |
| US | 24.127.186.193:80 | | tcp |
| ES | 176.104.95.199:80 | | tcp |
| DE | 194.146.199.200:80 | | tcp |
| NL | 94.156.117.202:80 | | tcp |
| BE | 62.72.177.204:80 | | tcp |
| UA | 176.120.112.205:80 | | tcp |
| UA | 77.122.254.206:80 | | tcp |
| JP | 126.116.166.140:80 | | tcp |
| IN | 117.211.72.142:80 | | tcp |
| US | 162.72.36.143:80 | | tcp |
| UA | 109.162.87.144:80 | | tcp |
| UA | 109.86.140.145:80 | | tcp |
| UA | 95.215.218.57:80 | | tcp |
| GE | 5.178.165.58:80 | | tcp |
| RU | 109.227.197.58:80 | | tcp |
| UA | 195.140.231.58:80 | | tcp |
| RS | 5.57.79.65:80 | | tcp |
| PT | 79.169.10.44:80 | | tcp |
| UA | 95.69.163.44:80 | | tcp |
| NL | 109.234.35.48:80 | | tcp |
| UA | 178.215.184.52:80 | | tcp |
| US | 93.77.108.54:80 | | tcp |
| NL | 85.17.31.111:80 | | tcp |
| DE | 89.40.127.113:80 | | tcp |
| UA | 77.123.9.120:80 | | tcp |
| UA | 141.170.234.120:80 | | tcp |
| UA | 77.122.234.122:80 | | tcp |
Files
memory/2380-0-0x00000000003A0000-0x00000000003A4000-memory.dmp
memory/1328-5-0x0000000000400000-0x0000000000645000-memory.dmp
memory/1328-1-0x00000000001B0000-0x00000000002AA000-memory.dmp
memory/1328-3-0x0000000000400000-0x0000000000645000-memory.dmp
memory/1328-15-0x0000000000400000-0x0000000000645000-memory.dmp
memory/1328-16-0x0000000000400000-0x0000000000645000-memory.dmp
memory/1328-13-0x0000000000400000-0x0000000000645000-memory.dmp
memory/1328-11-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/1328-9-0x0000000000400000-0x0000000000645000-memory.dmp
memory/1328-7-0x0000000000400000-0x0000000000645000-memory.dmp
memory/1328-17-0x0000000000400000-0x0000000000645000-memory.dmp
memory/1328-19-0x0000000000400000-0x0000000000645000-memory.dmp
memory/1328-21-0x0000000000400000-0x0000000000645000-memory.dmp
memory/1328-18-0x0000000000400000-0x0000000000645000-memory.dmp
memory/1328-23-0x0000000000400000-0x0000000000645000-memory.dmp
memory/1328-25-0x0000000000400000-0x0000000000645000-memory.dmp
memory/1328-24-0x0000000000400000-0x0000000000645000-memory.dmp
memory/1328-22-0x0000000000400000-0x0000000000645000-memory.dmp
memory/1328-26-0x0000000000400000-0x0000000000645000-memory.dmp
memory/1328-27-0x0000000000400000-0x0000000000645000-memory.dmp
memory/1328-28-0x0000000000400000-0x0000000000645000-memory.dmp
memory/1328-29-0x0000000000400000-0x0000000000645000-memory.dmp
memory/1328-30-0x0000000000400000-0x0000000000645000-memory.dmp
memory/1328-32-0x0000000000400000-0x0000000000645000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-21 08:42
Reported
2024-10-21 08:44
Platform
win10v2004-20241007-en
Max time kernel
149s
Max time network
150s
Signatures
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\NetworkChecker = "C:\\Users\\Admin\\AppData\\Local\\Temp\\662c739422f581eaac1ae7d52c5d5570_JaffaCakes118.exe" | C:\Users\Admin\AppData\Local\Temp\662c739422f581eaac1ae7d52c5d5570_JaffaCakes118.exe | N/A |
Checks installed software on the system
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1836 set thread context of 2880 | N/A | C:\Users\Admin\AppData\Local\Temp\662c739422f581eaac1ae7d52c5d5570_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\662c739422f581eaac1ae7d52c5d5570_JaffaCakes118.exe |
UPX packed file
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\662c739422f581eaac1ae7d52c5d5570_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\662c739422f581eaac1ae7d52c5d5570_JaffaCakes118.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\662c739422f581eaac1ae7d52c5d5570_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\662c739422f581eaac1ae7d52c5d5570_JaffaCakes118.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\662c739422f581eaac1ae7d52c5d5570_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\662c739422f581eaac1ae7d52c5d5570_JaffaCakes118.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\662c739422f581eaac1ae7d52c5d5570_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\662c739422f581eaac1ae7d52c5d5570_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\662c739422f581eaac1ae7d52c5d5570_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\662c739422f581eaac1ae7d52c5d5570_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\662c739422f581eaac1ae7d52c5d5570_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\662c739422f581eaac1ae7d52c5d5570_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\662c739422f581eaac1ae7d52c5d5570_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\662c739422f581eaac1ae7d52c5d5570_JaffaCakes118.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 102.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| UA | 94.153.59.219:80 | | tcp |
| RU | 212.193.48.220:80 | | tcp |
| IN | 182.48.250.222:80 | | tcp |
| UA | 109.254.29.224:80 | | tcp |
| US | 93.77.224.224:80 | | tcp |
| RU | 212.193.48.220:80 | | tcp |
| US | 8.8.8.8:53 | 220.48.193.212.in-addr.arpa | udp |
| JP | 125.194.238.92:80 | | tcp |
| UA | 176.122.119.93:80 | | tcp |
| UA | 5.105.69.96:80 | | tcp |
| UA | 178.74.194.98:80 | | tcp |
| DK | 182.160.41.101:80 | | tcp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| N/A | 127.0.0.1:59179 | | tcp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| GE | 5.178.165.58:80 | | tcp |
| RU | 109.227.197.58:80 | | tcp |
| UA | 195.140.231.58:80 | | tcp |
| RS | 5.57.79.65:80 | | tcp |
| UA | 46.219.55.66:80 | | tcp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 98.117.19.2.in-addr.arpa | udp |
| UA | 77.120.227.236:80 | | tcp |
| PL | 91.203.158.237:80 | | tcp |
| AR | 201.217.230.237:80 | | tcp |
| UA | 62.182.84.239:80 | | tcp |
| UA | 37.115.88.240:80 | | tcp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| UA | 62.182.83.40:80 | | tcp |
| US | 99.183.225.41:80 | | tcp |
| IN | 115.118.233.41:80 | | tcp |
| UA | 37.57.38.43:80 | | tcp |
| MD | 188.138.227.43:80 | | tcp |
| UA | 62.182.83.40:80 | | tcp |
| UA | 95.215.218.57:80 | | tcp |
| UA | 109.87.233.72:80 | | tcp |
| BY | 46.216.43.73:80 | | tcp |
| CA | 24.138.92.76:80 | | tcp |
| AM | 178.160.207.76:80 | | tcp |
| US | 8.8.8.8:53 | 40.83.182.62.in-addr.arpa | udp |
| N/A | 127.0.0.1:59227 | | tcp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 73.226.22.12:80 | | tcp |
| GB | 89.37.68.13:80 | | tcp |
| RO | 86.124.178.13:80 | | tcp |
| UA | 77.121.34.16:80 | | tcp |
| LT | 86.38.126.17:80 | | tcp |
| N/A | 127.0.0.1:59247 | | tcp |
| GB | 89.37.68.13:80 | | tcp |
| US | 8.8.8.8:53 | 13.68.37.89.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| JP | 221.254.34.124:80 | | tcp |
| US | 93.79.75.125:80 | | tcp |
| US | 93.77.121.129:80 | | tcp |
| GE | 134.90.46.132:80 | | tcp |
| UA | 91.215.24.136:80 | | tcp |
| RU | 31.28.108.209:80 | | tcp |
| US | 208.103.21.210:80 | | tcp |
| UA | 5.248.99.212:80 | | tcp |
| MD | 89.149.112.212:80 | | tcp |
| UA | 178.165.11.214:80 | | tcp |
| US | 8.8.8.8:53 | 49.192.11.51.in-addr.arpa | udp |
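Both detonations show the same network pattern: dozens of direct TCP connections to port 80 on hosts spread across many countries (Ukraine dominating), with no DNS lookup preceding any of them. The 8.8.8.8 PTR queries and the tse1.mm.bing.net traffic appear only in the Windows 10 run and are most likely operating-system background activity rather than the sample's own traffic; that attribution is an assumption, not something the report states. The script below is an added example, not part of the report or of any sandbox tooling: it parses the Network table rows as extracted on this page (including rows where the protocol was shifted into the Domain column and a row missing its trailing pipe), drops loopback, resolver and background-noise rows, and reduces the rest to a deduplicated endpoint list with a per-country breakdown. The embedded rows are copied from the two tables above; running it over the full tables gives the complete IOC list.

```python
from collections import Counter
from ipaddress import ip_address

# Rows copied from this report's Network tables. Some carry the protocol in the
# Domain column with an empty Proto cell, and one lacks the trailing pipe,
# exactly as the extracted page shows them; the parser tolerates both layouts.
SAMPLE_ROWS = """\
| Country | Destination | Domain | Proto |
| UA | 94.153.59.219:80 | tcp | |
| RU | 212.193.48.220:80 | tcp | |
| RU | 212.193.48.220:80 | tcp | |
| N/A | 127.0.0.1:49230 | tcp | |
| US | 8.8.8.8:53 | 220.48.193.212.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| UA | 77.122.234.122:80 | tcp
"""

# Assumption: reverse lookups and the Bing tile service are sandbox/OS
# background traffic, not traffic generated by the sample.
NOISE_DOMAIN_SUFFIXES = (".in-addr.arpa", "bing.net")
RESOLVER = ("8.8.8.8", 53)


def parse_rows(text):
    """Turn pipe-delimited table rows into connection dicts, whatever the column drift."""
    conns = []
    for line in text.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) < 3 or cells[0] == "Country":
            continue
        country, dest = cells[0], cells[1]
        rest = [c for c in cells[2:] if c]
        proto = next((c for c in rest if c.lower() in ("tcp", "udp")), "")
        domain = next((c for c in rest if c != proto), "")
        ip, _, port = dest.rpartition(":")
        conns.append({"country": country, "ip": ip, "port": int(port),
                      "domain": domain, "proto": proto.lower()})
    return conns


def sample_connections(conns):
    """Keep only connections attributable to the sample itself."""
    keep = []
    for c in conns:
        addr = ip_address(c["ip"])
        if addr.is_loopback or addr.is_private:
            continue
        if (c["ip"], c["port"]) == RESOLVER:
            continue
        if c["domain"].endswith(NOISE_DOMAIN_SUFFIXES):
            continue
        keep.append(c)
    return keep


def summarize(conns):
    iocs = sample_connections(conns)
    unique = {(c["country"], "%s:%d" % (c["ip"], c["port"])) for c in iocs}
    return {
        "endpoints": sorted(ep for _, ep in unique),
        "by_country": Counter(country for country, _ in unique),
        "ports": Counter(c["port"] for c in iocs),
        # If every surviving connection went straight to an IP, the address
        # list is hard-coded in the binary rather than resolved at run time.
        "resolved_any": any(c["domain"] for c in iocs),
    }


if __name__ == "__main__":
    result = summarize(parse_rows(SAMPLE_ROWS))
    print("\n".join(result["endpoints"]))
    print(dict(result["by_country"]), dict(result["ports"]), "resolved:", result["resolved_any"])
```

The practitioner-relevant output is the combination: all surviving endpoints are tcp/80, none was resolved through DNS, and the destinations are scattered across residential and hosting ranges in many countries. That is consistent with a hard-coded peer or C2 list carried in the binary. Treat the IP list as short-lived indicators and pair it with the host artifacts (the NetworkChecker Run value and the self-relaunch) for detection that survives infrastructure rotation.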
Files
memory/1836-0-0x0000000002260000-0x0000000002264000-memory.dmp
memory/2880-1-0x0000000000400000-0x0000000000645000-memory.dmp
memory/2880-3-0x0000000000400000-0x0000000000645000-memory.dmp
memory/2880-4-0x0000000000400000-0x0000000000645000-memory.dmp
memory/2880-5-0x0000000000400000-0x0000000000645000-memory.dmp
memory/2880-6-0x0000000000400000-0x0000000000645000-memory.dmp
memory/2880-9-0x0000000000400000-0x0000000000645000-memory.dmp
memory/2880-8-0x0000000000400000-0x0000000000645000-memory.dmp
memory/2880-11-0x0000000000400000-0x0000000000645000-memory.dmp
memory/2880-10-0x0000000000400000-0x0000000000645000-memory.dmp
memory/2880-13-0x0000000000400000-0x0000000000645000-memory.dmp
memory/2880-12-0x0000000000400000-0x0000000000645000-memory.dmp
memory/2880-14-0x0000000000400000-0x0000000000645000-memory.dmp
memory/2880-15-0x0000000000400000-0x0000000000645000-memory.dmp
memory/2880-16-0x0000000000400000-0x0000000000645000-memory.dmp
memory/2880-19-0x0000000000400000-0x0000000000645000-memory.dmp
memory/2880-24-0x0000000000400000-0x0000000000645000-memory.dmp
memory/2880-25-0x0000000000400000-0x0000000000645000-memory.dmp
memory/2880-27-0x0000000000400000-0x0000000000645000-memory.dmp
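In both detonations the sample starts a second copy of itself and calls SetThreadContext on it (PID 2380 on 1328 under Windows 7, PID 1836 on 2880 under Windows 10), and in both runs the sandbox then repeatedly dumps the child's 0x400000-0x645000 range while the parent contributes only one 16 KiB region. A rewritten region at 0x400000, the linker's default image base for 32-bit PE files, in a freshly started child that the parent wrote to and redirected is the classic process-hollowing (RunPE) footprint, and the UPX packing signature suggests the dumped child region is where an unpacked payload would be. The following is an added triage helper, not code from the report or from the sample: it parses the SetThreadContext indicator and the memory-dump file names, ties the event to the most frequently dumped region of the target, and includes the PE-header check a responder would run on that dump to confirm a payload image rather than scratch memory. The event string and the dump names are copied from the behavioral1 sections above (a subset of the Files list).

```python
import re
from collections import Counter

# Copied from this report's behavioral1 run: the SetThreadContext indicator
# and a subset of the memory-dump names from the Files list.
SET_CONTEXT_EVENT = "PID 2380 set thread context of 1328"
MEMORY_DUMPS = [
    "memory/2380-0-0x00000000003A0000-0x00000000003A4000-memory.dmp",
    "memory/1328-1-0x00000000001B0000-0x00000000002AA000-memory.dmp",
    "memory/1328-3-0x0000000000400000-0x0000000000645000-memory.dmp",
    "memory/1328-5-0x0000000000400000-0x0000000000645000-memory.dmp",
    "memory/1328-11-0x000000007EFDE000-0x000000007EFDF000-memory.dmp",
    "memory/1328-32-0x0000000000400000-0x0000000000645000-memory.dmp",
]

DUMP_RE = re.compile(r"memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp")
EVENT_RE = re.compile(r"PID (\d+) set thread context of (\d+)")
DEFAULT_IMAGE_BASE_X86 = 0x400000  # linker default ImageBase for 32-bit PE files


def parse_dump(name):
    """memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp -> dict of ints."""
    m = DUMP_RE.fullmatch(name)
    if m is None:
        raise ValueError("unexpected dump name: %r" % name)
    pid, seq, start, end = m.groups()
    return {"pid": int(pid), "seq": int(seq), "start": int(start, 16), "end": int(end, 16)}


def summarize_injection(event, dump_names):
    """Tie a SetThreadContext event to the region most often dumped from its target."""
    m = EVENT_RE.fullmatch(event)
    if m is None:
        raise ValueError("unexpected event: %r" % event)
    src, dst = int(m.group(1)), int(m.group(2))
    dumps = [parse_dump(n) for n in dump_names]
    target_regions = Counter((d["start"], d["end"]) for d in dumps if d["pid"] == dst)
    if not target_regions:
        raise ValueError("no dumps recorded for target PID %d" % dst)
    (start, end), hits = target_regions.most_common(1)[0]
    return {
        "source_pid": src,
        "target_pid": dst,
        "target_region": (start, end),
        "target_region_size": end - start,
        "target_region_dumps": hits,
        # A rewritten region at the default image base is the hollowing/RunPE
        # footprint; confirm by checking the dump itself for a PE header.
        "target_region_is_image_base": start == DEFAULT_IMAGE_BASE_X86,
        "source_regions": sorted({(d["start"], d["end"]) for d in dumps if d["pid"] == src}),
    }


def has_pe_header(buf):
    """True if buf starts with a DOS header whose e_lfanew points at the 'PE\\0\\0' signature."""
    if len(buf) < 0x40 or buf[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(buf[0x3C:0x40], "little")
    return buf[e_lfanew:e_lfanew + 4] == b"PE\0\0"


if __name__ == "__main__":
    s = summarize_injection(SET_CONTEXT_EVENT, MEMORY_DUMPS)
    print("PID %d -> PID %d, region 0x%X-0x%X (0x%X bytes), dumped %d times, image base: %s"
          % (s["source_pid"], s["target_pid"], *s["target_region"],
             s["target_region_size"], s["target_region_dumps"], s["target_region_is_image_base"]))
    # On a real dump: has_pe_header(open("memory/1328-32-...-memory.dmp", "rb").read())
```

Two caveats apply before calling this hollowing. The parent and child share the same executable path, so the event could also be a benign self-restart that adjusts a thread context; what separates the two is whether the dumped 0x400000 region in the child contains a PE image that differs from the on-disk file, which is exactly what the has_pe_header check followed by a hash comparison establishes. And the sandbox dumps a region each time it changes, so the dump count is a rough signal of how busy the payload is, not a measure of how much was injected.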