Analysis Overview
SHA256
4bbb3b453847242076fecd01be594d5bd506e2f56e861a30e589177769435581
Threat Level: Shows suspicious behavior
The file 6632b5a004da336598134d299c274598_JaffaCakes118 was classified as showing suspicious behavior (the report assigns no malware family).
Malicious Activity Summary
Reads user/profile data of web browsers
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15: T1614.001 System Language Discovery (sub-technique of T1614 System Location Discovery), from the NLS\Language registry reads recorded in the behavioral analyses below
Analysis: static1
Detonation Overview
Reported
2024-10-21 08:51
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-21 08:51
Reported
2024-10-21 08:54
Platform
win7-20240903-en
Max time kernel
121s
Max time network
122s
Command Line
Signatures
Reads user/profile data of web browsers
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\6632b5a004da336598134d299c274598_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam (repeated GetForegroundWindow polling, commonly used to check that a user is actively switching windows before the program proceeds)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6632b5a004da336598134d299c274598_JaffaCakes118.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2316 wrote to memory of 2148 (4 writes) | N/A | C:\Users\Admin\AppData\Local\Temp\6632b5a004da336598134d299c274598_JaffaCakes118.exe | C:\Windows\SysWOW64\cmd.exe |
Note: every write targets PID 2148, the cmd.exe child the sample launched itself (see Processes below). A parent writing into a child it has just created is part of normal process startup and is not by itself evidence of injection into an unrelated process.
Processes
C:\Users\Admin\AppData\Local\Temp\6632b5a004da336598134d299c274598_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\6632b5a004da336598134d299c274598_JaffaCakes118.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\929.bat
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | www.softologic.com | udp |
| US | 76.223.54.146:80 | www.softologic.com | tcp |
| US | 8.8.8.8:53 | api.mixpanel.com | udp |
| US | 107.178.240.159:80 | api.mixpanel.com | tcp |
Files
memory/2316-0-0x0000000002AD0000-0x0000000002C14000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\929.bat
| MD5 | d938d05bea46c04b32211976fb9d17f0 |
| SHA1 | e8ce96cdd5b0006ebcf511071981eb9c98dab55f |
| SHA256 | 90d0c0d05f4a107ea03fe83df4e2f570cab92d2f5edc47157311e79849378354 |
| SHA512 | a543cf14d73bd55af3915338779a28ff256dbdb964407c32f962fff9223010cf5bfc5f47597f8147120bc31fd15d57ffe9a59a423488c1564277c639fe1a3f0b |
C:\Users\Admin\AppData\Local\Temp\43619.exe (same MD5/SHA1/SHA256/SHA512 as the submitted sample: a copy of the sample itself written to %TEMP%)
| MD5 | 6632b5a004da336598134d299c274598 |
| SHA1 | 36cc876002ab5f87fc1e0d3e61263858c7d20804 |
| SHA256 | 4bbb3b453847242076fecd01be594d5bd506e2f56e861a30e589177769435581 |
| SHA512 | 1fde3998eee550678dccf674747dcff4e3e3065609058bdd9d561b890ae3c8e860bd229c6563c083dad06a5d77f4c7c86e873ba3fcfb935e0156558644950e4d |
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-21 08:51
Reported
2024-10-21 08:54
Platform
win10v2004-20241007-en
Max time kernel
140s
Max time network
123s
Command Line
Signatures
Reads user/profile data of web browsers
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\6632b5a004da336598134d299c274598_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam (repeated GetForegroundWindow polling, commonly used to check that a user is actively switching windows before the program proceeds)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6632b5a004da336598134d299c274598_JaffaCakes118.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2028 wrote to memory of 4416 (3 writes) | N/A | C:\Users\Admin\AppData\Local\Temp\6632b5a004da336598134d299c274598_JaffaCakes118.exe | C:\Windows\SysWOW64\cmd.exe |
Note: as in behavioral1, the only target is the cmd.exe child (PID 4416) that the sample launched itself, which matches ordinary process creation rather than injection into another process.
Processes
C:\Users\Admin\AppData\Local\Temp\6632b5a004da336598134d299c274598_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\6632b5a004da336598134d299c274598_JaffaCakes118.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\875.bat
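Both detonations show the same chain: the sample, running from %TEMP%, launches cmd.exe /c on a batch file it wrote to %TEMP% (929.bat on Win7, 875.bat on Win10). In the second run the command line names system32\cmd.exe but the image that loads is SysWOW64\cmd.exe, which is WoW64 file-system redirection and tells you the parent is a 32-bit process. The Python below is an added example, not part of the sandbox report, that flags that chain in process-creation events. The event records are constructed from the PIDs, images and command lines listed in the two Processes sections plus one benign control; the field names and the TEMP_DIRS list are assumptions for the example, not any product's schema.

```python
import re
from dataclasses import dataclass

# Constructed process-creation events modelled on the two chains in this
# report (PIDs, images and command lines as listed above). The third event is
# a benign control. Field names are assumed for the example, not an EDR schema.
EVENTS = [
    {"pid": 2148, "ppid": 2316,
     "image": r"C:\Windows\SysWOW64\cmd.exe",
     "parent_image": r"C:\Users\Admin\AppData\Local\Temp\6632b5a004da336598134d299c274598_JaffaCakes118.exe",
     "cmdline": r"cmd /c C:\Users\Admin\AppData\Local\Temp\929.bat"},
    {"pid": 4416, "ppid": 2028,
     "image": r"C:\Windows\SysWOW64\cmd.exe",
     "parent_image": r"C:\Users\Admin\AppData\Local\Temp\6632b5a004da336598134d299c274598_JaffaCakes118.exe",
     "cmdline": r"C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\875.bat"},
    {"pid": 5120, "ppid": 1234,
     "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r"cmd /c dir C:\Users\Admin\Documents"},
]

# Assumed list of directories a dropped-and-executed payload usually lives in.
TEMP_DIRS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\")
# Everything after "/c" on a cmd.exe command line.
CMD_C_RE = re.compile(r"\s/c\s+(.*)$", re.I)
# A .bat/.cmd path in that tail: either quoted (may contain spaces) or bare.
SCRIPT_RE = re.compile(
    r'"([a-z]:\\[^"]+?\.(?:bat|cmd))"|(?:^|\s)([a-z]:\\[^"\s]+?\.(?:bat|cmd))(?=\s|$)',
    re.I)


@dataclass(frozen=True)
class Finding:
    pid: int
    ppid: int
    script: str
    wow64: bool  # cmd.exe loaded from SysWOW64, i.e. the parent is 32-bit


def in_temp(path: str) -> bool:
    return any(d in path.lower() for d in TEMP_DIRS)


def cmd_c_script(cmdline: str):
    """Return the .bat/.cmd path given to cmd.exe /c, or None if there is none."""
    m = CMD_C_RE.search(cmdline)
    if not m:
        return None
    s = SCRIPT_RE.search(m.group(1))
    return (s.group(1) or s.group(2)) if s else None


def flag_temp_batch_chain(events):
    """Flag cmd.exe children whose parent runs from a temp directory AND whose
    /c argument is a batch script in a temp directory; both must hold, so
    explorer.exe running "cmd /c dir" is not reported."""
    findings = []
    for e in events:
        if not e["image"].lower().endswith("\\cmd.exe"):
            continue
        script = cmd_c_script(e["cmdline"])
        if script is None or not (in_temp(e["parent_image"]) and in_temp(script)):
            continue
        findings.append(Finding(e["pid"], e["ppid"], script,
                                "\\syswow64\\" in e["image"].lower()))
    return findings


if __name__ == "__main__":
    for f in flag_temp_batch_chain(EVENTS):
        print(f"parent {f.ppid} -> cmd.exe {f.pid}: runs {f.script} (wow64={f.wow64})")
```

Requiring both conditions keeps the rule quiet on legitimate installers that run cmd /c from Program Files, while still catching the quoted form ("C:\...\x.bat") that the report's own command lines happen not to use.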
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.30.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.30.171.150.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 72.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.softologic.com | udp |
| US | 13.248.169.48:80 | www.softologic.com | tcp |
| US | 8.8.8.8:53 | 48.169.248.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | api.mixpanel.com | udp |
| US | 130.211.34.183:80 | api.mixpanel.com | tcp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.34.211.130.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 98.117.19.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
Files
memory/2028-0-0x0000000004D60000-0x0000000004EA4000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\875.bat
| MD5 | 2737aa08c48a947cf15191577c9d8b54 |
| SHA1 | 455d5b243b0ff07fa555ffced989de9b5737596c |
| SHA256 | 0b1175d2da76322f3a8f88ba4d903839b88bf0007684bafe3360b892ed32bd52 |
| SHA512 | 544b423e1c115e96b830ced596dcfe8ad46f0f1bd22f67b3e83281f7dd59f2177d39f854e369957e7762fec08f9e094f5bff90aa384a358e07ec0f6861bd088b |
C:\Users\Admin\AppData\Local\Temp\43619.exe (same hashes as the submitted sample, as in behavioral1: the sample copies itself to %TEMP%)
| MD5 | 6632b5a004da336598134d299c274598 |
| SHA1 | 36cc876002ab5f87fc1e0d3e61263858c7d20804 |
| SHA256 | 4bbb3b453847242076fecd01be594d5bd506e2f56e861a30e589177769435581 |
| SHA512 | 1fde3998eee550678dccf674747dcff4e3e3065609058bdd9d561b890ae3c8e860bd229c6563c083dad06a5d77f4c7c86e873ba3fcfb935e0156558644950e4d |
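Read together, the two detonations separate the sample's own traffic from sandbox and OS background noise: www.softologic.com and api.mixpanel.com are contacted on both Win7 and Win10, the Bing hosts and the in-addr.arpa reverse lookups appear only on Win10, and softologic resolved to a different address in each run (76.223.54.146 vs 13.248.169.48), so the domain is the durable indicator, not the IP. Likewise the dropped batch file has a different name and hash per run, while 43619.exe carries the submitted sample's hashes in both. The Python below is an added example, not part of the report, that encodes that triage over the rows above (copied into constants; the Win10 network list is reduced to one row per distinct destination). Treating *.bing.com and *.bing.net as Windows background traffic is an assumption stated in the code; api.mixpanel.com is a public analytics API, so record it but weight it lower than an unknown domain.

```python
from collections import defaultdict

SUBMITTED_SHA256 = "4bbb3b453847242076fecd01be594d5bd506e2f56e861a30e589177769435581"
SHA256_929_BAT = "90d0c0d05f4a107ea03fe83df4e2f570cab92d2f5edc47157311e79849378354"
SHA256_875_BAT = "0b1175d2da76322f3a8f88ba4d903839b88bf0007684bafe3360b892ed32bd52"

# Network rows from the two detonations above, as (platform, destination,
# domain, proto); the Win10 rows are reduced to one per distinct destination.
NETWORK = [
    ("win7",  "8.8.8.8:53",         "www.softologic.com",         "udp"),
    ("win7",  "76.223.54.146:80",   "www.softologic.com",         "tcp"),
    ("win7",  "8.8.8.8:53",         "api.mixpanel.com",           "udp"),
    ("win7",  "107.178.240.159:80", "api.mixpanel.com",           "tcp"),
    ("win10", "8.8.8.8:53",         "8.8.8.8.in-addr.arpa",       "udp"),
    ("win10", "8.8.8.8:53",         "g.bing.com",                 "udp"),
    ("win10", "150.171.30.10:443",  "g.bing.com",                 "tcp"),
    ("win10", "8.8.8.8:53",         "www.softologic.com",         "udp"),
    ("win10", "13.248.169.48:80",   "www.softologic.com",         "tcp"),
    ("win10", "8.8.8.8:53",         "48.169.248.13.in-addr.arpa", "udp"),
    ("win10", "8.8.8.8:53",         "api.mixpanel.com",           "udp"),
    ("win10", "130.211.34.183:80",  "api.mixpanel.com",           "tcp"),
    ("win10", "8.8.8.8:53",         "tse1.mm.bing.net",           "udp"),
    ("win10", "150.171.28.10:443",  "tse1.mm.bing.net",           "tcp"),
]

# Dropped files from the two Files sections, as (platform, path, sha256).
FILES = [
    ("win7",  "C:\\Users\\Admin\\AppData\\Local\\Temp\\929.bat",   SHA256_929_BAT),
    ("win7",  "C:\\Users\\Admin\\AppData\\Local\\Temp\\43619.exe", SUBMITTED_SHA256),
    ("win10", "C:\\Users\\Admin\\AppData\\Local\\Temp\\875.bat",   SHA256_875_BAT),
    ("win10", "C:\\Users\\Admin\\AppData\\Local\\Temp\\43619.exe", SUBMITTED_SHA256),
]

RESOLVER = "8.8.8.8:53"
# Assumption: Bing hosts are Windows 10 background traffic, not the sample's.
OS_NOISE_SUFFIXES = (".bing.com", ".bing.net")


def is_noise(domain: str) -> bool:
    """Reverse lookups and OS telemetry hosts carry no information about the sample."""
    return domain.endswith(".in-addr.arpa") or domain.endswith(OS_NOISE_SUFFIXES)


def contacts_by_domain(rows):
    """{domain: {platform: {destination, ...}}} for non-noise, non-resolver traffic."""
    out = defaultdict(lambda: defaultdict(set))
    for platform, dest, domain, _proto in rows:
        if dest == RESOLVER or is_noise(domain):
            continue
        out[domain][platform].add(dest)
    return {d: dict(p) for d, p in out.items()}


def candidate_iocs(rows, min_platforms=2):
    """Domains seen in at least `min_platforms` detonations, with every endpoint
    observed and whether the resolved IP was the same each time (if not, block
    the domain rather than the address)."""
    result = {}
    for domain, per_platform in contacts_by_domain(rows).items():
        if len(per_platform) < min_platforms:
            continue
        endpoints = sorted(set().union(*per_platform.values()))
        ips = {ep.rsplit(":", 1)[0] for ep in endpoints}
        result[domain] = {"endpoints": endpoints, "stable_ip": len(ips) == 1}
    return result


def stable_drops(files):
    """Dropped paths present in every run with the same hash each time."""
    platforms = {p for p, _, _ in files}
    by_path = defaultdict(dict)
    for platform, path, sha in files:
        by_path[path][platform] = sha
    return {path: next(iter(v.values())) for path, v in by_path.items()
            if set(v) == platforms and len(set(v.values())) == 1}


def self_copies(files, submitted_sha256):
    """Dropped files whose hash equals the submitted sample (the sample copying itself)."""
    return sorted({path for _, path, sha in files if sha == submitted_sha256})


if __name__ == "__main__":
    for domain, info in candidate_iocs(NETWORK).items():
        print(domain, info)
    print("stable drops:", stable_drops(FILES))
    print("self copies:", self_copies(FILES, SUBMITTED_SHA256))
```

The per-run .bat files drop out of stable_drops because their names and hashes differ, which is the practical reason to key on the 43619.exe path and the sample hash rather than on the batch file when writing host indicators.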