Analysis Overview
SHA256
6bf6f18df46b254364440d9db40d5b3290bb7c1600395259b7423e407a3f7aa0
Threat Level: Shows suspicious behavior
The file 7633d70b7dd502e3d9b95c6c35773d89_JaffaCakes118 was found to be: Shows suspicious behavior.
Malicious Activity Summary
Reads user/profile data of web browsers
Loads dropped DLL
Executes dropped EXE
Adds Run key to start application
UPX packed file
Program crash
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Modifies Internet Explorer settings
Modifies Internet Explorer Phishing Filter
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-27 22:14
Signatures
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-27 22:14
Reported
2024-10-27 22:19
Platform
win7-20240708-en
Max time kernel
150s
Max time network
148s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\timer2tray\timer2tray.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\oALFA75.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7633d70b7dd502e3d9b95c6c35773d89_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7633d70b7dd502e3d9b95c6c35773d89_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\timer2tray\timer2tray.exe | N/A |
| N/A | N/A | C:\timer2tray\timer2tray.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\8E638A6D01AD0E10 = "C:\\timer2tray\\timer2tray.exe /q" | C:\Users\Admin\AppData\Local\Temp\oALFA75.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7633d70b7dd502e3d9b95c6c35773d89_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\timer2tray\timer2tray.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\oALFA75.exe | N/A |
Modifies Internet Explorer Phishing Filter
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\PhishingFilter | C:\Users\Admin\AppData\Local\Temp\oALFA75.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\PhishingFilter\EnabledV8 = "0" | C:\Users\Admin\AppData\Local\Temp\oALFA75.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\PhishingFilter\ShownServiceDownBalloon = "0" | C:\Users\Admin\AppData\Local\Temp\oALFA75.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery | C:\Users\Admin\AppData\Local\Temp\oALFA75.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\ClearBrowsingHistoryOnExit = "0" | C:\Users\Admin\AppData\Local\Temp\oALFA75.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\7633d70b7dd502e3d9b95c6c35773d89_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\7633d70b7dd502e3d9b95c6c35773d89_JaffaCakes118.exe"
C:\timer2tray\timer2tray.exe
"C:\timer2tray\timer2tray.exe"
C:\Users\Admin\AppData\Local\Temp\oALFA75.exe
"C:\Users\Admin\AppData\Local\Temp\oALFA75.exe"
Network
| Country | Destination | Domain | Proto |
| UA | 91.197.130.121:80 | | tcp |
| N/A | 127.0.0.1:49295 | | tcp |
| UA | 217.12.215.133:1672 | | tcp |
| US | 8.8.8.8:53 | vsenormalno.com | udp |
| DE | 64.190.63.222:80 | vsenormalno.com | tcp |
Files
memory/1764-0-0x0000000000400000-0x00000000004AF000-memory.dmp
memory/1764-1-0x0000000000220000-0x0000000000239000-memory.dmp
memory/1764-2-0x0000000000400000-0x00000000004AF000-memory.dmp
memory/1764-4-0x0000000000400000-0x00000000004AF000-memory.dmp
memory/1764-3-0x0000000000400000-0x00000000004AF000-memory.dmp
memory/1764-10-0x0000000000400000-0x00000000004AF000-memory.dmp
memory/1764-6-0x0000000000250000-0x0000000000251000-memory.dmp
\timer2tray\timer2tray.exe
| MD5 | 7633d70b7dd502e3d9b95c6c35773d89 |
| SHA1 | 642163111e58eef3dc2642f2503e123b561a2bc7 |
| SHA256 | 6bf6f18df46b254364440d9db40d5b3290bb7c1600395259b7423e407a3f7aa0 |
| SHA512 | 71556bb176ef7a2bf315043a4f756c3043e5046c41fdd827f66ae3811418c1bd0db78a0fb4b3a81c6f44f2beb8e5b10ca6719833d09ecc769c59c3d6e862c60f |
memory/1764-5-0x0000000000250000-0x0000000000251000-memory.dmp
memory/2788-20-0x0000000000400000-0x00000000004AF000-memory.dmp
memory/2788-19-0x0000000000400000-0x00000000004AF000-memory.dmp
memory/1764-18-0x0000000001F00000-0x0000000001FAF000-memory.dmp
memory/2788-21-0x0000000000400000-0x00000000004AF000-memory.dmp
memory/2788-25-0x0000000000400000-0x00000000004AF000-memory.dmp
\Users\Admin\AppData\Local\Temp\oALFA75.exe
| MD5 | 29090b6b4d6605a97ac760d06436ac2d |
| SHA1 | d929d3389642e52bae5ad8512293c9c4d3e4fab5 |
| SHA256 | 98a24f0caf5b578e230e6f1103a5fba6aecb28a9128cad5520fcde546d643272 |
| SHA512 | 9121ec42fa66e14a4fc3932c8dbcc8fb1a93ab9de00da57a82e176faa70b73f6992f8c5e2ab52c02fc28c8f0c59aee73b6fbbd39107db7d15105054f4390e9be |
memory/2940-32-0x0000000000240000-0x000000000028D000-memory.dmp
memory/2940-38-0x0000000000240000-0x000000000028D000-memory.dmp
memory/2940-43-0x0000000001000000-0x0000000001004000-memory.dmp
memory/2940-42-0x0000000001001000-0x0000000001002000-memory.dmp
memory/2940-40-0x0000000000240000-0x000000000028D000-memory.dmp
C:\timer2tray\config.bin
| MD5 | efc7914a129bca76288317eecee6a741 |
| SHA1 | 5c5a90bc10bafd47736b97acea2953f4b15be0a7 |
| SHA256 | 13f06fd1d2294a84af960e2caf281af4250a91bc3522261f57ccdb7784817649 |
| SHA512 | aecf475b10a80480efc70195781daf049bf993711b587bff5dcbd0a96097efe57acec2e234f4931e996d27b42afbad3098a0f879d7a16ee7503963ffdf072d47 |
memory/2940-37-0x0000000000240000-0x000000000028D000-memory.dmp
memory/2940-54-0x000000000BAD0000-0x000000000BB1D000-memory.dmp
memory/2940-46-0x0000000000140000-0x0000000000145000-memory.dmp
memory/2940-57-0x0000000000240000-0x000000000028D000-memory.dmp
memory/2940-58-0x0000000000240000-0x000000000028D000-memory.dmp
memory/2940-87-0x0000000000240000-0x000000000028D000-memory.dmp
memory/2940-86-0x0000000000950000-0x000000000099C000-memory.dmp
memory/2940-85-0x000000000BAD0000-0x000000000BB1D000-memory.dmp
memory/2940-83-0x000000000BAD0000-0x000000000BB1D000-memory.dmp
memory/2940-82-0x000000000BAD0000-0x000000000BB1D000-memory.dmp
memory/2940-80-0x0000000000240000-0x000000000028D000-memory.dmp
memory/2940-79-0x000000000BAD0000-0x000000000BB1D000-memory.dmp
memory/2940-78-0x000000000BAD0000-0x000000000BB1D000-memory.dmp
memory/2940-77-0x000000000BAD0000-0x000000000BB1D000-memory.dmp
memory/2940-76-0x000000000BAD0000-0x000000000BB1D000-memory.dmp
memory/2940-75-0x000000000BAD0000-0x000000000BB1D000-memory.dmp
memory/2940-74-0x000000000BAD0000-0x000000000BB1D000-memory.dmp
memory/2940-91-0x0000000000240000-0x000000000028D000-memory.dmp
memory/2940-90-0x0000000000950000-0x000000000099C000-memory.dmp
memory/2940-89-0x0000000000950000-0x000000000099C000-memory.dmp
memory/2940-81-0x000000000BAD0000-0x000000000BB1D000-memory.dmp
memory/2940-92-0x0000000000950000-0x000000000099C000-memory.dmp
memory/2940-73-0x000000000BAD0000-0x000000000BB1D000-memory.dmp
memory/2940-72-0x000000000BAD0000-0x000000000BB1D000-memory.dmp
memory/2940-71-0x000000000BAD0000-0x000000000BB1D000-memory.dmp
memory/2940-70-0x000000000BAD0000-0x000000000BB1D000-memory.dmp
memory/2940-69-0x000000000BAD0000-0x000000000BB1D000-memory.dmp
memory/2940-68-0x000000000BAD0000-0x000000000BB1D000-memory.dmp
memory/2940-93-0x000000000BAD0000-0x000000000BB1D000-memory.dmp
memory/2940-97-0x000000000BAD0000-0x000000000BB1D000-memory.dmp
memory/2940-95-0x000000000BAD0000-0x000000000BB1D000-memory.dmp
memory/2940-94-0x0000000000240000-0x000000000028D000-memory.dmp
memory/2940-67-0x000000000BAD0000-0x000000000BB1D000-memory.dmp
memory/2940-66-0x000000000BAD0000-0x000000000BB1D000-memory.dmp
memory/2940-65-0x000000000BAD0000-0x000000000BB1D000-memory.dmp
memory/2940-64-0x000000000BAD0000-0x000000000BB1D000-memory.dmp
memory/2940-63-0x000000000BAD0000-0x000000000BB1D000-memory.dmp
memory/2940-62-0x000000000BAD0000-0x000000000BB1D000-memory.dmp
memory/2940-61-0x000000000BAD0000-0x000000000BB1D000-memory.dmp
memory/2940-60-0x000000000BAD0000-0x000000000BB1D000-memory.dmp
memory/1764-104-0x0000000000260000-0x0000000000261000-memory.dmp
memory/1764-103-0x0000000077CAF000-0x0000000077CB1000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-27 22:14
Reported
2024-10-27 22:19
Platform
win10v2004-20241007-en
Max time kernel
135s
Max time network
145s
Command Line
Signatures
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\7633d70b7dd502e3d9b95c6c35773d89_JaffaCakes118.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7633d70b7dd502e3d9b95c6c35773d89_JaffaCakes118.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\7633d70b7dd502e3d9b95c6c35773d89_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\7633d70b7dd502e3d9b95c6c35773d89_JaffaCakes118.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1376 -ip 1376
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1376 -s 296
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.27.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 73.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 70.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
Files
memory/1376-0-0x0000000000400000-0x00000000004AF000-memory.dmp
memory/1376-1-0x0000000000570000-0x0000000000589000-memory.dmp
memory/1376-3-0x0000000000400000-0x00000000004AF000-memory.dmp