Analysis Overview
SHA256
732d0d953bf5afc402a06751ddf0ac1895712d721a41b38ff04e801d53ab006b
Threat Level: Known bad
The file 7642641936be02921252b837f10b27b0_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
Modifies WinLogon for persistence
Reads user/profile data of web browsers
UPX packed file
Unsigned PE
System Location Discovery: System Language Discovery
Program crash
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-27 22:28
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-27 22:28
Reported
2024-10-27 22:31
Platform
win7-20241010-en
Max time kernel
140s
Max time network
68s
Command Line
Signatures
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\dwm.exe" | C:\Users\Admin\AppData\Local\Temp\7642641936be02921252b837f10b27b0_JaffaCakes118.exe | N/A |
Reads user/profile data of web browsers
UPX packed file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7642641936be02921252b837f10b27b0_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7642641936be02921252b837f10b27b0_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7642641936be02921252b837f10b27b0_JaffaCakes118.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\7642641936be02921252b837f10b27b0_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\7642641936be02921252b837f10b27b0_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\7642641936be02921252b837f10b27b0_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\7642641936be02921252b837f10b27b0_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft
C:\Users\Admin\AppData\Local\Temp\7642641936be02921252b837f10b27b0_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\7642641936be02921252b837f10b27b0_JaffaCakes118.exe startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | bigblueonline.com | udp |
| CA | 23.227.38.65:80 | bigblueonline.com | tcp |
| US | 8.8.8.8:53 | zonetf.com | udp |
| US | 76.223.54.146:80 | zonetf.com | tcp |
| US | 8.8.8.8:53 | zonetk.com | udp |
| US | 76.223.54.146:80 | zonetf.com | tcp |
| US | 76.223.54.146:80 | zonetf.com | tcp |
| US | 8.8.8.8:53 | zonere.com | udp |
| US | 76.223.54.146:80 | zonetf.com | tcp |
| US | 76.223.54.146:80 | zonetf.com | tcp |
| US | 8.8.8.8:53 | www.google.com | udp |
| GB | 172.217.169.36:80 | www.google.com | tcp |
| N/A | 127.0.0.1:63111 | | tcp |
| US | 8.8.8.8:53 | offlineservermonitoring.com | udp |
| US | 76.223.54.146:80 | zonetf.com | tcp |
| GB | 172.217.169.36:80 | www.google.com | tcp |
Files
memory/1820-1-0x0000000000400000-0x000000000048A000-memory.dmp
memory/1820-2-0x0000000000400000-0x000000000048A000-memory.dmp
memory/2216-7-0x0000000000400000-0x000000000048A000-memory.dmp
memory/2216-5-0x0000000000400000-0x000000000048A000-memory.dmp
memory/1820-14-0x0000000000400000-0x000000000048A000-memory.dmp
C:\Users\Admin\AppData\Roaming\C736.889
| Hash | Value |
| --- | --- |
| MD5 | 9e5c3151a46b395e74bbccf1de7841df |
| SHA1 | ae7a5e41dabc40356adb52e85c2d05cc7436eb20 |
| SHA256 | fe20a80fc730d6b50decdc4d12528d745f27f622290ca73b8e8ec652285c803a |
| SHA512 | ec84b5fca01e8d7e98921f2c468e20014938ac2c0e77cd0688718716ce10bc71f78f2e1bf9135e07570704bd652b4b4a9cad112fa78af04538f6208c1b290721 |
memory/1660-72-0x0000000000400000-0x000000000048A000-memory.dmp
memory/1660-74-0x0000000000400000-0x000000000048A000-memory.dmp
memory/1820-75-0x0000000000400000-0x000000000048A000-memory.dmp
C:\Users\Admin\AppData\Roaming\C736.889
| Hash | Value |
| --- | --- |
| MD5 | 664fb3618a67ac50db08274498a280e7 |
| SHA1 | d2e89e2f08d90d62e8575257ba5efe2147be057f |
| SHA256 | 76b48e915f9559cdeb62fd9b8aa440febd9d552e3a44f20b726848edc94db8be |
| SHA512 | 021e70b6c577f6c1b01730351e2db94fe7a667c639752f13055b5017e15edf6a01a4d2a6d08ee82d283932b5ddaff5d55c040630548fca715e1ff17da1fb63c2 |
C:\Users\Admin\AppData\Roaming\C736.889
| Hash | Value |
| --- | --- |
| MD5 | 62510457be577ee4da4bb93327a0f965 |
| SHA1 | 45f3e140ca0a079242bd76314f626554fb464383 |
| SHA256 | 9cc140af8b5f419b82d8e4958553c2442bd2924e561a6b27f03998a3fc51a11e |
| SHA512 | d94f729bdaf9fab5b67bc2daa3a81de21ff61535d269002045caf38f5097630fbcaf5f291d6b5a184c7e6854d181086ddcf8ba0de1bd9904ec4878e13420d822 |
memory/1820-168-0x0000000000400000-0x000000000048A000-memory.dmp
memory/1820-207-0x0000000000400000-0x000000000048A000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-27 22:28
Reported
2024-10-27 22:32
Platform
win10v2004-20241007-en
Max time kernel
148s
Max time network
151s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\7642641936be02921252b837f10b27b0_JaffaCakes118.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7642641936be02921252b837f10b27b0_JaffaCakes118.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\7642641936be02921252b837f10b27b0_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\7642641936be02921252b837f10b27b0_JaffaCakes118.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 924 -ip 924
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 924 -s 460
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.28.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp |