Analysis Overview
SHA256
099abdd3556d9f39ee963c663479fb2aa74af294ddadae6ef83ba71b7d035564
Threat Level: Known bad
The file 765c661785dabc5692bf2560b5ddb7a8_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
Modifies WinLogon for persistence
Reads user/profile data of web browsers
UPX packed file
System Location Discovery: System Language Discovery
Program crash
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-27 22:53
Signatures
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-27 22:53
Reported
2024-10-27 22:56
Platform
win7-20241023-en
Max time kernel
140s
Max time network
120s
Signatures
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\shell.exe" | C:\Users\Admin\AppData\Local\Temp\765c661785dabc5692bf2560b5ddb7a8_JaffaCakes118.exe | N/A |
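The Shell write above appends a second executable after explorer.exe, and it lands in the user hive (HKU\<SID>), so a hunt that only reads HKLM\...\Winlogon will miss it. The following is an added example and not part of the sandbox report: it splits a Winlogon Shell value into its comma-separated, optionally quoted entries and flags everything other than the bare default. The sample values are constructed from the registry write on this page plus a clean baseline; the function names are my own.

```python
# Added example (not from the sandbox report): flag Winlogon "Shell" values
# that carry anything beyond the stock explorer.exe.
from __future__ import annotations

DEFAULT_SHELL = "explorer.exe"


def parse_shell_value(value: str) -> list[str]:
    """Split a Winlogon Shell value into its individual entries.

    The value is a comma-separated list; entries may be quoted and may carry
    surrounding whitespace, so both are stripped before comparison.
    """
    entries = []
    for raw in value.split(","):
        entry = raw.strip().strip('"').strip()
        if entry:
            entries.append(entry)
    return entries


def suspicious_shell_entries(value: str) -> list[str]:
    """Return every Shell entry that is not exactly the bare default.

    Only the literal 'explorer.exe' (case-insensitive) is accepted. A full
    path is reported too, even C:\\Windows\\explorer.exe, because the stock
    value never contains a path and an analyst should look at any that does.
    """
    return [e for e in parse_shell_value(value) if e.lower() != DEFAULT_SHELL]


# Constructed samples: the value written by the sample in this report and a
# clean baseline from an untouched profile.
OBSERVED_VALUE = r"explorer.exe,C:\Users\Admin\AppData\Roaming\Microsoft\Windows\shell.exe"
CLEAN_VALUE = "explorer.exe"

if __name__ == "__main__":
    for label, value in (("observed", OBSERVED_VALUE), ("clean", CLEAN_VALUE)):
        hits = suspicious_shell_entries(value)
        print(f"{label}: {'SUSPICIOUS ' + ', '.join(hits) if hits else 'ok'}")
```

Feed it the Shell value from every loaded user hive (HKU\<SID>) as well as HKLM; the per-user value is the one this sample writes.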
Reads user/profile data of web browsers
UPX packed file
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\765c661785dabc5692bf2560b5ddb7a8_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\765c661785dabc5692bf2560b5ddb7a8_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\765c661785dabc5692bf2560b5ddb7a8_JaffaCakes118.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command Line |
| C:\Users\Admin\AppData\Local\Temp\765c661785dabc5692bf2560b5ddb7a8_JaffaCakes118.exe | "C:\Users\Admin\AppData\Local\Temp\765c661785dabc5692bf2560b5ddb7a8_JaffaCakes118.exe" |
| C:\Users\Admin\AppData\Local\Temp\765c661785dabc5692bf2560b5ddb7a8_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\765c661785dabc5692bf2560b5ddb7a8_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe%C:\Users\Admin\AppData\Roaming\Microsoft |
| C:\Users\Admin\AppData\Local\Temp\765c661785dabc5692bf2560b5ddb7a8_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\765c661785dabc5692bf2560b5ddb7a8_JaffaCakes118.exe startC:\Users\Admin\AppData\Local\Temp\dwm.exe%C:\Users\Admin\AppData\Local\Temp |
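The two relaunches above pass a `start<path>%<dir>` argument naming copies called svchost.exe and dwm.exe under the user's profile, names that only belong under %SystemRoot%. The following is an added example and not part of the sandbox report: it splits that argument and flags targets that borrow a core Windows binary name outside the system directories. The `start`/`%` layout is inferred from the two command lines on this page and is an assumption about this sample, not documented behaviour; the command lines are constructed from the process list and the function names are my own.

```python
# Added example (not from the sandbox report): triage the relaunch command
# lines from this detonation for system-binary name masquerading.
from __future__ import annotations

# Core Windows binaries that legitimately live only under %SystemRoot%.
SYSTEM_BINARIES = {"svchost.exe", "dwm.exe", "explorer.exe", "lsass.exe", "csrss.exe"}
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64", r"c:\windows")


def parse_start_argument(cmdline: str) -> tuple[str, str] | None:
    """Extract (target_exe, working_dir) from '<exe> start<path>%<dir>'.

    The separator layout is an assumption taken from the two relaunch lines
    in the report. Returns None for a plain launch with no such argument.
    """
    marker = " start"
    idx = cmdline.find(marker)
    if idx == -1:
        return None
    payload = cmdline[idx + len(marker):]
    if "%" not in payload:
        return None
    target, workdir = payload.split("%", 1)
    return target.strip(), workdir.strip()


def is_masquerading_system_binary(path: str) -> bool:
    """True when a file named like a core Windows binary sits outside %SystemRoot%."""
    norm = path.replace("/", "\\").lower()
    parent, _, name = norm.rpartition("\\")
    if name not in SYSTEM_BINARIES:
        return False
    return parent not in SYSTEM_DIRS


def triage_process_tree(cmdlines: list[str]) -> list[dict]:
    """Return one finding per relaunch, with the masquerade verdict attached."""
    findings = []
    for line in cmdlines:
        parsed = parse_start_argument(line)
        if parsed is None:
            continue
        target, workdir = parsed
        findings.append({
            "target": target,
            "workdir": workdir,
            "masquerade": is_masquerading_system_binary(target),
        })
    return findings


# Constructed from the behavioral1 process list in the report.
OBSERVED_CMDLINES = [
    r'"C:\Users\Admin\AppData\Local\Temp\765c661785dabc5692bf2560b5ddb7a8_JaffaCakes118.exe"',
    r"C:\Users\Admin\AppData\Local\Temp\765c661785dabc5692bf2560b5ddb7a8_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe%C:\Users\Admin\AppData\Roaming\Microsoft",
    r"C:\Users\Admin\AppData\Local\Temp\765c661785dabc5692bf2560b5ddb7a8_JaffaCakes118.exe startC:\Users\Admin\AppData\Local\Temp\dwm.exe%C:\Users\Admin\AppData\Local\Temp",
]

if __name__ == "__main__":
    for finding in triage_process_tree(OBSERVED_CMDLINES):
        verdict = "MASQUERADE" if finding["masquerade"] else "ok"
        print(f"{verdict}: {finding['target']} (cwd {finding['workdir']})")
```

The same name-versus-path check applies to the process image paths an EDR records, independent of this sample's argument format.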
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | blogsmonitoringservice.com | udp |
| US | 8.8.8.8:53 | www.google.com | udp |
| US | 8.8.8.8:53 | protectyourpc-11.com | udp |
| GB | 216.58.212.196:80 | www.google.com | tcp |
| GB | 216.58.212.196:80 | www.google.com | tcp |
| US | 8.8.8.8:53 | bigtelevideochanel.com | udp |
| US | 8.8.8.8:53 | findeffectivecasino.com | udp |
Files
memory/2836-1-0x0000000000400000-0x0000000000475000-memory.dmp
memory/2836-3-0x0000000000400000-0x0000000000475000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\stor.cfg
| MD5 | f8775d59e14353a65c51d73941bb1eac |
| SHA1 | 08e1c47cb4c435f6467ccd98ce6233191a19bc6e |
| SHA256 | d941e62d3b14fc2874389ead5466b24e8d025409204e28457caeb4c805bbda39 |
| SHA512 | 96b0426df5149fb8d9be95201d6e345c026a1d1bd2dfda1b3edecafedc14727138cc39b95a9dbb609355781eb834fda04f3a87679c52b52a6f4db9f761591b98 |
C:\Users\Admin\AppData\Roaming\Microsoft\stor.cfg
| MD5 | 5cbdda63a1ab4ba2a3ab0415e5029977 |
| SHA1 | 3a8c2244af844e508c713151696385923150fd91 |
| SHA256 | 537f1cf82d603620e3225925490b8063944c24e2a116fb7de4bf512a79b1573d |
| SHA512 | 4129672537876c6803b9a8d276a5534721533ac01b799fcc7da3709b5d140880d4a04e30bb5642f41a4df9f88965ae59a9c80a25650e921a6e0b70c30d424eaa |
memory/1768-93-0x0000000000400000-0x0000000000475000-memory.dmp
memory/1768-96-0x0000000000400000-0x0000000000475000-memory.dmp
memory/1768-95-0x0000000000400000-0x0000000000475000-memory.dmp
memory/2836-97-0x0000000000400000-0x0000000000475000-memory.dmp
memory/2072-169-0x0000000000400000-0x0000000000475000-memory.dmp
memory/2072-171-0x0000000000400000-0x0000000000475000-memory.dmp
memory/2836-172-0x0000000000400000-0x0000000000475000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\stor.cfg
| MD5 | e39bf41053064fbb4700a35fa1ffa919 |
| SHA1 | 68cf15592057538b0af820e35d6e483711c2ab54 |
| SHA256 | 87ca061313246ef15ec12805afd4063b07b57a6bf424f9b53676d89888860fe2 |
| SHA512 | 07ee79538fba41c11d985bd8b3172aeba2818e4918643f17582827c158164895276b624df4203b2829b909af0b0f43f805a94f57d1e5e50624f6771dc229f3cc |
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-27 22:53
Reported
2024-10-27 22:56
Platform
win10v2004-20241007-en
Max time kernel
133s
Max time network
140s
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\765c661785dabc5692bf2560b5ddb7a8_JaffaCakes118.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\765c661785dabc5692bf2560b5ddb7a8_JaffaCakes118.exe | N/A |
Processes
| Process | Command Line |
| C:\Users\Admin\AppData\Local\Temp\765c661785dabc5692bf2560b5ddb7a8_JaffaCakes118.exe | "C:\Users\Admin\AppData\Local\Temp\765c661785dabc5692bf2560b5ddb7a8_JaffaCakes118.exe" |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 3940 -ip 3940 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 3940 -s 492 |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.28.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 100.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |