Analysis Overview
SHA256
65e87e21a627624e05521d071894d8041bae2f904fdf480d5133d17d672d55eb
Threat Level: Known bad
The file 765a8df6e5b8f73ee1ed3fdf017b6ff9_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
Modifies WinLogon for persistence
Reads user/profile data of web browsers
UPX packed file
System Location Discovery: System Language Discovery
Program crash
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-27 22:52
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-27 22:52
Reported
2024-10-27 22:55
Platform
win7-20241010-en
Max time kernel
141s
Max time network
71s
Command Line
Signatures
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\dwm.exe" | C:\Users\Admin\AppData\Local\Temp\765a8df6e5b8f73ee1ed3fdf017b6ff9_JaffaCakes118.exe | N/A |
Reads user/profile data of web browsers
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
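The "UPX packed file" verdict above carries no indicator rows. That verdict normally comes from the PE section table: stock UPX names its sections UPX0/UPX1 (followed by UPX2 or .rsrc) and leaves UPX0 with no bytes on disk, since the stub in UPX1 unpacks the original image into it at run time. The following Python is an added example, not part of the sandbox report or of the tooling that produced it. The sample's bytes are not on this page, so it builds two header-only PE images inline as constructed input (one UPX-style section table, one ordinary one; the sizes are made up) and runs the check on both.

```python
"""Section-table check behind a 'UPX packed file' verdict.

Added example (not part of the sandbox report). No bytes of the analysed
sample are available here, so two header-only PE images are constructed
inline: one with a UPX-style section table and one with an ordinary one.
"""
import struct

SECTION_HEADER = "<8sIIIIIIHHI"   # IMAGE_SECTION_HEADER, 40 bytes
COFF_HEADER = "<HHIIIHH"          # IMAGE_FILE_HEADER, 20 bytes
PE32_OPTIONAL_SIZE = 0xE0         # SizeOfOptionalHeader for a PE32 image


def build_pe(sections):
    """Assemble a minimal PE32 header with (name, vsize, vaddr, rawsize, rawptr) sections.

    Constructed test input only: there is no code, no imports and no entry point.
    """
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, len(dos))   # e_lfanew: PE signature right after the DOS header
    coff = struct.pack(COFF_HEADER, 0x14C, len(sections), 0, 0, 0, PE32_OPTIONAL_SIZE, 0x0102)
    optional = bytearray(PE32_OPTIONAL_SIZE)
    struct.pack_into("<H", optional, 0, 0x10B)     # PE32 magic
    table = b"".join(
        struct.pack(SECTION_HEADER, name.encode("ascii"), vsize, vaddr, rawsize, rawptr,
                    0, 0, 0, 0, 0x60000020)
        for name, vsize, vaddr, rawsize, rawptr in sections
    )
    return bytes(dos) + b"PE\0\0" + coff + bytes(optional) + table


def pe_sections(data):
    """Walk DOS header -> PE signature -> COFF header -> section table."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    (n_sections,) = struct.unpack_from("<H", data, coff + 2)    # NumberOfSections
    (opt_size,) = struct.unpack_from("<H", data, coff + 16)     # SizeOfOptionalHeader
    table = coff + struct.calcsize(COFF_HEADER) + opt_size
    sections = []
    for i in range(n_sections):
        raw_name, vsize, vaddr, rawsize, rawptr, *_ = struct.unpack_from(
            SECTION_HEADER, data, table + 40 * i)
        sections.append({
            "name": raw_name.split(b"\0", 1)[0].decode("ascii", "replace"),
            "virtual_size": vsize,
            "raw_size": rawsize,
        })
    return sections


def upx_indicators(data):
    """Two independent signals; a renamed-section UPX build only shows in zero_raw."""
    sections = pe_sections(data)
    return {
        # Stock UPX names its sections UPX0/UPX1 (and UPX2 or .rsrc).
        "upx_named": [s["name"] for s in sections if s["name"].upper().startswith("UPX")],
        # No bytes on disk but a large virtual size: the region the stub unpacks
        # the original image into. UPX0 looks exactly like this.
        "zero_raw": [s["name"] for s in sections
                     if s["raw_size"] == 0 and s["virtual_size"] > 0],
    }


def looks_upx_packed(data):
    """Name-based verdict, the weak but cheap check most sandboxes report."""
    return bool(upx_indicators(data)["upx_named"])


# Constructed section tables (plausible sizes, not taken from the sample).
UPX_LIKE_SECTIONS = [
    ("UPX0", 0x30000, 0x1000, 0, 0x400),
    ("UPX1", 0x1C000, 0x31000, 0x1B400, 0x400),
    (".rsrc", 0x1000, 0x4D000, 0x600, 0x1B800),
]
PLAIN_SECTIONS = [
    (".text", 0x20000, 0x1000, 0x20000, 0x400),
    (".data", 0x3000, 0x21000, 0x1000, 0x20400),
    (".rsrc", 0x1000, 0x24000, 0x600, 0x21400),
]

if __name__ == "__main__":
    for label, secs in (("upx-like", UPX_LIKE_SECTIONS), ("plain", PLAIN_SECTIONS)):
        img = build_pe(secs)
        print(label, upx_indicators(img), "UPX" if looks_upx_packed(img) else "not UPX")
```

Section names are trivially renamed by a custom UPX build, so treat the name match as a hint and the zero-raw-size section as the more durable signal; neither replaces unpacking the sample before static analysis.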
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\765a8df6e5b8f73ee1ed3fdf017b6ff9_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\765a8df6e5b8f73ee1ed3fdf017b6ff9_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\765a8df6e5b8f73ee1ed3fdf017b6ff9_JaffaCakes118.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\765a8df6e5b8f73ee1ed3fdf017b6ff9_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\765a8df6e5b8f73ee1ed3fdf017b6ff9_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\765a8df6e5b8f73ee1ed3fdf017b6ff9_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\765a8df6e5b8f73ee1ed3fdf017b6ff9_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft
C:\Users\Admin\AppData\Local\Temp\765a8df6e5b8f73ee1ed3fdf017b6ff9_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\765a8df6e5b8f73ee1ed3fdf017b6ff9_JaffaCakes118.exe startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp
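The Winlogon Shell value above appends a second executable after explorer.exe, so Winlogon launches it at every logon of that user while the desktop still comes up normally; the value is written under the user's own hive, which needs no elevation. The two relaunches point at conhost.exe and csrss.exe under AppData, and the Shell entry at dwm.exe in AppData\Roaming: all three are names of Windows binaries that normally live only under %SystemRoot%. The following Python is an added example, not part of the sandbox report: it re-implements both checks (extra Shell entries, and system-binary names or user-writable paths in the launched executables) over the indicators above, embedded as constructed input. The "start<path>%<dir>" layout of the relaunch arguments is an assumption read from the two command lines, not documented behaviour of the sample.

```python
"""Checks for the Winlogon Shell and relaunch-path indicators above.

Added example (not part of the sandbox report). The registry value and
command-line arguments below are copied from the report as constructed input.
"""
import ntpath
import re

# The only value Windows itself places in Winlogon\Shell.
DEFAULT_SHELL = "explorer.exe"

# Windows binaries that legitimately live only under %SystemRoot%
# (constructed list; extend for your environment).
SYSTEM_BINARIES = {
    "dwm.exe", "conhost.exe", "csrss.exe", "explorer.exe",
    "svchost.exe", "lsass.exe", "winlogon.exe", "smss.exe",
}

# Per-user locations writable without elevation, and the system directory.
USER_WRITABLE = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\", re.I)
WINDOWS_DIR = re.compile(r"^[a-z]:\\windows(\\|$)", re.I)

# Constructed input taken from the report above.
REPORT_SHELL_VALUE = r"explorer.exe,C:\Users\Admin\AppData\Roaming\dwm.exe"
REPORT_RELAUNCH_ARGS = [
    r"startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft",
    r"startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp",
]


def parse_shell_value(value):
    """Split a Winlogon Shell string; Winlogon launches every comma-separated entry."""
    return [e.strip() for e in value.split(",") if e.strip()]


def path_findings(path):
    """Reasons an executable path looks like malware (empty list when none)."""
    reasons = []
    name = ntpath.basename(path).lower()
    directory = ntpath.dirname(path)
    if USER_WRITABLE.match(directory):
        reasons.append("executable under user-writable AppData")
    if name in SYSTEM_BINARIES and directory and not WINDOWS_DIR.match(directory):
        reasons.append(f"system binary name {name} outside %SystemRoot%")
    return reasons


def audit_winlogon_shell(value):
    """Map every Shell entry other than explorer.exe to why it is suspicious."""
    findings = {}
    for entry in parse_shell_value(value):
        if entry.lower() == DEFAULT_SHELL:
            continue
        findings[entry] = ["extra Winlogon Shell entry"] + path_findings(entry)
    return findings


def path_from_start_arg(arg):
    """Pull <path> out of a 'start<path>%<dir>' argument.

    That layout is an assumption read from the two relaunch command lines
    in the report, not documented behaviour of the sample.
    """
    if not arg.startswith("start"):
        raise ValueError(f"unexpected argument layout: {arg!r}")
    return arg[len("start"):].split("%", 1)[0]


def audit_relaunch_args(args):
    """Map each relaunched executable that has findings to its reasons."""
    findings = {}
    for path in map(path_from_start_arg, args):
        reasons = path_findings(path)
        if reasons:
            findings[path] = reasons
    return findings


if __name__ == "__main__":
    for path, reasons in audit_winlogon_shell(REPORT_SHELL_VALUE).items():
        print("Winlogon\\Shell:", path, "->", "; ".join(reasons))
    for path, reasons in audit_relaunch_args(REPORT_RELAUNCH_ARGS).items():
        print("relaunch:", path, "->", "; ".join(reasons))
```

On a live host the same logic applies to the Shell value read from both HKCU and HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon; anything beyond a bare explorer.exe deserves a look, and a system-binary name under a user profile is reason enough to pull the file.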
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | registryeasy.com | udp |
| US | 13.248.169.48:80 | registryeasy.com | tcp |
| US | 8.8.8.8:53 | zonetf.com | udp |
| US | 13.248.169.48:80 | zonetf.com | tcp |
| US | 13.248.169.48:80 | zonetf.com | tcp |
| US | 8.8.8.8:53 | onloneservermonitoring.com | udp |
| US | 13.248.169.48:80 | zonetf.com | tcp |
| US | 13.248.169.48:80 | zonetf.com | tcp |
| US | 13.248.169.48:80 | zonetf.com | tcp |
| US | 8.8.8.8:53 | zonere.com | udp |
| US | 8.8.8.8:53 | www.google.com | udp |
| GB | 172.217.169.4:80 | www.google.com | tcp |
| N/A | 127.0.0.1:57354 | | tcp |
| US | 8.8.8.8:53 | zonetk.com | udp |
| GB | 172.217.169.4:80 | www.google.com | tcp |
Files
memory/2528-1-0x0000000000400000-0x0000000000466000-memory.dmp
memory/2528-2-0x0000000000400000-0x0000000000466000-memory.dmp
memory/1288-5-0x0000000000400000-0x0000000000466000-memory.dmp
memory/1288-8-0x0000000000400000-0x0000000000466000-memory.dmp
memory/1288-6-0x0000000000400000-0x0000000000466000-memory.dmp
memory/2528-15-0x0000000000400000-0x0000000000466000-memory.dmp
C:\Users\Admin\AppData\Roaming\F580.591
| MD5 | 9d90ea713c3ffd29270a1eda38e10934 |
| SHA1 | ef3e17a0037815dd871710c6df3f5b3ec5edf745 |
| SHA256 | be75712344a2cc670b42e387f1bab693660f219f8958f0e9b47cb53337a6dbd3 |
| SHA512 | b718e15a9a0dc7f07ed8c58323a67c7416650b92e665e05b824283667836ef92187ea90eb16e58737bb162a868f04c887564c532aae671e640c3d3e9761e43b7 |
memory/1528-79-0x0000000000400000-0x0000000000466000-memory.dmp
memory/1528-81-0x0000000000400000-0x0000000000466000-memory.dmp
memory/1528-80-0x0000000000400000-0x0000000000466000-memory.dmp
memory/2528-82-0x0000000000400000-0x0000000000466000-memory.dmp
C:\Users\Admin\AppData\Roaming\F580.591
| MD5 | 58eeaa432882ef0966a054b3030f0449 |
| SHA1 | c26997c41077e83a67f329e5b69498defef71959 |
| SHA256 | cca4fbbc12daa3024667c78339481bc76a85d72c8cd0c4c434f6291e6da4cfcd |
| SHA512 | e30d7efb6be3d5ec32991d07a44e6c6ace9cd4062fba1834ac1388250752f3cef0db94f937647dd01f4be54e894032808fcea72b2181e2805cbf735a34f58adc |
C:\Users\Admin\AppData\Roaming\F580.591
| MD5 | f9dd8cb0cd9ea2bde34cb6eae89b924f |
| SHA1 | f334b7eb987e3788b112e6aaae14755b42453834 |
| SHA256 | 0d2626085af2d17c31980b108b925170ded7f5ebcd1011ce2de9c12f305ea2ad |
| SHA512 | 2c97e583dca7f7e7108d8d5af5cf849658facd6a33342d0d6eb3b04da99688f7dc2c56b170479eb82648a032b57a5674936c8fb8c94f4c24e429ea3f49a65abc |
memory/2528-173-0x0000000000400000-0x0000000000466000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-27 22:52
Reported
2024-10-27 22:55
Platform
win10v2004-20241007-en
Max time kernel
134s
Max time network
140s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\765a8df6e5b8f73ee1ed3fdf017b6ff9_JaffaCakes118.exe |
The sample (PID 428 in the WerFault.exe arguments) faulted and was handled by Windows Error Reporting before showing any of the behaviour seen in the Windows 7 run; apart from the language-key lookup below, this run recorded nothing, so the Windows 7 detonation (behavioral1) is the one to rely on for indicators.
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\765a8df6e5b8f73ee1ed3fdf017b6ff9_JaffaCakes118.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\765a8df6e5b8f73ee1ed3fdf017b6ff9_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\765a8df6e5b8f73ee1ed3fdf017b6ff9_JaffaCakes118.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 428 -ip 428
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 428 -s 468
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 100.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.28.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 71.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp |