Analysis Overview
SHA256
bf786053e08168b8454d21562472aff64d75ab9248a5f721d0484c4fb35d5a64
Threat Level: Shows suspicious behavior
The file 835fdcf01a2f280cf74b676001f12ad7_JaffaCakes118 was found to be: Shows suspicious behavior.
Malicious Activity Summary
VMProtect packed file
Unexpected DNS network traffic destination
Writes to the Master Boot Record (MBR)
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious use of SetWindowsHookEx
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-31 14:57
Signatures
VMProtect packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-31 14:57
Reported
2024-10-31 15:15
Platform
win7-20240903-en
Max time kernel
121s
Max time network
121s
Command Line
Signatures
Unexpected DNS network traffic destination
| Description | Indicator | Process | Target |
| Destination IP | 128.192.1.193 | N/A | N/A |
| Destination IP | 209.64.210.34 | N/A | N/A |
| Destination IP | 216.54.204.186 | N/A | N/A |
| Destination IP | 192.55.87.207 | N/A | N/A |
| Destination IP | 207.231.129.132 | N/A | N/A |
| Destination IP | 128.227.128.254 | N/A | N/A |
| Destination IP | 65.51.51.2 | N/A | N/A |
| Destination IP | 147.21.176.130 | N/A | N/A |
| Destination IP | 130.94.124.174 | N/A | N/A |
VMProtect packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Writes to the Master Boot Record (MBR)
| Description | Indicator | Process | Target |
| File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\AppData\Local\Temp\835fdcf01a2f280cf74b676001f12ad7_JaffaCakes118.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\835fdcf01a2f280cf74b676001f12ad7_JaffaCakes118.exe | N/A |
Suspicious use of SetWindowsHookEx
Processes
C:\Users\Admin\AppData\Local\Temp\835fdcf01a2f280cf74b676001f12ad7_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\835fdcf01a2f280cf74b676001f12ad7_JaffaCakes118.exe"
Network
| Country | Destination | Domain | Proto |
| US | 65.51.51.2:53 | www.psi1oc.info | udp |
| US | 128.227.128.254:53 | www.se1lppp.info | udp |
| US | 216.54.204.186:53 | www.gstetscn.info | udp |
| US | 209.64.210.34:53 | www.primec6.info | udp |
| US | 128.192.1.193:53 | www.s6webx.info | udp |
| US | 192.55.87.207:53 | www.lstirpes.info | udp |
| US | 147.21.176.130:53 | www.gt2h6it.info | udp |
| US | 207.231.129.132:53 | www.a9antara.info | udp |
| US | 130.94.124.174:53 | www.gzizzozz.info | udp |
| US | 8.8.8.8:53 | www.google.com | udp |
| CN | 210.21.217.69:443 | tcp | |
| CN | 211.157.28.135:443 | tcp | |
| US | 216.134.197.184:443 | tcp | |
| US | 199.68.66.200:443 | tcp | |
| US | 158.96.54.7:443 | tcp | |
| US | 204.16.104.198:443 | tcp | |
| GB | 142.250.180.4:443 | www.google.com | tcp |
| N/A | 127.0.0.1:9666 | tcp | |
| N/A | 127.0.0.1:9666 | tcp | |
| N/A | 127.0.0.1:9666 | tcp | |
| N/A | 127.0.0.1:9666 | tcp | |
| N/A | 127.0.0.1:9666 | tcp | |
| GB | 142.250.180.4:443 | www.google.com | tcp |
| GB | 142.250.180.4:443 | www.google.com | tcp |
| GB | 142.250.180.4:443 | www.google.com | tcp |
| GB | 142.250.180.4:443 | www.google.com | tcp |
| GB | 142.250.180.4:443 | www.google.com | tcp |
| US | 216.134.197.184:443 | tcp | |
| US | 158.96.54.7:443 | tcp | |
| US | 199.68.66.200:443 | tcp | |
| CN | 211.157.28.135:443 | tcp | |
| CN | 210.21.217.69:443 | tcp | |
| US | 204.16.104.198:443 | tcp | |
| US | 8.8.8.8:53 | docs.google.com | udp |
| GB | 142.250.179.238:443 | docs.google.com | tcp |
| N/A | 127.0.0.1:9666 | tcp | |
| N/A | 127.0.0.1:9666 | tcp | |
| US | 199.68.66.200:443 | tcp | |
| US | 216.134.197.184:443 | tcp | |
| US | 158.96.54.7:443 | tcp | |
| CN | 210.21.217.69:443 | tcp | |
| CN | 211.157.28.135:443 | tcp | |
| US | 204.16.104.198:443 | tcp | |
| TW | 218.168.72.158:443 | tcp | |
| TW | 218.163.23.191:443 | tcp | |
| TW | 220.131.6.80:443 | tcp | |
| FR | 66.245.216.66:443 | tcp | |
| TW | 218.167.224.198:443 | tcp | |
| FR | 66.245.205.63:443 | tcp | |
| US | 216.134.197.184:443 | tcp | |
| US | 204.16.104.198:443 | tcp | |
| N/A | 127.0.0.1:9666 | tcp | |
| CN | 211.157.28.135:443 | tcp | |
| CN | 210.21.217.69:443 | tcp | |
| US | 199.68.66.200:443 | tcp | |
| US | 158.96.54.7:443 | tcp | |
| N/A | 127.0.0.1:9666 | tcp | |
| N/A | 127.0.0.1:9666 | tcp | |
| N/A | 127.0.0.1:9666 | tcp | |
| N/A | 127.0.0.1:9666 | tcp | |
| US | 65.49.2.24:443 | tcp | |
| US | 65.49.2.22:443 | tcp | |
| US | 65.49.2.14:443 | tcp | |
| US | 65.49.2.22:443 | tcp | |
| US | 65.49.2.24:443 | tcp | |
| US | 65.49.2.24:443 | tcp | |
| N/A | 127.0.0.1:9666 | tcp | |
| N/A | 127.0.0.1:9666 | tcp | |
| N/A | 127.0.0.1:9666 | tcp | |
| N/A | 127.0.0.1:9666 | tcp | |
| N/A | 127.0.0.1:9666 | tcp |
Files
memory/2440-0-0x0000000000400000-0x000000000051C000-memory.dmp
memory/2440-1-0x0000000000400000-0x000000000051C000-memory.dmp
memory/2440-5-0x0000000000400000-0x000000000051C000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-31 14:57
Reported
2024-10-31 15:16
Platform
win10v2004-20241007-en
Max time kernel
143s
Max time network
147s
Command Line
Signatures
Unexpected DNS network traffic destination
| Description | Indicator | Process | Target |
| Destination IP | 65.163.161.230 | N/A | N/A |
| Destination IP | 129.82.103.79 | N/A | N/A |
| Destination IP | 169.146.191.18 | N/A | N/A |
| Destination IP | 158.106.52.64 | N/A | N/A |
| Destination IP | 147.21.23.9 | N/A | N/A |
| Destination IP | 64.132.57.20 | N/A | N/A |
| Destination IP | 136.242.11.73 | N/A | N/A |
| Destination IP | 65.173.99.98 | N/A | N/A |
| Destination IP | 128.227.128.254 | N/A | N/A |
VMProtect packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Writes to the Master Boot Record (MBR)
| Description | Indicator | Process | Target |
| File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\AppData\Local\Temp\835fdcf01a2f280cf74b676001f12ad7_JaffaCakes118.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\835fdcf01a2f280cf74b676001f12ad7_JaffaCakes118.exe | N/A |
Suspicious use of SetWindowsHookEx
Processes
C:\Users\Admin\AppData\Local\Temp\835fdcf01a2f280cf74b676001f12ad7_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\835fdcf01a2f280cf74b676001f12ad7_JaffaCakes118.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 136.242.11.73:53 | www.lxycod.info | udp |
| US | 147.21.23.9:53 | www.mxpcint.info | udp |
| US | 65.173.99.98:53 | www.pur-p1e.info | udp |
| N/A | 224.0.0.251:5353 | udp | |
| US | 8.8.8.8:53 | 73.11.242.136.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.23.21.147.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 98.99.173.65.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.144.22.2.in-addr.arpa | udp |
| N/A | 127.0.0.1:9666 | tcp | |
| N/A | 127.0.0.1:9666 | tcp | |
| US | 64.132.57.20:53 | www.scft82.info | udp |
| US | 129.82.103.79:53 | www.probuen.info | udp |
| US | 169.146.191.18:53 | www.roptxt.info | udp |
| N/A | 127.0.0.1:9666 | tcp | |
| US | 8.8.8.8:53 | 20.57.132.64.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.103.82.129.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.191.146.169.in-addr.arpa | udp |
| N/A | 127.0.0.1:9666 | tcp | |
| US | 128.227.128.254:53 | www.scc-tds.info | udp |
| US | 65.163.161.230:53 | www.prtines.info | udp |
| US | 158.106.52.64:53 | www.rogesw.info | udp |
| US | 8.8.8.8:53 | 64.52.106.158.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 230.161.163.65.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 254.128.227.128.in-addr.arpa | udp |
| N/A | 127.0.0.1:9666 | tcp | |
| US | 209.34.241.68:443 | tcp | |
| US | 168.166.73.14:443 | tcp | |
| US | 167.102.245.62:443 | tcp | |
| US | 204.16.104.198:443 | tcp | |
| US | 216.134.197.184:443 | tcp | |
| CA | 216.13.113.51:443 | tcp | |
| US | 8.8.8.8:53 | www.google.com | udp |
| GB | 142.250.180.4:443 | www.google.com | tcp |
| N/A | 127.0.0.1:9666 | tcp | |
| N/A | 127.0.0.1:9666 | tcp | |
| US | 8.8.8.8:53 | 62.245.102.167.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 4.180.250.142.in-addr.arpa | udp |
| N/A | 127.0.0.1:9666 | tcp | |
| N/A | 127.0.0.1:9666 | tcp | |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| N/A | 127.0.0.1:9666 | tcp | |
| N/A | 127.0.0.1:9666 | tcp | |
| N/A | 127.0.0.1:9666 | tcp | |
| N/A | 127.0.0.1:9666 | tcp | |
| N/A | 127.0.0.1:9666 | tcp | |
| N/A | 127.0.0.1:9666 | tcp | |
| GB | 142.250.180.4:443 | www.google.com | tcp |
| GB | 142.250.180.4:443 | www.google.com | tcp |
| GB | 142.250.180.4:443 | www.google.com | tcp |
| GB | 142.250.180.4:443 | www.google.com | tcp |
| GB | 142.250.180.4:443 | www.google.com | tcp |
| N/A | 127.0.0.1:9666 | tcp | |
| US | 216.134.197.184:443 | tcp | |
| CA | 216.13.113.51:443 | tcp | |
| US | 167.102.245.62:443 | tcp | |
| US | 204.16.104.198:443 | tcp | |
| US | 168.166.73.14:443 | tcp | |
| US | 209.34.241.68:443 | tcp | |
| US | 8.8.8.8:53 | docs.google.com | udp |
| GB | 142.250.179.238:443 | docs.google.com | tcp |
| N/A | 127.0.0.1:9666 | tcp | |
| US | 8.8.8.8:53 | 238.179.250.142.in-addr.arpa | udp |
| N/A | 127.0.0.1:9666 | tcp | |
| N/A | 127.0.0.1:9666 | tcp | |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| N/A | 127.0.0.1:9666 | tcp | |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.36.159.162.in-addr.arpa | udp |
| N/A | 127.0.0.1:9666 | tcp | |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| JP | 220.100.56.141:443 | tcp | |
| US | 68.183.120.4:443 | tcp | |
| TW | 122.127.176.38:443 | tcp | |
| TW | 118.161.180.118:443 | tcp | |
| TW | 219.85.146.9:443 | tcp | |
| TW | 61.227.241.9:443 | tcp | |
| US | 68.183.120.4:443 | tcp | |
| US | 8.8.8.8:53 | 4.120.183.68.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| N/A | 127.0.0.1:9666 | tcp | |
| US | 65.49.2.26:443 | tcp | |
| US | 65.49.2.16:443 | tcp | |
| US | 65.49.2.13:443 | tcp | |
| US | 65.49.2.26:443 | tcp | |
| US | 65.49.2.26:443 | tcp | |
| US | 65.49.2.16:443 | tcp | |
| US | 65.49.2.16:443 | tcp | |
| US | 8.8.8.8:53 | 26.2.49.65.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 16.2.49.65.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 138.32.126.40.in-addr.arpa | udp |
| N/A | 127.0.0.1:9666 | tcp | |
| N/A | 127.0.0.1:9666 | tcp | |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| N/A | 127.0.0.1:9666 | tcp | |
| N/A | 127.0.0.1:9666 | tcp | |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| N/A | 127.0.0.1:9666 | tcp | |
| N/A | 127.0.0.1:9666 | tcp | |
| N/A | 127.0.0.1:9666 | tcp | |
| N/A | 127.0.0.1:9666 | tcp | |
| N/A | 127.0.0.1:9666 | tcp | |
| N/A | 127.0.0.1:9666 | tcp | |
| N/A | 127.0.0.1:9666 | tcp | |
| N/A | 127.0.0.1:9666 | tcp | |
| N/A | 127.0.0.1:9666 | tcp | |
| N/A | 127.0.0.1:9666 | tcp | |
| N/A | 127.0.0.1:9666 | tcp | |
| N/A | 127.0.0.1:9666 | tcp |
Files
memory/1248-0-0x0000000000400000-0x000000000051C000-memory.dmp
memory/1248-1-0x00000000004CC000-0x00000000004CD000-memory.dmp
memory/1248-2-0x0000000000400000-0x000000000051C000-memory.dmp
memory/1248-6-0x0000000000400000-0x000000000051C000-memory.dmp