Analysis Overview
SHA256
e0ba5fab6b8c8001696856c0e1255fbeb1589925b4fdf4561f05dbef000b06a9
Threat Level: Shows suspicious behavior
The file 8e70b7105035839b36c4af79ab9dc3e7_JaffaCakes118 was found to be: Shows suspicious behavior.
Malicious Activity Summary
Checks whether UAC is enabled
Drops file in System32 directory
UPX packed file
Drops file in Windows directory
Drops file in Program Files directory
Enumerates physical storage devices
Program crash
System Location Discovery: System Language Discovery
Suspicious use of SetWindowsHookEx
Modifies registry class
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-04 01:19
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-04 01:19
Reported
2024-11-04 03:39
Platform
win7-20240903-en
Max time kernel
118s
Max time network
122s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\8e70b7105035839b36c4af79ab9dc3e7_JaffaCakes118.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\8e70b7105035839b36c4af79ab9dc3e7_JaffaCakes118.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2280 wrote to memory of 2176 | N/A | C:\Users\Admin\AppData\Local\Temp\8e70b7105035839b36c4af79ab9dc3e7_JaffaCakes118.exe | C:\Windows\SysWOW64\WerFault.exe |
| PID 2280 wrote to memory of 2176 | N/A | C:\Users\Admin\AppData\Local\Temp\8e70b7105035839b36c4af79ab9dc3e7_JaffaCakes118.exe | C:\Windows\SysWOW64\WerFault.exe |
| PID 2280 wrote to memory of 2176 | N/A | C:\Users\Admin\AppData\Local\Temp\8e70b7105035839b36c4af79ab9dc3e7_JaffaCakes118.exe | C:\Windows\SysWOW64\WerFault.exe |
| PID 2280 wrote to memory of 2176 | N/A | C:\Users\Admin\AppData\Local\Temp\8e70b7105035839b36c4af79ab9dc3e7_JaffaCakes118.exe | C:\Windows\SysWOW64\WerFault.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\8e70b7105035839b36c4af79ab9dc3e7_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\8e70b7105035839b36c4af79ab9dc3e7_JaffaCakes118.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2280 -s 96
Network
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-04 01:19
Reported
2024-11-04 03:37
Platform
win10v2004-20241007-en
Max time kernel
140s
Max time network
140s
Command Line
Signatures
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\8e70b7105035839b36c4af79ab9dc3e7_JaffaCakes118.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\nsinet.exe | C:\Users\Admin\AppData\Local\Temp\8e70b7105035839b36c4af79ab9dc3e7_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\nsinet.exe | C:\Users\Admin\AppData\Local\Temp\8e70b7105035839b36c4af79ab9dc3e7_JaffaCakes118.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\Instant Access\DesktopIcons\NoCreditCard.lnk | C:\Users\Admin\AppData\Local\Temp\8e70b7105035839b36c4af79ab9dc3e7_JaffaCakes118.exe | N/A |
| File created | C:\Program Files (x86)\Instant Access\Center\NoCreditCard.lnk | C:\Users\Admin\AppData\Local\Temp\8e70b7105035839b36c4af79ab9dc3e7_JaffaCakes118.exe | N/A |
| File created | C:\Program Files (x86)\Instant Access\Multi\20091016121022\medias\button1.gif | C:\Users\Admin\AppData\Local\Temp\8e70b7105035839b36c4af79ab9dc3e7_JaffaCakes118.exe | N/A |
| File created | C:\Program Files (x86)\Instant Access\Multi\20091016121022\medias\button4.gif | C:\Users\Admin\AppData\Local\Temp\8e70b7105035839b36c4af79ab9dc3e7_JaffaCakes118.exe | N/A |
| File created | C:\Program Files (x86)\Instant Access\Multi\20091016121022\medias\button3.gif | C:\Users\Admin\AppData\Local\Temp\8e70b7105035839b36c4af79ab9dc3e7_JaffaCakes118.exe | N/A |
| File created | C:\Program Files (x86)\Instant Access\Multi\20091016121022\js\js_api_dialer.php | C:\Users\Admin\AppData\Local\Temp\8e70b7105035839b36c4af79ab9dc3e7_JaffaCakes118.exe | N/A |
| File created | C:\Program Files (x86)\Instant Access\Multi\20091016121022\dialerexe.ini | C:\Users\Admin\AppData\Local\Temp\8e70b7105035839b36c4af79ab9dc3e7_JaffaCakes118.exe | N/A |
| File created | C:\Program Files (x86)\Instant Access\Multi\20091016121022\Common\module.php | C:\Users\Admin\AppData\Local\Temp\8e70b7105035839b36c4af79ab9dc3e7_JaffaCakes118.exe | N/A |
| File created | C:\Program Files (x86)\Instant Access\Multi\20091016121022\medias\button2.gif | C:\Users\Admin\AppData\Local\Temp\8e70b7105035839b36c4af79ab9dc3e7_JaffaCakes118.exe | N/A |
| File created | C:\Program Files (x86)\Instant Access\Multi\20091016121022\medias\dialer.ico | C:\Users\Admin\AppData\Local\Temp\8e70b7105035839b36c4af79ab9dc3e7_JaffaCakes118.exe | N/A |
| File created | C:\Program Files (x86)\Instant Access\Multi\20091016121022\instant access.exe | C:\Users\Admin\AppData\Local\Temp\8e70b7105035839b36c4af79ab9dc3e7_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Instant Access\Center\NoCreditCard.lnk | C:\Users\Admin\AppData\Local\Temp\8e70b7105035839b36c4af79ab9dc3e7_JaffaCakes118.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\dialexe.zl | C:\Users\Admin\AppData\Local\Temp\8e70b7105035839b36c4af79ab9dc3e7_JaffaCakes118.exe | N/A |
| File created | C:\Windows\dialexe.epk | C:\Users\Admin\AppData\Local\Temp\8e70b7105035839b36c4af79ab9dc3e7_JaffaCakes118.exe | N/A |
| File created | C:\Windows\dialerexe.ini | C:\Users\Admin\AppData\Local\Temp\8e70b7105035839b36c4af79ab9dc3e7_JaffaCakes118.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\8e70b7105035839b36c4af79ab9dc3e7_JaffaCakes118.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DF1C8E21-4045-4D67-B528-335F1A4F0DE9} | C:\Users\Admin\AppData\Local\Temp\8e70b7105035839b36c4af79ab9dc3e7_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DF1C8E21-4045-4D67-B528-335F1A4F0DE9}\LocalServer32 | C:\Users\Admin\AppData\Local\Temp\8e70b7105035839b36c4af79ab9dc3e7_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DF1C8E21-4045-4D67-B528-335F1A4F0DE9}\LocalServer32\ = "C:\\Windows\\SysWow64\\nsinet.exe /run" | C:\Users\Admin\AppData\Local\Temp\8e70b7105035839b36c4af79ab9dc3e7_JaffaCakes118.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8e70b7105035839b36c4af79ab9dc3e7_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8e70b7105035839b36c4af79ab9dc3e7_JaffaCakes118.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\8e70b7105035839b36c4af79ab9dc3e7_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\8e70b7105035839b36c4af79ab9dc3e7_JaffaCakes118.exe"
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | scripts.dlv4.com | udp |
| NL | 95.211.219.65:80 | scripts.dlv4.com | tcp |
| US | 8.8.8.8:53 | 66.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 65.219.211.95.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| NL | 95.211.219.65:80 | scripts.dlv4.com | tcp |
| US | 8.8.8.8:53 | ww1.dlv4.com | udp |
| US | 208.91.196.145:80 | ww1.dlv4.com | tcp |
| US | 8.8.8.8:53 | 145.196.91.208.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
Files
memory/1516-0-0x0000000000400000-0x000000000041B000-memory.dmp
memory/1516-3-0x0000000010000000-0x000000001004C000-memory.dmp
memory/1516-4-0x0000000010000000-0x000000001004C000-memory.dmp
memory/1516-5-0x0000000000400000-0x0000000000443908-memory.dmp
memory/1516-1-0x0000000010000000-0x000000001004C000-memory.dmp
C:\Windows\dialerexe.ini
| MD5 | 9a9b71d41b964aa053d25f020edcc118 |
| SHA1 | 6a885fc6ceb994f43a1f41723156e83101f35b05 |
| SHA256 | c44ddfc857788d4a937db7940aecedc7a99afe13ca8f936247d0eb6566b8bca9 |
| SHA512 | a4af3e4f11e4669067324ae8643aba7a7da6bad170bbb7914d3bdb96e9a889f6b9378269b444c41b44cad02f3abad751a9d2c3da83c8194fbb27efe32122ee64 |
C:\Program Files (x86)\Instant Access\Multi\20091016121022\instant access.exe
| MD5 | 8e70b7105035839b36c4af79ab9dc3e7 |
| SHA1 | ec864e373d03cd56b1ec2ec3ddda159eed49c66c |
| SHA256 | e0ba5fab6b8c8001696856c0e1255fbeb1589925b4fdf4561f05dbef000b06a9 |
| SHA512 | a4dec9c687a8dda095c9a5b413a9de2d15f588d4227fa8212db7bca647c3eed97faec27d08db07c66ef1d1e211f4e74efeb3b721b0ed7dfe3ff3986e88d6524a |
C:\Program Files (x86)\Instant Access\DesktopIcons\NoCreditCard.lnk
| MD5 | c2abc8d78153f0af3ed8dfd28fde7012 |
| SHA1 | 046e93d5ffde6cc19f4003972ce03979a763eff3 |
| SHA256 | 59d3699e07144dd3dc71e2b2be331ec9c8d9e2f734d17021680b4e31bd40386b |
| SHA512 | 426c7acee0993a360bc5e1b8297835b5a4f963ff07bb79c07a87bda80a6192ffff5b2779b5105ba12591259ee675bb262ce1c7c77992307369bc254673361a60 |