Analysis Overview
SHA256
f49e8cfd307af20bf391126c25c801c0c1fe96f08b725de7cbd1f539a805209d
Threat Level: Shows suspicious behavior
The file 8eae60fba1baabbe66a794be50ca376b_JaffaCakes118 was found to be: Shows suspicious behavior.
Malicious Activity Summary
Executes dropped EXE
Checks whether UAC is enabled
Drops file in System32 directory
UPX packed file
Drops file in Windows directory
Drops file in Program Files directory
Unsigned PE
Enumerates physical storage devices
Program crash
System Location Discovery: System Language Discovery
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Modifies registry class
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-04 02:25
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-04 02:25
Reported
2024-11-04 04:55
Platform
win7-20240903-en
Max time kernel
122s
Max time network
128s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\8eae60fba1baabbe66a794be50ca376b_JaffaCakes118.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\8eae60fba1baabbe66a794be50ca376b_JaffaCakes118.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2280 wrote to memory of 2684 | N/A | C:\Users\Admin\AppData\Local\Temp\8eae60fba1baabbe66a794be50ca376b_JaffaCakes118.exe | C:\Windows\SysWOW64\WerFault.exe |
| PID 2280 wrote to memory of 2684 | N/A | C:\Users\Admin\AppData\Local\Temp\8eae60fba1baabbe66a794be50ca376b_JaffaCakes118.exe | C:\Windows\SysWOW64\WerFault.exe |
| PID 2280 wrote to memory of 2684 | N/A | C:\Users\Admin\AppData\Local\Temp\8eae60fba1baabbe66a794be50ca376b_JaffaCakes118.exe | C:\Windows\SysWOW64\WerFault.exe |
| PID 2280 wrote to memory of 2684 | N/A | C:\Users\Admin\AppData\Local\Temp\8eae60fba1baabbe66a794be50ca376b_JaffaCakes118.exe | C:\Windows\SysWOW64\WerFault.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\8eae60fba1baabbe66a794be50ca376b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\8eae60fba1baabbe66a794be50ca376b_JaffaCakes118.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2280 -s 172
Network
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-04 02:25
Reported
2024-11-04 04:54
Platform
win10v2004-20241007-en
Max time kernel
141s
Max time network
140s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWow64\nsinet.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\8eae60fba1baabbe66a794be50ca376b_JaffaCakes118.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\nsinet.exe | C:\Users\Admin\AppData\Local\Temp\8eae60fba1baabbe66a794be50ca376b_JaffaCakes118.exe | N/A |
| File created | C:\Windows\SysWOW64\nsinet.exe | C:\Users\Admin\AppData\Local\Temp\8eae60fba1baabbe66a794be50ca376b_JaffaCakes118.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\Instant Access\Multi\20081127191147\medias\button1.gif | C:\Users\Admin\AppData\Local\Temp\8eae60fba1baabbe66a794be50ca376b_JaffaCakes118.exe | N/A |
| File created | C:\Program Files (x86)\Instant Access\Multi\20081127191147\medias\button4.gif | C:\Users\Admin\AppData\Local\Temp\8eae60fba1baabbe66a794be50ca376b_JaffaCakes118.exe | N/A |
| File created | C:\Program Files (x86)\Instant Access\Multi\20081127191147\medias\button3.gif | C:\Users\Admin\AppData\Local\Temp\8eae60fba1baabbe66a794be50ca376b_JaffaCakes118.exe | N/A |
| File created | C:\Program Files (x86)\Instant Access\Multi\20081127191147\dialerexe.ini | C:\Users\Admin\AppData\Local\Temp\8eae60fba1baabbe66a794be50ca376b_JaffaCakes118.exe | N/A |
| File created | C:\Program Files (x86)\Instant Access\DesktopIcons\SuperBabes.lnk | C:\Users\Admin\AppData\Local\Temp\8eae60fba1baabbe66a794be50ca376b_JaffaCakes118.exe | N/A |
| File created | C:\Program Files (x86)\Instant Access\Center\tray1.ico | C:\Windows\SysWow64\nsinet.exe | N/A |
| File created | C:\Program Files (x86)\Instant Access\Multi\20081127191147\Common\module.php | C:\Users\Admin\AppData\Local\Temp\8eae60fba1baabbe66a794be50ca376b_JaffaCakes118.exe | N/A |
| File created | C:\Program Files (x86)\Instant Access\Multi\20081127191147\medias\button2.gif | C:\Users\Admin\AppData\Local\Temp\8eae60fba1baabbe66a794be50ca376b_JaffaCakes118.exe | N/A |
| File created | C:\Program Files (x86)\Instant Access\Multi\20081127191147\medias\dialer.ico | C:\Users\Admin\AppData\Local\Temp\8eae60fba1baabbe66a794be50ca376b_JaffaCakes118.exe | N/A |
| File created | C:\Program Files (x86)\Instant Access\Multi\20081127191147\js\js_api_dialer.php | C:\Users\Admin\AppData\Local\Temp\8eae60fba1baabbe66a794be50ca376b_JaffaCakes118.exe | N/A |
| File created | C:\Program Files (x86)\Instant Access\Multi\20081127191147\instant access.exe | C:\Users\Admin\AppData\Local\Temp\8eae60fba1baabbe66a794be50ca376b_JaffaCakes118.exe | N/A |
| File created | C:\Program Files (x86)\Instant Access\Center\SuperBabes.lnk | C:\Users\Admin\AppData\Local\Temp\8eae60fba1baabbe66a794be50ca376b_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Instant Access\Center\SuperBabes.lnk | C:\Users\Admin\AppData\Local\Temp\8eae60fba1baabbe66a794be50ca376b_JaffaCakes118.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\dialexe.zl | C:\Users\Admin\AppData\Local\Temp\8eae60fba1baabbe66a794be50ca376b_JaffaCakes118.exe | N/A |
| File created | C:\Windows\dialexe.epk | C:\Users\Admin\AppData\Local\Temp\8eae60fba1baabbe66a794be50ca376b_JaffaCakes118.exe | N/A |
| File created | C:\Windows\dialerexe.ini | C:\Users\Admin\AppData\Local\Temp\8eae60fba1baabbe66a794be50ca376b_JaffaCakes118.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\8eae60fba1baabbe66a794be50ca376b_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWow64\nsinet.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DF1C8E21-4045-4D67-B528-335F1A4F0DE9} | C:\Users\Admin\AppData\Local\Temp\8eae60fba1baabbe66a794be50ca376b_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DF1C8E21-4045-4D67-B528-335F1A4F0DE9}\LocalServer32 | C:\Users\Admin\AppData\Local\Temp\8eae60fba1baabbe66a794be50ca376b_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DF1C8E21-4045-4D67-B528-335F1A4F0DE9}\LocalServer32\ = "C:\\Windows\\SysWow64\\nsinet.exe /run" | C:\Users\Admin\AppData\Local\Temp\8eae60fba1baabbe66a794be50ca376b_JaffaCakes118.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8eae60fba1baabbe66a794be50ca376b_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8eae60fba1baabbe66a794be50ca376b_JaffaCakes118.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\8eae60fba1baabbe66a794be50ca376b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\8eae60fba1baabbe66a794be50ca376b_JaffaCakes118.exe"
C:\Windows\SysWow64\nsinet.exe
C:\Windows\SysWow64\nsinet.exe /run -Embedding
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
Files
memory/4212-0-0x0000000000400000-0x000000000041B000-memory.dmp
memory/4212-1-0x0000000010000000-0x000000001004C000-memory.dmp
memory/4212-3-0x0000000010000000-0x000000001004C000-memory.dmp
memory/4212-5-0x0000000000400000-0x0000000000448908-memory.dmp
memory/4212-4-0x0000000010000000-0x000000001004C000-memory.dmp
C:\Windows\dialerexe.ini
| MD5 | 5db3292eb66934e506b0641a9a21163c |
| SHA1 | f7b8bcfa24705ea914ebd458fcc7ad573cd9e718 |
| SHA256 | 0be1e5a749bf507214f9eff565e639182e12a543945762f65ffba6ad963854f2 |
| SHA512 | da9e9f825b12961437a2ae5c9116d5298cdb3aa1b44a654c86d88c46d7fd79c04d518acbe76cc1b866b84f9e950aa3546340804a5a602712f9770a92ef96e192 |
C:\Program Files (x86)\Instant Access\Multi\20081127191147\instant access.exe
| MD5 | 8eae60fba1baabbe66a794be50ca376b |
| SHA1 | 679660ed5d2db29597f6c01c71ad3133e413e1d2 |
| SHA256 | f49e8cfd307af20bf391126c25c801c0c1fe96f08b725de7cbd1f539a805209d |
| SHA512 | 02d2b1c08ef6d5968b3bce4ac3ede220e8d4394e71a822b3d148937071c5a9c7e74670e64536ae3fee7fe3f50f7eea8a2b1bc4e4bf12c2ccaba0940b5a63abfe |
C:\Program Files (x86)\Instant Access\DesktopIcons\SuperBabes.lnk
| MD5 | 96890fa4e8f3b9a96c21e3d8ee73904d |
| SHA1 | 6c509f1ddeeeef7c933fcecb29897433704c4173 |
| SHA256 | fb753b089fdf4bdd5e519a1b8da4e4ca6fb4e329b0617005984049de36277bc6 |
| SHA512 | e412f2ba64dff2ba0fbeb313f9d4ddea64cb66cb671d30bda6b7edf137de380fbedd3fa6f495c923e91157f3bd32edc288667d31b5b37b2c6c13e416d56cabca |
C:\Program Files (x86)\Instant Access\Multi\20081127191147\Common\module.php
| MD5 | 38cd8b10bf16640a9d8734a7ee018908 |
| SHA1 | 60f75378e573d259daec6e4bf02975e39245ac5a |
| SHA256 | 53774fd7e7b48c4489d750b021a3d564e075ac84fd10fc3c8c6aa7affdd50d16 |
| SHA512 | 9f5042200c2f819599ef23de9fa4543d21d57fc074c34dc5c7c70e13cc3c4fc2bc1c015a84310429cf527e455a0ff83897e90da458b4575b0777a93676761528 |
memory/1592-65-0x0000000000400000-0x0000000000448908-memory.dmp
memory/1592-70-0x0000000010000000-0x000000001004C000-memory.dmp
memory/4212-72-0x0000000000400000-0x000000000041B000-memory.dmp