Analysis Overview
SHA256
1476418fe69abf69d07b8824533174b4312c48da8b27bef508ab9c5fd1ef1131
Threat Level: Known bad
The file JaffaCakes118_633b0b777e7833682d3b27d889421112 was found to be: Known bad.
Malicious Activity Summary
UAC bypass
Installs/modifies Browser Helper Object
Drops file in Windows directory
Unsigned PE
System Location Discovery: System Language Discovery
Modifies Internet Explorer settings
Suspicious use of WriteProcessMemory
Modifies registry class
Modifies registry key
Suspicious use of SetWindowsHookEx
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2025-01-15 22:11
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2025-01-15 22:11
Reported
2025-01-15 22:14
Platform
win7-20240903-en
Max time kernel
122s
Max time network
123s
Command Line
Signatures
UAC bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
Installs/modifies Browser Helper Object
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_633b0b777e7833682d3b27d889421112.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\ | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_633b0b777e7833682d3b27d889421112.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\WINDOWS\addins\MediaPlay.dll | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_633b0b777e7833682d3b27d889421112.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_633b0b777e7833682d3b27d889421112.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\syswow64\REGSVR32.EXE | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_633b0b777e7833682d3b27d889421112.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\MediaPlay.sampleclass\Clsid | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_633b0b777e7833682d3b27d889421112.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\MediaPlay.sampleclass | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_633b0b777e7833682d3b27d889421112.exe | N/A |
Modifies registry key
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_633b0b777e7833682d3b27d889421112.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_633b0b777e7833682d3b27d889421112.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_633b0b777e7833682d3b27d889421112.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_633b0b777e7833682d3b27d889421112.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_633b0b777e7833682d3b27d889421112.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\System32\cmd.exe /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
C:\Windows\SysWOW64\reg.exe
C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
C:\Windows\syswow64\REGSVR32.EXE
C:\Windows\syswow64\REGSVR32.EXE /s C:\WINDOWS\addins\MediaPlay.dll
Network
| Country | Destination | Domain | Proto |
| BR | 200.183.154.2:80 | | tcp |
| BR | 200.183.154.2:80 | | tcp |
| KR | 211.179.234.210:8000 | 211.179.234.210 | tcp |
Files
memory/2480-5-0x0000000004340000-0x0000000004752000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2025-01-15 22:11
Reported
2025-01-15 22:21
Platform
win10v2004-20241007-en
Max time kernel
149s
Max time network
150s
Command Line
Signatures
UAC bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
Installs/modifies Browser Helper Object
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_633b0b777e7833682d3b27d889421112.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_633b0b777e7833682d3b27d889421112.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\WINDOWS\addins\MediaPlay.dll | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_633b0b777e7833682d3b27d889421112.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_633b0b777e7833682d3b27d889421112.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\REGSVR32.EXE | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\MediaPlay.sampleclass\Clsid | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_633b0b777e7833682d3b27d889421112.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\MediaPlay.sampleclass | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_633b0b777e7833682d3b27d889421112.exe | N/A |
Modifies registry key
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_633b0b777e7833682d3b27d889421112.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_633b0b777e7833682d3b27d889421112.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_633b0b777e7833682d3b27d889421112.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_633b0b777e7833682d3b27d889421112.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_633b0b777e7833682d3b27d889421112.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\System32\cmd.exe /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
C:\Windows\SysWOW64\reg.exe
C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
C:\Windows\SysWOW64\REGSVR32.EXE
C:\Windows\syswow64\REGSVR32.EXE /s C:\WINDOWS\addins\MediaPlay.dll
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| BR | 200.183.154.2:80 | | tcp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 167.173.78.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 69.31.126.40.in-addr.arpa | udp |
| KR | 211.179.234.210:8000 | 211.179.234.210 | tcp |
| US | 8.8.8.8:53 | 210.234.179.211.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 92.12.20.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 66.112.168.52.in-addr.arpa | udp |