Analysis Overview
SHA256
4faa52890c2fcfd276f09e14307b986a6f09b364a3e0e9b78c951b08e23b9931
Threat Level: Shows suspicious behavior
The file JaffaCakes118_c7762705ee54de6da6b5637c4ef04f85 was found to be: Shows suspicious behavior.
Malicious Activity Summary
Loads dropped DLL
ACProtect 1.3x - 1.4x DLL software
Reads user/profile data of web browsers
Accesses Microsoft Outlook profiles
Checks installed software on the system
Adds Run key to start application
Drops file in System32 directory
UPX packed file
Program crash
System Location Discovery: System Language Discovery
Unsigned PE
outlook_win_path
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2025-01-19 12:13
Signatures
UPX packed file
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2025-01-19 12:13
Reported
2025-01-19 12:16
Platform
win7-20241010-en
Max time kernel
148s
Max time network
123s
Signatures
ACProtect 1.3x - 1.4x DLL software
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Reads user/profile data of web browsers
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7762705ee54de6da6b5637c4ef04f85.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSIDLL = "C:\\Windows\\SysWOW64\\rundll32.exe msimxq32.dll,AfOReqV" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7762705ee54de6da6b5637c4ef04f85.exe | N/A |
Checks installed software on the system
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Windows\SysWOW64\msimxq32.dll | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7762705ee54de6da6b5637c4ef04f85.exe | N/A |
| File created | C:\Windows\SysWOW64\msimxq32.dll | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7762705ee54de6da6b5637c4ef04f85.exe | N/A |
UPX packed file
Program crash
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7762705ee54de6da6b5637c4ef04f85.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7762705ee54de6da6b5637c4ef04f85.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7762705ee54de6da6b5637c4ef04f85.exe | N/A |
Suspicious use of WriteProcessMemory
outlook_win_path
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7762705ee54de6da6b5637c4ef04f85.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7762705ee54de6da6b5637c4ef04f85.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7762705ee54de6da6b5637c4ef04f85.exe"
C:\Windows\SysWOW64\rundll32.exe
C:\Windows\SysWOW64\rundll32.exe msimxq32.dll,AfOReqV
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2776 -s 320
Files
C:\Windows\SysWOW64\msimxq32.dll
| Hash | Value |
| --- | --- |
| MD5 | b61079ff3b82d5ce715dcce36f815e68 |
| SHA1 | 71a92150736132de10df4ad5a3ea2dd6a91e1292 |
| SHA256 | 8d4b07ac95d671e9db6b337c9ff5605c881845f274cc2a9f82cb447d3a2c44ca |
| SHA512 | 535ef20486069a6c3aa4b91870f8bd41f8a6c56e526005adbc185890a5db68e8c4bb8e87a435839e71495e7719968b727cb35a90bfbcba72a2ab97ca6a97f3bb |
Analysis: behavioral2
Detonation Overview
Submitted
2025-01-19 12:13
Reported
2025-01-19 12:16
Platform
win10v2004-20241007-en
Max time kernel
146s
Max time network
142s
Signatures
ACProtect 1.3x - 1.4x DLL software
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSIDLL = "C:\\Windows\\SysWOW64\\rundll32.exe msisdb32.dll,AfOReqV" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7762705ee54de6da6b5637c4ef04f85.exe | N/A |
Checks installed software on the system
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\SysWOW64\msisdb32.dll | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7762705ee54de6da6b5637c4ef04f85.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\msisdb32.dll | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7762705ee54de6da6b5637c4ef04f85.exe | N/A |
UPX packed file
Program crash
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7762705ee54de6da6b5637c4ef04f85.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7762705ee54de6da6b5637c4ef04f85.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 3088 wrote to memory of 4844 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7762705ee54de6da6b5637c4ef04f85.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7762705ee54de6da6b5637c4ef04f85.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7762705ee54de6da6b5637c4ef04f85.exe"
C:\Windows\SysWOW64\rundll32.exe
C:\Windows\SysWOW64\rundll32.exe msisdb32.dll,AfOReqV
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3088 -ip 3088
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3088 -s 664
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.153.16.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 64.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 7.98.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
Files
C:\Windows\SysWOW64\msisdb32.dll
| Hash | Value |
| --- | --- |
| MD5 | b61079ff3b82d5ce715dcce36f815e68 |
| SHA1 | 71a92150736132de10df4ad5a3ea2dd6a91e1292 |
| SHA256 | 8d4b07ac95d671e9db6b337c9ff5605c881845f274cc2a9f82cb447d3a2c44ca |
| SHA512 | 535ef20486069a6c3aa4b91870f8bd41f8a6c56e526005adbc185890a5db68e8c4bb8e87a435839e71495e7719968b727cb35a90bfbcba72a2ab97ca6a97f3bb |