Analysis Overview
SHA256
105e589ca9105d157ef06c860c0b11dc56b0f3e138c2123b804bfe400e70a1e9
Threat Level: Shows suspicious behavior
The file JaffaCakes118_d045f8b1c180eb6a5ed7649412870d3a was found to show suspicious behavior.
Malicious Activity Summary
Executes dropped EXE
Reads user/profile data of web browsers
Loads dropped DLL
Adds Run key to start application
UPX packed file
Program crash
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Modifies Internet Explorer settings
Modifies Internet Explorer Phishing Filter
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2025-01-19 19:01
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2025-01-19 19:01
Reported
2025-01-19 19:04
Platform
win10v2004-20241007-en
Max time kernel
93s
Max time network
147s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d045f8b1c180eb6a5ed7649412870d3a.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d045f8b1c180eb6a5ed7649412870d3a.exe | N/A |
Processes
| Process | Command Line |
| --- | --- |
| C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d045f8b1c180eb6a5ed7649412870d3a.exe | "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d045f8b1c180eb6a5ed7649412870d3a.exe" |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3952 -ip 3952 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 3952 -s 472 |
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 182.129.81.91.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 245.131.30.184.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral1
Detonation Overview
Submitted
2025-01-19 19:01
Reported
2025-01-19 19:04
Platform
win7-20240903-en
Max time kernel
150s
Max time network
145s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\trivax1.Bin\trivax1.Bin.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d045f8b1c180eb6a5ed7649412870d3a.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d045f8b1c180eb6a5ed7649412870d3a.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\trivax1.Bin.exe = "C:\\trivax1.Bin\\trivax1.Bin.exe" | C:\trivax1.Bin\trivax1.Bin.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d045f8b1c180eb6a5ed7649412870d3a.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\trivax1.Bin\trivax1.Bin.exe | N/A |
Modifies Internet Explorer Phishing Filter
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\PhishingFilter | C:\trivax1.Bin\trivax1.Bin.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\PhishingFilter\EnabledV8 = "0" | C:\trivax1.Bin\trivax1.Bin.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\PhishingFilter\ShownServiceDownBalloon = "0" | C:\trivax1.Bin\trivax1.Bin.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Recovery | C:\trivax1.Bin\trivax1.Bin.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Recovery\ClearBrowsingHistoryOnExit = "0" | C:\trivax1.Bin\trivax1.Bin.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target | Count |
| --- | --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d045f8b1c180eb6a5ed7649412870d3a.exe | N/A | 4 |
| Token: SeDebugPrivilege | N/A | C:\trivax1.Bin\trivax1.Bin.exe | N/A | 60 |
Suspicious use of WriteProcessMemory
Processes
| Process | Command Line |
| --- | --- |
| C:\Windows\system32\wininit.exe | wininit.exe |
| C:\Windows\system32\winlogon.exe | winlogon.exe |
| C:\Windows\system32\lsass.exe | C:\Windows\system32\lsass.exe |
| C:\Windows\system32\lsm.exe | C:\Windows\system32\lsm.exe |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k DcomLaunch |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k RPCSS |
| C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted |
| C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalService |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k NetworkService |
| C:\Windows\System32\spoolsv.exe | C:\Windows\System32\spoolsv.exe |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork |
| C:\Windows\system32\taskhost.exe | "taskhost.exe" |
| C:\Windows\system32\Dwm.exe | "C:\Windows\system32\Dwm.exe" |
| C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE |
| C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE | "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE" |
| C:\Windows\system32\wbem\wmiprvse.exe | C:\Windows\system32\wbem\wmiprvse.exe |
| C:\Windows\system32\DllHost.exe | C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683} |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation |
| C:\Windows\system32\sppsvc.exe | C:\Windows\system32\sppsvc.exe |
| C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d045f8b1c180eb6a5ed7649412870d3a.exe | "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d045f8b1c180eb6a5ed7649412870d3a.exe" |
| C:\trivax1.Bin\trivax1.Bin.exe | "C:\trivax1.Bin\trivax1.Bin.exe" |
| C:\Windows\system32\DllHost.exe | C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} |
| C:\Windows\system32\DllHost.exe | C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} |
| C:\Windows\system32\wbem\wmiprvse.exe | C:\Windows\system32\wbem\wmiprvse.exe -Embedding |
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | traxbax.com | udp |
| UA | 213.155.21.32:8080 | N/A | tcp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| DE | 95.101.149.131:80 | www.microsoft.com | tcp |
| DE | 95.101.149.131:80 | www.microsoft.com | tcp |
| US | 8.8.8.8:53 | itunesgiftstore.com | udp |
| US | 8.8.8.8:53 | googlestat.org | udp |
| US | 8.8.8.8:53 | uploadbit.org | udp |
Files
memory/2156-0-0x000000000044B000-0x000000000044E000-memory.dmp
memory/2156-1-0x0000000000400000-0x0000000000467000-memory.dmp
memory/2156-2-0x0000000000400000-0x0000000000467000-memory.dmp
memory/2156-4-0x0000000000230000-0x0000000000232000-memory.dmp
memory/2156-3-0x0000000000400000-0x0000000000467000-memory.dmp
memory/2156-5-0x0000000000400000-0x0000000000467000-memory.dmp
\trivax1.Bin\trivax1.Bin.exe
| Hash | Value |
| --- | --- |
| MD5 | d045f8b1c180eb6a5ed7649412870d3a |
| SHA1 | 676d5fac152feea00a7bc5680f6df20d0abbfcf6 |
| SHA256 | 105e589ca9105d157ef06c860c0b11dc56b0f3e138c2123b804bfe400e70a1e9 |
| SHA512 | 31512d5347555af2abd4426c9d82982172637e7849f82ec59ffaa49c604566f87c6c3d81f93cae8fea06efb4171c08aecec90ebc55e142b6b375e72c4f86bb6e |
memory/2760-15-0x0000000000400000-0x0000000000467000-memory.dmp
memory/2760-16-0x0000000000400000-0x0000000000467000-memory.dmp
memory/2760-17-0x0000000000400000-0x0000000000467000-memory.dmp
memory/2760-24-0x0000000000350000-0x0000000000395000-memory.dmp
memory/1228-21-0x000000000BAD0000-0x000000000BB15000-memory.dmp
memory/2156-20-0x000000000044B000-0x000000000044E000-memory.dmp
memory/2760-31-0x0000000000350000-0x0000000000395000-memory.dmp
C:\trivax1.Bin\config.bin
| Hash | Value |
| --- | --- |
| MD5 | 96f4ed1e6523ea5fd57e457fe8e12977 |
| SHA1 | 9c48d689c0d46dd4b30f3441715a384014993be2 |
| SHA256 | 3e017d7f2bcc0fa41a28f1403d006ab19e46c209b276151c0e53ebda7fe50f64 |
| SHA512 | 51f9c662f29090a940a6d231e8bf607f43368f73e415edc3138b2ae5f47ab7fb8c96f460e0c822549923c33077c2794aa01586941cecf0f2be739f096a351a08 |
memory/2760-30-0x0000000000350000-0x0000000000395000-memory.dmp
memory/2760-26-0x0000000000400000-0x0000000000467000-memory.dmp
memory/1228-78-0x000000000BB50000-0x000000000BB9F000-memory.dmp