Analysis Overview
SHA256
018094b89c13f7d35a068cfc6ab6fbb012e9588ee9d93ebad8ecc4e2a95d9878
Threat Level: Shows suspicious behavior
The file JaffaCakes118_40bec10104b213d99983caec70e6e348 was classified as showing suspicious behavior.
Malicious Activity Summary
Reads user/profile data of web browsers
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2025-01-27 14:57
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2025-01-27 14:57
Reported
2025-01-27 15:00
Platform
win7-20240903-en
Max time kernel
120s
Max time network
121s
Signatures
Reads user/profile data of web browsers
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_40bec10104b213d99983caec70e6e348.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2380 wrote to memory of 2436 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_40bec10104b213d99983caec70e6e348.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 2380 wrote to memory of 2436 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_40bec10104b213d99983caec70e6e348.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 2380 wrote to memory of 2436 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_40bec10104b213d99983caec70e6e348.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 2380 wrote to memory of 2436 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_40bec10104b213d99983caec70e6e348.exe | C:\Windows\SysWOW64\cmd.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_40bec10104b213d99983caec70e6e348.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_40bec10104b213d99983caec70e6e348.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\424.bat
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | stats-182385724-1591972470.us-east-1.elb.amazonaws.com | udp |
Files
memory/2380-0-0x0000000010000000-0x000000001010F000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\424.bat
| MD5 | 1e5388a427013031d18ba3645a8d24b9 |
| SHA1 | bc24e057b7975b2bde5f1d07604420559b43eabd |
| SHA256 | dda7e67e924db0cec4076370863f832e921e7f0be6804d3c4aab1e56c577b3fa |
| SHA512 | c05e42173bec5584221467c037dfdfdf7328815c6ef4fa5efd39d1dd6dff9923950dc6c0920e090c9470f18b3141ac0c3129b8d002bd5b31e9bb9ed6027e2d14 |
C:\Users\Admin\AppData\Local\Temp\43489.exe
| MD5 | 40bec10104b213d99983caec70e6e348 |
| SHA1 | e2b6f3202589f8309d3731300da9b7f01f972cdc |
| SHA256 | 018094b89c13f7d35a068cfc6ab6fbb012e9588ee9d93ebad8ecc4e2a95d9878 |
| SHA512 | 591b32a20d6bfdae85ca4cba8c2247008042ac0ede23c150f429a954a450ced04627a229009df93161217335a9d5d12f136a82b9954f095239936e316762907b |
Analysis: behavioral2
Detonation Overview
Submitted
2025-01-27 14:57
Reported
2025-01-27 15:00
Platform
win10v2004-20241007-en
Max time kernel
149s
Max time network
150s
Signatures
Reads user/profile data of web browsers
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_40bec10104b213d99983caec70e6e348.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 216 wrote to memory of 4932 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_40bec10104b213d99983caec70e6e348.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 216 wrote to memory of 4932 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_40bec10104b213d99983caec70e6e348.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 216 wrote to memory of 4932 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_40bec10104b213d99983caec70e6e348.exe | C:\Windows\SysWOW64\cmd.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_40bec10104b213d99983caec70e6e348.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_40bec10104b213d99983caec70e6e348.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\125.bat
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | stats-182385724-1591972470.us-east-1.elb.amazonaws.com | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 5.114.82.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | stats-182385724-1591972470.us-east-1.elb.amazonaws.com | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 89.16.208.104.in-addr.arpa | udp |
Files
memory/216-0-0x0000000010000000-0x000000001010F000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\125.bat
| MD5 | b027e97a400220ab39273e0b0d784957 |
| SHA1 | 13670ca0824b41663054a27b2286d6055d304c07 |
| SHA256 | 1666f9e3e83a5240e3deb8ccbe6f7a8ee420bd1034731b3e0239ca6ade2046ec |
| SHA512 | df4c843e533d21df07f871e0ac972540a8d209be97982652e28cbb1de592984a57d65ec309a9dbe003b302c72b07d653e8971407719c002024eb007b34d8b2c1 |
C:\Users\Admin\AppData\Local\Temp\43489.exe
| MD5 | 40bec10104b213d99983caec70e6e348 |
| SHA1 | e2b6f3202589f8309d3731300da9b7f01f972cdc |
| SHA256 | 018094b89c13f7d35a068cfc6ab6fbb012e9588ee9d93ebad8ecc4e2a95d9878 |
| SHA512 | 591b32a20d6bfdae85ca4cba8c2247008042ac0ede23c150f429a954a450ced04627a229009df93161217335a9d5d12f136a82b9954f095239936e316762907b |
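The two behavioral runs share a pattern that is worth checking mechanically rather than by eye: the dropped C:\Users\Admin\AppData\Local\Temp\43489.exe carries exactly the hashes of the submitted sample (so it is a self-copy, not a second-stage payload), the only "WriteProcessMemory" targets are the cmd.exe each run lists directly under the sample, and almost all of the Windows 10 DNS activity is reverse (in-addr.arpa) lookups with no connection from the sample recorded anywhere in the Network tables. The Python below is an added example written for this page, not part of the sandbox report or its tooling. Every row it consumes is transcribed from the tables above; the function names are its own, and the pairing of writer PID to child PID is an inference (the Processes sections give no PIDs) and is labelled as such in the code. The caveat it encodes: a parent writing into a child it has just spawned is consistent with ordinary process setup, so those rows alone are not proof of code injection.

```python
"""Triage helpers for the two behavioral runs above (added example, not part of the
sandbox report). Every input row is transcribed from the report's tables; the function
names and the parent/child PID pairing are this example's own."""
from collections import Counter

# SHA256 of the submitted sample, from "Analysis Overview".
SAMPLE_SHA256 = "018094b89c13f7d35a068cfc6ab6fbb012e9588ee9d93ebad8ecc4e2a95d9878"

# (run, path, sha256) for each entry in the two "Files" tables.
DROPPED_FILES = [
    ("behavioral1", r"C:\Users\Admin\AppData\Local\Temp\424.bat",
     "dda7e67e924db0cec4076370863f832e921e7f0be6804d3c4aab1e56c577b3fa"),
    ("behavioral1", r"C:\Users\Admin\AppData\Local\Temp\43489.exe",
     "018094b89c13f7d35a068cfc6ab6fbb012e9588ee9d93ebad8ecc4e2a95d9878"),
    ("behavioral2", r"C:\Users\Admin\AppData\Local\Temp\125.bat",
     "1666f9e3e83a5240e3deb8ccbe6f7a8ee420bd1034731b3e0239ca6ade2046ec"),
    ("behavioral2", r"C:\Users\Admin\AppData\Local\Temp\43489.exe",
     "018094b89c13f7d35a068cfc6ab6fbb012e9588ee9d93ebad8ecc4e2a95d9878"),
]

# (run, writer_pid, target_pid) for each "PID X wrote to memory of Y" row.
WPM_EVENTS = [("behavioral1", 2380, 2436)] * 4 + [("behavioral2", 216, 4932)] * 3

# Assumption: the WriteProcessMemory target is the single cmd.exe each run lists under
# the sample, so it is treated as a child the sample spawned. The report's "Processes"
# sections carry no PIDs, so this pairing is inferred from the tables, not stated.
SPAWNED_BY_SAMPLE = {("behavioral1", 2380, 2436), ("behavioral2", 216, 4932)}

# (run, queried name) for every row of the two "Network" tables.
DNS_QUERIES = [
    ("behavioral1", "stats-182385724-1591972470.us-east-1.elb.amazonaws.com"),
    ("behavioral2", "stats-182385724-1591972470.us-east-1.elb.amazonaws.com"),
    ("behavioral2", "217.106.137.52.in-addr.arpa"),
    ("behavioral2", "88.210.23.2.in-addr.arpa"),
    ("behavioral2", "71.31.126.40.in-addr.arpa"),
    ("behavioral2", "5.114.82.104.in-addr.arpa"),
    ("behavioral2", "stats-182385724-1591972470.us-east-1.elb.amazonaws.com"),
    ("behavioral2", "133.211.185.52.in-addr.arpa"),
    ("behavioral2", "13.86.106.20.in-addr.arpa"),
    ("behavioral2", "50.23.12.20.in-addr.arpa"),
    ("behavioral2", "241.42.69.40.in-addr.arpa"),
    ("behavioral2", "11.227.111.52.in-addr.arpa"),
    ("behavioral2", "172.210.232.199.in-addr.arpa"),
    ("behavioral2", "89.16.208.104.in-addr.arpa"),
]


def self_copies(files, sample_sha256=SAMPLE_SHA256):
    """Dropped files whose SHA256 equals the submitted sample: byte-identical copies
    of itself rather than a second-stage payload."""
    return [(run, path) for run, path, sha in files if sha.lower() == sample_sha256.lower()]


def new_artifacts(files, sample_sha256=SAMPLE_SHA256):
    """Distinct dropped files that are NOT the sample, keyed by SHA256."""
    return {sha: path for _, path, sha in files if sha.lower() != sample_sha256.lower()}


def classify_wpm(events, spawned):
    """Group WriteProcessMemory rows per (run, writer, target) and mark whether the
    target is a child the writer had just spawned. A parent writing into its own new
    child is consistent with ordinary process setup, so that pattern by itself is not
    evidence of code injection; a write into an unrelated, pre-existing process is."""
    return {key: {"writes": n, "target_is_own_child": key in spawned}
            for key, n in Counter(events).items()}


def ptr_to_ip(name):
    """Turn a reverse-lookup name such as 217.106.137.52.in-addr.arpa back into the
    IPv4 address being resolved (52.137.106.217); None if it is not a valid PTR name."""
    suffix = ".in-addr.arpa"
    if not name.endswith(suffix):
        return None
    octets = name[: -len(suffix)].split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        return None
    return ".".join(reversed(octets))


def split_dns(queries):
    """Separate forward lookups from reverse (PTR) lookups, each mapped to the runs it
    was seen in. Many PTR lookups of unrelated addresses on the Windows 10 image are
    typical OS background traffic and are not C2 without a matching connection."""
    forward, reverse = {}, {}
    for run, name in queries:
        ip = ptr_to_ip(name)
        bucket, key = (forward, name) if ip is None else (reverse, ip)
        bucket.setdefault(key, set()).add(run)
    return forward, reverse


def names_seen_in_every_run(queries):
    """Forward-lookup names queried in all runs; a name recurring across different OS
    images is the one to check against the sample's own process first."""
    runs = {run for run, _ in queries}
    forward, _ = split_dns(queries)
    return sorted(name for name, seen in forward.items() if seen == runs)


if __name__ == "__main__":
    print("self-copies:", self_copies(DROPPED_FILES))
    print("new artifacts:", new_artifacts(DROPPED_FILES))
    print("WriteProcessMemory:", classify_wpm(WPM_EVENTS, SPAWNED_BY_SAMPLE))
    fwd, rev = split_dns(DNS_QUERIES)
    print("forward:", fwd, "\nreverse (resolved IPs):", sorted(rev))
    print("in every run:", names_seen_in_every_run(DNS_QUERIES))
```

Run as-is, the script reports 43489.exe as a self-copy in both runs, leaves 424.bat and 125.bat as the only new artifacts (their contents are not in the report, so nothing here guesses at them), marks all seven WriteProcessMemory rows as writes into the sample's own cmd.exe child, and reduces the behavioral2 DNS table to one forward name plus eleven reverse lookups whose resolved addresses can be compared against any connection list.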