Analysis Overview
SHA256
c1b8f071d7ca85637086f1a38873d86937aa1b180de301ff3ef7211dcefc0922
Threat Level: Shows suspicious behavior
Verdict for JaffaCakes118_437298c4fbec9e4ef812f7324ffaf4b6: shows suspicious behavior.
Malicious Activity Summary
Identifies Wine through registry keys
Loads dropped DLL
Executes dropped EXE
Maps connected drives based on registry
Adds Run key to start application
Modifies WinLogon
Suspicious use of SetThreadContext
Unsigned PE
System Location Discovery: System Language Discovery
Enumerates physical storage devices
Program crash
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2025-01-27 20:34
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2025-01-27 20:34
Reported
2025-01-27 20:36
Platform
win7-20240903-en
Max time kernel
119s
Max time network
120s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\zzbrenkzz.exe | N/A |
Identifies Wine through registry keys
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Wine | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_437298c4fbec9e4ef812f7324ffaf4b6.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Wine | C:\Users\Admin\AppData\Roaming\zzbrenkzz.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_437298c4fbec9e4ef812f7324ffaf4b6.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\aksjbnvbdhabnsghdhurh = "C:\\Users\\Admin\\AppData\\Roaming\\zzbrenkzz.exe" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_437298c4fbec9e4ef812f7324ffaf4b6.exe | N/A |
Maps connected drives based on registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_437298c4fbec9e4ef812f7324ffaf4b6.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_437298c4fbec9e4ef812f7324ffaf4b6.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | C:\Users\Admin\AppData\Roaming\zzbrenkzz.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | C:\Users\Admin\AppData\Roaming\zzbrenkzz.exe | N/A |
Modifies WinLogon
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman = "C:\\Users\\Admin\\AppData\\Roaming\\zzbrenkzz.exe" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_437298c4fbec9e4ef812f7324ffaf4b6.exe | N/A |
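The two persistence rows above (the Run value under the user's hive and the Winlogon\Taskman value, both pointing at the copy in AppData\Roaming) are the kind of indicator a hunt query should match on the key suffix, not on the sandbox's SID. The following is an added example, not part of the sandbox output: it runs that logic over constructed registry value-set events laid out like Sysmon Event ID 13. The SAMPLE_EVENTS rows, the field names and the function names are assumptions; rows 1 and 2 mirror this report, rows 3 and 4 are benign noise the rules must ignore. The Winlogon rule goes beyond the report and also covers the Shell and Userinit values, which are written for the same purpose.

```python
"""Persistence hunt over registry value-set events.

Added example, not sandbox output. Event layout follows Sysmon Event ID 13
(RegistryEvent, value set); the sample rows and function names are assumptions.
"""
import re

# Constructed events. Rows 1-2 mirror the report; rows 3-4 are benign noise.
SAMPLE_EVENTS = [
    {
        "Image": r"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_437298c4fbec9e4ef812f7324ffaf4b6.exe",
        "TargetObject": r"HKU\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\aksjbnvbdhabnsghdhurh",
        "Details": r'"C:\\Users\\Admin\\AppData\\Roaming\\zzbrenkzz.exe"',  # escaped form, as the report prints it
    },
    {
        "Image": r"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_437298c4fbec9e4ef812f7324ffaf4b6.exe",
        "TargetObject": r"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman",
        "Details": r'"C:\\Users\\Admin\\AppData\\Roaming\\zzbrenkzz.exe"',
    },
    {   # hypothetical vendor updater: Run key, but payload under Program Files
        "Image": r"C:\Program Files\Vendor\Updater.exe",
        "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorUpdater",
        "Details": r'"C:\\Program Files\\Vendor\\Updater.exe" --background',
    },
    {   # ordinary Explorer setting under the same user hive
        "Image": r"C:\Windows\explorer.exe",
        "TargetObject": r"HKU\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden",
        "Details": "DWORD (0x00000002)",
    },
]

# Match on the key suffix so the rule works for any hive root or SID.
RUN_VALUE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\\[^\\]+$", re.I)
WINLOGON_VALUE = re.compile(r"\\Windows NT\\CurrentVersion\\Winlogon\\(?:Taskman|Shell|Userinit)$", re.I)
USER_WRITABLE = re.compile(r"\\(?:AppData|Temp|ProgramData|Users\\Public)\\", re.I)
EXE_PATH = re.compile(r'[A-Za-z]:\\[^"]+?\.exe\b', re.I)


def payload_path(details):
    """Pull the first .exe path out of the value data, undoing doubled backslashes and quotes."""
    m = EXE_PATH.search(details.replace("\\\\", "\\"))
    return m.group(0) if m else None


def classify(event):
    """Return a finding dict for a persistence write, or None for anything else."""
    target = event["TargetObject"]
    payload = payload_path(event.get("Details", ""))
    base = {"image": event["Image"], "target": target, "payload": payload}
    if WINLOGON_VALUE.search(target):
        # Taskman/Shell/Userinit are almost never written by legitimate software.
        return dict(base, rule="winlogon_value_set", severity="high")
    if RUN_VALUE.search(target) and payload and USER_WRITABLE.search(payload):
        # Run entries are common; the signal is a payload living where any user can write.
        return dict(base, rule="run_key_user_writable", severity="medium")
    return None


def scan(events):
    return [f for f in (classify(e) for e in events) if f]


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f['severity']}] {f['rule']}: {f['image']} wrote {f['target']} = {f['payload']}")
```

Run keys that point at a program under Program Files are deliberately not reported; they are better handled by an allow-list than by a rule, while any write to the three Winlogon values is worth a ticket on its own.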
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1076 set thread context of 1528 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_437298c4fbec9e4ef812f7324ffaf4b6.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_437298c4fbec9e4ef812f7324ffaf4b6.exe |
The target, PID 1528, is another instance of the same executable (three instances appear under Processes), and every memory dump listed under Files was taken from PID 1528. A parent writing into a freshly started copy of itself and then resetting its thread context is the usual shape of self-injection (process hollowing), so the dumps of PID 1528's 0x400000-0x411000 image region, rather than the file on disk, are where any unpacked code should be looked for.
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Roaming\zzbrenkzz.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_437298c4fbec9e4ef812f7324ffaf4b6.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\zzbrenkzz.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_437298c4fbec9e4ef812f7324ffaf4b6.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_437298c4fbec9e4ef812f7324ffaf4b6.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\zzbrenkzz.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_437298c4fbec9e4ef812f7324ffaf4b6.exe | "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_437298c4fbec9e4ef812f7324ffaf4b6.exe" |
| C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_437298c4fbec9e4ef812f7324ffaf4b6.exe | N/A |
| C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_437298c4fbec9e4ef812f7324ffaf4b6.exe | N/A |
| C:\Users\Admin\AppData\Roaming\zzbrenkzz.exe | "C:\Users\Admin\AppData\Roaming\zzbrenkzz.exe" |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 2448 -s 128 |
Network
Files
memory/1528-0-0x0000000000400000-0x0000000000411000-memory.dmp
memory/1528-2-0x0000000000400000-0x0000000000411000-memory.dmp
memory/1528-4-0x0000000000400000-0x0000000000411000-memory.dmp
memory/1528-6-0x0000000000400000-0x0000000000411000-memory.dmp
memory/1528-8-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/1528-10-0x0000000000400000-0x0000000000411000-memory.dmp
memory/1528-12-0x0000000000400000-0x0000000000411000-memory.dmp
memory/1528-13-0x0000000000400000-0x0000000000411000-memory.dmp
C:\Users\Admin\AppData\Roaming\zzbrenkzz.exe (all four hashes match the submitted sample, so this is a byte-for-byte copy of itself, and it is the file the Run key and Winlogon\Taskman values point at)
| MD5 | 437298c4fbec9e4ef812f7324ffaf4b6 |
| SHA1 | 4468814c74f41a69d7cbc73c0e80edb02889c1f6 |
| SHA256 | c1b8f071d7ca85637086f1a38873d86937aa1b180de301ff3ef7211dcefc0922 |
| SHA512 | d9c2ecd4a131466cb49e77016b062e802848cdc70343d7b56a320d5c62222d816540469a58fb4110e807a1762aa4a3f902b4c97c78d1d5bd4d154273ecd6766c |
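The SetThreadContext row (PID 1076 redirecting a thread in PID 1528, a second instance of the same image) and the memory dumps above (all from PID 1528, mostly the 0x400000-0x411000 image region) are two halves of one pattern, and a triage script should tie them together. The following is an added example, not part of the sandbox output: it correlates constructed process-creation and API-trace events into a self-injection finding and parses the report's dump names to list which regions of the injected process were captured. The tuple layout, the hypothetical debugger process used as a negative control and the function names are assumptions; the dump names are the ones listed in this report.

```python
"""Correlate a self-spawn with a cross-process write and a thread-context change.

Added example, not sandbox output. The event tuples are constructed to mirror this
report; their layout and the function names are assumptions.
"""
import re
from collections import defaultdict

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_437298c4fbec9e4ef812f7324ffaf4b6.exe"

# Constructed API-trace style events:
#   ("process_create", parent_pid, pid, image)
#   ("api", caller_pid, api_name, target_pid)
SAMPLE_EVENTS = [
    ("process_create", None, 1076, SAMPLE),
    ("process_create", 1076, 1528, SAMPLE),                    # second copy of itself
    ("api", 1076, "WriteProcessMemory", 1528),
    ("api", 1076, "SetThreadContext", 1528),
    ("process_create", None, 4000, r"C:\Tools\debugger.exe"),  # hypothetical negative control
    ("api", 4000, "WriteProcessMemory", 1528),                 # not the parent, no context change
]

# Dump names exactly as listed under Files in this report.
MEMORY_DUMPS = [
    "memory/1528-0-0x0000000000400000-0x0000000000411000-memory.dmp",
    "memory/1528-10-0x0000000000400000-0x0000000000411000-memory.dmp",
    "memory/1528-8-0x000000007EFDE000-0x000000007EFDF000-memory.dmp",
    "memory/1528-6-0x0000000000400000-0x0000000000411000-memory.dmp",
    "memory/1528-4-0x0000000000400000-0x0000000000411000-memory.dmp",
    "memory/1528-2-0x0000000000400000-0x0000000000411000-memory.dmp",
    "memory/1528-13-0x0000000000400000-0x0000000000411000-memory.dmp",
    "memory/1528-12-0x0000000000400000-0x0000000000411000-memory.dmp",
]

DUMP_NAME = re.compile(r"memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp")


def parse_dump_name(name):
    """Split 'memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp' into its fields."""
    m = DUMP_NAME.fullmatch(name)
    if m is None:
        raise ValueError(f"unexpected dump name: {name}")
    pid, seq, start, end = m.groups()
    return {"pid": int(pid), "seq": int(seq), "start": int(start, 16), "end": int(end, 16)}


def dumped_regions(dump_names, pid):
    """Distinct (start, end) regions the sandbox dumped from one process, ascending."""
    regions = {(d["start"], d["end"]) for d in map(parse_dump_name, dump_names) if d["pid"] == pid}
    return sorted(regions)


def find_self_injection(events):
    """Flag a caller that created the target, wrote into it and reset its thread context."""
    image, parent = {}, {}
    apis = defaultdict(set)  # (caller, target) -> API names seen
    for ev in events:
        if ev[0] == "process_create":
            _, ppid, pid, path = ev
            image[pid], parent[pid] = path, ppid
        elif ev[0] == "api":
            _, caller, name, target = ev
            apis[(caller, target)].add(name)
    findings = []
    for (caller, target), names in apis.items():
        # A write plus a thread-context change into a process you just created is the
        # hollowing pattern; a write alone (debuggers, some installers) is not enough.
        if {"WriteProcessMemory", "SetThreadContext"} <= names and parent.get(target) == caller:
            same_image = image.get(caller, "").lower() == image.get(target, "").lower()
            findings.append({"caller": caller, "target": target, "target_image": image.get(target),
                             "rule": "self_hollowing" if same_image else "child_hollowing"})
    return findings


if __name__ == "__main__":
    for f in find_self_injection(SAMPLE_EVENTS):
        print(f["rule"], f["caller"], "->", f["target"], f["target_image"])
    for start, end in dumped_regions(MEMORY_DUMPS, 1528):
        print(f"PID 1528 dumped 0x{start:X}-0x{end:X} ({end - start} bytes)")
```

The parent/child check matters: a debugger or an installer legitimately writes into other processes, but only a process that created its target and then rewrote the target's entry context fits the hollowing shape this report shows.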
Analysis: behavioral2
Detonation Overview
Submitted
2025-01-27 20:34
Reported
2025-01-28 02:42
Platform
win10v2004-20241007-en
Max time kernel
92s
Max time network
141s
Command Line
Signatures
Identifies Wine through registry keys
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Wine | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_437298c4fbec9e4ef812f7324ffaf4b6.exe | N/A |
Maps connected drives based on registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_437298c4fbec9e4ef812f7324ffaf4b6.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_437298c4fbec9e4ef812f7324ffaf4b6.exe | N/A |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_437298c4fbec9e4ef812f7324ffaf4b6.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_437298c4fbec9e4ef812f7324ffaf4b6.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_437298c4fbec9e4ef812f7324ffaf4b6.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_437298c4fbec9e4ef812f7324ffaf4b6.exe | N/A |
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_437298c4fbec9e4ef812f7324ffaf4b6.exe | "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_437298c4fbec9e4ef812f7324ffaf4b6.exe" |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 428 -ip 428 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 428 -s 444 |
Network (only reverse-DNS PTR lookups via 8.8.8.8 were recorded in the 141 s capture; no other outbound traffic appears in this run)
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 5.114.82.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.49.80.91.in-addr.arpa | udp |