Analysis Overview
SHA256
f49999ebc7d42541f55b907fc3dad89990eee0bd7f77cec66760bfb1b73e8d10
Threat Level: Shows suspicious behavior
The file JaffaCakes118_4372bf8109ce46e1043ea597a55a5763 was classified as: Shows suspicious behavior.
Malicious Activity Summary
Executes dropped EXE
Deletes itself
Drops file in System32 directory
Drops file in Windows directory
Unsigned PE
System Location Discovery: System Language Discovery
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2025-01-27 20:34
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2025-01-27 20:34
Reported
2025-01-27 20:37
Platform
win7-20241023-en
Max time kernel
123s
Max time network
131s
Command Line
Signatures
Deletes itself
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\alg.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat | C:\Windows\alg.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | C:\Windows\alg.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4372bf8109ce46e1043ea597a55a5763.exe | N/A |
| File created | C:\Windows\alg.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4372bf8109ce46e1043ea597a55a5763.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4372bf8109ce46e1043ea597a55a5763.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\alg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | C:\Windows\alg.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{4055D111-DE44-40F0-95D5-7ADCEB12E7C5}\WpadNetworkName = "Network 3" | C:\Windows\alg.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\22-73-d8-da-7a-f5 | C:\Windows\alg.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{4055D111-DE44-40F0-95D5-7ADCEB12E7C5}\22-73-d8-da-7a-f5 | C:\Windows\alg.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" | C:\Windows\alg.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" | C:\Windows\alg.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings | C:\Windows\alg.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Windows\alg.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{4055D111-DE44-40F0-95D5-7ADCEB12E7C5}\WpadDecisionReason = "1" | C:\Windows\alg.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\22-73-d8-da-7a-f5\WpadDecisionReason = "1" | C:\Windows\alg.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" | C:\Windows\alg.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | C:\Windows\alg.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | C:\Windows\alg.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | C:\Windows\alg.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad | C:\Windows\alg.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{4055D111-DE44-40F0-95D5-7ADCEB12E7C5}\WpadDecisionTime = 40506cf1fa70db01 | C:\Windows\alg.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\22-73-d8-da-7a-f5\WpadDecisionTime = 40506cf1fa70db01 | C:\Windows\alg.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" | C:\Windows\alg.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings | C:\Windows\alg.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{4055D111-DE44-40F0-95D5-7ADCEB12E7C5} | C:\Windows\alg.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{4055D111-DE44-40F0-95D5-7ADCEB12E7C5}\WpadDecision = "0" | C:\Windows\alg.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\22-73-d8-da-7a-f5\WpadDecision = "0" | C:\Windows\alg.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix | C:\Windows\alg.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0117000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | C:\Windows\alg.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4372bf8109ce46e1043ea597a55a5763.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 1236 wrote to memory of 2724 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4372bf8109ce46e1043ea597a55a5763.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 1236 wrote to memory of 2724 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4372bf8109ce46e1043ea597a55a5763.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 1236 wrote to memory of 2724 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4372bf8109ce46e1043ea597a55a5763.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 1236 wrote to memory of 2724 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4372bf8109ce46e1043ea597a55a5763.exe | C:\Windows\SysWOW64\cmd.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4372bf8109ce46e1043ea597a55a5763.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4372bf8109ce46e1043ea597a55a5763.exe"
C:\Windows\alg.exe
"C:\Windows\alg.exe" /service
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\$$a$$.bat
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | www.51299.org | udp |
| US | 3.33.130.190:80 | www.51299.org | tcp |
| US | 3.33.130.190:80 | www.51299.org | tcp |
| US | 3.33.130.190:80 | www.51299.org | tcp |
| US | 3.33.130.190:80 | www.51299.org | tcp |
Files
memory/1236-0-0x0000000000400000-0x000000000047E000-memory.dmp
memory/1236-1-0x0000000000400000-0x000000000047E000-memory.dmp
C:\Windows\alg.exe
| MD5 | 4372bf8109ce46e1043ea597a55a5763 |
| SHA1 | 135dd2a511c6b7515768b0973a5a4575ccddaa3e |
| SHA256 | f49999ebc7d42541f55b907fc3dad89990eee0bd7f77cec66760bfb1b73e8d10 |
| SHA512 | 6e3de390deac8afb60383f58d5bad25ef40e71121d0c92e9c0d79a6a68dea7057cbcf577027d8d7bca8470b0b1e7eded3c98bc77ac6f9ed7370c8b91a44d5841 |
C:\Users\Admin\AppData\Local\Temp\$$a$$.bat
| MD5 | b2e44fe40c43b7cec146c22d81c2cab0 |
| SHA1 | 9066f9fba27532e59a46fb5dee83b893af9eaa73 |
| SHA256 | ef92d3db27d889102fe1036ad0012a9df8c21eba8fbfb1aac17493efccd9b1a1 |
| SHA512 | 0ef4ace5dcc235d35f31965982ed8c2992ab0715f0572990633a9b9eed4667eb49193eb0ba0b0e1027fb6b0bc52ec9d36eb38ea0ab7b8f84d65d4fd196077bc4 |
memory/1236-14-0x0000000000400000-0x000000000047E000-memory.dmp
memory/2340-16-0x0000000000400000-0x000000000047E000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2025-01-27 20:34
Reported
2025-01-28 02:45
Platform
win10v2004-20241007-en
Max time kernel
121s
Max time network
143s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\alg.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | C:\Windows\alg.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4372bf8109ce46e1043ea597a55a5763.exe | N/A |
| File created | C:\Windows\alg.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4372bf8109ce46e1043ea597a55a5763.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4372bf8109ce46e1043ea597a55a5763.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\alg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | C:\Windows\alg.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | C:\Windows\alg.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Windows\alg.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | C:\Windows\alg.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | C:\Windows\alg.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4372bf8109ce46e1043ea597a55a5763.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4372bf8109ce46e1043ea597a55a5763.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 5008 wrote to memory of 4636 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4372bf8109ce46e1043ea597a55a5763.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 5008 wrote to memory of 4636 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4372bf8109ce46e1043ea597a55a5763.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 5008 wrote to memory of 4636 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4372bf8109ce46e1043ea597a55a5763.exe | C:\Windows\SysWOW64\cmd.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4372bf8109ce46e1043ea597a55a5763.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4372bf8109ce46e1043ea597a55a5763.exe"
C:\Windows\alg.exe
"C:\Windows\alg.exe" /service
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a$$.bat
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 7.98.51.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.51299.org | udp |
| US | 15.197.148.33:80 | www.51299.org | tcp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 33.148.197.15.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 15.197.148.33:80 | www.51299.org | tcp |
| US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp |
| US | 15.197.148.33:80 | www.51299.org | tcp |
| US | 8.8.8.8:53 | 180.129.81.91.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 15.197.148.33:80 | www.51299.org | tcp |
Files
memory/5008-0-0x0000000000400000-0x000000000047E000-memory.dmp
memory/5008-1-0x0000000000400000-0x000000000047E000-memory.dmp
C:\Windows\alg.exe
| MD5 | 4372bf8109ce46e1043ea597a55a5763 |
| SHA1 | 135dd2a511c6b7515768b0973a5a4575ccddaa3e |
| SHA256 | f49999ebc7d42541f55b907fc3dad89990eee0bd7f77cec66760bfb1b73e8d10 |
| SHA512 | 6e3de390deac8afb60383f58d5bad25ef40e71121d0c92e9c0d79a6a68dea7057cbcf577027d8d7bca8470b0b1e7eded3c98bc77ac6f9ed7370c8b91a44d5841 |
memory/5008-10-0x0000000000400000-0x000000000047E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\$$a$$.bat
| MD5 | b2e44fe40c43b7cec146c22d81c2cab0 |
| SHA1 | 9066f9fba27532e59a46fb5dee83b893af9eaa73 |
| SHA256 | ef92d3db27d889102fe1036ad0012a9df8c21eba8fbfb1aac17493efccd9b1a1 |
| SHA512 | 0ef4ace5dcc235d35f31965982ed8c2992ab0715f0572990633a9b9eed4667eb49193eb0ba0b0e1027fb6b0bc52ec9d36eb38ea0ab7b8f84d65d4fd196077bc4 |
memory/2936-12-0x0000000000400000-0x000000000047E000-memory.dmp