Analysis Overview
SHA256
9d5c477d698b6378ba3f04894036c8003f7a2000046cfa274dfd6b5f6c164953
Threat Level: Likely benign
The file JaffaCakes118_4391ad8bf84c14286443dbc06374322c was found to be: Likely benign.
Malicious Activity Summary
Unsigned PE
System Location Discovery: System Language Discovery
Modifies Internet Explorer settings
Suspicious use of SetWindowsHookEx
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2025-01-27 20:50
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2025-01-27 20:50
Reported
2025-01-27 20:53
Platform
win10v2004-20241007-en
Max time kernel
149s
Max time network
150s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4391ad8bf84c14286443dbc06374322c.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4391ad8bf84c14286443dbc06374322c.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4391ad8bf84c14286443dbc06374322c.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4391ad8bf84c14286443dbc06374322c.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4391ad8bf84c14286443dbc06374322c.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | fortresshacker.allalla.com | udp |
| US | 104.21.96.1:80 | fortresshacker.allalla.com | tcp |
| US | 104.21.96.1:80 | fortresshacker.allalla.com | tcp |
| US | 8.8.8.8:53 | 5.114.82.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.96.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.afternic.com | udp |
| GB | 95.100.195.179:443 | www.afternic.com | tcp |
| GB | 95.100.195.179:443 | www.afternic.com | tcp |
| US | 8.8.8.8:53 | 179.195.100.95.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.249.124.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 85.49.80.91.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 12.173.189.20.in-addr.arpa | udp |
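The Network table above mixes three kinds of traffic: forward DNS lookups the sample made, reverse (in-addr.arpa) lookups that are mostly background resolver activity of the analysis VM, and the sample's own TCP connections. The script below is an added triage helper, not part of the original report or of the Triage platform: it parses rows copied from the table, ties each reverse lookup back to an IP the sample actually connected to, groups TCP connections per domain, and flags the sequence seen here, a plain-HTTP request to fortresshacker.allalla.com followed by a connection to www.afternic.com (a GoDaddy domain marketplace), which is the usual footprint of a callback domain that has lapsed and now serves a for-sale page. The small `PARKING_HOSTS` list is an assumption made for the example.

```python
"""Triage helper for the Network table above. This is an added example, not
part of the original sandbox report: it separates forward DNS lookups from
reverse (in-addr.arpa) lookups, ties each reverse lookup back to an IP the
sample actually connected to, groups TCP connections per domain, and flags
the pattern of an HTTP host being followed by a connection to a domain
marketplace, which is what an expired or parked callback domain looks like."""
import ipaddress
from collections import defaultdict

# Rows copied from the behavioral2 Network table (constructed sample input).
NETWORK_ROWS = """
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | fortresshacker.allalla.com | udp |
| US | 104.21.96.1:80 | fortresshacker.allalla.com | tcp |
| US | 104.21.96.1:80 | fortresshacker.allalla.com | tcp |
| US | 8.8.8.8:53 | 5.114.82.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.96.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.afternic.com | udp |
| GB | 95.100.195.179:443 | www.afternic.com | tcp |
| GB | 95.100.195.179:443 | www.afternic.com | tcp |
| US | 8.8.8.8:53 | 179.195.100.95.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.249.124.192.in-addr.arpa | udp |
"""

# Hosts that serve domain-parking / for-sale pages. Afternic is a GoDaddy
# domain marketplace; keeping the list this small is an assumption made for
# the example, a real deployment would load a maintained list.
PARKING_HOSTS = {"www.afternic.com", "afternic.com"}
PTR_SUFFIX = ".in-addr.arpa"


def parse_rows(text):
    """Turn '| country | ip:port | domain | proto |' lines into dicts."""
    rows = []
    for line in text.strip().splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 4:
            continue  # skip header or malformed lines
        country, dest, domain, proto = cells
        ip, _, port = dest.rpartition(":")
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": domain, "proto": proto.lower()})
    return rows


def ptr_target(name):
    """Return the IPv4 address a reverse-lookup name refers to, else None."""
    if not name.endswith(PTR_SUFFIX):
        return None
    octets = name[: -len(PTR_SUFFIX)].split(".")
    if len(octets) != 4:
        return None
    return str(ipaddress.IPv4Address(".".join(reversed(octets))))


def summarize(rows):
    forward, reverse = set(), {}
    tcp = defaultdict(set)
    first_http = first_parked = None
    for i, r in enumerate(rows):
        if r["proto"] == "udp" and r["port"] == 53:
            target = ptr_target(r["domain"])
            if target is None:
                forward.add(r["domain"])
            else:
                reverse[r["domain"]] = target
        elif r["proto"] == "tcp":
            tcp[r["domain"]].add((r["ip"], r["port"]))
            if r["domain"] in PARKING_HOSTS:
                if first_parked is None:
                    first_parked = i
            elif r["port"] == 80 and first_http is None:
                first_http = i
    connected = {ip for endpoints in tcp.values() for ip, _ in endpoints}
    return {
        "forward_lookups": forward,
        "reverse_lookups": reverse,
        # PTR queries for addresses the sample connected to are explained by
        # its own traffic; the remaining ones are background resolver noise.
        "ptr_for_connected_ips": {n for n, ip in reverse.items() if ip in connected},
        "tcp_by_domain": dict(tcp),
        # Plain-HTTP callback host followed by a domain-marketplace host:
        # consistent with the original domain having lapsed and been parked.
        "parked_redirect_suspected": (first_http is not None and first_parked is not None
                                      and first_http < first_parked),
    }


if __name__ == "__main__":
    for key, value in summarize(parse_rows(NETWORK_ROWS)).items():
        print(f"{key}: {value}")
```

On these rows the only PTR lookups explained by the sample's own connections are the ones for 104.21.96.1 and 95.100.195.179; the other in-addr.arpa queries have no matching connection and can be ignored during triage. A parked callback domain is also why a sample with a hard-coded C2 can still end up rated "Likely benign" by behaviour alone: nothing malicious is served, so nothing malicious happens.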
Files
memory/2324-0-0x000000007519E000-0x000000007519F000-memory.dmp
memory/2324-1-0x0000000000A90000-0x0000000000AD0000-memory.dmp
memory/2324-2-0x0000000005410000-0x00000000054AC000-memory.dmp
memory/2324-3-0x0000000005B20000-0x00000000060C4000-memory.dmp
memory/2324-4-0x0000000005570000-0x0000000005602000-memory.dmp
memory/2324-6-0x0000000075190000-0x0000000075940000-memory.dmp
memory/2324-5-0x0000000005510000-0x000000000551A000-memory.dmp
memory/2324-7-0x0000000005670000-0x00000000056C6000-memory.dmp
memory/2324-8-0x0000000075190000-0x0000000075940000-memory.dmp
memory/2324-9-0x0000000075190000-0x0000000075940000-memory.dmp
memory/2324-10-0x0000000075190000-0x0000000075940000-memory.dmp
memory/2324-19-0x000000007519E000-0x000000007519F000-memory.dmp
memory/2324-20-0x0000000075190000-0x0000000075940000-memory.dmp
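The Files list above is thirteen dump names but far fewer distinct memory regions: the same ranges (0x75190000-0x75940000, 0x7519E000-0x7519F000) recur as the sandbox snapshots them again. The script below is an added example, not part of the original report or of the Triage platform; it reads the `memory/<pid>-<index>-<start>-<end>-memory.dmp` layout off the names on this page (treating the first number as the dumped process's PID is an assumption) and collapses them into unique regions with sizes and the dump indices that cover each, which is the list you actually want before loading dumps into a debugger or scanner.

```python
"""Consolidate the memory-dump names in the Files list above. This is an
added example, not part of the original sandbox report. The layout
memory/<pid>-<index>-<start>-<end>-memory.dmp is inferred from the names on
this page (reading the first number as the dumped process's PID is an
assumption). The same address range is often dumped several times as the
sandbox takes successive snapshots, so grouping by range shows how many
distinct regions there really are, how big each one is and which dump
indices cover it."""
import re
from collections import OrderedDict

# Names copied from the behavioral2 Files section (constructed sample input).
DUMP_NAMES = """
memory/2324-0-0x000000007519E000-0x000000007519F000-memory.dmp
memory/2324-1-0x0000000000A90000-0x0000000000AD0000-memory.dmp
memory/2324-2-0x0000000005410000-0x00000000054AC000-memory.dmp
memory/2324-3-0x0000000005B20000-0x00000000060C4000-memory.dmp
memory/2324-4-0x0000000005570000-0x0000000005602000-memory.dmp
memory/2324-6-0x0000000075190000-0x0000000075940000-memory.dmp
memory/2324-5-0x0000000005510000-0x000000000551A000-memory.dmp
memory/2324-7-0x0000000005670000-0x00000000056C6000-memory.dmp
memory/2324-8-0x0000000075190000-0x0000000075940000-memory.dmp
memory/2324-9-0x0000000075190000-0x0000000075940000-memory.dmp
memory/2324-10-0x0000000075190000-0x0000000075940000-memory.dmp
memory/2324-19-0x000000007519E000-0x000000007519F000-memory.dmp
memory/2324-20-0x0000000075190000-0x0000000075940000-memory.dmp
"""

DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<idx>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)


def parse_dump_name(name):
    """Split one dump file name into pid, index and [start, end) range."""
    m = DUMP_RE.match(name.strip())
    if m is None:
        raise ValueError(f"unrecognised dump name: {name!r}")
    start, end = int(m["start"], 16), int(m["end"], 16)
    if end <= start:
        raise ValueError(f"empty or inverted range in {name!r}")
    return {"pid": int(m["pid"]), "idx": int(m["idx"]), "start": start, "end": end}


def unique_regions(names):
    """Group dumps by (pid, start, end), keeping first-seen order."""
    groups = OrderedDict()
    for name in names.strip().splitlines():
        d = parse_dump_name(name)
        groups.setdefault((d["pid"], d["start"], d["end"]), []).append(d["idx"])
    return [{"pid": pid, "start": s, "end": e, "size": e - s, "indices": sorted(idxs)}
            for (pid, s, e), idxs in groups.items()]


def largest_region(regions):
    return max(regions, key=lambda r: r["size"])


def describe(region):
    return (f"pid {region['pid']} {region['start']:#010x}-{region['end']:#010x} "
            f"{region['size'] // 1024:>6} KiB, dumped as index {region['indices']}")


if __name__ == "__main__":
    regions = unique_regions(DUMP_NAMES)
    print(f"{len(regions)} distinct regions from {len(DUMP_NAMES.split())} dumps")
    for r in sorted(regions, key=lambda r: r["size"], reverse=True):
        print(describe(r))
```

Run against the names above it reports 8 distinct regions: the 7.7 MiB range at 0x75190000 was dumped five times (indices 6, 8, 9, 10 and 20) and the single 4 KiB page at 0x7519E000 twice, so only one copy of each needs to be examined. A small region at a low address such as 0xA90000 is typically the main image and a multi-megabyte range high in the 32-bit address space a loaded module; confirm that with the dump contents rather than the address alone.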
Analysis: behavioral1
Detonation Overview
Submitted
2025-01-27 20:50
Reported
2025-01-27 20:53
Platform
win7-20240903-en
Max time kernel
119s
Max time network
121s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4391ad8bf84c14286443dbc06374322c.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4391ad8bf84c14286443dbc06374322c.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4391ad8bf84c14286443dbc06374322c.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4391ad8bf84c14286443dbc06374322c.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4391ad8bf84c14286443dbc06374322c.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4391ad8bf84c14286443dbc06374322c.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | fortresshacker.allalla.com | udp |
| US | 104.21.64.1:80 | fortresshacker.allalla.com | tcp |
| US | 104.21.64.1:80 | fortresshacker.allalla.com | tcp |
| US | 8.8.8.8:53 | www.afternic.com | udp |
| GB | 95.100.195.179:443 | www.afternic.com | tcp |
| GB | 95.100.195.179:443 | www.afternic.com | tcp |
| GB | 95.100.195.179:443 | www.afternic.com | tcp |
| GB | 95.100.195.179:443 | www.afternic.com | tcp |
| GB | 95.100.195.179:443 | www.afternic.com | tcp |
| GB | 95.100.195.179:443 | www.afternic.com | tcp |
Files
memory/1868-0-0x00000000742EE000-0x00000000742EF000-memory.dmp
memory/1868-1-0x00000000013D0000-0x0000000001410000-memory.dmp
memory/1868-2-0x00000000742E0000-0x00000000749CE000-memory.dmp
memory/1868-3-0x00000000742E0000-0x00000000749CE000-memory.dmp
memory/1868-4-0x00000000742E0000-0x00000000749CE000-memory.dmp
memory/1868-5-0x00000000742E0000-0x00000000749CE000-memory.dmp
memory/1868-14-0x00000000742EE000-0x00000000742EF000-memory.dmp
memory/1868-15-0x00000000742E0000-0x00000000749CE000-memory.dmp
memory/1868-16-0x00000000742E0000-0x00000000749CE000-memory.dmp
memory/1868-17-0x00000000742E0000-0x00000000749CE000-memory.dmp