Malware Analysis Report

2025-03-14 21:46

Sample ID: 250203-tbqs7svqh1
Target: JaffaCakes118_8a2bdb5e601deb704b795bc5eebf45da
SHA256: e7f547a1c4b5a322747bcbfcef945029971c0228c1bbf0cf43daf995c7da8b51
Tags: google discovery phishing
Score: 10/10

Analysis Overview

Threat Level: Known bad

The file JaffaCakes118_8a2bdb5e601deb704b795bc5eebf45da was found to be: Known bad.

Malicious Activity Summary

google discovery phishing

Detected google phishing page

Executes dropped EXE

Checks computer location settings

Loads dropped DLL

Legitimate hosting services abused for malware hosting/C2

Drops file in System32 directory

Drops file in Windows directory

System Location Discovery: System Language Discovery

Unsigned PE

Enumerates physical storage devices

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Modifies data under HKEY_USERS

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2025-02-03 15:53

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2025-02-03 15:53
Reported: 2025-02-03 15:55
Platform: win7-20240903-en
Max time kernel: 142s
Max time network: 139s

Command Line

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8a2bdb5e601deb704b795bc5eebf45da.exe"

Signatures

Detected google phishing page

Tags: phishing google
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system.exe | N/A
N/A | N/A | C:\Windows\system.exe | N/A
N/A | N/A | C:\Windows\system.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\temp.exe | N/A
N/A | N/A | C:\Windows\system.exe | N/A

Legitimate hosting services abused for malware hosting/C2

Description | Indicator | Process | Target
N/A | sites.google.com | N/A | N/A
N/A | sites.google.com | N/A | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\4FA45AE1010E09657982D8D28B3BD38E_A4910F65FB301FC460D3A6054A2253EC | C:\Windows\system.exe | N/A
File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\1FRIXI3K.txt | C:\Windows\system.exe | N/A
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\1FRIXI3K.txt | C:\Windows\system.exe | N/A
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B46811C17859FFB409CF0E904A4AA8F8 | C:\Windows\system.exe | N/A
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\05DDC6AA91765AACACDB0A5F96DF8199 | C:\Windows\system.exe | N/A
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\05DDC6AA91765AACACDB0A5F96DF8199 | C:\Windows\system.exe | N/A
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8B2B9A00839EED1DFDCCC3BFC2F5DF12 | C:\Windows\system.exe | N/A
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8B2B9A00839EED1DFDCCC3BFC2F5DF12 | C:\Windows\system.exe | N/A
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B46811C17859FFB409CF0E904A4AA8F8 | C:\Windows\system.exe | N/A
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\D6AA22DA63AEAA61826C0D7C76455F33_BE04BFFDC626E991C9EEB9B7D35CF4B8 | C:\Windows\system.exe | N/A
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\D6AA22DA63AEAA61826C0D7C76455F33_BE04BFFDC626E991C9EEB9B7D35CF4B8 | C:\Windows\system.exe | N/A
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\4FA45AE1010E09657982D8D28B3BD38E_A4910F65FB301FC460D3A6054A2253EC | C:\Windows\system.exe | N/A
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat | C:\Windows\system.exe | N/A
File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\B6ACAWP6.txt | C:\Windows\system.exe | N/A
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\B6ACAWP6.txt | C:\Windows\system.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\system.exe | C:\Users\Admin\AppData\Local\Temp\temp.exe | N/A
File opened for modification | C:\Windows\system.exe | C:\Users\Admin\AppData\Local\Temp\temp.exe | N/A
File created | C:\Windows\uninstal.bat | C:\Users\Admin\AppData\Local\Temp\temp.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Tags: discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\temp.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\system.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8a2bdb5e601deb704b795bc5eebf45da.exe | N/A

Modifies data under HKEY_USERS

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\system.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Windows\system.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Windows\system.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\system.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" | C:\Windows\system.exe | N/A
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2628585F-3796-4199-A150-A419D2D90FD7}\WpadDecisionTime = 40fa24c25376db01 | C:\Windows\system.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Windows\system.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | C:\Windows\system.exe | N/A
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | C:\Windows\system.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My | C:\Windows\system.exe | N/A
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 | C:\Windows\system.exe | N/A
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\16-46-be-a6-e5-17\WpadDecisionTime = 40fa24c25376db01 | C:\Windows\system.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\system.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs | C:\Windows\system.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\system.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\system.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\system.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2628585F-3796-4199-A150-A419D2D90FD7} | C:\Windows\system.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" | C:\Windows\system.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix | C:\Windows\system.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\system.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\system.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\system.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\system.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Windows\system.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings | C:\Windows\system.exe | N/A
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | C:\Windows\system.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" | C:\Windows\system.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | C:\Windows\system.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2628585F-3796-4199-A150-A419D2D90FD7}\WpadDecisionReason = "1" | C:\Windows\system.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\system.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\system.exe | N/A
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f007d000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | C:\Windows\system.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2628585F-3796-4199-A150-A419D2D90FD7}\WpadNetworkName = "Network 3" | C:\Windows\system.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\system.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\system.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\system.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Windows\system.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\system.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\system.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\system.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\system.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | C:\Windows\system.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\16-46-be-a6-e5-17 | C:\Windows\system.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Windows\system.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\system.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs | C:\Windows\system.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\system.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Windows\system.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\16-46-be-a6-e5-17\WpadDecisionReason = "1" | C:\Windows\system.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" | C:\Windows\system.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\system.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Windows\system.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings | C:\Windows\system.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2628585F-3796-4199-A150-A419D2D90FD7}\WpadDecision = "0" | C:\Windows\system.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Windows\system.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\system.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs | C:\Windows\system.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\system.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\system.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad | C:\Windows\system.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2628585F-3796-4199-A150-A419D2D90FD7}\16-46-be-a6-e5-17 | C:\Windows\system.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\system.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates | C:\Windows\system.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\temp.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\system.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8a2bdb5e601deb704b795bc5eebf45da.exe

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8a2bdb5e601deb704b795bc5eebf45da.exe"

C:\Users\Admin\AppData\Local\Temp\temp.exe

"C:\Users\Admin\AppData\Local\Temp\temp.exe"

C:\Windows\system.exe

C:\Windows\system.exe

C:\Windows\SysWOW64\cmd.exe

cmd /c C:\Windows\uninstal.bat

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | sites.google.com | udp
DE | 172.217.18.14:80 | sites.google.com | tcp
DE | 172.217.18.14:443 | sites.google.com | tcp
US | 8.8.8.8:53 | c.pki.goog | udp
DE | 142.250.186.67:80 | c.pki.goog | tcp
US | 8.8.8.8:53 | o.pki.goog | udp
DE | 142.250.186.67:80 | o.pki.goog | tcp
US | 8.8.8.8:53 | accounts.google.com | udp
US | 142.251.173.84:443 | accounts.google.com | tcp

Files

\Users\Admin\AppData\Local\Temp\temp.exe

MD5 2cb734d6e80d55630dbefbdb58a9cfe2
SHA1 6f66e6ba349448a107720312f8a21043389034d3
SHA256 959ed1fcdf9476c97a155f5f2cc349b9fc2aa19e7e9d5c6dc2974d8a895cc030
SHA512 8a5dacb4c1c042e029c7ad2d8e05fced89c17bcc0d0a6952417272927ddd9ecfe4147b11798dce0b8bfc52aa5d55d7bee598fa510b262cb13896dba88271d1b1

C:\Windows\uninstal.bat

MD5 d844dfb0f997e4d32cdb6dafa4d7717a
SHA1 eaa7b33e52129f946e1aca0ce3cf45a7ce36b5ec
SHA256 0f38f96239893411209b61471bb7c2412a8637ce0e5cbf9cc3c23e14ee44759a
SHA512 fdeeeda586bf1d748ab962bd579ab3ef69a59ab9306bd3b29663dd496bba31e0a20b62e6076c08bfef44ad821e9dd69e88a29a56d427cbba532947cf91947be5

Analysis: behavioral2

Detonation Overview

Submitted: 2025-02-03 15:53
Reported: 2025-02-03 15:55
Platform: win10v2004-20250129-en
Max time kernel: 148s
Max time network: 150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8a2bdb5e601deb704b795bc5eebf45da.exe"

Signatures

Detected google phishing page

Tags: phishing google
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system.exe | N/A
N/A | N/A | C:\Windows\system.exe | N/A
N/A | N/A | C:\Windows\system.exe | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-805940606-1861219160-370298170-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8a2bdb5e601deb704b795bc5eebf45da.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\temp.exe | N/A
N/A | N/A | C:\Windows\system.exe | N/A

Legitimate hosting services abused for malware hosting/C2

Description | Indicator | Process | Target
N/A | sites.google.com | N/A | N/A
N/A | sites.google.com | N/A | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8B2B9A00839EED1DFDCCC3BFC2F5DF12 | C:\Windows\system.exe | N/A
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\D6AA22DA63AEAA61826C0D7C76455F33_BE04BFFDC626E991C9EEB9B7D35CF4B8 | C:\Windows\system.exe | N/A
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 | C:\Windows\system.exe | N/A
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 | C:\Windows\system.exe | N/A
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache | C:\Windows\system.exe | N/A
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 | C:\Windows\system.exe | N/A
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE | C:\Windows\system.exe | N/A
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8B2B9A00839EED1DFDCCC3BFC2F5DF12 | C:\Windows\system.exe | N/A
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B46811C17859FFB409CF0E904A4AA8F8 | C:\Windows\system.exe | N/A
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B46811C17859FFB409CF0E904A4AA8F8 | C:\Windows\system.exe | N/A
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\D6AA22DA63AEAA61826C0D7C76455F33_BE04BFFDC626E991C9EEB9B7D35CF4B8 | C:\Windows\system.exe | N/A
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\05DDC6AA91765AACACDB0A5F96DF8199 | C:\Windows\system.exe | N/A
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\4FA45AE1010E09657982D8D28B3BD38E_A4910F65FB301FC460D3A6054A2253EC | C:\Windows\system.exe | N/A
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content | C:\Windows\system.exe | N/A
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft | C:\Windows\system.exe | N/A
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData | C:\Windows\system.exe | N/A
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 | C:\Windows\system.exe | N/A
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\05DDC6AA91765AACACDB0A5F96DF8199 | C:\Windows\system.exe | N/A
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\4FA45AE1010E09657982D8D28B3BD38E_A4910F65FB301FC460D3A6054A2253EC | C:\Windows\system.exe | N/A
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies | C:\Windows\system.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\system.exe | C:\Users\Admin\AppData\Local\Temp\temp.exe | N/A
File created | C:\Windows\uninstal.bat | C:\Users\Admin\AppData\Local\Temp\temp.exe | N/A
File created | C:\Windows\system.exe | C:\Users\Admin\AppData\Local\Temp\temp.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Tags: discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\temp.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\system.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8a2bdb5e601deb704b795bc5eebf45da.exe | N/A

Modifies data under HKEY_USERS

Description | Indicator | Process | Target
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | C:\Windows\system.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software | C:\Windows\system.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings | C:\Windows\system.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix | C:\Windows\system.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Windows\system.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | C:\Windows\system.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft | C:\Windows\system.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows | C:\Windows\system.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | C:\Windows\system.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | C:\Windows\system.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | C:\Windows\system.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History | C:\Windows\system.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion | C:\Windows\system.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\P3P | C:\Windows\system.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" | C:\Windows\system.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\system.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\temp.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\system.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8a2bdb5e601deb704b795bc5eebf45da.exe

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8a2bdb5e601deb704b795bc5eebf45da.exe"

C:\Users\Admin\AppData\Local\Temp\temp.exe

"C:\Users\Admin\AppData\Local\Temp\temp.exe"

C:\Windows\system.exe

C:\Windows\system.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Windows\uninstal.bat

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | g.bing.com | udp
US | 150.171.28.10:443 | g.bing.com | tcp
US | 8.8.8.8:53 | 17.160.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 11.153.16.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp
US | 8.8.8.8:53 | 5.114.82.104.in-addr.arpa | udp
US | 8.8.8.8:53 | sites.google.com | udp
DE | 172.217.18.14:80 | sites.google.com | tcp
DE | 172.217.18.14:443 | sites.google.com | tcp
US | 8.8.8.8:53 | c.pki.goog | udp
DE | 142.250.186.67:80 | c.pki.goog | tcp
US | 8.8.8.8:53 | o.pki.goog | udp
DE | 142.250.186.67:80 | o.pki.goog | tcp
US | 8.8.8.8:53 | 67.186.250.142.in-addr.arpa | udp
US | 8.8.8.8:53 | 14.18.217.172.in-addr.arpa | udp
US | 8.8.8.8:53 | accounts.google.com | udp
US | 142.251.173.84:443 | accounts.google.com | tcp
GB | 95.101.143.184:443 | www.bing.com | tcp
US | 8.8.8.8:53 | 84.173.251.142.in-addr.arpa | udp
US | 8.8.8.8:53 | 184.143.101.95.in-addr.arpa | udp
US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 20.49.80.91.in-addr.arpa | udp

Files

C:\Users\Admin\AppData\Local\Temp\temp.exe

MD5 2cb734d6e80d55630dbefbdb58a9cfe2
SHA1 6f66e6ba349448a107720312f8a21043389034d3
SHA256 959ed1fcdf9476c97a155f5f2cc349b9fc2aa19e7e9d5c6dc2974d8a895cc030
SHA512 8a5dacb4c1c042e029c7ad2d8e05fced89c17bcc0d0a6952417272927ddd9ecfe4147b11798dce0b8bfc52aa5d55d7bee598fa510b262cb13896dba88271d1b1

C:\Windows\uninstal.bat

MD5 d844dfb0f997e4d32cdb6dafa4d7717a
SHA1 eaa7b33e52129f946e1aca0ce3cf45a7ce36b5ec
SHA256 0f38f96239893411209b61471bb7c2412a8637ce0e5cbf9cc3c23e14ee44759a
SHA512 fdeeeda586bf1d748ab962bd579ab3ef69a59ab9306bd3b29663dd496bba31e0a20b62e6076c08bfef44ad821e9dd69e88a29a56d427cbba532947cf91947be5
