Analysis Overview
SHA256
e7f547a1c4b5a322747bcbfcef945029971c0228c1bbf0cf43daf995c7da8b51
Threat Level: Known bad
The file JaffaCakes118_8a2bdb5e601deb704b795bc5eebf45da was found to be: Known bad.
Malicious Activity Summary
Detected google phishing page
Executes dropped EXE
Checks computer location settings
Loads dropped DLL
Legitimate hosting services abused for malware hosting/C2
Drops file in System32 directory
Drops file in Windows directory
System Location Discovery: System Language Discovery
Unsigned PE
Enumerates physical storage devices
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Modifies data under HKEY_USERS
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2025-02-03 15:53
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2025-02-03 15:53
Reported
2025-02-03 15:55
Platform
win7-20240903-en
Max time kernel
142s
Max time network
139s
Command Line
Signatures
Detected google phishing page
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system.exe | N/A |
| N/A | N/A | C:\Windows\system.exe | N/A |
| N/A | N/A | C:\Windows\system.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\temp.exe | N/A |
| N/A | N/A | C:\Windows\system.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8a2bdb5e601deb704b795bc5eebf45da.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8a2bdb5e601deb704b795bc5eebf45da.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | sites.google.com | N/A | N/A |
| N/A | sites.google.com | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\4FA45AE1010E09657982D8D28B3BD38E_A4910F65FB301FC460D3A6054A2253EC | C:\Windows\system.exe | N/A |
| File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\1FRIXI3K.txt | C:\Windows\system.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\1FRIXI3K.txt | C:\Windows\system.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B46811C17859FFB409CF0E904A4AA8F8 | C:\Windows\system.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\05DDC6AA91765AACACDB0A5F96DF8199 | C:\Windows\system.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\05DDC6AA91765AACACDB0A5F96DF8199 | C:\Windows\system.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8B2B9A00839EED1DFDCCC3BFC2F5DF12 | C:\Windows\system.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8B2B9A00839EED1DFDCCC3BFC2F5DF12 | C:\Windows\system.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B46811C17859FFB409CF0E904A4AA8F8 | C:\Windows\system.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\D6AA22DA63AEAA61826C0D7C76455F33_BE04BFFDC626E991C9EEB9B7D35CF4B8 | C:\Windows\system.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\D6AA22DA63AEAA61826C0D7C76455F33_BE04BFFDC626E991C9EEB9B7D35CF4B8 | C:\Windows\system.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\4FA45AE1010E09657982D8D28B3BD38E_A4910F65FB301FC460D3A6054A2253EC | C:\Windows\system.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat | C:\Windows\system.exe | N/A |
| File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\B6ACAWP6.txt | C:\Windows\system.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\B6ACAWP6.txt | C:\Windows\system.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\system.exe | C:\Users\Admin\AppData\Local\Temp\temp.exe | N/A |
| File opened for modification | C:\Windows\system.exe | C:\Users\Admin\AppData\Local\Temp\temp.exe | N/A |
| File created | C:\Windows\uninstal.bat | C:\Users\Admin\AppData\Local\Temp\temp.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\temp.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\system.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8a2bdb5e601deb704b795bc5eebf45da.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\system.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Windows\system.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Windows\system.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\system.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" | C:\Windows\system.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2628585F-3796-4199-A150-A419D2D90FD7}\WpadDecisionTime = 40fa24c25376db01 | C:\Windows\system.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Windows\system.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | C:\Windows\system.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | C:\Windows\system.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My | C:\Windows\system.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 | C:\Windows\system.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\16-46-be-a6-e5-17\WpadDecisionTime = 40fa24c25376db01 | C:\Windows\system.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\system.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs | C:\Windows\system.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\system.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\system.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\system.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2628585F-3796-4199-A150-A419D2D90FD7} | C:\Windows\system.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" | C:\Windows\system.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix | C:\Windows\system.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\system.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\system.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\system.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\system.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Windows\system.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings | C:\Windows\system.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | C:\Windows\system.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" | C:\Windows\system.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | C:\Windows\system.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2628585F-3796-4199-A150-A419D2D90FD7}\WpadDecisionReason = "1" | C:\Windows\system.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\system.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\system.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f007d000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | C:\Windows\system.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2628585F-3796-4199-A150-A419D2D90FD7}\WpadNetworkName = "Network 3" | C:\Windows\system.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\system.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\system.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\system.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Windows\system.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\system.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\system.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\system.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\system.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | C:\Windows\system.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\16-46-be-a6-e5-17 | C:\Windows\system.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Windows\system.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\system.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs | C:\Windows\system.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\system.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Windows\system.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\16-46-be-a6-e5-17\WpadDecisionReason = "1" | C:\Windows\system.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" | C:\Windows\system.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\system.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Windows\system.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings | C:\Windows\system.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2628585F-3796-4199-A150-A419D2D90FD7}\WpadDecision = "0" | C:\Windows\system.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Windows\system.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\system.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs | C:\Windows\system.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\system.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\system.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad | C:\Windows\system.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2628585F-3796-4199-A150-A419D2D90FD7}\16-46-be-a6-e5-17 | C:\Windows\system.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\system.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates | C:\Windows\system.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\temp.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8a2bdb5e601deb704b795bc5eebf45da.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8a2bdb5e601deb704b795bc5eebf45da.exe"
C:\Users\Admin\AppData\Local\Temp\temp.exe
"C:\Users\Admin\AppData\Local\Temp\temp.exe"
C:\Windows\system.exe
C:\Windows\system.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Windows\uninstal.bat
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | sites.google.com | udp |
| DE | 172.217.18.14:80 | sites.google.com | tcp |
| DE | 172.217.18.14:443 | sites.google.com | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| DE | 142.250.186.67:80 | c.pki.goog | tcp |
| US | 8.8.8.8:53 | o.pki.goog | udp |
| DE | 142.250.186.67:80 | o.pki.goog | tcp |
| US | 8.8.8.8:53 | accounts.google.com | udp |
| US | 142.251.173.84:443 | accounts.google.com | tcp |
Files
memory/1016-1-0x00000000004A0000-0x00000000004F4000-memory.dmp
memory/1016-0-0x0000000010000000-0x00000000100C1000-memory.dmp
memory/1016-10-0x0000000003130000-0x0000000003131000-memory.dmp
memory/1016-2-0x0000000000410000-0x0000000000411000-memory.dmp
memory/1016-30-0x00000000001C0000-0x00000000001C1000-memory.dmp
memory/1016-29-0x00000000001B0000-0x00000000001B1000-memory.dmp
memory/1016-28-0x0000000003110000-0x0000000003114000-memory.dmp
memory/1016-27-0x0000000001E20000-0x0000000001E21000-memory.dmp
memory/1016-26-0x0000000001E30000-0x0000000001E31000-memory.dmp
memory/1016-25-0x0000000001DC0000-0x0000000001DC1000-memory.dmp
memory/1016-24-0x0000000001DD0000-0x0000000001DD1000-memory.dmp
memory/1016-23-0x0000000001DF0000-0x0000000001DF1000-memory.dmp
memory/1016-22-0x0000000001E10000-0x0000000001E11000-memory.dmp
memory/1016-21-0x0000000000500000-0x0000000000501000-memory.dmp
memory/1016-20-0x0000000001DA0000-0x0000000001DA1000-memory.dmp
memory/1016-19-0x0000000000540000-0x0000000000541000-memory.dmp
memory/1016-18-0x0000000000550000-0x0000000000551000-memory.dmp
memory/1016-17-0x0000000000480000-0x0000000000481000-memory.dmp
memory/1016-16-0x0000000000490000-0x0000000000491000-memory.dmp
memory/1016-15-0x0000000001D90000-0x0000000001D91000-memory.dmp
memory/1016-14-0x0000000000510000-0x0000000000511000-memory.dmp
memory/1016-13-0x0000000000530000-0x0000000000531000-memory.dmp
memory/1016-12-0x0000000003120000-0x0000000003122000-memory.dmp
memory/1016-11-0x0000000000460000-0x0000000000461000-memory.dmp
memory/1016-9-0x0000000003130000-0x0000000003131000-memory.dmp
memory/1016-8-0x0000000000420000-0x0000000000421000-memory.dmp
memory/1016-7-0x0000000000440000-0x0000000000441000-memory.dmp
memory/1016-6-0x00000000001D0000-0x00000000001D1000-memory.dmp
memory/1016-5-0x0000000000260000-0x0000000000261000-memory.dmp
memory/1016-4-0x0000000000450000-0x0000000000451000-memory.dmp
memory/1016-3-0x0000000000280000-0x0000000000281000-memory.dmp
\Users\Admin\AppData\Local\Temp\temp.exe
| MD5 | 2cb734d6e80d55630dbefbdb58a9cfe2 |
| SHA1 | 6f66e6ba349448a107720312f8a21043389034d3 |
| SHA256 | 959ed1fcdf9476c97a155f5f2cc349b9fc2aa19e7e9d5c6dc2974d8a895cc030 |
| SHA512 | 8a5dacb4c1c042e029c7ad2d8e05fced89c17bcc0d0a6952417272927ddd9ecfe4147b11798dce0b8bfc52aa5d55d7bee598fa510b262cb13896dba88271d1b1 |
memory/1016-41-0x0000000010000000-0x00000000100C1000-memory.dmp
memory/1016-40-0x00000000004A0000-0x00000000004F4000-memory.dmp
C:\Windows\uninstal.bat
| MD5 | d844dfb0f997e4d32cdb6dafa4d7717a |
| SHA1 | eaa7b33e52129f946e1aca0ce3cf45a7ce36b5ec |
| SHA256 | 0f38f96239893411209b61471bb7c2412a8637ce0e5cbf9cc3c23e14ee44759a |
| SHA512 | fdeeeda586bf1d748ab962bd579ab3ef69a59ab9306bd3b29663dd496bba31e0a20b62e6076c08bfef44ad821e9dd69e88a29a56d427cbba532947cf91947be5 |
memory/2404-55-0x0000000000400000-0x00000000004D206F-memory.dmp
memory/2120-76-0x0000000000400000-0x00000000004D206F-memory.dmp
memory/2120-80-0x0000000000400000-0x00000000004D206F-memory.dmp
memory/2120-81-0x0000000000400000-0x00000000004D206F-memory.dmp
memory/2120-85-0x0000000000400000-0x00000000004D206F-memory.dmp
memory/2120-89-0x0000000000400000-0x00000000004D206F-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2025-02-03 15:53
Reported
2025-02-03 15:55
Platform
win10v2004-20250129-en
Max time kernel
148s
Max time network
150s
Command Line
Signatures
Detected google phishing page
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system.exe | N/A |
| N/A | N/A | C:\Windows\system.exe | N/A |
| N/A | N/A | C:\Windows\system.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\USER\S-1-5-21-805940606-1861219160-370298170-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8a2bdb5e601deb704b795bc5eebf45da.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\temp.exe | N/A |
| N/A | N/A | C:\Windows\system.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | sites.google.com | N/A | N/A |
| N/A | sites.google.com | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8B2B9A00839EED1DFDCCC3BFC2F5DF12 | C:\Windows\system.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\D6AA22DA63AEAA61826C0D7C76455F33_BE04BFFDC626E991C9EEB9B7D35CF4B8 | C:\Windows\system.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 | C:\Windows\system.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 | C:\Windows\system.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache | C:\Windows\system.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 | C:\Windows\system.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE | C:\Windows\system.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8B2B9A00839EED1DFDCCC3BFC2F5DF12 | C:\Windows\system.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B46811C17859FFB409CF0E904A4AA8F8 | C:\Windows\system.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B46811C17859FFB409CF0E904A4AA8F8 | C:\Windows\system.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\D6AA22DA63AEAA61826C0D7C76455F33_BE04BFFDC626E991C9EEB9B7D35CF4B8 | C:\Windows\system.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\05DDC6AA91765AACACDB0A5F96DF8199 | C:\Windows\system.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\4FA45AE1010E09657982D8D28B3BD38E_A4910F65FB301FC460D3A6054A2253EC | C:\Windows\system.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content | C:\Windows\system.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft | C:\Windows\system.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData | C:\Windows\system.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 | C:\Windows\system.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\05DDC6AA91765AACACDB0A5F96DF8199 | C:\Windows\system.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\4FA45AE1010E09657982D8D28B3BD38E_A4910F65FB301FC460D3A6054A2253EC | C:\Windows\system.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies | C:\Windows\system.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Windows\system.exe | C:\Users\Admin\AppData\Local\Temp\temp.exe | N/A |
| File created | C:\Windows\uninstal.bat | C:\Users\Admin\AppData\Local\Temp\temp.exe | N/A |
| File created | C:\Windows\system.exe | C:\Users\Admin\AppData\Local\Temp\temp.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\temp.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\system.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8a2bdb5e601deb704b795bc5eebf45da.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | C:\Windows\system.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software | C:\Windows\system.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings | C:\Windows\system.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix | C:\Windows\system.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Windows\system.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | C:\Windows\system.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft | C:\Windows\system.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows | C:\Windows\system.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | C:\Windows\system.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | C:\Windows\system.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | C:\Windows\system.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History | C:\Windows\system.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion | C:\Windows\system.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\P3P | C:\Windows\system.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" | C:\Windows\system.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\system.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\temp.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 4828 wrote to memory of 4580 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8a2bdb5e601deb704b795bc5eebf45da.exe | C:\Users\Admin\AppData\Local\Temp\temp.exe |
| PID 4828 wrote to memory of 4580 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8a2bdb5e601deb704b795bc5eebf45da.exe | C:\Users\Admin\AppData\Local\Temp\temp.exe |
| PID 4828 wrote to memory of 4580 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8a2bdb5e601deb704b795bc5eebf45da.exe | C:\Users\Admin\AppData\Local\Temp\temp.exe |
| PID 4580 wrote to memory of 4344 | N/A | C:\Users\Admin\AppData\Local\Temp\temp.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 4580 wrote to memory of 4344 | N/A | C:\Users\Admin\AppData\Local\Temp\temp.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 4580 wrote to memory of 4344 | N/A | C:\Users\Admin\AppData\Local\Temp\temp.exe | C:\Windows\SysWOW64\cmd.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8a2bdb5e601deb704b795bc5eebf45da.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8a2bdb5e601deb704b795bc5eebf45da.exe"
C:\Users\Admin\AppData\Local\Temp\temp.exe
"C:\Users\Admin\AppData\Local\Temp\temp.exe"
C:\Windows\system.exe
C:\Windows\system.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\uninstal.bat
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.28.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 17.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.153.16.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 5.114.82.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | sites.google.com | udp |
| DE | 172.217.18.14:80 | sites.google.com | tcp |
| DE | 172.217.18.14:443 | sites.google.com | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| DE | 142.250.186.67:80 | c.pki.goog | tcp |
| US | 8.8.8.8:53 | o.pki.goog | udp |
| DE | 142.250.186.67:80 | o.pki.goog | tcp |
| US | 8.8.8.8:53 | 67.186.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.18.217.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | accounts.google.com | udp |
| US | 142.251.173.84:443 | accounts.google.com | tcp |
| GB | 95.101.143.184:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 84.173.251.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 184.143.101.95.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 20.49.80.91.in-addr.arpa | udp |
Files
memory/4828-0-0x0000000010000000-0x00000000100C1000-memory.dmp
memory/4828-1-0x0000000002240000-0x0000000002294000-memory.dmp
memory/4828-28-0x00000000009A0000-0x00000000009A1000-memory.dmp
memory/4828-27-0x0000000000590000-0x0000000000591000-memory.dmp
memory/4828-26-0x0000000003360000-0x0000000003364000-memory.dmp
memory/4828-25-0x00000000024A0000-0x00000000024A1000-memory.dmp
memory/4828-24-0x0000000002430000-0x0000000002431000-memory.dmp
memory/4828-23-0x0000000002450000-0x0000000002451000-memory.dmp
memory/4828-22-0x0000000002470000-0x0000000002471000-memory.dmp
memory/4828-21-0x0000000002490000-0x0000000002491000-memory.dmp
memory/4828-20-0x00000000023A0000-0x00000000023A1000-memory.dmp
memory/4828-19-0x0000000002410000-0x0000000002411000-memory.dmp
memory/4828-18-0x00000000023E0000-0x00000000023E1000-memory.dmp
memory/4828-17-0x00000000023F0000-0x00000000023F1000-memory.dmp
memory/4828-16-0x0000000000A70000-0x0000000000A71000-memory.dmp
memory/4828-15-0x0000000000A80000-0x0000000000A81000-memory.dmp
memory/4828-14-0x0000000002400000-0x0000000002401000-memory.dmp
memory/4828-13-0x00000000023B0000-0x00000000023B1000-memory.dmp
memory/4828-12-0x00000000023D0000-0x00000000023D1000-memory.dmp
memory/4828-11-0x0000000003370000-0x0000000003372000-memory.dmp
memory/4828-10-0x0000000000A50000-0x0000000000A51000-memory.dmp
memory/4828-9-0x0000000003380000-0x0000000003381000-memory.dmp
memory/4828-8-0x0000000000A20000-0x0000000000A21000-memory.dmp
memory/4828-7-0x0000000000A30000-0x0000000000A31000-memory.dmp
memory/4828-6-0x00000000009B0000-0x00000000009B1000-memory.dmp
memory/4828-5-0x00000000009C0000-0x00000000009C1000-memory.dmp
memory/4828-4-0x0000000000A40000-0x0000000000A41000-memory.dmp
memory/4828-3-0x00000000009F0000-0x00000000009F1000-memory.dmp
memory/4828-2-0x0000000000A10000-0x0000000000A11000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\temp.exe
| MD5 | 2cb734d6e80d55630dbefbdb58a9cfe2 |
| SHA1 | 6f66e6ba349448a107720312f8a21043389034d3 |
| SHA256 | 959ed1fcdf9476c97a155f5f2cc349b9fc2aa19e7e9d5c6dc2974d8a895cc030 |
| SHA512 | 8a5dacb4c1c042e029c7ad2d8e05fced89c17bcc0d0a6952417272927ddd9ecfe4147b11798dce0b8bfc52aa5d55d7bee598fa510b262cb13896dba88271d1b1 |
memory/4828-37-0x0000000010000000-0x00000000100C1000-memory.dmp
memory/4828-40-0x0000000002240000-0x0000000002294000-memory.dmp
memory/4580-45-0x0000000000400000-0x00000000004D206F-memory.dmp
C:\Windows\uninstal.bat
| MD5 | d844dfb0f997e4d32cdb6dafa4d7717a |
| SHA1 | eaa7b33e52129f946e1aca0ce3cf45a7ce36b5ec |
| SHA256 | 0f38f96239893411209b61471bb7c2412a8637ce0e5cbf9cc3c23e14ee44759a |
| SHA512 | fdeeeda586bf1d748ab962bd579ab3ef69a59ab9306bd3b29663dd496bba31e0a20b62e6076c08bfef44ad821e9dd69e88a29a56d427cbba532947cf91947be5 |
memory/5068-64-0x0000000000400000-0x00000000004D206F-memory.dmp
memory/5068-68-0x0000000000400000-0x00000000004D206F-memory.dmp
memory/5068-72-0x0000000000400000-0x00000000004D206F-memory.dmp
memory/5068-76-0x0000000000400000-0x00000000004D206F-memory.dmp