Analysis Overview
SHA256
9795982ab78e29ee900f7c46d62d5e5b51b3814a4200e136ecc01a3d6d072db6
Threat Level: Shows suspicious behavior
The file JaffaCakes118_1c70559dbdd68a5989d6cf1d9e2cbdec was found to show suspicious behavior.
Malicious Activity Summary
Loads dropped DLL
Reads user/profile data of web browsers
Enumerates physical storage devices
Program crash
System Location Discovery: System Language Discovery
Modifies Internet Explorer settings
Suspicious use of SetWindowsHookEx
MITRE ATT&CK
Enterprise Matrix V16
Analysis: static1
Detonation Overview
Reported
2025-07-04 17:32
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2025-07-04 17:32
Reported
2025-07-04 17:34
Platform
win10v2004-20250502-en
Max time kernel
105s
Max time network
134s
Command Line
Signatures
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c70559dbdd68a5989d6cf1d9e2cbdec.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c70559dbdd68a5989d6cf1d9e2cbdec.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c70559dbdd68a5989d6cf1d9e2cbdec.exe | N/A |
Reads user/profile data of web browsers
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c70559dbdd68a5989d6cf1d9e2cbdec.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c70559dbdd68a5989d6cf1d9e2cbdec.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c70559dbdd68a5989d6cf1d9e2cbdec.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\JaffaCakes118_1c70559dbdd68a5989d6cf1d9e2cbdec.exe = "11000" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c70559dbdd68a5989d6cf1d9e2cbdec.exe | N/A |
Suspicious use of SetWindowsHookEx
Processes
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c70559dbdd68a5989d6cf1d9e2cbdec.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c70559dbdd68a5989d6cf1d9e2cbdec.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 388 -ip 388
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 388 -s 2648
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | ude.databssint.com | udp |
| US | 8.8.8.8:53 | cms.dmccint.com | udp |
| US | 8.8.8.8:53 | engine.dmccint.com | udp |
| GB | 142.250.180.14:80 | cms.dmccint.com | tcp |
| IL | 199.101.114.147:80 | engine.dmccint.com | tcp |
| N/A | 127.0.0.1:80 | N/A | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 142.250.180.3:80 | c.pki.goog | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\nsm7EE6.tmp\System.dll
| MD5 | 62008374a494afeea2ee2ae9eee4c8c0 |
| SHA1 | 94808fcf0748c437f4d7ffa4d540e054cb014fab |
| SHA256 | 9c4affddfa97b268b07c00ac28a2fe617dda806bf55088ccf348da149ee76c1a |
| SHA512 | f584ed647b69ff8ff80450be8f0b267ebb3c97826dbf01d078165ea94b43afd1f00fc58b91d9e8f4d78465d70312c1b1a6ac66583ebdc009b0ce471a6cf149a0 |
C:\Users\Admin\AppData\Local\Temp\nsm7EE6.tmp\webapphost.dll
| MD5 | 6482716b29a424ade699f29560302f5d |
| SHA1 | 4d56bac748e72ce98405a7509c2bb33efe06af59 |
| SHA256 | 72e73c6a03f37c7cad227b5940d9189a63a8729ef6199ffc068f7dc234ad583f |
| SHA512 | 6c58c0e347d772e403ace72a644f395e7918907374fc557970aa617df823823427f8905bed819ac04c25d5280662c7c26e999931ea51800f8ee9f55c9b64f60d |
C:\Users\Admin\AppData\Local\Temp\nsm7EE6.tmp\DownloadACC.dll
| MD5 | dbfaba3a1329a0925530482cfd700b21 |
| SHA1 | a6a8e5000c16ba28bea645bb456c101ca19e0a70 |
| SHA256 | 45289f096984e9af391cbe7b907866f25fbe9a419bd70e435d7ef041aefb7b9f |
| SHA512 | 6bd296185dbf0aef232fa9f96d7377fd6f93dd6ccbd97ee3285732c0a897ba5ec60531845e538102fabc0cd5f7fad0c6f32f79ae88875aba58b5e52a4a3f983c |