Analysis Overview
SHA256
0d124a5139362fdde526271c3dda5ced134c04951fd0328ed1122ed387783d5c
Threat Level: Shows suspicious behavior
The file JaffaCakes118_1c7678925b36fc8def31d65103d6a9a6 was found to be: Shows suspicious behavior.
Malicious Activity Summary
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
MITRE ATT&CK
Enterprise Matrix V16
Analysis: static1
Detonation Overview
Reported
2025-07-04 18:05
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2025-07-04 18:05
Reported
2025-07-04 18:07
Platform
win10v2004-20250502-en
Max time kernel
142s
Max time network
137s
Command Line
Signatures
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\is-UO27G.tmp\JaffaCakes118_1c7678925b36fc8def31d65103d6a9a6.tmp | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-UO27G.tmp\JaffaCakes118_1c7678925b36fc8def31d65103d6a9a6.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-AJ2IG.tmp\setup.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-UO27G.tmp\JaffaCakes118_1c7678925b36fc8def31d65103d6a9a6.tmp | N/A |
Reads user/profile data of web browsers
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c7678925b36fc8def31d65103d6a9a6.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\is-UO27G.tmp\JaffaCakes118_1c7678925b36fc8def31d65103d6a9a6.tmp | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\is-AJ2IG.tmp\setup.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-AJ2IG.tmp\setup.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c7678925b36fc8def31d65103d6a9a6.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c7678925b36fc8def31d65103d6a9a6.exe"
C:\Users\Admin\AppData\Local\Temp\is-UO27G.tmp\JaffaCakes118_1c7678925b36fc8def31d65103d6a9a6.tmp
"C:\Users\Admin\AppData\Local\Temp\is-UO27G.tmp\JaffaCakes118_1c7678925b36fc8def31d65103d6a9a6.tmp" /SL5="$5006C,2953972,66560,C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c7678925b36fc8def31d65103d6a9a6.exe"
C:\Users\Admin\AppData\Local\Temp\is-AJ2IG.tmp\setup.exe
"C:\Users\Admin\AppData\Local\Temp\is-AJ2IG.tmp\setup.exe" /path="C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c7678925b36fc8def31d65103d6a9a6.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 2.list.fullmedialibrary.com | udp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 142.250.180.3:80 | c.pki.goog | tcp |
Files
memory/3988-1-0x0000000000401000-0x000000000040B000-memory.dmp
memory/3988-0-0x0000000000400000-0x0000000000417000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\is-UO27G.tmp\JaffaCakes118_1c7678925b36fc8def31d65103d6a9a6.tmp
| MD5 | e5ab3419ba8234f91656b6e9015e7fce |
| SHA1 | c73e80d369aed62c997a9cd509ba251d8d7875ac |
| SHA256 | 009b5f9a122e0e645680c7a207fd3a7c2c53d4609f4ca16cff0d7b02ab09c209 |
| SHA512 | fca6580f974ffea96ee4158653c19f2e26764ec9654a82c820bb29e3a5c94a1f486d43e43db064662397d8aa401f6c4aec9cfa264b1e79e6461389331c99c1fb |
memory/1916-7-0x0000000000400000-0x00000000004BF000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\is-AJ2IG.tmp\_isetup\_iscrypt.dll
| MD5 | a69559718ab506675e907fe49deb71e9 |
| SHA1 | bc8f404ffdb1960b50c12ff9413c893b56f2e36f |
| SHA256 | 2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc |
| SHA512 | e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63 |
C:\Users\Admin\AppData\Local\Temp\is-AJ2IG.tmp\setup.exe
| MD5 | 58131cb103a51ea087004f410606a05d |
| SHA1 | 5cd47985419def794b9efe10d813c89ef1a8d69d |
| SHA256 | 35bdad85f460a45214654a8747c7c3fa8a2a3ceafdf017166dd0a69cf5969cf7 |
| SHA512 | 22d7390fb3a02db233d405b08f6db5e7983770b404f635546a326a0a252127168e875a1271103b0ebb6c5b150a9121d2ccc5f88a4faacd682c4de65e94d6971d |
memory/5248-27-0x0000000000400000-0x0000000000C33000-memory.dmp
memory/1916-31-0x0000000000400000-0x00000000004BF000-memory.dmp
memory/3988-32-0x0000000000400000-0x0000000000417000-memory.dmp
memory/5248-33-0x0000000000400000-0x0000000000C33000-memory.dmp
memory/5248-35-0x0000000000400000-0x0000000000C33000-memory.dmp