Analysis Overview
SHA256
f6ac93058c6257dee00946df9f7d2c56290386750d38fc2ebc00dc23c58b2353
Threat Level: Likely malicious
The file ac1247ec24ed0024003f6ae568d688f8_JaffaCakes118 was found to be: Likely malicious.
Malicious Activity Summary
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Themida packer
Checks computer location settings
Executes dropped EXE
Checks BIOS information in registry
Obfuscated with Agile.Net obfuscator
Loads dropped DLL
Checks whether UAC is enabled
Suspicious use of NtSetInformationThreadHideFromDebugger
Enumerates physical storage devices
Unsigned PE
Enumerates system info in registry
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Checks processor information in registry
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-04-04 01:34
Signatures
Obfuscated with Agile.Net obfuscator
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-04 01:34
Reported
2024-04-04 01:37
Platform
win7-20240221-en
Max time kernel
119s
Max time network
123s
Command Line
Signatures
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\ac1247ec24ed0024003f6ae568d688f8_JaffaCakes118.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\ac1247ec24ed0024003f6ae568d688f8_JaffaCakes118.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\ac1247ec24ed0024003f6ae568d688f8_JaffaCakes118.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\uranigger.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ac1247ec24ed0024003f6ae568d688f8_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ac1247ec24ed0024003f6ae568d688f8_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ac1247ec24ed0024003f6ae568d688f8_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe | N/A |
Obfuscated with Agile.Net obfuscator
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Themida packer
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\ac1247ec24ed0024003f6ae568d688f8_JaffaCakes118.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ac1247ec24ed0024003f6ae568d688f8_JaffaCakes118.exe | N/A |
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\ac1247ec24ed0024003f6ae568d688f8_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ac1247ec24ed0024003f6ae568d688f8_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\uranigger.exe
"C:\Users\Admin\AppData\Local\Temp\uranigger.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 432
Network
Files
memory/2180-0-0x0000000074020000-0x00000000745CB000-memory.dmp
memory/2180-1-0x0000000074020000-0x00000000745CB000-memory.dmp
memory/2180-2-0x0000000002700000-0x0000000002740000-memory.dmp
\Users\Admin\AppData\Local\Temp\956af42f-64cf-459d-ac64-6a6100c842f9\AgileDotNetRT.dll
| MD5 | 2d86c4ad18524003d56c1cb27c549ba8 |
| SHA1 | 123007f9337364e044b87deacf6793c2027c8f47 |
| SHA256 | 091ab8a1acdab40c544bd1e5c91a96881acc318cac4df5235e1b5673f5489280 |
| SHA512 | 0dd5204733b3c20932aeea2cebf0ca1eeca70e4b3b3b8932d78d952a8f762f0b96ebdbdaf217e95889c02ec6a39b8f9919fd4c0cba56bb629256e71fa61faa3c |
memory/2180-9-0x00000000721C0000-0x00000000727C8000-memory.dmp
memory/2180-10-0x00000000721C0000-0x00000000727C8000-memory.dmp
memory/2180-11-0x0000000076ED0000-0x0000000076ED2000-memory.dmp
memory/2180-12-0x00000000721C0000-0x00000000727C8000-memory.dmp
memory/2180-13-0x0000000073EA0000-0x0000000073EFB000-memory.dmp
\Users\Admin\AppData\Local\Temp\uranigger.exe
| MD5 | 10b558706690282a3807ccce1b334e14 |
| SHA1 | 49b7d8c418e6cdd0cc626033b1f02b5b8dd8377e |
| SHA256 | 87d0cdf3d07df967d23c4399114212dd0832cdca68b329d181ba40637972a9a9 |
| SHA512 | 4055bfa748a86a7141e6a331517564e7fefc23f39c62577c6eb7fbf3b0741e5b22d76e5e5407f13eb824e96b21eab1c068b717ef695413ee40ca20d94da41295 |
memory/2696-24-0x0000000074020000-0x00000000745CB000-memory.dmp
memory/2696-25-0x00000000002B0000-0x00000000002F0000-memory.dmp
memory/2696-26-0x0000000074020000-0x00000000745CB000-memory.dmp
memory/2180-27-0x00000000721C0000-0x00000000727C8000-memory.dmp
memory/2180-28-0x0000000074020000-0x00000000745CB000-memory.dmp
memory/2516-30-0x0000000000510000-0x0000000000511000-memory.dmp
memory/2696-31-0x0000000074020000-0x00000000745CB000-memory.dmp
memory/2696-32-0x00000000002B0000-0x00000000002F0000-memory.dmp
memory/2516-33-0x0000000000510000-0x0000000000511000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-04 01:34
Reported
2024-04-04 01:37
Platform
win10v2004-20240319-en
Max time kernel
146s
Max time network
153s
Command Line
Signatures
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\ac1247ec24ed0024003f6ae568d688f8_JaffaCakes118.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\ac1247ec24ed0024003f6ae568d688f8_JaffaCakes118.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\ac1247ec24ed0024003f6ae568d688f8_JaffaCakes118.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\ac1247ec24ed0024003f6ae568d688f8_JaffaCakes118.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\uranigger.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ac1247ec24ed0024003f6ae568d688f8_JaffaCakes118.exe | N/A |
Obfuscated with Agile.Net obfuscator
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Themida packer
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\ac1247ec24ed0024003f6ae568d688f8_JaffaCakes118.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ac1247ec24ed0024003f6ae568d688f8_JaffaCakes118.exe | N/A |
Enumerates physical storage devices
Checks processor information in registry
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeRestorePrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 3236 wrote to memory of 3096 | N/A | C:\Users\Admin\AppData\Local\Temp\ac1247ec24ed0024003f6ae568d688f8_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\uranigger.exe |
| PID 3236 wrote to memory of 3096 | N/A | C:\Users\Admin\AppData\Local\Temp\ac1247ec24ed0024003f6ae568d688f8_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\uranigger.exe |
| PID 3236 wrote to memory of 3096 | N/A | C:\Users\Admin\AppData\Local\Temp\ac1247ec24ed0024003f6ae568d688f8_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\uranigger.exe |
| PID 3096 wrote to memory of 1720 | N/A | C:\Users\Admin\AppData\Local\Temp\uranigger.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe |
| PID 3096 wrote to memory of 1720 | N/A | C:\Users\Admin\AppData\Local\Temp\uranigger.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe |
| PID 3096 wrote to memory of 1720 | N/A | C:\Users\Admin\AppData\Local\Temp\uranigger.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\ac1247ec24ed0024003f6ae568d688f8_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ac1247ec24ed0024003f6ae568d688f8_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\uranigger.exe
"C:\Users\Admin\AppData\Local\Temp\uranigger.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 844
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3252 --field-trial-handle=2536,i,8161505972217706694,705854963991409854,262144 --variations-seed-version /prefetch:8
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 138.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 185.110.86.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.34.115.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| GB | 13.105.221.15:443 | | tcp |
| US | 8.8.8.8:53 | 225.66.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 227.66.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 59.189.79.40.in-addr.arpa | udp |
Files
memory/3236-0-0x0000000074EC0000-0x0000000075471000-memory.dmp
memory/3236-1-0x0000000074EC0000-0x0000000075471000-memory.dmp
memory/3236-2-0x0000000001480000-0x0000000001490000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\956af42f-64cf-459d-ac64-6a6100c842f9\AgileDotNetRT.dll
| MD5 | 2d86c4ad18524003d56c1cb27c549ba8 |
| SHA1 | 123007f9337364e044b87deacf6793c2027c8f47 |
| SHA256 | 091ab8a1acdab40c544bd1e5c91a96881acc318cac4df5235e1b5673f5489280 |
| SHA512 | 0dd5204733b3c20932aeea2cebf0ca1eeca70e4b3b3b8932d78d952a8f762f0b96ebdbdaf217e95889c02ec6a39b8f9919fd4c0cba56bb629256e71fa61faa3c |
memory/3236-10-0x0000000072DF0000-0x00000000733F8000-memory.dmp
memory/3236-11-0x00000000777E4000-0x00000000777E6000-memory.dmp
memory/3236-12-0x0000000072DF0000-0x00000000733F8000-memory.dmp
memory/3236-13-0x0000000072DF0000-0x00000000733F8000-memory.dmp
memory/3236-14-0x0000000073BE0000-0x0000000073C3B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\uranigger.exe
| MD5 | 10b558706690282a3807ccce1b334e14 |
| SHA1 | 49b7d8c418e6cdd0cc626033b1f02b5b8dd8377e |
| SHA256 | 87d0cdf3d07df967d23c4399114212dd0832cdca68b329d181ba40637972a9a9 |
| SHA512 | 4055bfa748a86a7141e6a331517564e7fefc23f39c62577c6eb7fbf3b0741e5b22d76e5e5407f13eb824e96b21eab1c068b717ef695413ee40ca20d94da41295 |
memory/3096-28-0x0000000074EC0000-0x0000000075471000-memory.dmp
memory/3096-29-0x00000000019E0000-0x00000000019F0000-memory.dmp
memory/3236-30-0x0000000074EC0000-0x0000000075471000-memory.dmp
memory/3096-31-0x0000000074EC0000-0x0000000075471000-memory.dmp
memory/3236-27-0x0000000072DF0000-0x00000000733F8000-memory.dmp
memory/3096-38-0x0000000074EC0000-0x0000000075471000-memory.dmp