Analysis Overview
SHA256
22448123cd88a3bddb4618f31323898171b1f48d6dde9a4893a612a3037ece12
Threat Level: Shows suspicious behavior
The file 10e3441e5ea469eb34bc480ff3c9631b_JaffaCakes118 was found to be: Shows suspicious behavior.
Malicious Activity Summary
Executes dropped EXE
VMProtect packed file
UPX packed file
Checks computer location settings
Loads dropped DLL
Modifies WinLogon
Drops file in System32 directory
Drops file in Program Files directory
Enumerates physical storage devices
Unsigned PE
Program crash
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-26 05:32
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-26 05:32
Reported
2024-06-26 05:35
Platform
win7-20240508-en
Max time kernel
121s
Max time network
122s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Temp\Compose.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
VMProtect packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Modifies WinLogon
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" | C:\Windows\SysWOW64\rundll32.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\sfcos.dll | C:\Users\Admin\AppData\Local\Temp\Temp\Compose.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\sfcos.dll | C:\Users\Admin\AppData\Local\Temp\Temp\Compose.exe | N/A |
| File created | C:\Windows\SysWOW64\systemp | C:\Users\Admin\AppData\Local\Temp\Temp\Compose.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files\Monday.ime | C:\Users\Admin\AppData\Local\Temp\Temp\Compose.exe | N/A |
| File created | C:\Program Files\Tuesday.ime | C:\Users\Admin\AppData\Local\Temp\Temp\Compose.exe | N/A |
| File created | C:\Program Files\Wednesday.ime | C:\Users\Admin\AppData\Local\Temp\Temp\Compose.exe | N/A |
| File created | C:\Program Files\Sunday.ime | C:\Users\Admin\AppData\Local\Temp\Temp\Compose.exe | N/A |
| File created | C:\Program Files\taskmgr.upx | C:\Users\Admin\AppData\Local\Temp\Temp\Compose.exe | N/A |
| File opened for modification | C:\Program Files\Saturday | C:\Users\Admin\AppData\Local\Temp\Temp\Compose.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\10e3441e5ea469eb34bc480ff3c9631b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\10e3441e5ea469eb34bc480ff3c9631b_JaffaCakes118.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\Temp\DNFÌúѪÎȶ¨°æ0728.exe.bat" "
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\Temp\Compose.exe.bat" "
C:\Users\Admin\AppData\Local\Temp\Temp\Compose.exe
C:\Users\Admin\AppData\Local\Temp\Temp\Compose.exe
C:\Windows\SysWOW64\sfc.exe
"C:\Windows\system32\sfc.exe" /REVERT
C:\Windows\SysWOW64\cmd.exe
cmd /c c:\del.bat
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Program Files\Monday.ime",Runed
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2948 -s 256
Network
Files
C:\Users\Admin\AppData\Local\Temp\Temp\DNFÌúѪÎȶ¨°æ0728.exe.bat
| MD5 | 5b7f09cf96a727e757cf4e897aa59192 |
| SHA1 | c71ba6360fc65f43bbd94d2590107a9773537b34 |
| SHA256 | 46eec230d6038c6d5c89a275e2e22a49763da944605f713f4c06314a6aa5dc80 |
| SHA512 | f7311c7efe5bbcc37f07a8af012148dc90cbbd5dda6a62e224a24a260cd88b0cdb4a4dcad3390d5509a9ab7abc5302cf97425845d0408b0a8662426abcee08be |
C:\Users\Admin\AppData\Local\Temp\Temp\Compose.exe.bat
| MD5 | 0df340b2bd974571a6473d50c2b2c2b3 |
| SHA1 | 35f72388a139df09dc9084e9525b8809069612b7 |
| SHA256 | bccbe34aa86d715920c981a37e02758395e4774718e6065241e77ecc9de186f5 |
| SHA512 | d868ee33d83ec1274a5c512dbd67f49aec81acbe674c50533293d4ee0ccc8800ec44374eea5b1161119e543fba5053071c343e23c0c5ea5148098ec80c88b769 |
\Users\Admin\AppData\Local\Temp\Temp\Compose.exe
| MD5 | a4e82698fa8835d0ce321116a91f18a1 |
| SHA1 | abf9a73952c3badb1d590d9fa1309096a1923e5d |
| SHA256 | 551cec6557fdf63e266c453129aedb237a4ce2fa43454fd28123c68076211a2a |
| SHA512 | 7569483c8a0b4c89127b3b7601cd1d88a9e3c506fa7da053d4b778ab0e8ec9d1f289ae41cd06cc639425f56cfc9d1de8c242cf9823b61045b42cb93eed0f5b3a |
memory/1700-24-0x0000000000130000-0x0000000000151000-memory.dmp
memory/2768-26-0x0000000000400000-0x0000000000421000-memory.dmp
memory/1700-25-0x0000000000130000-0x0000000000151000-memory.dmp
memory/2768-57-0x0000000000400000-0x0000000000421000-memory.dmp
C:\del.bat
| MD5 | 50f1e023be2575395af55b326697031e |
| SHA1 | 0c9ee3b9848af401852cbb56a40b694d3e5909fd |
| SHA256 | e862d8be67eb278ceb27998c72b0a29bad7fb10808ad4aa44f62ede3abc21777 |
| SHA512 | 66fc3f470b295f3e0d2e414cf778cb9fe65da5fce43125b50989c92ebbe929e24bd32c2e37eaa3d5f923d601289f3fe0156770811b31ce1daf6c5702a55aa402 |
\Program Files\Monday.ime
| MD5 | 9d95fd1b8f6126d4e01d2042b0639d5f |
| SHA1 | 7e63f9e0eb4625f6e3c8c5797d39b81de1a82edb |
| SHA256 | 67c589b50bb426d0bd15eeeeb19b7e96923d59786676a6ded47ba27290c848f5 |
| SHA512 | 35519a9be3cc4676456e3517df937bb5c71248d4130e95cb7c21a41b71bc95fc2f1af6a781cb65a1c30fb594f1d5056e37b29a92615f3008bea1e38280a5f027 |
C:\Windows\SysWOW64\sfcos.dll
| MD5 | 84799328d87b3091a3bdd251e1ad31f9 |
| SHA1 | 64dbbe8210049f4d762de22525a7fe4313bf99d0 |
| SHA256 | f85521215924388830dbb13580688db70b46af4c7d82d549d09086438f8d237b |
| SHA512 | 0a9401c9c687f0edca01258c7920596408934caa21e5392dbaefc222c5c021255a40ec7c114a805cdb7f5a6153ec9fa9592edcc9e45406ce5612aa4e3da6a2c4 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-26 05:32
Reported
2024-06-26 05:35
Platform
win10v2004-20240611-en
Max time kernel
149s
Max time network
150s
Command Line
Signatures
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\10e3441e5ea469eb34bc480ff3c9631b_JaffaCakes118.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Temp\Compose.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Temp\Compose.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
VMProtect packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Modifies WinLogon
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" | C:\Windows\SysWOW64\rundll32.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\sfcos.dll | C:\Users\Admin\AppData\Local\Temp\Temp\Compose.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\sfcos.dll | C:\Users\Admin\AppData\Local\Temp\Temp\Compose.exe | N/A |
| File created | C:\Windows\SysWOW64\systemp | C:\Users\Admin\AppData\Local\Temp\Temp\Compose.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files\Tuesday.ime | C:\Users\Admin\AppData\Local\Temp\Temp\Compose.exe | N/A |
| File created | C:\Program Files\Wednesday.ime | C:\Users\Admin\AppData\Local\Temp\Temp\Compose.exe | N/A |
| File created | C:\Program Files\Sunday.ime | C:\Users\Admin\AppData\Local\Temp\Temp\Compose.exe | N/A |
| File created | C:\Program Files\taskmgr.upx | C:\Users\Admin\AppData\Local\Temp\Temp\Compose.exe | N/A |
| File opened for modification | C:\Program Files\Saturday | C:\Users\Admin\AppData\Local\Temp\Temp\Compose.exe | N/A |
| File created | C:\Program Files\Monday.ime | C:\Users\Admin\AppData\Local\Temp\Temp\Compose.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\10e3441e5ea469eb34bc480ff3c9631b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\10e3441e5ea469eb34bc480ff3c9631b_JaffaCakes118.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Temp\DNFÌúѪÎȶ¨°æ0728.exe.bat" "
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Temp\Compose.exe.bat" "
C:\Users\Admin\AppData\Local\Temp\Temp\Compose.exe
C:\Users\Admin\AppData\Local\Temp\Temp\Compose.exe
C:\Windows\SysWOW64\sfc.exe
"C:\Windows\system32\sfc.exe" /REVERT
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c c:\del.bat
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Program Files\Monday.ime",Runed
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4212 -ip 4212
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4212 -s 672
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 35.56.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 17.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 13.107.21.237:443 | g.bing.com | tcp |
| NL | 23.62.61.97:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 45.19.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 80.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 82.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 91.16.208.104.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\Temp\DNFÌúѪÎȶ¨°æ0728.exe.bat
| MD5 | 5b7f09cf96a727e757cf4e897aa59192 |
| SHA1 | c71ba6360fc65f43bbd94d2590107a9773537b34 |
| SHA256 | 46eec230d6038c6d5c89a275e2e22a49763da944605f713f4c06314a6aa5dc80 |
| SHA512 | f7311c7efe5bbcc37f07a8af012148dc90cbbd5dda6a62e224a24a260cd88b0cdb4a4dcad3390d5509a9ab7abc5302cf97425845d0408b0a8662426abcee08be |
C:\Users\Admin\AppData\Local\Temp\Temp\Compose.exe.bat
| MD5 | 0df340b2bd974571a6473d50c2b2c2b3 |
| SHA1 | 35f72388a139df09dc9084e9525b8809069612b7 |
| SHA256 | bccbe34aa86d715920c981a37e02758395e4774718e6065241e77ecc9de186f5 |
| SHA512 | d868ee33d83ec1274a5c512dbd67f49aec81acbe674c50533293d4ee0ccc8800ec44374eea5b1161119e543fba5053071c343e23c0c5ea5148098ec80c88b769 |
C:\Users\Admin\AppData\Local\Temp\Temp\Compose.exe
| MD5 | a4e82698fa8835d0ce321116a91f18a1 |
| SHA1 | abf9a73952c3badb1d590d9fa1309096a1923e5d |
| SHA256 | 551cec6557fdf63e266c453129aedb237a4ce2fa43454fd28123c68076211a2a |
| SHA512 | 7569483c8a0b4c89127b3b7601cd1d88a9e3c506fa7da053d4b778ab0e8ec9d1f289ae41cd06cc639425f56cfc9d1de8c242cf9823b61045b42cb93eed0f5b3a |
memory/3864-13-0x0000000000400000-0x0000000000421000-memory.dmp
C:\Program Files\Saturday
| MD5 | 718839697a7121576b5b57c5672f9a63 |
| SHA1 | d9d5533dcbcc49315a0cfa8794686dd9557be2a4 |
| SHA256 | c38092edb1e2051591b542d18652c147c85b399d762f302119895fa084c23c3f |
| SHA512 | 066088bf3b63fbaae8e244dce01f6dae8a4a5cd3a820b7f4e7bd9a01c641e8d0aebc8252c32b4853f85199448b95dd5ff72771e75902d8bc85e698308718dd8e |
memory/3864-29-0x0000000000400000-0x0000000000421000-memory.dmp
\??\c:\del.bat
| MD5 | 50f1e023be2575395af55b326697031e |
| SHA1 | 0c9ee3b9848af401852cbb56a40b694d3e5909fd |
| SHA256 | e862d8be67eb278ceb27998c72b0a29bad7fb10808ad4aa44f62ede3abc21777 |
| SHA512 | 66fc3f470b295f3e0d2e414cf778cb9fe65da5fce43125b50989c92ebbe929e24bd32c2e37eaa3d5f923d601289f3fe0156770811b31ce1daf6c5702a55aa402 |
C:\Program Files\Monday.ime
| MD5 | 9d95fd1b8f6126d4e01d2042b0639d5f |
| SHA1 | 7e63f9e0eb4625f6e3c8c5797d39b81de1a82edb |
| SHA256 | 67c589b50bb426d0bd15eeeeb19b7e96923d59786676a6ded47ba27290c848f5 |
| SHA512 | 35519a9be3cc4676456e3517df937bb5c71248d4130e95cb7c21a41b71bc95fc2f1af6a781cb65a1c30fb594f1d5056e37b29a92615f3008bea1e38280a5f027 |
C:\Windows\SysWOW64\sfcos.dll
| MD5 | 98c499fccb739ab23b75c0d8b98e0481 |
| SHA1 | 0ef5c464823550d5f53dd485e91dabc5d5a1ba0a |
| SHA256 | d9d8ce1b86b3978889466ab1b9f46778942d276922bf7533327a493083913087 |
| SHA512 | 9e64ac13e18ab0a518bb85b6612520645b5ab2c9a5359ced943813ba7344714999f25ba0e52240ad2d0c2fefc76552ff43173adc46334ff0b5dba171fb58e4e6 |