Analysis Overview
SHA256
1e3dcabb30ae28ac2e994d0b09395988eabeb16d86286ab91d7c790fa154fea9
Threat Level: Known bad
The file 1148dd1cc69dc62df9c3686c8e126c4e_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
Disables service(s)
Drops file in Drivers directory
VMProtect packed file
Loads dropped DLL
Drops file in System32 directory
Drops autorun.inf file
Launches sc.exe
Drops file in Windows directory
Unsigned PE
Program crash
Suspicious behavior: LoadsDriver
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Gathers network information
Kills process with taskkill
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-26 08:03
Signatures
VMProtect packed file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-26 08:03
Reported
2024-06-26 08:06
Platform
win7-20231129-en
Max time kernel
43s
Max time network
121s
Command Line
Signatures
Disables service(s)
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Windows\system32\drivers\etc\hosts | C:\Users\Admin\AppData\Local\Temp\1148dd1cc69dc62df9c3686c8e126c4e_JaffaCakes118.exe | N/A |
| File created | C:\Windows\SysWOW64\drivers\acpiec.sys | C:\Users\Admin\AppData\Local\Temp\1148dd1cc69dc62df9c3686c8e126c4e_JaffaCakes118.exe | N/A |
| File created | C:\Windows\SysWOW64\drivers\pcidump.sys | C:\Users\Admin\AppData\Local\Temp\1148dd1cc69dc62df9c3686c8e126c4e_JaffaCakes118.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
VMProtect packed file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Drops autorun.inf file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\autorun.inf | C:\Users\Admin\AppData\Local\Temp\1148dd1cc69dc62df9c3686c8e126c4e_JaffaCakes118.exe | N/A |
| File opened for modification | C:\autorun.inf | C:\Users\Admin\AppData\Local\Temp\1148dd1cc69dc62df9c3686c8e126c4e_JaffaCakes118.exe | N/A |
| File created | F:\autorun.inf | C:\Users\Admin\AppData\Local\Temp\1148dd1cc69dc62df9c3686c8e126c4e_JaffaCakes118.exe | N/A |
| File opened for modification | F:\autorun.inf | C:\Users\Admin\AppData\Local\Temp\1148dd1cc69dc62df9c3686c8e126c4e_JaffaCakes118.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\SysWOW64\a18467stva41a.dll | C:\Users\Admin\AppData\Local\Temp\1148dd1cc69dc62df9c3686c8e126c4e_JaffaCakes118.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\def26500aab6334ccd.dll | C:\Users\Admin\AppData\Local\Temp\1148dd1cc69dc62df9c3686c8e126c4e_JaffaCakes118.exe | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
Program crash
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Gathers network information
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\ipconfig.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1148dd1cc69dc62df9c3686c8e126c4e_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1148dd1cc69dc62df9c3686c8e126c4e_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1148dd1cc69dc62df9c3686c8e126c4e_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| --- | --- |
| C:\Users\Admin\AppData\Local\Temp\1148dd1cc69dc62df9c3686c8e126c4e_JaffaCakes118.exe | "C:\Users\Admin\AppData\Local\Temp\1148dd1cc69dc62df9c3686c8e126c4e_JaffaCakes118.exe" |
| C:\Windows\SysWOW64\sc.exe | sc config ekrn start= disabled |
| C:\Windows\SysWOW64\sc.exe | sc config rsravmon start= disabled |
| C:\Windows\SysWOW64\taskkill.exe | taskkill /im ekrn.exe /f |
| C:\Windows\SysWOW64\taskkill.exe | taskkill /im egui.exe /f |
| C:\Windows\SysWOW64\taskkill.exe | taskkill /im 360sd.exe /f |
| C:\Windows\SysWOW64\taskkill.exe | taskkill /im 360sd_se.exe /f |
| C:\Windows\SysWOW64\cacls.exe | cacls C:\Users\Admin\AppData\Local\Temp\ /e /p everyone:f cacls "C:\Windows" /e /p everyone:f |
| C:\Windows\SysWOW64\rundll32.exe | rundll32.exe C:\Windows\system32\a18467stva41a.dll, droqp |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 2464 -s 320 |
| C:\Windows\SysWOW64\ipconfig.exe | ipconfig /all |
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | tj.dh7d7egr3g6as.com | udp |
Files
memory/2320-0-0x0000000000400000-0x0000000000431000-memory.dmp
C:\Windows\SysWOW64\a18467stva41a.dll
| Hash | Value |
| --- | --- |
| MD5 | c33c88aa771dd3a019608c0dfe47bdb2 |
| SHA1 | 94f5b9d14bc7506dce737ceb7db192942d311907 |
| SHA256 | 56850456721c2cacd7040f08e0f86b278423a9a3264cf4d4971d186b991db713 |
| SHA512 | c9a9327c69e3fa2a133aece1d2b9873f21986207946690b98f91f528bdd0867026467a9bc286d509f27c13ba6c5efd3df128df2925cfa037bb0496adbb24bfb6 |
memory/2320-18-0x0000000010000000-0x000000001000C000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-26 08:03
Reported
2024-06-26 08:06
Platform
win10v2004-20240508-en
Max time kernel
147s
Max time network
150s
Command Line
Signatures
VMProtect packed file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Program crash
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\1148dd1cc69dc62df9c3686c8e126c4e_JaffaCakes118.exe |
Processes
| Process | Command line |
| --- | --- |
| C:\Users\Admin\AppData\Local\Temp\1148dd1cc69dc62df9c3686c8e126c4e_JaffaCakes118.exe | "C:\Users\Admin\AppData\Local\Temp\1148dd1cc69dc62df9c3686c8e126c4e_JaffaCakes118.exe" |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1976 -ip 1976 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 1976 -s 312 |
Network
Files
memory/1976-0-0x0000000000400000-0x0000000000431000-memory.dmp
memory/1976-1-0x0000000000400000-0x0000000000431000-memory.dmp