Analysis Overview
SHA256
d0b02f2bc5e46880f67b31b7a7ab3fc8670ee3c6a0a362a52c2f10fbae8d1913
Threat Level: Known bad
The file ec725e6f7355c934e22abb9d81da7f65_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
simda
Checks BIOS information in registry
Modifies WinLogon
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-09-20 00:05
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-09-20 00:05
Reported
2024-09-20 00:07
Platform
win7-20240903-en
Max time kernel
150s
Max time network
117s
Command Line
Signatures
simda
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\ec725e6f7355c934e22abb9d81da7f65_JaffaCakes118.exe | N/A |
Modifies WinLogon
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\fda74849 = "àOh{X\u008f¾«‰´ª…—àüÛ\u009d]‚\u008dÿ7ô\x10¹uÌ9òrK7àò`qšzgI\u00ad[ÑãîàçMp\x18¥*\"³g\x11Ÿ¢;Ü!ô»eZ»Ü™Ì£#\x05\x10ÄvÃMEêd¼þnp\x05\x03B#f\x1cÚ" | C:\Users\Admin\AppData\Local\Temp\ec725e6f7355c934e22abb9d81da7f65_JaffaCakes118.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\ec725e6f7355c934e22abb9d81da7f65_JaffaCakes118.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\ec725e6f7355c934e22abb9d81da7f65_JaffaCakes118.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\ec725e6f7355c934e22abb9d81da7f65_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ec725e6f7355c934e22abb9d81da7f65_JaffaCakes118.exe"
Network
Files
memory/2460-0-0x00000000002F0000-0x0000000000342000-memory.dmp
memory/2460-1-0x0000000000400000-0x000000000045F000-memory.dmp
memory/2460-2-0x00000000004F0000-0x000000000059A000-memory.dmp
memory/2460-4-0x00000000004F0000-0x000000000059A000-memory.dmp
memory/2460-6-0x00000000004F0000-0x000000000059A000-memory.dmp
memory/2460-12-0x00000000004F0000-0x000000000059A000-memory.dmp
memory/2460-13-0x0000000000400000-0x00000000004ED000-memory.dmp
memory/2460-10-0x00000000004F0000-0x000000000059A000-memory.dmp
memory/2460-8-0x00000000004F0000-0x000000000059A000-memory.dmp
memory/2460-14-0x0000000002630000-0x00000000026E9000-memory.dmp
memory/2460-16-0x0000000002630000-0x00000000026E9000-memory.dmp
memory/2460-45-0x0000000001E70000-0x0000000001E71000-memory.dmp
memory/2460-44-0x0000000001E60000-0x0000000001E61000-memory.dmp
memory/2460-59-0x0000000002630000-0x00000000026E9000-memory.dmp
memory/2460-58-0x0000000001EC0000-0x0000000001EC1000-memory.dmp
memory/2460-56-0x0000000001EA0000-0x0000000001EA1000-memory.dmp
memory/2460-55-0x0000000001EB0000-0x0000000001EB1000-memory.dmp
memory/2460-52-0x0000000001EA0000-0x0000000001EA1000-memory.dmp
memory/2460-51-0x0000000001E90000-0x0000000001E91000-memory.dmp
memory/2460-49-0x0000000001E70000-0x0000000001E71000-memory.dmp
memory/2460-48-0x0000000001E80000-0x0000000001E81000-memory.dmp
memory/2460-42-0x0000000001E40000-0x0000000001E41000-memory.dmp
memory/2460-41-0x0000000001E50000-0x0000000001E51000-memory.dmp
memory/2460-37-0x0000000001E30000-0x0000000001E31000-memory.dmp
memory/2460-35-0x0000000000870000-0x0000000000871000-memory.dmp
memory/2460-34-0x0000000000880000-0x0000000000881000-memory.dmp
memory/2460-31-0x0000000000870000-0x0000000000871000-memory.dmp
memory/2460-30-0x0000000000860000-0x0000000000861000-memory.dmp
memory/2460-28-0x0000000000840000-0x0000000000841000-memory.dmp
memory/2460-27-0x0000000000850000-0x0000000000851000-memory.dmp
memory/2460-24-0x0000000000840000-0x0000000000841000-memory.dmp
memory/2460-23-0x00000000005A0000-0x00000000005A1000-memory.dmp
memory/2460-21-0x0000000000350000-0x0000000000351000-memory.dmp
memory/2460-20-0x00000000003F0000-0x00000000003F1000-memory.dmp
memory/2460-19-0x00000000003F0000-0x00000000003F1000-memory.dmp
memory/2460-17-0x0000000000350000-0x0000000000351000-memory.dmp
memory/2460-61-0x00000000002F0000-0x0000000000342000-memory.dmp
memory/2460-62-0x0000000000400000-0x000000000045F000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-09-20 00:05
Reported
2024-09-20 00:07
Platform
win10v2004-20240802-en
Max time kernel
150s
Max time network
136s
Command Line
Signatures
simda
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\ec725e6f7355c934e22abb9d81da7f65_JaffaCakes118.exe | N/A |
Modifies WinLogon
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\12411206 = "D™±s*\x12?šy$Þ°t3n(…÷\x15n\aÚ\r&|1\x18OƒÕ¨Œ\x05YfÙ\u0081a«ÊX»^\x02w|é¯@F<ï,f€´ÄCepÉ'\x01\x1bç\\\x1d¤ {mwµt\\w\x12‹÷ªE´ê¬\x0fõéîu6;ïWéá~F’‘!³»\t\u0081\u0081½ƒ“\x05yyVÕ{_åÛ•A‰ïS\x016?\nÉÖ…AÂÂmŠaK#‰1©f¶!\x01\x06‰ÅáÊÞ‹R{\t_âáA\x1eFš-ª%ÎÉåF\x01\u009dé\x12³Õ‘W.¿æ›º–\x1f\vµñÝf'\tã·\x11áKa–¦ã;Òò\x02\x16iB–f†\x1e\x7f3¾EÎ\x16µQ\"f†k)/¡¹\u0081=\x03ó×\"E¾Ÿ6[¦‰Ê¥¶…¥ï\x15æï·ÆÚ1.]C\x1e’.aù" | C:\Users\Admin\AppData\Local\Temp\ec725e6f7355c934e22abb9d81da7f65_JaffaCakes118.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\ec725e6f7355c934e22abb9d81da7f65_JaffaCakes118.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\ec725e6f7355c934e22abb9d81da7f65_JaffaCakes118.exe | N/A |
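The four registry signatures above (and the identical set fired in behavioral1) can be reproduced as a small triage rule over the report's own Indicator cells, which is how a detection engineer would turn this page into something testable. This is an added example, not part of the sandbox report or of the sample's code: the Winlogon baseline allowlist, the 5 bits/byte entropy threshold, the 8-hex-digit name heuristic and the synthetic blob are assumptions, and the AdjustPrivilegeToken row (a different cell layout) is not handled.

```python
import math
import re
from collections import Counter
from dataclasses import dataclass

WINLOGON_KEY = r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
BIOS_KEY = r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System"
NLS_LANGUAGE_KEY = r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language"

# Value names that live directly under Winlogon on a stock install. Partial,
# hand-written allowlist (assumption): baseline it against a clean host.
KNOWN_WINLOGON_VALUES = {
    "AutoAdminLogon", "AutoRestartShell", "Background", "DefaultDomainName",
    "DefaultUserName", "DisableCAD", "ForceUnlockLogon", "LegalNoticeCaption",
    "LegalNoticeText", "PasswordExpiryWarning", "PowerdownAfterShutdown",
    "PreCreateKnownFolders", "ReportBootOk", "Shell", "ShellInfrastructure",
    "ShutdownWithoutLogon", "Userinit", "VMApplet", "WinStationsDisabled",
}
RANDOM_NAME = re.compile(r"^[0-9a-f]{8}$", re.IGNORECASE)  # e.g. fda74849, 12411206
ENTROPY_THRESHOLD = 5.0  # bits per byte (assumption); paths and text sit well below


@dataclass
class RegEvent:
    op: str        # "Key value queried", "Set value (str)", "Key opened", ...
    path: str      # key path as the sandbox prints it
    name: str = ""  # value name, when the row refers to a value
    data: str = ""  # value data, when the row is a write


@dataclass
class Finding:
    technique: str
    title: str
    detail: str


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for an empty or constant buffer, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def parse_row(op: str, indicator: str) -> RegEvent:
    """Split one Indicator cell into key path, value name and (for writes) data."""
    path, data = indicator, ""
    if op.startswith("Set value"):
        path, _, quoted = indicator.partition(" = ")  # first " = " ends the value path
        if len(quoted) >= 2 and quoted[0] == quoted[-1] == '"':
            quoted = quoted[1:-1]
        data = quoted
    if op.startswith("Set value") or op == "Key value queried":
        path, _, name = path.rpartition("\\")
        return RegEvent(op, path, name, data)
    return RegEvent(op, path)


def triage(rows):
    """rows: (Description, Indicator) pairs as printed in the Signatures tables."""
    findings = []
    for op, indicator in rows:
        ev = parse_row(op, indicator)
        key = ev.path.lower()
        if ev.op.startswith("Set value") and key == WINLOGON_KEY.lower():
            reasons = []
            if ev.name not in KNOWN_WINLOGON_VALUES:
                reasons.append("value name not in baseline")
            if RANDOM_NAME.match(ev.name):
                reasons.append("8-hex-digit value name")
            ent = shannon_entropy(ev.data.encode("latin-1", errors="replace"))
            if ent >= ENTROPY_THRESHOLD:
                reasons.append(f"high-entropy data ({ent:.2f} bits/byte, {len(ev.data)} chars)")
            if reasons:
                findings.append(Finding("T1112", "Winlogon value written",
                                        f"{ev.name}: " + "; ".join(reasons)))
        elif (ev.op == "Key value queried" and key == BIOS_KEY.lower()
              and ev.name.lower() == "systembiosversion"):
            findings.append(Finding("T1082", "BIOS version read",
                                    "SystemBiosVersion is a common VM/sandbox fingerprint"))
        elif ev.op == "Key opened" and key == NLS_LANGUAGE_KEY.lower():
            findings.append(Finding("T1614.001", "System language discovery",
                                    "NLS\\Language opened; locale checks often gate execution"))
    return findings


# Constructed sample mirroring the report's rows. The blob is synthetic (75 distinct
# non-repeating bytes), not the captured value, and one benign write is included
# as a control that must not fire.
SYNTHETIC_BLOB = "".join(chr(i) for i in range(0x20, 0x100, 3))
SAMPLE_ROWS = [
    ("Key value queried", BIOS_KEY + "\\SystemBiosVersion"),
    ("Set value (str)", WINLOGON_KEY + '\\fda74849 = "' + SYNTHETIC_BLOB + '"'),
    ("Set value (str)", WINLOGON_KEY + '\\Shell = "explorer.exe"'),  # benign control
    ("Key opened", NLS_LANGUAGE_KEY),
]

if __name__ == "__main__":
    for f in triage(SAMPLE_ROWS):
        print(f"[{f.technique}] {f.title}: {f.detail}")
```

The entropy test is what separates this write from an ordinary Winlogon change: `Shell = "explorer.exe"` scores about 2.6 bits per byte and is on the baseline, whereas an opaque blob under a random eight-hex-digit name scores above 6 and matches nothing a stock install creates. The same three checks map directly onto Sysmon Event ID 13 (RegistryEvent SetValue) fields if you want to run them on endpoints rather than on sandbox output.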
Processes
C:\Users\Admin\AppData\Local\Temp\ec725e6f7355c934e22abb9d81da7f65_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ec725e6f7355c934e22abb9d81da7f65_JaffaCakes118.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 72.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
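Every row in the table above is a reverse (PTR) lookup of a public address via 8.8.8.8, not a forward resolution of a domain, and the table attributes none of them to a process. Before copying them into an IOC list it is worth decoding what was actually asked about and whether it is even a routable address. The helper below does that for the rows on this page; it is an added example, not part of the sandbox report, and the extra private-range, IPv6 and forward-lookup rows are constructed for contrast.

```python
import ipaddress

IN_ADDR = ".in-addr.arpa"
IP6 = ".ip6.arpa"


def ptr_name_to_ip(qname: str):
    """Return the ipaddress object a PTR query name refers to, or None if the
    name is not a well-formed in-addr.arpa / ip6.arpa name."""
    name = qname.rstrip(".").lower()
    try:
        if name.endswith(IN_ADDR):
            octets = name[: -len(IN_ADDR)].split(".")
            if len(octets) != 4 or not all(o.isdigit() for o in octets):
                return None
            # in-addr.arpa lists the octets least-significant first
            return ipaddress.ip_address(".".join(reversed(octets)))
        if name.endswith(IP6):
            nibbles = name[: -len(IP6)].split(".")
            if len(nibbles) != 32 or not all(len(n) == 1 and n in "0123456789abcdef"
                                             for n in nibbles):
                return None
            hexstr = "".join(reversed(nibbles))  # 32 nibbles, least-significant first
            return ipaddress.ip_address(":".join(hexstr[i:i + 4] for i in range(0, 32, 4)))
    except ValueError:  # e.g. octet out of range or leading zeros
        return None
    return None


def summarize_dns(rows):
    """rows: (Destination, Domain, Proto) tuples as printed in the Network table.
    Each result says whether the query was a forward lookup or a PTR, and for a
    PTR which address it reversed and whether that address is globally routable."""
    out = []
    for dest, domain, proto in rows:
        ip = ptr_name_to_ip(domain)
        if ip is None:
            out.append({"query": domain, "kind": "forward", "resolver": dest, "proto": proto})
        else:
            out.append({"query": domain, "kind": "ptr", "address": str(ip),
                        "global": ip.is_global, "resolver": dest, "proto": proto})
    return out


# The first eight rows are the ones from the behavioral2 Network table; the last
# three are constructed (private-range PTR, IPv6 PTR, ordinary forward lookup).
SAMPLE_DNS_ROWS = [
    ("8.8.8.8:53", "209.205.72.20.in-addr.arpa", "udp"),
    ("8.8.8.8:53", "72.32.126.40.in-addr.arpa", "udp"),
    ("8.8.8.8:53", "95.221.229.192.in-addr.arpa", "udp"),
    ("8.8.8.8:53", "241.150.49.20.in-addr.arpa", "udp"),
    ("8.8.8.8:53", "26.165.165.52.in-addr.arpa", "udp"),
    ("8.8.8.8:53", "198.187.3.20.in-addr.arpa", "udp"),
    ("8.8.8.8:53", "172.214.232.199.in-addr.arpa", "udp"),
    ("8.8.8.8:53", "43.229.111.52.in-addr.arpa", "udp"),
    ("8.8.8.8:53", "1.0.168.192.in-addr.arpa", "udp"),
    ("8.8.8.8:53", "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa", "udp"),
    ("8.8.8.8:53", "example.com", "udp"),
]

if __name__ == "__main__":
    for r in summarize_dns(SAMPLE_DNS_ROWS):
        print(r)
```

Decoded, the eight page rows are all PTR queries for globally routable addresses (20.72.205.209, 40.126.32.72, 192.229.221.95, 20.49.150.241, 52.165.165.26, 20.3.187.198, 199.232.214.172, 52.111.229.43). With no process attributed and no forward lookups in the capture, they are consistent with background resolution by the Windows 10 guest rather than with sample-driven C2 traffic; treat them as context, and corroborate before promoting any of them to an indicator.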
Files
memory/3268-0-0x0000000002230000-0x0000000002282000-memory.dmp
memory/3268-1-0x0000000000400000-0x000000000045F000-memory.dmp
memory/3268-2-0x0000000002330000-0x00000000023DA000-memory.dmp
memory/3268-3-0x0000000000400000-0x00000000004ED000-memory.dmp
memory/3268-4-0x0000000002840000-0x00000000028F9000-memory.dmp
memory/3268-48-0x0000000002B20000-0x0000000002B21000-memory.dmp
memory/3268-46-0x0000000002B00000-0x0000000002B01000-memory.dmp
memory/3268-45-0x0000000002B10000-0x0000000002B11000-memory.dmp
memory/3268-42-0x0000000002B00000-0x0000000002B01000-memory.dmp
memory/3268-41-0x0000000002AF0000-0x0000000002AF1000-memory.dmp
memory/3268-39-0x0000000002AD0000-0x0000000002AD1000-memory.dmp
memory/3268-38-0x0000000002AE0000-0x0000000002AE1000-memory.dmp
memory/3268-17-0x0000000002A50000-0x0000000002A51000-memory.dmp
memory/3268-11-0x00000000022A0000-0x00000000022A1000-memory.dmp
memory/3268-10-0x00000000022C0000-0x00000000022C1000-memory.dmp
memory/3268-9-0x00000000022C0000-0x00000000022C1000-memory.dmp
memory/3268-7-0x00000000022A0000-0x00000000022A1000-memory.dmp
memory/3268-49-0x0000000002840000-0x00000000028F9000-memory.dmp
memory/3268-35-0x0000000002AD0000-0x0000000002AD1000-memory.dmp
memory/3268-34-0x0000000002AC0000-0x0000000002AC1000-memory.dmp
memory/3268-32-0x0000000002AA0000-0x0000000002AA1000-memory.dmp
memory/3268-31-0x0000000002AB0000-0x0000000002AB1000-memory.dmp
memory/3268-27-0x0000000002A90000-0x0000000002A91000-memory.dmp
memory/3268-25-0x0000000002A70000-0x0000000002A71000-memory.dmp
memory/3268-24-0x0000000002A80000-0x0000000002A81000-memory.dmp
memory/3268-22-0x0000000002A70000-0x0000000002A71000-memory.dmp
memory/3268-20-0x0000000002A60000-0x0000000002A61000-memory.dmp
memory/3268-18-0x0000000002A40000-0x0000000002A41000-memory.dmp
memory/3268-14-0x0000000002A40000-0x0000000002A41000-memory.dmp
memory/3268-13-0x00000000023E0000-0x00000000023E1000-memory.dmp
memory/3268-6-0x0000000002840000-0x00000000028F9000-memory.dmp
memory/3268-51-0x0000000002230000-0x0000000002282000-memory.dmp
memory/3268-52-0x0000000000400000-0x000000000045F000-memory.dmp