Analysis Overview
SHA256
e8b8f7711195d3ff912967c82ee2a12ba710ac9e717e8ee65f268bec0734ba54
Threat Level: Known bad
The file ef2db42d2fb581b3f838a01cbdea42b8_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
Banload
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Checks BIOS information in registry
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Modifies registry class
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-09-21 05:51
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-09-21 05:51
Reported
2024-09-21 05:54
Platform
win7-20240903-en
Max time kernel
119s
Max time network
120s
Command Line
Signatures
Banload
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\ef2db42d2fb581b3f838a01cbdea42b8_JaffaCakes118.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\ef2db42d2fb581b3f838a01cbdea42b8_JaffaCakes118.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | C:\Users\Admin\AppData\Local\Temp\ef2db42d2fb581b3f838a01cbdea42b8_JaffaCakes118.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\ef2db42d2fb581b3f838a01cbdea42b8_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\ef2db42d2fb581b3f838a01cbdea42b8_JaffaCakes118.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9A27F324-9F56-0449-CBBA-A65B2628998E}\InProcServer32 | C:\Users\Admin\AppData\Local\Temp\ef2db42d2fb581b3f838a01cbdea42b8_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9A27F324-9F56-0449-CBBA-A65B2628998E}\InProcServer32\ = "%SystemRoot%\\SysWow64\\provsvc.dll" | C:\Users\Admin\AppData\Local\Temp\ef2db42d2fb581b3f838a01cbdea42b8_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9A27F324-9F56-0449-CBBA-A65B2628998E}\InProcServer32\ThreadingModel = "Both" | C:\Users\Admin\AppData\Local\Temp\ef2db42d2fb581b3f838a01cbdea42b8_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9A27F324-9F56-0449-CBBA-A65B2628998E} | C:\Users\Admin\AppData\Local\Temp\ef2db42d2fb581b3f838a01cbdea42b8_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9A27F324-9F56-0449-CBBA-A65B2628998E}\ = "Publication Services Change Data" | C:\Users\Admin\AppData\Local\Temp\ef2db42d2fb581b3f838a01cbdea42b8_JaffaCakes118.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\ef2db42d2fb581b3f838a01cbdea42b8_JaffaCakes118.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\ef2db42d2fb581b3f838a01cbdea42b8_JaffaCakes118.exe | N/A |
| Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\ef2db42d2fb581b3f838a01cbdea42b8_JaffaCakes118.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\ef2db42d2fb581b3f838a01cbdea42b8_JaffaCakes118.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\ef2db42d2fb581b3f838a01cbdea42b8_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ef2db42d2fb581b3f838a01cbdea42b8_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\ef2db42d2fb581b3f838a01cbdea42b8_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ef2db42d2fb581b3f838a01cbdea42b8_JaffaCakes118.exe"
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | storage.googleapis.com | udp |
| GB | 142.250.180.27:443 | storage.googleapis.com | tcp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-09-21 05:51
Reported
2024-09-21 05:54
Platform
win10v2004-20240802-en
Max time kernel
93s
Max time network
94s
Command Line
Signatures
Banload
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\ef2db42d2fb581b3f838a01cbdea42b8_JaffaCakes118.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\ef2db42d2fb581b3f838a01cbdea42b8_JaffaCakes118.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | C:\Users\Admin\AppData\Local\Temp\ef2db42d2fb581b3f838a01cbdea42b8_JaffaCakes118.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\ef2db42d2fb581b3f838a01cbdea42b8_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\ef2db42d2fb581b3f838a01cbdea42b8_JaffaCakes118.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9A27F324-9F56-0449-CBBA-A65B2628998E} | C:\Users\Admin\AppData\Local\Temp\ef2db42d2fb581b3f838a01cbdea42b8_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9A27F324-9F56-0449-CBBA-A65B2628998E}\ = "PrintTaskConfigurationProxyServer" | C:\Users\Admin\AppData\Local\Temp\ef2db42d2fb581b3f838a01cbdea42b8_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9A27F324-9F56-0449-CBBA-A65B2628998E}\InProcHandler32 | C:\Users\Admin\AppData\Local\Temp\ef2db42d2fb581b3f838a01cbdea42b8_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9A27F324-9F56-0449-CBBA-A65B2628998E}\InProcHandler32\ = "C:\\Windows\\SysWOW64\\Windows.Devices.Printers.Extensions.dll" | C:\Users\Admin\AppData\Local\Temp\ef2db42d2fb581b3f838a01cbdea42b8_JaffaCakes118.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\ef2db42d2fb581b3f838a01cbdea42b8_JaffaCakes118.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\ef2db42d2fb581b3f838a01cbdea42b8_JaffaCakes118.exe | N/A |
| Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\ef2db42d2fb581b3f838a01cbdea42b8_JaffaCakes118.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\ef2db42d2fb581b3f838a01cbdea42b8_JaffaCakes118.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\ef2db42d2fb581b3f838a01cbdea42b8_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ef2db42d2fb581b3f838a01cbdea42b8_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\ef2db42d2fb581b3f838a01cbdea42b8_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ef2db42d2fb581b3f838a01cbdea42b8_JaffaCakes118.exe"
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | storage.googleapis.com | udp |
| GB | 216.58.204.91:443 | storage.googleapis.com | tcp |
| US | 8.8.8.8:53 | 91.204.58.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
Files