Malware Analysis Report

2024-12-07 14:58

Sample ID 241002-h9k5tstfqm
Target 0988c935717178e91e8acd06450283a2_JaffaCakes118
SHA256 a4dfc90bf63745e6c476ccdd748cb097064b4334478a6cc08ab517f67e6cf13d
Tags: discovery exploit upx
Score: 8/10

Analysis Overview

Score: 8/10

SHA256: a4dfc90bf63745e6c476ccdd748cb097064b4334478a6cc08ab517f67e6cf13d

Threat Level: Likely malicious

The file 0988c935717178e91e8acd06450283a2_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

discovery exploit upx

Possible privilege escalation attempt

Executes dropped EXE

Loads dropped DLL

Checks BIOS information in registry

Uses the VBS compiler for execution

Checks computer location settings

Modifies file permissions

UPX packed file

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates system info in registry

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-02 07:26

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-02 07:26

Reported

2024-10-02 07:28

Platform

win7-20240903-en

Max time kernel

117s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0988c935717178e91e8acd06450283a2_JaffaCakes118.exe"

Signatures

Possible privilege escalation attempt

exploit
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\takeown.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Roaming\temp.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate C:\Users\Admin\AppData\Roaming\temp.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\temp.exe N/A
N/A N/A C:\bootsect.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\0988c935717178e91e8acd06450283a2_JaffaCakes118.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\takeown.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Uses the VBS compiler for execution

UPX packed file

upx
Description Indicator Process Target Count
N/A N/A N/A N/A 5

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\takeown.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\bootsect.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\icacls.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\temp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\0988c935717178e91e8acd06450283a2_JaffaCakes118.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key created \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Users\Admin\AppData\Roaming\temp.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardProduct C:\Users\Admin\AppData\Roaming\temp.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\temp.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: 33 N/A C:\Users\Admin\AppData\Roaming\temp.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\temp.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\temp.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\temp.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\takeown.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target Count
PID 2872 wrote to memory of 3024 N/A C:\Users\Admin\AppData\Local\Temp\0988c935717178e91e8acd06450283a2_JaffaCakes118.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe 4
PID 2872 wrote to memory of 2132 N/A C:\Users\Admin\AppData\Local\Temp\0988c935717178e91e8acd06450283a2_JaffaCakes118.exe C:\Users\Admin\AppData\Roaming\temp.exe 4
PID 3024 wrote to memory of 2608 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe 4
PID 2132 wrote to memory of 1948 N/A C:\Users\Admin\AppData\Roaming\temp.exe C:\Windows\SysWOW64\cmd.exe 4
PID 1948 wrote to memory of 1276 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe 4
PID 1276 wrote to memory of 824 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\takeown.exe 4
PID 2132 wrote to memory of 2644 N/A C:\Users\Admin\AppData\Roaming\temp.exe C:\Windows\SysWOW64\cmd.exe 4
PID 2644 wrote to memory of 1160 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\icacls.exe 4
PID 2132 wrote to memory of 1944 N/A C:\Users\Admin\AppData\Roaming\temp.exe C:\Windows\SysWOW64\cmd.exe 4
PID 1944 wrote to memory of 2508 N/A C:\Windows\SysWOW64\cmd.exe C:\bootsect.exe 4
PID 2132 wrote to memory of 1912 N/A C:\Users\Admin\AppData\Roaming\temp.exe C:\Windows\SysWOW64\cmd.exe 4
PID 1912 wrote to memory of 1624 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe 4
PID 2132 wrote to memory of 844 N/A C:\Users\Admin\AppData\Roaming\temp.exe C:\Windows\SysWOW64\cmd.exe 4
PID 844 wrote to memory of 1344 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe 4

Processes

C:\Users\Admin\AppData\Local\Temp\0988c935717178e91e8acd06450283a2_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\0988c935717178e91e8acd06450283a2_JaffaCakes118.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\gazv90lv.cmdline"

C:\Users\Admin\AppData\Roaming\temp.exe

"C:\Users\Admin\AppData\Roaming\temp.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE966.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcE965.tmp"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /A /C "cmd.exe /c takeown /f C:\ldrscan\bootwin"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c takeown /f C:\ldrscan\bootwin

C:\Windows\SysWOW64\takeown.exe

takeown /f C:\ldrscan\bootwin

C:\Windows\SysWOW64\cmd.exe

cmd.exe /A /C "icacls C:\ldrscan\bootwin /grant *S-1-1-0:(F)"

C:\Windows\SysWOW64\icacls.exe

icacls C:\ldrscan\bootwin /grant *S-1-1-0:(F)

C:\Windows\SysWOW64\cmd.exe

cmd.exe /A /C "C:\bootsect.exe /nt60 SYS /force"

C:\bootsect.exe

C:\bootsect.exe /nt60 SYS /force

C:\Windows\SysWOW64\cmd.exe

cmd.exe /A /C "C:\Windows\System32\cscript.exe //nologo C:\Windows\System32\slmgr.vbs -upk"

C:\Windows\SysWOW64\cscript.exe

C:\Windows\System32\cscript.exe //nologo C:\Windows\System32\slmgr.vbs -upk

C:\Windows\SysWOW64\cmd.exe

cmd.exe /A /C "C:\Windows\System32\cscript.exe //nologo C:\Windows\System32\slmgr.vbs -ipk D4F6K-QK3RD-TMVMJ-BBMRX-3MBMV"

C:\Windows\SysWOW64\cscript.exe

C:\Windows\System32\cscript.exe //nologo C:\Windows\System32\slmgr.vbs -ipk D4F6K-QK3RD-TMVMJ-BBMRX-3MBMV

Network

N/A

Files

memory/2872-0-0x0000000001170000-0x00000000014DA000-memory.dmp

memory/2872-9-0x0000000076264000-0x0000000076265000-memory.dmp

memory/2872-10-0x0000000076250000-0x0000000076360000-memory.dmp

memory/2872-11-0x0000000076250000-0x0000000076360000-memory.dmp

memory/2872-12-0x0000000076250000-0x0000000076360000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\gazv90lv.cmdline

MD5 bb406a95d4c6233a5bc504818537873a
SHA1 b0fe8b350a01a00b634814b2b7b878ce1a7d1f6d
SHA256 45b38d5b25b64c5976ca2bcb6c835a44313b41e9ded4a38500feb0ce269a8dee
SHA512 3c40ffd0196b75ccf868dc9312d835dc49fb1bdec70c5b03a0502066abb0faa32f5a2a27c58cb5b4d9dafebc3101c121dd91993a3eb3c19e95722c9e7429fccc

memory/3024-18-0x0000000076250000-0x0000000076360000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\gazv90lv.0.vb

MD5 f376af31deadaf2deeded400b19e6c85
SHA1 e6b7552076f57f2712e0a1b137c0b829954f4738
SHA256 4c91daef9324fb4744f8a4e904bdedd0f9703c5ab758d7ed717c8f6ced8a9c0a
SHA512 02c152b01397f424d44f3fd4ed73e04365468ad7fd2861a796d788de7f549ab068359e66d21b632c42a8a8b02446867af67dda090582a61ab175a3969aac4aef

\Users\Admin\AppData\Roaming\temp.exe

MD5 c4d6d3633382fe25a25aa4ee12a19560
SHA1 c6fd5d70f7609c589757fac45811dd7c1c63f93a
SHA256 27b4ea627778b5f75622daab8c736f4024778b69ca93f2ec940e3d44107902d6
SHA512 7b4d1471e2c79d9b23c6fda2d0388ffdfad174f6624625df14e86be16c345696640d43564848fdc9a4a0e228c2c70d783f936e1b11a8510ec8efb533b35b6aa7

memory/2132-26-0x0000000000400000-0x0000000000623000-memory.dmp

memory/2872-24-0x00000000088A0000-0x0000000008AC3000-memory.dmp

memory/2132-76-0x0000000001FC0000-0x0000000001FE0000-memory.dmp

memory/2132-68-0x0000000001FB0000-0x0000000001FC0000-memory.dmp

memory/2132-60-0x00000000003F0000-0x0000000000400000-memory.dmp

memory/2132-52-0x00000000003D0000-0x00000000003E1000-memory.dmp

memory/2132-44-0x0000000010000000-0x0000000010021000-memory.dmp

memory/2132-36-0x00000000003C0000-0x00000000003D0000-memory.dmp

memory/2132-28-0x00000000002A0000-0x00000000002B1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\RESE966.tmp

MD5 c7ec7c78d41236384c986863ffecf15e
SHA1 82eb65753fefa29c0ef0601ed3047b128f0cd40e
SHA256 2c0c1398ec3fd50c126051ed7ae9b47a2b2244bb9c03f1bd4ee46f35161824f8
SHA512 bb38e9f696d9e5b08039980211373731586b4036427920c42d4e2639d19fb85300f9d4402c4fcb2c6d266df8b20886de6094d85fc82e35056f99fd2db5fdc422

C:\Users\Admin\AppData\Local\Temp\vbcE965.tmp

MD5 3657a9ea37c4879952df6e111d56c5b1
SHA1 1f39680bdb12a7064a7c2bc23737a70d8ac81d31
SHA256 e1a507cb7106b4b8fc401e8881f9b55fa425f1f4394e9073097fe551eb357a31
SHA512 3c6e5801c6290c79ee24f18573135e6f99ad949fc7b38c2092558eb64187c7264fc7553c8c6ee207b3c4e781d5e1cc152f70f4507c37e2e7ee938a8984272a44

C:\Users\Admin\AppData\Local\Temp\gazv90lv.dll

MD5 ece057a5d2c1d62ad3450728c7219b22
SHA1 1ae530ba9eb0645a715362d1629b2562de7d58e3
SHA256 cfa8762ea791e0b0f8a3c58ea9f5335ad34d83b4dbe682427e03f9eab0b34b30
SHA512 87e52199c023aff0917225d01115d808057f553b61a8756f29f7f35afb568c17b449da980390d6749a6db8957bf61124e3572deb18621af3331a0ee21c90edf9

memory/3024-91-0x0000000076250000-0x0000000076360000-memory.dmp

memory/2872-94-0x0000000076250000-0x0000000076360000-memory.dmp

memory/2872-95-0x00000000088A0000-0x0000000008A60000-memory.dmp

memory/2132-97-0x0000000000400000-0x0000000000623000-memory.dmp

memory/2132-98-0x0000000000400000-0x0000000000623000-memory.dmp

C:\bootsect.exe

MD5 17b18a2feb3dcfe8a165af86ebc29fe7
SHA1 bf00a8ef28200a3bbc73633b360e1484ee2874d5
SHA256 99c4970f1f4b9dc50a5db9ff6f3a581754a1631f0751bdec2b5e3a261f35d85a
SHA512 034e809a3f2a2eaa633b7c1c9bffd0ac65041bf0a3fc6ba861e281712cdcb1e063d6c29e562bdc864e1963466ebcec9e30475907bea80a67ab48111ae583e65c

memory/2508-104-0x0000000001000000-0x000000000101B000-memory.dmp

memory/2132-105-0x0000000000400000-0x0000000000623000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-02 07:26

Reported

2024-10-02 07:28

Platform

win10v2004-20240802-en

Max time kernel

148s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0988c935717178e91e8acd06450283a2_JaffaCakes118.exe"

Signatures

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate C:\Users\Admin\AppData\Roaming\temp.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Roaming\temp.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\0988c935717178e91e8acd06450283a2_JaffaCakes118.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\temp.exe N/A

Uses the VBS compiler for execution

UPX packed file

upx
Description Indicator Process Target Count
N/A N/A N/A N/A 7

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\0988c935717178e91e8acd06450283a2_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\temp.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key created \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Users\Admin\AppData\Roaming\temp.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardProduct C:\Users\Admin\AppData\Roaming\temp.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\temp.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\temp.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: 33 N/A C:\Users\Admin\AppData\Roaming\temp.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\temp.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target Count
PID 1952 wrote to memory of 4476 N/A C:\Users\Admin\AppData\Local\Temp\0988c935717178e91e8acd06450283a2_JaffaCakes118.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe 3
PID 4476 wrote to memory of 912 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe 3
PID 1952 wrote to memory of 4356 N/A C:\Users\Admin\AppData\Local\Temp\0988c935717178e91e8acd06450283a2_JaffaCakes118.exe C:\Users\Admin\AppData\Roaming\temp.exe 3

Processes

C:\Users\Admin\AppData\Local\Temp\0988c935717178e91e8acd06450283a2_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\0988c935717178e91e8acd06450283a2_JaffaCakes118.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ee-0maks.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF898.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc3270B708101946D085A5E678B42B5688.TMP"

C:\Users\Admin\AppData\Roaming\temp.exe

"C:\Users\Admin\AppData\Roaming\temp.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 101.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp

Files

memory/1952-1-0x0000000001160000-0x00000000014CA000-memory.dmp

memory/1952-10-0x00000000752F0000-0x00000000753E0000-memory.dmp

memory/1952-9-0x0000000075310000-0x0000000075311000-memory.dmp

memory/1952-11-0x00000000752F0000-0x00000000753E0000-memory.dmp

memory/1952-12-0x00000000752F0000-0x00000000753E0000-memory.dmp

memory/1952-13-0x00000000752F0000-0x00000000753E0000-memory.dmp

memory/1952-15-0x00000000752F0000-0x00000000753E0000-memory.dmp

memory/1952-14-0x00000000752F0000-0x00000000753E0000-memory.dmp

memory/1952-16-0x00000000752F0000-0x00000000753E0000-memory.dmp

memory/1952-17-0x00000000752F0000-0x00000000753E0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ee-0maks.cmdline

MD5 317c03a5a11e395837508da657b798e6
SHA1 65c48b14f8d0b6a0f3c1a7aec1265237f0e9d542
SHA256 d530d3462dc390c3886f98617d7674300d0e553f58ce87b34b0ac4603c0bd642
SHA512 6f17b0e6ab3bca9f8faff769d095714da4988e5212166f568a2838f26be43c3faf3a48bcd0912682dedaf093d4eaa155d5aa3d972401899b5036ca89daba1c1c

C:\Users\Admin\AppData\Local\Temp\ee-0maks.0.vb

MD5 f376af31deadaf2deeded400b19e6c85
SHA1 e6b7552076f57f2712e0a1b137c0b829954f4738
SHA256 4c91daef9324fb4744f8a4e904bdedd0f9703c5ab758d7ed717c8f6ced8a9c0a
SHA512 02c152b01397f424d44f3fd4ed73e04365468ad7fd2861a796d788de7f549ab068359e66d21b632c42a8a8b02446867af67dda090582a61ab175a3969aac4aef

C:\Users\Admin\AppData\Roaming\temp.exe

MD5 c4d6d3633382fe25a25aa4ee12a19560
SHA1 c6fd5d70f7609c589757fac45811dd7c1c63f93a
SHA256 27b4ea627778b5f75622daab8c736f4024778b69ca93f2ec940e3d44107902d6
SHA512 7b4d1471e2c79d9b23c6fda2d0388ffdfad174f6624625df14e86be16c345696640d43564848fdc9a4a0e228c2c70d783f936e1b11a8510ec8efb533b35b6aa7

C:\Users\Admin\AppData\Local\Temp\vbc3270B708101946D085A5E678B42B5688.TMP

MD5 33f7a93ed8e2d4555c5e65cde9418a73
SHA1 506806ff2887a0ce9d6a78aaf440b363116f47fe
SHA256 d123170653233134d4b14cd08a4e379db5e41418774d6a5f8de005bdeedbb1da
SHA512 dbe945579eeadf5378e7ea148c0cab0732c728446cd3bf82876e2f6a84f8a94324937777aaa1f45386a61822e4c92715275e59c37b7e7de8a11da724d32c1951

C:\Users\Admin\AppData\Local\Temp\RESF898.tmp

MD5 1d08dd3535e517108d103774d756c7b4
SHA1 f48b5ba573681122c2dd0ef45f9f9ecf094dd774
SHA256 c9f7c2876fe68656c7ca75049dde7bf20475419dc543a68ec85008aa045d3436
SHA512 b235191c911fef6ce4de105070f3b903134301abccb05c5ab37fd0911984c07b5fb1c0448c021e604fdd5540d448ea21a16c4db14bf53ca8f501cc5e255d57db

memory/4476-38-0x00000000752F0000-0x00000000753E0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ee-0maks.dll

MD5 fc992a01b38c22fd2fa5ab4bd83b20b9
SHA1 961d4b9ef73eaa6d6e84fa2ea0a31fd53862daa0
SHA256 96f28cdd93a047c39c819754fe385dfe1ed73daec9aeb35bc10b7047be4383ec
SHA512 926e92cd702a1147ca0c040ad1111e8d27c2afa05dfb66b29d89985dd1af46e0c1e9fdfbf847ab515ed6e564e36687c73fd28f90fea09814ad34eeb8f72979c8

memory/4356-45-0x0000000000400000-0x0000000000623000-memory.dmp

memory/1952-46-0x00000000752F0000-0x00000000753E0000-memory.dmp

memory/4356-47-0x00000000752F0000-0x00000000753E0000-memory.dmp

memory/4356-56-0x0000000000830000-0x0000000000840000-memory.dmp

memory/4356-72-0x0000000002D70000-0x0000000002D81000-memory.dmp

memory/4356-96-0x0000000002DB0000-0x0000000002DD0000-memory.dmp

memory/4356-88-0x0000000002DA0000-0x0000000002DB0000-memory.dmp

memory/4356-80-0x0000000002D90000-0x0000000002DA0000-memory.dmp

memory/4356-64-0x0000000010000000-0x0000000010021000-memory.dmp

memory/4356-48-0x0000000002A10000-0x0000000002A21000-memory.dmp

memory/4356-104-0x0000000000400000-0x0000000000623000-memory.dmp

memory/4356-106-0x00000000752F0000-0x00000000753E0000-memory.dmp

memory/4356-107-0x0000000000400000-0x0000000000623000-memory.dmp

memory/4356-108-0x0000000000400000-0x0000000000623000-memory.dmp

memory/4356-109-0x0000000000400000-0x0000000000623000-memory.dmp

memory/4356-110-0x0000000000400000-0x0000000000623000-memory.dmp