Malware Analysis Report

2024-12-07 14:35

Sample ID 241008-mkptyasgqk
Target 21114d8c1692a12db2394276106bc665_JaffaCakes118
SHA256 6a52071981858c924d7ef138623368f6736fe09b30099deb3d05ecf33d454262
Tags
discovery exploit
score
8/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
8/10

SHA256

6a52071981858c924d7ef138623368f6736fe09b30099deb3d05ecf33d454262

Threat Level: Likely malicious

The file 21114d8c1692a12db2394276106bc665_JaffaCakes118 was found to be: Likely malicious.

Reading the process, file and network tables below together: the sample is a WinRAR self-extractor (the payload lands in %TEMP%\RarSFX0) that runs A.I.vbs, which in turn runs Run.cmd. Run.cmd queries HKLM\SOFTWARE\Microsoft\Office\14.0 (Office 2010), silently imports Server.reg via regedt32 /s (which on this platform only relaunches regedit.exe /s, as the WriteProcessMemory pairs show; the .reg contents are not captured in the report), takes ownership of rundll32.exe and denies Everyone full control on it twice (once via System32, which a WOW64 process has redirected to SysWOW64, and once via the Sysnative alias, which reaches the real 64-bit System32), starts osppsvc (the Office Software Protection Platform service), launches the dropped Server.exe, runs Microsoft's ospp.vbs /act and searches the dropped file Check for "Product activation successful". oc.cmd then takes ownership of the 64-bit rundll32.exe again and grants Everyone full control on it, kills Server.exe and runs ospp.vbs /dstatus. The only connection in behavioral1 is to 127.1.1.1:1688, the default KMS port on a loopback address, i.e. an activation server emulated on the host itself; Server.exe is the obvious candidate for that listener, but the report does not attribute the socket to a process. On win10v2004 the chain ends after the REG QUERY, consistent with the Office 2010 key being absent there, so behavioral2 shows only the unpack and the WScript/cmd launch.

Two caveats on the signatures. "Possible privilege escalation attempt" fires on takeown/icacls, but those commands succeed only because the sandbox runs the sample as Admin; nothing in the report shows a UAC or integrity-level bypass. What matters more to a responder is the ACL state left behind: a deny-Everyone ACE is placed on both rundll32.exe copies, the later grant-Everyone:F is applied only to the 64-bit copy, and no removal of the deny ACE is visible. On a real host the owner and DACL of both rundll32.exe files should be checked with icacls and restored before the machine is considered clean.

Malicious Activity Summary

discovery exploit

Possible privilege escalation attempt

Checks computer location settings

Deletes itself

Loads dropped DLL

Modifies file permissions

Executes dropped EXE

Drops file in System32 directory

Unsigned PE

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Suspicious use of AdjustPrivilegeToken

Runs net.exe

Runs .reg file with regedit

Kills process with taskkill

Modifies registry class

Delays execution with timeout.exe

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-08 10:31

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-08 10:31

Reported

2024-10-08 17:46

Platform

win7-20240903-en

Max time kernel

121s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\21114d8c1692a12db2394276106bc665_JaffaCakes118.exe"

Signatures

Possible privilege escalation attempt

exploit
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\takeown.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\takeown.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\takeown.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\Server.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\takeown.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\takeown.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\takeown.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\OGACheckControl.dll C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Windows\SysWOW64\OGACheckControl.dll C:\Windows\SysWOW64\cmd.exe N/A
File created C:\Windows\system32\OGACheckControl.dll C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Windows\system32\OGACheckControl.dll C:\Windows\SysWOW64\cmd.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\21114d8c1692a12db2394276106bc665_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\regedit.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\takeown.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\findstr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\takeown.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\regedt32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\takeown.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\icacls.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\RarSFX0\Server.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\icacls.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\timeout.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WScript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\icacls.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\timeout.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Runs .reg file with regedit

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\regedit.exe N/A
N/A N/A C:\Windows\regedit.exe N/A

Runs net.exe

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\takeown.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1908 wrote to memory of 2324 (7 events) N/A C:\Users\Admin\AppData\Local\Temp\21114d8c1692a12db2394276106bc665_JaffaCakes118.exe C:\Windows\SysWOW64\WScript.exe
PID 2324 wrote to memory of 2320 (7 events) N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 2320 wrote to memory of 2764 (7 events) N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2320 wrote to memory of 2912 (7 events) N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedt32.exe
PID 2912 wrote to memory of 2760 (7 events) N/A C:\Windows\SysWOW64\regedt32.exe C:\Windows\SysWOW64\regedit.exe
PID 2320 wrote to memory of 2712 (4 events) N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\regedt32.exe
PID 2712 wrote to memory of 2900 (3 events) N/A C:\Windows\system32\regedt32.exe C:\Windows\regedit.exe
PID 2320 wrote to memory of 2928 (7 events) N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\takeown.exe
PID 2320 wrote to memory of 2796 (7 events) N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\icacls.exe
PID 2320 wrote to memory of 2768 (7 events) N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\takeown.exe
PID 2320 wrote to memory of 2224 (1 event) N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\icacls.exe

(Identical rows are collapsed with their event counts. The sandbox output held exactly 64 rows and stops mid-chain: later children visible in the process list, such as net.exe, Server.exe and cscript.exe, have no rows here.)
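The rows above are the sandbox's WriteProcessMemory log, one row per write, and the parent/child chain is only visible once the repeats are folded and the pids are linked. The following is an added example, not code from the report or from the sandbox vendor: a parser for that row shape which collapses repeats into counts, builds the process tree and prints it. The input is a subset of the behavioral1 rows copied from this page (one row is given in the collapsed "(N events)" form to show that both shapes parse); the reading of writer/target as parent/child is an assumption stated in the code.

```python
import re
from collections import Counter

# Row shape of the "Suspicious use of WriteProcessMemory" table:
#   PID <ppid> wrote to memory of <cpid> N/A <parent image> <child image>
# An optional "(N events)" after the child pid is accepted so rows that have
# already been collapsed with a count parse the same way as raw rows.
ROW_RE = re.compile(
    r"^PID (?P<ppid>\d+) wrote to memory of (?P<cpid>\d+)"
    r"(?: \((?P<n>\d+) events?\))? N/A "
    r"(?P<parent>[A-Za-z]:\\.*?) (?P<child>[A-Za-z]:\\.*)$"
)

# Constructed input: a subset of the behavioral1 rows, copied from the report.
# Repeated rows are kept because each one is a separate write to the child.
SFX = r"C:\Users\Admin\AppData\Local\Temp\21114d8c1692a12db2394276106bc665_JaffaCakes118.exe"
ROWS = (
    [f"PID 1908 wrote to memory of 2324 N/A {SFX} C:\\Windows\\SysWOW64\\WScript.exe"] * 3
    + [r"PID 2324 wrote to memory of 2320 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe"] * 2
    + [
        r"PID 2320 wrote to memory of 2764 (7 events) N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe",
        r"PID 2320 wrote to memory of 2912 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedt32.exe",
        r"PID 2912 wrote to memory of 2760 N/A C:\Windows\SysWOW64\regedt32.exe C:\Windows\SysWOW64\regedit.exe",
        r"PID 2320 wrote to memory of 2928 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\takeown.exe",
        r"PID 2320 wrote to memory of 2796 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\icacls.exe",
        "Description Indicator Process Target",  # table header, must be ignored
    ]
)


def parse_row(line):
    """Return (ppid, cpid, parent_image, child_image, count) or None for non-rows."""
    m = ROW_RE.match(line.strip())
    if not m:
        return None
    count = int(m["n"]) if m["n"] else 1
    return int(m["ppid"]), int(m["cpid"]), m["parent"], m["child"], count


def collapse(rows):
    """One entry per (ppid, cpid) in first-seen order, with the total write count."""
    counts, first = Counter(), {}
    for line in rows:
        parsed = parse_row(line)
        if parsed is None:
            continue
        key = parsed[:2]
        counts[key] += parsed[4]
        first.setdefault(key, parsed[:4])
    return [(*images, counts[key]) for key, images in first.items()]


def process_tree(rows):
    """Build {pid: {"image", "children"}} and the list of root pids.
    Assumption: a writer->target pair is read as parent->child, because the
    writes the sandbox logs here are the ones a parent makes into a child it
    has just created; the table does not itself prove creation."""
    nodes, has_parent = {}, set()
    for ppid, cpid, parent, child, _ in collapse(rows):
        nodes.setdefault(ppid, {"image": parent, "children": []})
        nodes.setdefault(cpid, {"image": child, "children": []})
        if cpid not in nodes[ppid]["children"]:
            nodes[ppid]["children"].append(cpid)
        has_parent.add(cpid)
    roots = [pid for pid in nodes if pid not in has_parent]
    return nodes, roots


def render(nodes, pid, depth=0):
    """Indented one-line-per-process view, image reduced to its file name."""
    name = nodes[pid]["image"].rsplit("\\", 1)[-1]
    lines = ["  " * depth + f"{pid} {name}"]
    for child in nodes[pid]["children"]:
        lines.extend(render(nodes, child, depth + 1))
    return lines


if __name__ == "__main__":
    tree, roots = process_tree(ROWS)
    for root in roots:
        print("\n".join(render(tree, root)))
```

Run stand-alone it prints the chain SFX exe > WScript.exe > cmd.exe > {reg.exe, regedt32.exe > regedit.exe, takeown.exe, icacls.exe}; feeding it the full 64 rows from the report gives the same tree with the regedt32/regedit pair appearing twice (32-bit and 64-bit).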

Processes

C:\Users\Admin\AppData\Local\Temp\21114d8c1692a12db2394276106bc665_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\21114d8c1692a12db2394276106bc665_JaffaCakes118.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\A.I.vbs"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\Run.cmd" "

C:\Windows\SysWOW64\reg.exe

REG QUERY "HKLM\SOFTWARE\Microsoft\Office\14.0" /s

C:\Windows\SysWOW64\regedt32.exe

C:\Windows\System32\regedt32.exe /s Server.reg

C:\Windows\SysWOW64\regedit.exe

"C:\Windows\regedit.exe" /s Server.reg

C:\Windows\system32\regedt32.exe

C:\Windows\Sysnative\regedt32.exe /s Server.reg

C:\Windows\regedit.exe

"C:\Windows\regedit.exe" /s Server.reg

C:\Windows\SysWOW64\takeown.exe

takeown /F C:\Windows\System32\rundll32.exe

C:\Windows\SysWOW64\icacls.exe

icacls C:\Windows\System32\rundll32.exe /deny everyone:F

C:\Windows\SysWOW64\takeown.exe

takeown /F C:\Windows\Sysnative\rundll32.exe

C:\Windows\SysWOW64\icacls.exe

icacls C:\Windows\Sysnative\rundll32.exe /deny everyone:F

C:\Windows\SysWOW64\net.exe

net start osppsvc

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 start osppsvc

C:\Users\Admin\AppData\Local\Temp\RarSFX0\Server.exe

Server.exe

C:\Windows\SysWOW64\timeout.exe

timeout /t 2 /nobreak

C:\Windows\SysWOW64\cscript.exe

cscript ospp.vbs /act

C:\Windows\SysWOW64\findstr.exe

findstr /I "<Product activation successful>" Check

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /K oc.cmd

C:\Windows\SysWOW64\takeown.exe

takeown /F C:\Windows\Sysnative\rundll32.exe

C:\Windows\SysWOW64\icacls.exe

icacls C:\Windows\Sysnative\rundll32.exe /grant everyone:F

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im Server.exe

C:\Windows\SysWOW64\cscript.exe

cscript //nologo ospp.vbs /dstatus

C:\Windows\SysWOW64\timeout.exe

timeout /t 30 /nobreak

Network

Country Destination Domain Proto
N/A 127.1.1.1:1688 tcp
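The command sequence in the Processes list and the single loopback connection to port 1688 are, taken together, a detectable pattern: takeown and icacls /deny against a binary under System32/Sysnative, a silent .reg import, ospp.vbs /act, and TCP 1688 to 127.0.0.0/8. The following is an added example, not code from the report or the sandbox vendor, showing that detection logic run over constructed process-creation and network-connection events modelled loosely on Sysmon event IDs 1 and 3. The command lines are the ones behavioral1 recorded; pids, parent pids, field names and the attribution of the 1688 socket to OSPPSVC.EXE are assumptions made for the example (the report itself does not tie the socket to a process). It also reports which system binaries the chain left with an Everyone:F allow ACE, since that is the state a responder has to undo.

```python
import ipaddress
import re

# Constructed telemetry, modelled loosely on Sysmon event 1 (process create)
# and event 3 (network connect). Command lines are those from behavioral1;
# pids, ppids, field names and the OSPPSVC.EXE attribution are assumptions.
EVENTS = [
    {"id": 1, "pid": 2320, "ppid": 2324, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmd": r'cmd /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\Run.cmd" "'},
    {"id": 1, "pid": 2912, "ppid": 2320, "image": r"C:\Windows\SysWOW64\regedt32.exe",
     "cmd": r"C:\Windows\System32\regedt32.exe /s Server.reg"},
    {"id": 1, "pid": 2928, "ppid": 2320, "image": r"C:\Windows\SysWOW64\takeown.exe",
     "cmd": r"takeown /F C:\Windows\System32\rundll32.exe"},
    {"id": 1, "pid": 2796, "ppid": 2320, "image": r"C:\Windows\SysWOW64\icacls.exe",
     "cmd": r"icacls C:\Windows\System32\rundll32.exe /deny everyone:F"},
    {"id": 1, "pid": 3001, "ppid": 2320, "image": r"C:\Windows\SysWOW64\cscript.exe",
     "cmd": "cscript ospp.vbs /act"},
    {"id": 3, "pid": 3100, "image": r"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE",
     "dst_ip": "127.1.1.1", "dst_port": 1688, "proto": "tcp"},
    {"id": 1, "pid": 3010, "ppid": 2320, "image": r"C:\Windows\SysWOW64\icacls.exe",
     "cmd": r"icacls C:\Windows\Sysnative\rundll32.exe /grant everyone:F"},
    # Benign noise that must not fire: permissions fixed on a user's own file,
    # and ordinary HTTPS from a browser.
    {"id": 1, "pid": 4000, "ppid": 1, "image": r"C:\Windows\System32\icacls.exe",
     "cmd": r"icacls C:\Users\Admin\notes.txt /grant Admin:F"},
    {"id": 3, "pid": 4001, "image": r"C:\Program Files\Browser\browser.exe",
     "dst_ip": "150.171.28.10", "dst_port": 443, "proto": "tcp"},
]

SYSTEM_DIR = re.compile(r"^[A-Za-z]:\\Windows\\(System32|SysWOW64|Sysnative)\\", re.I)
TOKEN = re.compile(r'"([^"]*)"|(\S+)')


def tokens(cmd):
    """Split a command line on whitespace, keeping double-quoted runs together."""
    return [quoted or bare for quoted, bare in TOKEN.findall(cmd)]


def system_targets(cmd):
    """Arguments naming a file under System32, SysWOW64 or the Sysnative alias."""
    return [t for t in tokens(cmd) if SYSTEM_DIR.match(t)]


def check_process(ev):
    name = ev["image"].rsplit("\\", 1)[-1].lower()
    args = [t.lower() for t in tokens(ev["cmd"])]
    targets = system_targets(ev["cmd"])
    hits = []
    if name == "takeown.exe" and targets:
        hits.append(("takeown_system_binary", targets[0]))
    if name == "icacls.exe" and targets:
        if "/deny" in args:
            hits.append(("deny_acl_system_binary", targets[0]))
        if "/grant" in args and "everyone:f" in args:
            hits.append(("everyone_full_control_system_binary", targets[0]))
    if name in ("regedit.exe", "regedt32.exe") and "/s" in args and any(a.endswith(".reg") for a in args):
        hits.append(("silent_reg_import", ev["cmd"]))
    if name in ("cscript.exe", "wscript.exe") and "ospp.vbs" in args and "/act" in args:
        hits.append(("office_activation_via_ospp", ev["cmd"]))
    return hits


def check_network(ev):
    # 1688/tcp is the default KMS port; a loopback destination means an
    # activation server is being emulated on the host itself.
    if ev["proto"] == "tcp" and ev["dst_port"] == 1688 and ipaddress.ip_address(ev["dst_ip"]).is_loopback:
        return [("kms_port_to_loopback", f"{ev['dst_ip']}:{ev['dst_port']}")]
    return []


def triage(events):
    """Run each event through the check for its type; return a flat list of findings."""
    findings = []
    for ev in events:
        hits = check_process(ev) if ev["id"] == 1 else check_network(ev) if ev["id"] == 3 else []
        findings.extend({"rule": rule, "pid": ev["pid"], "evidence": evidence} for rule, evidence in hits)
    return findings


def verdict(findings):
    rules = {f["rule"] for f in findings}
    if {"deny_acl_system_binary", "office_activation_via_ospp", "kms_port_to_loopback"} <= rules:
        return "local KMS activation tool with System32 binary tamper"
    if "deny_acl_system_binary" in rules or "takeown_system_binary" in rules:
        return "System32 binary ACL tamper"
    return "no match"


def world_writable_targets(findings):
    """System binaries left with an Everyone:F allow ACE by the chain's own
    cleanup step; their owner and DACL still need restoring on a real host."""
    return [f["evidence"] for f in findings if f["rule"] == "everyone_full_control_system_binary"]
```

The individual checks are deliberately narrow (takeown/icacls are routine admin tools, and a lone regedit /s is common in deployment scripts); the verdict only escalates when the ACL tamper, the ospp.vbs activation and the loopback KMS connection are all present, which is the combination this report shows.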

Files

C:\Users\Admin\AppData\Local\Temp\RarSFX0\A.I.vbs

MD5 caa3eb92c5d0044698cb72ea699f5022
SHA1 19b81006722a84395a9ee1486494a050ddf4dd0f
SHA256 5d9fd4c0364235e54a490a79f482dcc6e61d6ea7092e7dcfd53434df8b11e9d2
SHA512 93960758183eeecbe5fb1cb3b9448b51169444d6e42e1e66427362e430b1622d366f5b9e670487bd4ebefe9d540e74882b4c8847e7cff23374fbc57e1adbdddd

C:\Users\Admin\AppData\Local\Temp\RarSFX0\Run.cmd

MD5 256686bd77e39fd73418936c3944f853
SHA1 36316766dddbcd1b7f6ebb25de3b210636942b5e
SHA256 09a39db4871d0fee7c9a38be94889d578cf5b562ede97b7971cee607ee82e2ef
SHA512 df261860a1cca5335cda71676bad4499c322f727c5b613f59a09a3409fd4edccf4a68ccc6b0882fddd063403347411e3d167475e3a038e1b484022c9fe60d3e7

C:\Users\Admin\AppData\Local\Temp\RarSFX0\Server.reg

MD5 91dc95a38d11701bcce847af2833e325
SHA1 6c78dc43ada507c8649177dbbee65c76f408d1a0
SHA256 abbabbd757aab5953be79b4ad2279eabfb7ee09dd7bc88a39cca01452d982ec2
SHA512 cbeba9ceda31cad1cc85d038b854b1c5c0f61e20d1d5f94f3c79ea67d279a30942fbdd32eb5a11f56336301e691b0a64389eacbaf74b4e5204f4c1b12617a116

C:\Users\Admin\AppData\Local\Temp\RarSFX0\oga.dll

MD5 964a4192ffb663b98ec612c69fb7b4bd
SHA1 bb9aec8dda35818a7d7b24ac9751c8c881a64cde
SHA256 69ceb118bcbadb2b828855db26d53bc4cbb3b6c26b482ac9d0d947a3d3045eaf
SHA512 1486237ba86fc01390b4c5cd58bf62795f0ef96f9cce524d1d62b76120700fa96cdd374897753fd847ec7b20019c28486119d667d6b71dd2f7a9e1405f60da68

C:\Users\Admin\AppData\Local\Temp\RarSFX0\Server.exe

MD5 df4e58adfebda4f96de5d9a8b1a512a5
SHA1 5e6822206d28cee5c23e1f2d8b04d56889b0d10e
SHA256 09296493a8eb232cc7649f6c0449050dc843f4f3fb787e07c81bb4143e7f456f
SHA512 90fd40b273fe942610cca22bb402983e6e69752c4ef26c3aa6ae8f9d3e29733e49b26f014d6428eedc1e80222be2f3f11283342bb665bcec8881336a829c7baa

C:\Users\Admin\AppData\Local\Temp\RarSFX0\ospp.vbs

MD5 572e9a87757ac96c7677fd1b1b113c55
SHA1 9c8b96971997cd2dc0ed14f19dd9bc56d3348c3a
SHA256 008cf05944053116a095ad466561d3fd4be8a7de79e5ada7c5daab492f730465
SHA512 bf670754942cfa839de4a31676a3ba2ac8cd1a00de6f1b70aff995e14a9c489e996e9a019898ec3470a11d02c14ab7a8fe4855a8f028d6b4ea987e51411d7be3

C:\Users\Admin\AppData\Local\Temp\RarSFX0\Check

MD5 42daec7a16273b7192656d8cca0f0902
SHA1 85af78750d9e90675a3cbcf5eeb7da7b15fe78d2
SHA256 6e48e36805f4506ab66239c81d0dec43ec9aa17b1029247eae59d6b38daf8efd
SHA512 ee7b0ec8bbdab0416a7b67234a815cedaca6459514040f5069a2b8572622061ebfe980316c3963b3028e69c9045446e31faeef6155fdfa6b1905e335607c7661

C:\Users\Admin\AppData\Local\Temp\RarSFX0\oc.cmd

MD5 31463f7d01ffbe898a1c79b771402091
SHA1 2c56f8f04ccdb50cfa127f38de6805044f3c1fb9
SHA256 9cddb29b8579da034790f872f3e0485a502e66ce02c3121f25565c71cc04d7ba
SHA512 d8dcd043ec9b88b61469755c556d942872af81a75c570c0dab49ee66d1528fcf4d05fcbd8be714e73d33e91645e51291ed3c9336b93927dc1bfe11789fbcb1d1

C:\Users\Admin\AppData\Local\Temp\RarSFX0\slerror.xml

MD5 df1ef05879e06c5f09f3e1022f37b5cb
SHA1 23aaac40baec28397bb59cfa584e165062d18506
SHA256 d49adf2dabbbf6aa43ce4e336af4f768207df75302ebf568a94a5350aac988c5
SHA512 78f0d21538483d3bac9d8b409554ac89a98a4943666f0ff88207831ab3e1d264c2efa0ea0e4703375aa15516809353f9b7477561a0a4ffe0b930b3e39f8b7e07

C:\Users\Admin\AppData\Local\Temp\RarSFX0\OSPPRE~1.EXE

MD5 7ffae006610a85317fbb092a2d65d1a9
SHA1 f61f245695232ada51d81671e9918d54d9f35575
SHA256 f10acd6e32bc4d7cc74feb9e84fec18a77aeb2838ebf2aa7e3280ba1c7f3fca2
SHA512 fa163a348c7e557d12b24f212eede900dee416f54557cc6cc1a18c6cf2d4d19e049e4e03000abaada320c80dbabba4a4eb028ace629442ecea8dab0add9ccc9b

C:\Users\Admin\AppData\Local\Temp\RarSFX0\osppc.dll

MD5 1d9c3d7a1f8838e6280fa3f7d1fe4ed8
SHA1 d02a61c9a27c4d619f09dc22cb921e52aca56822
SHA256 0bd922965118d54d1027cdb628fa0dfb7ad1d6df0910c80db3f140c9255101d8
SHA512 b897410cd57fc4de6d2168b5aeafc528814526358245c7d96cbd1dead4fb4950e664bdc38b9628efe98ab0b35c74dc460c90a0bb4293dfd170a2aca41140245e

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-08 10:31

Reported

2024-10-08 17:46

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\21114d8c1692a12db2394276106bc665_JaffaCakes118.exe"

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\21114d8c1692a12db2394276106bc665_JaffaCakes118.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\WScript.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\21114d8c1692a12db2394276106bc665_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WScript.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\21114d8c1692a12db2394276106bc665_JaffaCakes118.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\21114d8c1692a12db2394276106bc665_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\21114d8c1692a12db2394276106bc665_JaffaCakes118.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\A.I.vbs"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\Run.cmd" "

C:\Windows\SysWOW64\reg.exe

REG QUERY "HKLM\SOFTWARE\Microsoft\Office\14.0" /s

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 150.171.28.10:443 g.bing.com tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 98.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 udp

Files

C:\Users\Admin\AppData\Local\Temp\RarSFX0\A.I.vbs

MD5 caa3eb92c5d0044698cb72ea699f5022
SHA1 19b81006722a84395a9ee1486494a050ddf4dd0f
SHA256 5d9fd4c0364235e54a490a79f482dcc6e61d6ea7092e7dcfd53434df8b11e9d2
SHA512 93960758183eeecbe5fb1cb3b9448b51169444d6e42e1e66427362e430b1622d366f5b9e670487bd4ebefe9d540e74882b4c8847e7cff23374fbc57e1adbdddd

C:\Users\Admin\AppData\Local\Temp\RarSFX0\Run.cmd

MD5 256686bd77e39fd73418936c3944f853
SHA1 36316766dddbcd1b7f6ebb25de3b210636942b5e
SHA256 09a39db4871d0fee7c9a38be94889d578cf5b562ede97b7971cee607ee82e2ef
SHA512 df261860a1cca5335cda71676bad4499c322f727c5b613f59a09a3409fd4edccf4a68ccc6b0882fddd063403347411e3d167475e3a038e1b484022c9fe60d3e7

C:\Users\Admin\AppData\Local\Temp\RarSFX0\slerror.xml

MD5 df1ef05879e06c5f09f3e1022f37b5cb
SHA1 23aaac40baec28397bb59cfa584e165062d18506
SHA256 d49adf2dabbbf6aa43ce4e336af4f768207df75302ebf568a94a5350aac988c5
SHA512 78f0d21538483d3bac9d8b409554ac89a98a4943666f0ff88207831ab3e1d264c2efa0ea0e4703375aa15516809353f9b7477561a0a4ffe0b930b3e39f8b7e07

C:\Users\Admin\AppData\Local\Temp\RarSFX0\Server.reg

MD5 91dc95a38d11701bcce847af2833e325
SHA1 6c78dc43ada507c8649177dbbee65c76f408d1a0
SHA256 abbabbd757aab5953be79b4ad2279eabfb7ee09dd7bc88a39cca01452d982ec2
SHA512 cbeba9ceda31cad1cc85d038b854b1c5c0f61e20d1d5f94f3c79ea67d279a30942fbdd32eb5a11f56336301e691b0a64389eacbaf74b4e5204f4c1b12617a116

C:\Users\Admin\AppData\Local\Temp\RarSFX0\Server.exe

MD5 df4e58adfebda4f96de5d9a8b1a512a5
SHA1 5e6822206d28cee5c23e1f2d8b04d56889b0d10e
SHA256 09296493a8eb232cc7649f6c0449050dc843f4f3fb787e07c81bb4143e7f456f
SHA512 90fd40b273fe942610cca22bb402983e6e69752c4ef26c3aa6ae8f9d3e29733e49b26f014d6428eedc1e80222be2f3f11283342bb665bcec8881336a829c7baa

C:\Users\Admin\AppData\Local\Temp\RarSFX0\OSPPRE~1.EXE

MD5 7ffae006610a85317fbb092a2d65d1a9
SHA1 f61f245695232ada51d81671e9918d54d9f35575
SHA256 f10acd6e32bc4d7cc74feb9e84fec18a77aeb2838ebf2aa7e3280ba1c7f3fca2
SHA512 fa163a348c7e557d12b24f212eede900dee416f54557cc6cc1a18c6cf2d4d19e049e4e03000abaada320c80dbabba4a4eb028ace629442ecea8dab0add9ccc9b

C:\Users\Admin\AppData\Local\Temp\RarSFX0\osppc.dll

MD5 1d9c3d7a1f8838e6280fa3f7d1fe4ed8
SHA1 d02a61c9a27c4d619f09dc22cb921e52aca56822
SHA256 0bd922965118d54d1027cdb628fa0dfb7ad1d6df0910c80db3f140c9255101d8
SHA512 b897410cd57fc4de6d2168b5aeafc528814526358245c7d96cbd1dead4fb4950e664bdc38b9628efe98ab0b35c74dc460c90a0bb4293dfd170a2aca41140245e

C:\Users\Admin\AppData\Local\Temp\RarSFX0\ospp.vbs

MD5 572e9a87757ac96c7677fd1b1b113c55
SHA1 9c8b96971997cd2dc0ed14f19dd9bc56d3348c3a
SHA256 008cf05944053116a095ad466561d3fd4be8a7de79e5ada7c5daab492f730465
SHA512 bf670754942cfa839de4a31676a3ba2ac8cd1a00de6f1b70aff995e14a9c489e996e9a019898ec3470a11d02c14ab7a8fe4855a8f028d6b4ea987e51411d7be3

C:\Users\Admin\AppData\Local\Temp\RarSFX0\oga.dll

MD5 964a4192ffb663b98ec612c69fb7b4bd
SHA1 bb9aec8dda35818a7d7b24ac9751c8c881a64cde
SHA256 69ceb118bcbadb2b828855db26d53bc4cbb3b6c26b482ac9d0d947a3d3045eaf
SHA512 1486237ba86fc01390b4c5cd58bf62795f0ef96f9cce524d1d62b76120700fa96cdd374897753fd847ec7b20019c28486119d667d6b71dd2f7a9e1405f60da68

C:\Users\Admin\AppData\Local\Temp\RarSFX0\oc.cmd

MD5 31463f7d01ffbe898a1c79b771402091
SHA1 2c56f8f04ccdb50cfa127f38de6805044f3c1fb9
SHA256 9cddb29b8579da034790f872f3e0485a502e66ce02c3121f25565c71cc04d7ba
SHA512 d8dcd043ec9b88b61469755c556d942872af81a75c570c0dab49ee66d1528fcf4d05fcbd8be714e73d33e91645e51291ed3c9336b93927dc1bfe11789fbcb1d1