Malware Analysis Report

2024-12-07 14:30

Sample ID 241013-l82yqs1dlb
Target 3f43b9396551277894edec9387907d50_JaffaCakes118
SHA256 6b0a9042919243dbd7e2f81c2ba38f1a5f3dfc5fbbecf9e3d5a0c21244893e62
Tags
defense_evasion discovery evasion exploit ransomware
score
9/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
9/10

SHA256

6b0a9042919243dbd7e2f81c2ba38f1a5f3dfc5fbbecf9e3d5a0c21244893e62

Threat Level: Likely malicious

The file 3f43b9396551277894edec9387907d50_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

defense_evasion discovery evasion exploit ransomware

Modifies boot configuration data using bcdedit

Possible privilege escalation attempt

Drops file in Drivers directory

Modifies file permissions

Executes dropped EXE

File and Directory Permissions Modification: Windows File and Directory Permissions Modification

Drops file in System32 directory

Drops file in Windows directory

Unsigned PE

System Location Discovery: System Language Discovery

Views/modifies file attributes

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: CmdExeWriteProcessMemorySpam

Kills process with taskkill

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-13 10:13

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-13 10:13

Reported

2024-10-13 10:15

Platform

win7-20241010-en

Max time kernel

104s

Max time network

19s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3f43b9396551277894edec9387907d50_JaffaCakes118.exe"

Signatures

Modifies boot configuration data using bcdedit

ransomware evasion
Description Indicator Process Target
N/A N/A C:\Windows\System32\bcdedit.exe N/A

Drops file in Drivers directory

Description Indicator Process Target
File created C:\Windows\System32\DRIVERS\ETC\HOSTS C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Windows\System32\DRIVERS\ETC\HOSTS C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Windows\System32\DRIVERS\ETC\hosts C:\Windows\system32\attrib.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\MBR\bootsect.exe N/A

File and Directory Permissions Modification: Windows File and Directory Permissions Modification

defense_evasion

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\slmgr.vbs C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Windows\SysWOW64\slmgr.vbs C:\Windows\system32\cmd.exe N/A
File created C:\Windows\System32\slmgr.vbs C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Windows\System32\slmgr.vbs C:\Windows\system32\cmd.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\MBR\bootsect.exe C:\Users\Admin\AppData\Local\Temp\3f43b9396551277894edec9387907d50_JaffaCakes118.exe N/A
File created C:\Windows\MBR\HOSTS C:\Users\Admin\AppData\Local\Temp\3f43b9396551277894edec9387907d50_JaffaCakes118.exe N/A
File created C:\Windows\MBR\sfix.cmd C:\Users\Admin\AppData\Local\Temp\3f43b9396551277894edec9387907d50_JaffaCakes118.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\MBR\bootsect.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\taskkill.exe N/A

Suspicious behavior: CmdExeWriteProcessMemorySpam

Description Indicator Process Target
N/A N/A C:\Windows\MBR\bootsect.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\3f43b9396551277894edec9387907d50_JaffaCakes118.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\takeown.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\icacls.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\takeown.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\icacls.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1820 wrote to memory of 2972 N/A C:\Users\Admin\AppData\Local\Temp\3f43b9396551277894edec9387907d50_JaffaCakes118.exe C:\Windows\system32\cmd.exe
PID 2972 wrote to memory of 2948 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 1820 wrote to memory of 828 N/A C:\Users\Admin\AppData\Local\Temp\3f43b9396551277894edec9387907d50_JaffaCakes118.exe C:\Windows\system32\cmd.exe
PID 828 wrote to memory of 2892 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2892 wrote to memory of 2724 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2892 wrote to memory of 2720 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\find.exe
PID 2892 wrote to memory of 2740 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2892 wrote to memory of 2784 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\find.exe
PID 2892 wrote to memory of 2768 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2892 wrote to memory of 760 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\find.exe
PID 2892 wrote to memory of 2804 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2892 wrote to memory of 2896 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\find.exe
PID 2892 wrote to memory of 2544 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2892 wrote to memory of 2460 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\find.exe
PID 2892 wrote to memory of 2776 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2776 wrote to memory of 2092 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2776 wrote to memory of 2224 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\find.exe
PID 2892 wrote to memory of 288 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\icacls.exe
PID 2892 wrote to memory of 1668 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\takeown.exe
PID 2892 wrote to memory of 1660 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\icacls.exe
PID 2892 wrote to memory of 1996 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\icacls.exe
PID 1820 wrote to memory of 2824 N/A C:\Users\Admin\AppData\Local\Temp\3f43b9396551277894edec9387907d50_JaffaCakes118.exe C:\Windows\system32\cmd.exe

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\attrib.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\3f43b9396551277894edec9387907d50_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\3f43b9396551277894edec9387907d50_JaffaCakes118.exe"

C:\Windows\system32\cmd.exe

"cmd.exe" /c taskkill /f /im explorer.exe

C:\Windows\system32\taskkill.exe

taskkill /f /im explorer.exe

C:\Windows\system32\cmd.exe

"cmd.exe" /c start /w /min %WINDIR%\MBR\sfix slmgr.vbs x86

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /K C:\Windows\MBR\sfix slmgr.vbs x86

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo.slmgr.vbs x86"

C:\Windows\system32\find.exe

find "?"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo.slmgr.vbs"

C:\Windows\system32\find.exe

find /i "\syswow64"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo.x86"

C:\Windows\system32\find.exe

find "64"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo.x86"

C:\Windows\system32\find.exe

find "32"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo.x86"

C:\Windows\system32\find.exe

find "86"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c dir /s /b "C:\Windows\winsxs\slmgr.vbs"|find /i "86_microsoft"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" dir /s /b "C:\Windows\winsxs\slmgr.vbs""

C:\Windows\system32\find.exe

find /i "86_microsoft"

C:\Windows\system32\icacls.exe

icacls "C:\Windows\SysWOW64\slmgr.vbs" /save "C:\Users\Admin\AppData\Local\Temp\f1449231836.acl"

C:\Windows\system32\takeown.exe

takeown /f "C:\Windows\SysWOW64\slmgr.vbs"

C:\Windows\system32\icacls.exe

icacls "C:\Windows\SysWOW64\slmgr.vbs" /grant *s-1-1-0:f

C:\Windows\system32\icacls.exe

icacls "C:\Windows\SysWOW64" /restore "C:\Users\Admin\AppData\Local\Temp\f1449231836.acl"

C:\Windows\system32\cmd.exe

"cmd.exe" /c start /w /min %WINDIR%\MBR\sfix slmgr.vbs x64

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /K C:\Windows\MBR\sfix slmgr.vbs x64

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo.slmgr.vbs x64"

C:\Windows\system32\find.exe

find "?"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo.slmgr.vbs"

C:\Windows\system32\find.exe

find /i "\syswow64"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo.x64"

C:\Windows\system32\find.exe

find "64"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo.x64"

C:\Windows\system32\find.exe

find "32"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo.x64"

C:\Windows\system32\find.exe

find "86"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c dir /s /b "C:\Windows\winsxs\slmgr.vbs"|find /i "64_microsoft"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" dir /s /b "C:\Windows\winsxs\slmgr.vbs""

C:\Windows\system32\find.exe

find /i "64_microsoft"

C:\Windows\system32\icacls.exe

icacls "C:\Windows\System32\slmgr.vbs" /save "C:\Users\Admin\AppData\Local\Temp\f1459026608.acl"

C:\Windows\system32\takeown.exe

takeown /f "C:\Windows\System32\slmgr.vbs"

C:\Windows\system32\icacls.exe

icacls "C:\Windows\System32\slmgr.vbs" /grant *s-1-1-0:f

C:\Windows\system32\icacls.exe

icacls "C:\Windows\System32" /restore "C:\Users\Admin\AppData\Local\Temp\f1459026608.acl"

C:\Windows\system32\cmd.exe

"cmd.exe" /c IF EXIST %WINDIR%\System32\Wat\WatAdminSvc.exe START %WINDIR%\System32\Wat\WatAdminSvc.exe /run

C:\Windows\system32\cmd.exe

"cmd.exe" /c IF EXIST %WINDIR%\System32\DRIVERS\ETC\HOSTS*.* ATTRIB +A -H -R -S %WINDIR%\System32\DRIVERS\ETC\HOSTS*.*

C:\Windows\system32\attrib.exe

ATTRIB +A -H -R -S C:\Windows\System32\DRIVERS\ETC\HOSTS*.*

C:\Windows\system32\cmd.exe

"cmd.exe" /c IF EXIST %WINDIR%\System32\DRIVERS\ETC\HOSTS.OLD DEL %WINDIR%\System32\DRIVERS\ETC\HOSTS.OLD

C:\Windows\system32\cmd.exe

"cmd.exe" /c IF EXIST %WINDIR%\System32\DRIVERS\ETC\HOSTS REN %WINDIR%\System32\DRIVERS\ETC\HOSTS HOSTS.OLD

C:\Windows\system32\cmd.exe

"cmd.exe" /c IF EXIST %WINDIR%\System32\DRIVERS\ETC\NUL COPY /Y %WINDIR%\MBR\HOSTS %WINDIR%\System32\DRIVERS\ETC

C:\Windows\system32\cmd.exe

"cmd.exe" /c %WINDIR%\MBR\bootsect.exe /nt60 SYS /mbr /force

C:\Windows\MBR\bootsect.exe

C:\Windows\MBR\bootsect.exe /nt60 SYS /mbr /force

C:\Windows\system32\cmd.exe

"cmd.exe" /c cscript %WINDIR%\System32\slmgr.vbs -ipk D4F6K-QK3RD-TMVMJ-BBMRX-3MBMV

C:\Windows\system32\cscript.exe

cscript C:\Windows\System32\slmgr.vbs -ipk D4F6K-QK3RD-TMVMJ-BBMRX-3MBMV

C:\Windows\system32\cmd.exe

"cmd.exe" /c %WINDIR%\System32\bcdedit -set testsigning off

C:\Windows\System32\bcdedit.exe

C:\Windows\System32\bcdedit -set testsigning off

C:\Windows\system32\cmd.exe

"cmd.exe" /c rundll32 slc.dll,SLReArmWindows

C:\Windows\system32\rundll32.exe

rundll32 slc.dll,SLReArmWindows

C:\Windows\system32\cmd.exe

"cmd.exe" /c cscript %WINDIR%\System32\slmgr.vbs -rearm

C:\Windows\system32\cscript.exe

cscript C:\Windows\System32\slmgr.vbs -rearm

C:\Windows\system32\cmd.exe

"cmd.exe" /c icacls %WINDIR%\System32\sppcext.dll /grant *S-1-1-0:F

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\sppcext.dll /grant *S-1-1-0:F

C:\Windows\system32\cmd.exe

"cmd.exe" /c icacls %WINDIR%\System32\sppcomapi.dll /grant *S-1-1-0:F

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\sppcomapi.dll /grant *S-1-1-0:F

C:\Windows\system32\cmd.exe

"cmd.exe" /c icacls %WINDIR%\System32\sppcommdlg.dll /grant *S-1-1-0:F

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\sppcommdlg.dll /grant *S-1-1-0:F

C:\Windows\system32\cmd.exe

"cmd.exe" /c icacls %WINDIR%\System32\sppcext.dll /grant *S-1-1-0:F

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\sppcext.dll /grant *S-1-1-0:F

C:\Windows\system32\cmd.exe

"cmd.exe" /c icacls %WINDIR%\System32\slui.exe /grant *S-1-1-0:F

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\slui.exe /grant *S-1-1-0:F

C:\Windows\system32\cmd.exe

"cmd.exe" /c icacls %WINDIR%\System32\Wat\npWatWeb.dll /grant *S-1-1-0:F

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\Wat\npWatWeb.dll /grant *S-1-1-0:F

C:\Windows\system32\cmd.exe

"cmd.exe" /c icacls %WINDIR%\System32\Wat\WatAdminSvc.exe /grant *S-1-1-0:F

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\Wat\WatAdminSvc.exe /grant *S-1-1-0:F

C:\Windows\system32\cmd.exe

"cmd.exe" /c icacls %WINDIR%\System32\Wat\WatUX.exe /grant *S-1-1-0:F

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\Wat\WatUX.exe /grant *S-1-1-0:F

C:\Windows\system32\cmd.exe

"cmd.exe" /c icacls %WINDIR%\System32\Wat\WatWeb.dll /grant *S-1-1-0:F

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\Wat\WatWeb.dll /grant *S-1-1-0:F

C:\Windows\system32\cmd.exe

"cmd.exe" /c icacls %WINDIR%\System32\Wat\WatAdminSvc.exe /grant *S-1-1-0:F

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\Wat\WatAdminSvc.exe /grant *S-1-1-0:F

C:\Windows\system32\cmd.exe

"cmd.exe" /c start /wait /min sfc /scannow

C:\Windows\system32\sfc.exe

sfc /scannow

Network

N/A

Files

memory/1820-0-0x000007FEF69EE000-0x000007FEF69EF000-memory.dmp

memory/1820-1-0x0000000000D10000-0x0000000000D78000-memory.dmp

memory/1820-2-0x000007FEF6730000-0x000007FEF70CD000-memory.dmp

memory/1820-3-0x000007FEF6730000-0x000007FEF70CD000-memory.dmp

memory/1820-4-0x000007FEF6730000-0x000007FEF70CD000-memory.dmp

memory/1820-6-0x000007FEF6730000-0x000007FEF70CD000-memory.dmp

memory/1820-5-0x000007FEF6730000-0x000007FEF70CD000-memory.dmp

memory/1820-10-0x000007FEF6730000-0x000007FEF70CD000-memory.dmp

memory/1820-11-0x000007FEF6730000-0x000007FEF70CD000-memory.dmp

memory/1820-12-0x000007FEF6730000-0x000007FEF70CD000-memory.dmp

C:\Windows\MBR\sfix.cmd

MD5 0f00bdfa3d784cc57bbd7121ac9a5ac1
SHA1 9df56ad2d3c8798bccaaa906f1ec8acc6c157524
SHA256 7a4cf93010fc72ea41b7a0bad5800aa0d9e575c50b5b7b7816b534abf2a43488
SHA512 6cf135c2ccd570c3f33c58ebd070f74dbf0ac64c355980690cc1babab4bbc66322a1991c08ce9a545000a7ffceeec3999ac34e0b18d97c32e8f0d138838d76a1

C:\Users\Admin\AppData\Local\Temp\f1449231836.acl

MD5 7a3b8ec21ac9956ed258f5b397d281ab
SHA1 63cc8f5ca73640fa5fae2d20e69ce393a07a873d
SHA256 bc1f553ca66a548e98f53caf25cebe0fb08f29704549b45095f61893f0113683
SHA512 ae19429864fe8c2473857538c8d52c95801ecdb269e11aed8ba700f43c3d6c6363cd8678178db67ffeb31f4ac47f37335643c392914226079da4b998e9edb40c

C:\Windows\SysWOW64\slmgr.vbs

MD5 38482a5013d8ab40df0fb15eae022c57
SHA1 5a4a7f261307721656c11b5cc097cde1cf791073
SHA256 ac5c46b97345465a96e9ae1edaff44b191a39bf3d03dc1128090b8ffa92a16f8
SHA512 29c1348014ac448fb9c1a72bfd0ab16cdd62b628dc64827b02965b96ba851e9265c4426007181d2aa08f8fb7853142cc01fc6e4d89bec8fc25f3d340d3857331

C:\Windows\MBR\HOSTS

MD5 3688374325b992def12793500307566d
SHA1 4bed0823746a2a8577ab08ac8711b79770e48274
SHA256 2d6bdfb341be3a6234b24742377f93aa7c7cfb0d9fd64efa9282c87852e57085
SHA512 59119e66f5945029f8652c5981589d95cace534adc6780ccea736b7e776615caa0b567c14d161271d6066f57d9bab0d4055850162f5a046c0456264b7b9e7508

C:\Windows\MBR\bootsect.exe

MD5 034ab2b9c684d57770e8115426d63278
SHA1 9f5d9c197411b18ccd9c3f9fd6c071cdb6791beb
SHA256 b2d7e45c20489ed7d8b111a2097352af4c3f5d8e3059e000c23273086cd4396e
SHA512 107937198574356ac6512402d4c870605c378eb507442a0b6580a1cfc3b5cef1267f32f8ae3ab702841cc9febf73de9447338b5fdaa2f0cf96443793dfa91c06

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-13 10:13

Reported

2024-10-13 10:15

Platform

win10v2004-20241007-en

Max time kernel

148s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3f43b9396551277894edec9387907d50_JaffaCakes118.exe"

Signatures

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\MBR\bootsect.exe C:\Users\Admin\AppData\Local\Temp\3f43b9396551277894edec9387907d50_JaffaCakes118.exe N/A
File created C:\Windows\MBR\HOSTS C:\Users\Admin\AppData\Local\Temp\3f43b9396551277894edec9387907d50_JaffaCakes118.exe N/A
File created C:\Windows\MBR\sfix.cmd C:\Users\Admin\AppData\Local\Temp\3f43b9396551277894edec9387907d50_JaffaCakes118.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\3f43b9396551277894edec9387907d50_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\3f43b9396551277894edec9387907d50_JaffaCakes118.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 150.171.28.10:443 g.bing.com tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp

Files

memory/1116-0-0x00007FFC046E5000-0x00007FFC046E6000-memory.dmp

memory/1116-1-0x000000001C3F0000-0x000000001C8BE000-memory.dmp

memory/1116-2-0x00007FFC04430000-0x00007FFC04DD1000-memory.dmp

memory/1116-3-0x000000001C8C0000-0x000000001C928000-memory.dmp

memory/1116-4-0x000000001C9D0000-0x000000001CA6C000-memory.dmp

memory/1116-5-0x00007FFC04430000-0x00007FFC04DD1000-memory.dmp

memory/1116-6-0x0000000001980000-0x0000000001988000-memory.dmp

memory/1116-7-0x00007FFC04430000-0x00007FFC04DD1000-memory.dmp

memory/1116-8-0x00007FFC04430000-0x00007FFC04DD1000-memory.dmp

memory/1116-12-0x00007FFC046E5000-0x00007FFC046E6000-memory.dmp

memory/1116-13-0x00007FFC04430000-0x00007FFC04DD1000-memory.dmp

memory/1116-14-0x00007FFC04430000-0x00007FFC04DD1000-memory.dmp