Analysis Overview
SHA256
f8fcdb7600d274e4bfbcc4cea1a3484b917956f343fd05c5a3488b5d72dbef8e
Threat Level: Known bad
The file 4f112f651b8025db019ae8089a8d591a_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
Suspicious use of NtCreateProcessOtherParentProcess
Detected Nirsoft tools
Executes dropped EXE
Drops desktop.ini file(s)
Writes to the Master Boot Record (MBR)
UPX packed file
Drops file in Windows directory
Drops file in Program Files directory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Modifies registry class
Modifies Internet Explorer settings
Suspicious use of WriteProcessMemory
Runs regedit.exe
Suspicious use of SetWindowsHookEx
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-16 21:15
Signatures
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-16 21:15
Reported
2024-10-16 21:18
Platform
win7-20240708-en
Max time kernel
150s
Max time network
121s
Command Line
Signatures
Suspicious use of NtCreateProcessOtherParentProcess
Detected Nirsoft tools
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\RkRealTech.exe | N/A |
| N/A | N/A | C:\Windows\RkRealTech.exe | N/A |
| N/A | N/A | C:\Windows\RtkSYUdp.exe | N/A |
| N/A | N/A | C:\Windows\RtkSYUdp.exe | N/A |
| N/A | N/A | C:\Windows\RtkSYUdp.exe | N/A |
| N/A | N/A | C:\Windows\RtkSYUdp.exe | N/A |
| N/A | N/A | C:\Windows\RtkSYUdp.exe | N/A |
| N/A | N/A | C:\Windows\RtkSYUdp.exe | N/A |
| N/A | N/A | C:\Windows\RtkSYUdp.exe | N/A |
| N/A | N/A | C:\Windows\RtkSYUdp.exe | N/A |
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\AppData\Roaming\MICROS~1\INTERN~1\QUICKL~1\desktop.ini | C:\Windows\RtkSYUdp.exe | N/A |
Writes to the Master Boot Record (MBR)
| Description | Indicator | Process | Target |
| File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\AppData\Local\Temp\4f112f651b8025db019ae8089a8d591a_JaffaCakes118.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\Common Files\TaoBao\ÌÔ±¦.ico | C:\Users\Admin\AppData\Local\Temp\4f112f651b8025db019ae8089a8d591a_JaffaCakes118.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\TaoBao\ÌÔ±¦.tmp | C:\Users\Admin\AppData\Local\Temp\4f112f651b8025db019ae8089a8d591a_JaffaCakes118.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\RtkSYUdp.exe | C:\Users\Admin\AppData\Local\Temp\4f112f651b8025db019ae8089a8d591a_JaffaCakes118.exe | N/A |
| File created | C:\Windows\RkRealTech.exe | C:\Users\Admin\AppData\Local\Temp\4f112f651b8025db019ae8089a8d591a_JaffaCakes118.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\RtkSYUdp.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\RtkSYUdp.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\RtkSYUdp.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regedit.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\RtkSYUdp.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\RtkSYUdp.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\4f112f651b8025db019ae8089a8d591a_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\RtkSYUdp.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\RtkSYUdp.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\RtkSYUdp.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\software\Wow6432Node\microsoft\internet explorer\version Vector | C:\Users\Admin\AppData\Local\Temp\4f112f651b8025db019ae8089a8d591a_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Main | C:\Users\Admin\AppData\Local\Temp\4f112f651b8025db019ae8089a8d591a_JaffaCakes118.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.1nk\ShellEx\{000214EE-0000-0000-C000-000000000046}\ = "{00021401-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.ur1\ShellEx | C:\Windows\SysWOW64\regedit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.ur1\ShellEx\{00021500-0000-0000-C000-000000000046} | C:\Windows\SysWOW64\regedit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.ur1\ShellEx\{000214F9-0000-0000-C000-000000000046} | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.1nk\ = "lnkfile" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.1nk\ShellEx\{000214F9-0000-0000-C000-000000000046}\ = "{00021401-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.1nk\ShellEx\{00021500-0000-0000-C000-000000000046}\ = "{00021401-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.1nk\ShellEx\{BB2E617C-0920-11d1-9A0B-00C04FC2D6C1} | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.ur1\ = "InternetShortcut" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.ur1\ShellEx\{000214F9-0000-0000-C000-000000000046}\ = "{FBF23B40-E3F0-101B-8488-00AA003E56F8}" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.1nk\ShellEx\{000214EE-0000-0000-C000-000000000046} | C:\Windows\SysWOW64\regedit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.ur1\PersistentHandler | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.ur1\ShellEx\{FBF23B80-E3F0-101B-8488-00AA003E56F8}\ = "{FBF23B40-E3F0-101B-8488-00AA003E56F8}" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.1nk | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.1nk\ShellEx\{BB2E617C-0920-11d1-9A0B-00C04FC2D6C1}\ = "{00021401-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.ur1\ShellEx\{CABB0DA0-DA57-11CF-9974-0020AFD79762}\ = "{FBF23B40-E3F0-101B-8488-00AA003E56F8}" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.1nk\ShellEx\{00021500-0000-0000-C000-000000000046} | C:\Windows\SysWOW64\regedit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.ur1\ShellEx\{000214EE-0000-0000-C000-000000000046} | C:\Windows\SysWOW64\regedit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.ur1\ShellEx\{CABB0DA0-DA57-11CF-9974-0020AFD79762} | C:\Windows\SysWOW64\regedit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.1nk\ShellEx | C:\Windows\SysWOW64\regedit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.1nk\ShellEx\{000214F9-0000-0000-C000-000000000046} | C:\Windows\SysWOW64\regedit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.1nk\ShellNew | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.1nk\ShellNew\Command = "rundll32.exe appwiz.cpl,NewLinkHere %1" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.ur1 | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.ur1\ShellEx\{000214EE-0000-0000-C000-000000000046}\ = "{FBF23B40-E3F0-101B-8488-00AA003E56F8}" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.ur1\ShellEx\{FBF23B80-E3F0-101B-8488-00AA003E56F8} | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.ur1\PersistentHandler\ = "{5e941d80-bf96-11cd-b579-08002b30bfeb}" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.ur1\ShellEx\{00021500-0000-0000-C000-000000000046}\ = "{FBF23B40-E3F0-101B-8488-00AA003E56F8}" | C:\Windows\SysWOW64\regedit.exe | N/A |
Runs regedit.exe
| Description | Indicator | Process | Target |
| N/A | N/A | \Windows\SysWOW64\regedit.exe | N/A |
| N/A | N/A | \Windows\SysWOW64\regedit.exe | N/A |
| N/A | N/A | \Windows\SysWOW64\regedit.exe | N/A |
| N/A | N/A | \Windows\SysWOW64\regedit.exe | N/A |
| N/A | N/A | \Windows\SysWOW64\regedit.exe | N/A |
| N/A | N/A | \Windows\SysWOW64\regedit.exe | N/A |
| N/A | N/A | \Windows\SysWOW64\regedit.exe | N/A |
| N/A | N/A | \Windows\SysWOW64\regedit.exe | N/A |
| N/A | N/A | \Windows\SysWOW64\regedit.exe | N/A |
| N/A | N/A | \Windows\SysWOW64\regedit.exe | N/A |
| N/A | N/A | \Windows\SysWOW64\regedit.exe | N/A |
| N/A | N/A | \Windows\SysWOW64\regedit.exe | N/A |
| N/A | N/A | \Windows\SysWOW64\regedit.exe | N/A |
| N/A | N/A | \Windows\SysWOW64\regedit.exe | N/A |
| N/A | N/A | \Windows\SysWOW64\regedit.exe | N/A |
| N/A | N/A | \Windows\SysWOW64\regedit.exe | N/A |
| N/A | N/A | \Windows\SysWOW64\regedit.exe | N/A |
| N/A | N/A | \Windows\SysWOW64\regedit.exe | N/A |
| N/A | N/A | \Windows\SysWOW64\regedit.exe | N/A |
| N/A | N/A | \Windows\SysWOW64\regedit.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\regedit.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4f112f651b8025db019ae8089a8d591a_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4f112f651b8025db019ae8089a8d591a_JaffaCakes118.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\4f112f651b8025db019ae8089a8d591a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\4f112f651b8025db019ae8089a8d591a_JaffaCakes118.exe"
C:\Windows\SysWOW64\regedit.exe
regedit /s C:\Users\Admin\AppData\Local\Temp\$rar10987.tmp
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\$$RAVSING.bat
C:\Windows\RkRealTech.exe
C:\Windows\RkRealTech.exe \??\C:\Windows\regedit.exe 1208 C:\Users\Admin\AppData\Local\Temp\bbhhhik.tmp
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\$$edbs.bat
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\$$rcqi.bat
C:\Windows\RkRealTech.exe
C:\Windows\RkRealTech.exe \??\C:\Windows\regedit.exe 1208 C:\Users\Admin\AppData\Local\Temp\$rar10943.tmp
\Windows\SysWOW64\regedit.exe
\Windows\SysWOW64\regedit.exe
C:\Windows\RtkSYUdp.exe
C:\Windows\RtkSYUdp.exe filldelete "C:\Users\Admin\AppData\Roaming\MICROS~1\INTERN~1\QUICKL~1\."
C:\Windows\RtkSYUdp.exe
C:\Windows\RtkSYUdp.exe filldelete "C:\Users\Admin\AppData\Roaming\MICROS~1\INTERN~1\QUICKL~1\.."
C:\Windows\RtkSYUdp.exe
C:\Windows\RtkSYUdp.exe filldelete "C:\Users\Admin\AppData\Roaming\MICROS~1\INTERN~1\QUICKL~1\desktop.ini"
\Windows\SysWOW64\regedit.exe
\Windows\SysWOW64\regedit.exe
C:\Windows\RtkSYUdp.exe
C:\Windows\RtkSYUdp.exe filldelete "C:\Users\Admin\AppData\Roaming\MICROS~1\INTERN~1\QUICKL~1\GOOGLE~1.LNK"
C:\Windows\RtkSYUdp.exe
C:\Windows\RtkSYUdp.exe filldelete "C:\Users\Admin\AppData\Roaming\MICROS~1\INTERN~1\QUICKL~1\LAUNCH~1.LNK"
C:\Windows\RtkSYUdp.exe
C:\Windows\RtkSYUdp.exe filldelete "C:\Users\Admin\AppData\Roaming\MICROS~1\INTERN~1\QUICKL~1\SHOWSD~1.LNK"
C:\Windows\RtkSYUdp.exe
C:\Windows\RtkSYUdp.exe filldelete "C:\Users\Admin\AppData\Roaming\MICROS~1\INTERN~1\QUICKL~1\USERPI~1"
C:\Windows\RtkSYUdp.exe
C:\Windows\RtkSYUdp.exe filldelete "C:\Users\Admin\AppData\Roaming\MICROS~1\INTERN~1\QUICKL~1\WINDOW~1.LNK"
\Windows\SysWOW64\regedit.exe
\Windows\SysWOW64\regedit.exe
\Windows\SysWOW64\regedit.exe
\Windows\SysWOW64\regedit.exe
\Windows\SysWOW64\regedit.exe
\Windows\SysWOW64\regedit.exe
\Windows\SysWOW64\regedit.exe
\Windows\SysWOW64\regedit.exe
\Windows\SysWOW64\regedit.exe
\Windows\SysWOW64\regedit.exe
\Windows\SysWOW64\regedit.exe
\Windows\SysWOW64\regedit.exe
\Windows\SysWOW64\regedit.exe
\Windows\SysWOW64\regedit.exe
\Windows\SysWOW64\regedit.exe
\Windows\SysWOW64\regedit.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\$$dmsf.bat
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | www.ttver.com | udp |
| US | 172.65.190.172:80 | www.ttver.com | tcp |
| US | 8.8.8.8:53 | file-sg.gname.net | udp |
| US | 104.18.33.5:443 | file-sg.gname.net | tcp |
| US | 104.18.33.5:443 | file-sg.gname.net | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 142.250.178.3:80 | c.pki.goog | tcp |
| GB | 142.250.178.3:80 | c.pki.goog | tcp |
| US | 8.8.8.8:53 | crl.microsoft.com | udp |
| GB | 2.19.117.18:80 | crl.microsoft.com | tcp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| GB | 2.23.205.233:80 | www.microsoft.com | tcp |
Files
memory/2292-1-0x0000000000220000-0x0000000000221000-memory.dmp
memory/2292-0-0x0000000000400000-0x00000000004B7000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\$rar10987.tmp
| MD5 | 185038ec1cc9a69a109726c8989e4cf5 |
| SHA1 | bfb62037297e8533e5f3940a32fb9505acf4fe26 |
| SHA256 | 48ccff6cd96445619998a70fad77f5e655a9d146b93d0d160656619728c4e727 |
| SHA512 | bb0065a36a9bc48199943b21f3c3f10916fd15aa54201513f344464d962b5e6339e1df1b932043a914a662631f842a2f3b7a2c6e8c4e414567c5ea8ac9950391 |
C:\Users\Admin\AppData\Local\Temp\$$RAVSING.bat
| MD5 | cb350b29233b3440633123bb77692140 |
| SHA1 | 52793f1ba4c7925d41c6e79a109080c3d12b69e6 |
| SHA256 | 7031fcb0fa967101e4d4894e9ebbac7e0ed00cc3ba57777afa02f521356530d3 |
| SHA512 | 0e5d3b34262260b807179d6a51e2c62524d3b0a132c05c4425830d376d1002d150aa0fd8e747a67d96b8ae8145ab903892ce3eaa8245084832eefd02b31c09b8 |
C:\Users\Admin\AppData\Local\Temp\$$edbs.bat
| MD5 | 0cf180f20e716094bef34db0f1a39a04 |
| SHA1 | f8e9da5d8eaf347b240a77c6a9c4f494d4fc351b |
| SHA256 | 2a72298ec1d957d1d225aec50a4e6e32c5dec2f2645f25e580304e5c7ae5bb26 |
| SHA512 | a471fee35dfc685effb46fcc37d47d7210fad3fdba7cb5342b13e11f95ae7690e4053b3399bca6da7546015a479ce55a301c6934be8bab7ec9eae5aece8bdb3b |
C:\Windows\RkRealTech.exe
| MD5 | 3350569bad492f3cf54e6da064a7d5cc |
| SHA1 | 7ec1de0bdccc409d2193d9827128580e9d53e458 |
| SHA256 | ba48989d9c5fb3320ded14ab48a372950948c0ba136893e564e3fe0fb3ce7d95 |
| SHA512 | 044187e1e6ac4740689faca5e4f70ad274711f8610a60dcb01c711e5727892da994e458a79d2a6ae80ac1042367cb081553ab83c142f48d4f99996d288ac909b |
C:\Users\Admin\AppData\Local\Temp\$$rcqi.bat
| MD5 | 5ed245d923fd9fa2d236979980bf54e6 |
| SHA1 | 0c8939062da21c2db98575ad1e5fb03d7fa4ab28 |
| SHA256 | 84d64538b8d83661d0e985a5bdb6c498264fc225e95b38ef34c1d5b43ac415f9 |
| SHA512 | 2e2b5ab76bc8a3c2c6a03a9b68e68e284042e495421d179548c1622e221d303987c884a44b0da50a2573ec8e4a38fda990c307c3950a60d221f1387d00cc5b65 |
C:\Windows\RtkSYUdp.exe
| MD5 | d0cd586c5c857850a188e778b971f25a |
| SHA1 | 3f584fd89e41151c389b4701d876d2bdd2885fc2 |
| SHA256 | 2f6cd2ed9806a09fecce1f96cd5b3f77fc0339ddbbb4c31aab25e85fd3f268eb |
| SHA512 | 995f539c7163e0e49c7cc4687dd29dac4ac88501410d8c9935f99d993b14bf5fe349cdcdc9f61d4f308c280536b54f54ae7d041565c73a2340881f68e7b2c41c |
memory/1852-49-0x0000000000400000-0x0000000000415000-memory.dmp
memory/1852-50-0x0000000000400000-0x0000000000415000-memory.dmp
memory/2460-52-0x0000000000400000-0x0000000000415000-memory.dmp
memory/2276-55-0x0000000000400000-0x0000000000415000-memory.dmp
memory/2292-58-0x0000000000400000-0x00000000004B7000-memory.dmp
memory/2292-63-0x0000000000220000-0x0000000000221000-memory.dmp
memory/1324-77-0x0000000000400000-0x0000000000415000-memory.dmp
C:\Users\Admin\AppData\Roaming\MICROS~1\INTERN~1\QUICKL~1\Window Switcher.lnk
| MD5 | fcd6bcb56c1689fcef28b57c22475bad |
| SHA1 | 1adc95bebe9eea8c112d40cd04ab7a8d75c4f961 |
| SHA256 | de2f256064a0af797747c2b97505dc0b9f3df0de4f489eac731c23ae9ca9cc31 |
| SHA512 | 73e4153936dab198397b74ee9efc26093dda721eaab2f8d92786891153b45b04265a161b169c988edb0db2c53124607b6eaaa816559c5ce54f3dbc9fa6a7a4b2 |
C:\Users\Admin\AppData\Local\Temp\IEXPLORE.tmp
| MD5 | a6fad63d53a0f242688753be4a791373 |
| SHA1 | b56bf60bd88e783403c46e29b9344e2eb6967dc3 |
| SHA256 | 0eef1845b0b62106594ac8180950e47b8c801851bb3a67bdd0072f63302752d2 |
| SHA512 | 4a8b2b67c665a73f3636956aea32f662e8cb61dd262ee1d6c5327a39385239413a6dac183380af1bbfa65f8ee6db49619447bfc379f49c0f6eb2655fc5ef9738 |
C:\Users\Admin\AppData\Local\Temp\$$dmsf.bat
| MD5 | a1132bccc90603d0d1e299920dd5ca20 |
| SHA1 | 46ab3b8e23816d2dc0de5fb3297b017d5b9a51aa |
| SHA256 | 95d5a933f8eac6102ad16bbe4db6f64f55cbf8abdf09d0a55e5cb34be78ed5d6 |
| SHA512 | 3b35223c5dd11d000c9a757dc3f8f9f36afffb49fc44faea410dd9bff4f44dc0150a38202146a5b399fd18d7f7f8bf8bcba1821dc41a79927814f93501db1a29 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-16 21:15
Reported
2024-10-16 21:18
Platform
win10v2004-20241007-en
Max time kernel
149s
Max time network
123s
Command Line
Signatures
Writes to the Master Boot Record (MBR)
| Description | Indicator | Process | Target |
| File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\AppData\Local\Temp\4f112f651b8025db019ae8089a8d591a_JaffaCakes118.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\Common Files\TaoBao\ÌÔ±¦.ico | C:\Users\Admin\AppData\Local\Temp\4f112f651b8025db019ae8089a8d591a_JaffaCakes118.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\TaoBao\ÌÔ±¦.tmp | C:\Users\Admin\AppData\Local\Temp\4f112f651b8025db019ae8089a8d591a_JaffaCakes118.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\RkRealTech.exe | C:\Users\Admin\AppData\Local\Temp\4f112f651b8025db019ae8089a8d591a_JaffaCakes118.exe | N/A |
| File created | C:\Windows\RtkSYUdp.exe | C:\Users\Admin\AppData\Local\Temp\4f112f651b8025db019ae8089a8d591a_JaffaCakes118.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\4f112f651b8025db019ae8089a8d591a_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regedit.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\software\WOW6432Node\microsoft\internet explorer\version Vector | C:\Users\Admin\AppData\Local\Temp\4f112f651b8025db019ae8089a8d591a_JaffaCakes118.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.ur1\PersistentHandler\ = "{5e941d80-bf96-11cd-b579-08002b30bfeb}" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.ur1\ShellEx\{000214EE-0000-0000-C000-000000000046} | C:\Windows\SysWOW64\regedit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.1nk\ShellEx\{BB2E617C-0920-11d1-9A0B-00C04FC2D6C1} | C:\Windows\SysWOW64\regedit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.1nk\ShellEx | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.1nk\ShellEx\{00021500-0000-0000-C000-000000000046}\ = "{00021401-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.ur1\ = "InternetShortcut" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.ur1\ShellEx\{FBF23B80-E3F0-101B-8488-00AA003E56F8} | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.ur1\ShellEx\{FBF23B80-E3F0-101B-8488-00AA003E56F8}\ = "{FBF23B40-E3F0-101B-8488-00AA003E56F8}" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.1nk\ = "lnkfile" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.ur1\ShellEx | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.1nk\ShellEx\{BB2E617C-0920-11d1-9A0B-00C04FC2D6C1}\ = "{00021401-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.ur1\ShellEx\{000214F9-0000-0000-C000-000000000046} | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.ur1\ShellEx\{00021500-0000-0000-C000-000000000046}\ = "{FBF23B40-E3F0-101B-8488-00AA003E56F8}" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.ur1\ShellEx\{CABB0DA0-DA57-11CF-9974-0020AFD79762}\ = "{FBF23B40-E3F0-101B-8488-00AA003E56F8}" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.1nk | C:\Windows\SysWOW64\regedit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.ur1\PersistentHandler | C:\Windows\SysWOW64\regedit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.ur1\ShellEx\{00021500-0000-0000-C000-000000000046} | C:\Windows\SysWOW64\regedit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.1nk\ShellEx\{000214EE-0000-0000-C000-000000000046} | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.1nk\ShellEx\{000214EE-0000-0000-C000-000000000046}\ = "{00021401-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.ur1 | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.ur1\ShellEx\{000214F9-0000-0000-C000-000000000046}\ = "{FBF23B40-E3F0-101B-8488-00AA003E56F8}" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.1nk\ShellEx\{000214F9-0000-0000-C000-000000000046} | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.1nk\ShellEx\{000214F9-0000-0000-C000-000000000046}\ = "{00021401-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.ur1\ShellEx\{000214EE-0000-0000-C000-000000000046}\ = "{FBF23B40-E3F0-101B-8488-00AA003E56F8}" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.1nk\ShellNew\Command = "rundll32.exe appwiz.cpl,NewLinkHere %1" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.ur1\ShellEx\{CABB0DA0-DA57-11CF-9974-0020AFD79762} | C:\Windows\SysWOW64\regedit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.1nk\ShellEx\{00021500-0000-0000-C000-000000000046} | C:\Windows\SysWOW64\regedit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.1nk\ShellNew | C:\Windows\SysWOW64\regedit.exe | N/A |
Runs regedit.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\regedit.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4f112f651b8025db019ae8089a8d591a_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4f112f651b8025db019ae8089a8d591a_JaffaCakes118.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\4f112f651b8025db019ae8089a8d591a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\4f112f651b8025db019ae8089a8d591a_JaffaCakes118.exe"
C:\Windows\SysWOW64\regedit.exe
regedit /s C:\Users\Admin\AppData\Local\Temp\$rar10987.tmp
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$RAVSING.bat
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$dmsf.bat
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | www.ttver.com | udp |
| US | 172.65.190.172:80 | www.ttver.com | tcp |
| US | 8.8.8.8:53 | file-sg.gname.net | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.190.65.172.in-addr.arpa | udp |
| US | 172.64.154.251:443 | file-sg.gname.net | tcp |
| US | 172.64.154.251:443 | file-sg.gname.net | tcp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 142.250.178.3:80 | c.pki.goog | tcp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 251.154.64.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 3.178.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp |
Files
memory/3756-0-0x0000000000400000-0x00000000004B7000-memory.dmp
memory/3756-1-0x0000000000AC0000-0x0000000000AC1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\$rar10987.tmp
| MD5 | 185038ec1cc9a69a109726c8989e4cf5 |
| SHA1 | bfb62037297e8533e5f3940a32fb9505acf4fe26 |
| SHA256 | 48ccff6cd96445619998a70fad77f5e655a9d146b93d0d160656619728c4e727 |
| SHA512 | bb0065a36a9bc48199943b21f3c3f10916fd15aa54201513f344464d962b5e6339e1df1b932043a914a662631f842a2f3b7a2c6e8c4e414567c5ea8ac9950391 |
C:\Users\Admin\AppData\Local\Temp\$$RAVSING.bat
| MD5 | cb350b29233b3440633123bb77692140 |
| SHA1 | 52793f1ba4c7925d41c6e79a109080c3d12b69e6 |
| SHA256 | 7031fcb0fa967101e4d4894e9ebbac7e0ed00cc3ba57777afa02f521356530d3 |
| SHA512 | 0e5d3b34262260b807179d6a51e2c62524d3b0a132c05c4425830d376d1002d150aa0fd8e747a67d96b8ae8145ab903892ce3eaa8245084832eefd02b31c09b8 |
C:\Users\Admin\AppData\Local\Temp\$$dmsf.bat
| MD5 | a4b0f71a1e52723101551d3156b79ac0 |
| SHA1 | 9cce4c28c25c271ecb3b1d7f9eb428e22c459f1e |
| SHA256 | 61e658319b6e6c4be1bb8e70e5457505d590cfc7530aaa02675b19c31a1fcc5f |
| SHA512 | c72cc0d703889e9c4234eded766afa4141b789d268d02e683948f496c4bba8fdbb724a9ae52819bce0909d94d07087c44d1e15ba734c9e5f208334ee7b0d49d3 |
memory/3756-31-0x0000000000400000-0x00000000004B7000-memory.dmp
memory/3756-33-0x0000000000AC0000-0x0000000000AC1000-memory.dmp