Analysis Overview
SHA256
b5f3f9c38941a80a482fec7f66183828add12d9115c824b78c89ffbaae951996
Threat Level: Shows suspicious behavior
The file 503b154050ce76040ccb90509af08ded_JaffaCakes118 was found to show suspicious behavior.
Malicious Activity Summary
Executes dropped EXE
Checks computer location settings
Loads dropped DLL
Writes to the Master Boot Record (MBR)
System Location Discovery: System Language Discovery
Enumerates physical storage devices
Unsigned PE
Modifies data under HKEY_USERS
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-17 01:54
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-17 01:54
Reported
2024-10-17 01:55
Platform
win7-20240903-en
Max time kernel
3s
Max time network
8s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\mbr-locker.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\sys3.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\503b154050ce76040ccb90509af08ded_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\503b154050ce76040ccb90509af08ded_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\mbr-locker.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\mbr-locker.exe | N/A |
Writes to the Master Boot Record (MBR)
| Description | Indicator | Process | Target |
| File opened for modification | \??\PHYSICALDRIVE0 | C:\Users\Admin\AppData\Local\Temp\mbr-locker.exe | N/A |
| File opened for modification | \??\PHYSICALDRIVE0 | C:\Users\Admin\AppData\Local\Temp\sys3.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\503b154050ce76040ccb90509af08ded_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\mbr-locker.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\sys3.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\sys3.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\503b154050ce76040ccb90509af08ded_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\503b154050ce76040ccb90509af08ded_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\mbr-locker.exe
"C:\Users\Admin\AppData\Local\Temp\mbr-locker.exe"
C:\Users\Admin\AppData\Local\Temp\sys3.exe
C:\Users\Admin\AppData\Local\Temp\\sys3.exe
C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x1
Network
Files
memory/2332-0-0x0000000000400000-0x00000000004AA000-memory.dmp
\Users\Admin\AppData\Local\Temp\mbr-locker.exe
| MD5 | f907909c1e30c3e839096e7d4d090b2c |
| SHA1 | 0a99db4e4374dadbfb22610e826e68d3aa3fc376 |
| SHA256 | f31e5d50d7af3d92ce22acf0170943e2d825de609043ffbb8a7dd81c40a9fa9d |
| SHA512 | 583481e0f239587cd39c14fc4496137ffb8fdd58d8b7f37eb0fc6c720faf770aa6f9b6f1ba323e916536ff7f4594379004de3462150da973e9155b36cb65598f |
memory/2332-6-0x000000002AA00000-0x000000002AA47000-memory.dmp
memory/2148-14-0x000000002AA00000-0x000000002AA47000-memory.dmp
memory/2332-12-0x0000000000400000-0x00000000004AA000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\systm.txt
| MD5 | 55a6c5e8b47dc0777cf286fa1b3970d2 |
| SHA1 | c6b51d0028b78e0a5bb019285b14e3d25478632a |
| SHA256 | 5389ea291b867e7beed8516a9d534fdd91bfc3802512d5bd4b7823b702ba130c |
| SHA512 | d5bc859ce5592a48ac708810d7240df448c860c97f98819b4cb45cd661365946ed31553a0c017e3dd1540915b98291561e184b273f7880ff112b6fad62846782 |
memory/2148-24-0x000000002AA00000-0x000000002AA47000-memory.dmp
memory/2912-27-0x0000000002D90000-0x0000000002D91000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-17 01:54
Reported
2024-10-17 01:54
Platform
win10v2004-20241007-en
Max time kernel
4s
Max time network
6s
Command Line
Signatures
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\503b154050ce76040ccb90509af08ded_JaffaCakes118.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\mbr-locker.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\sys3.exe | N/A |
Writes to the Master Boot Record (MBR)
| Description | Indicator | Process | Target |
| File opened for modification | \??\PHYSICALDRIVE0 | C:\Users\Admin\AppData\Local\Temp\mbr-locker.exe | N/A |
| File opened for modification | \??\PHYSICALDRIVE0 | C:\Users\Admin\AppData\Local\Temp\sys3.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\503b154050ce76040ccb90509af08ded_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\mbr-locker.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\sys3.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "226" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00 | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" | C:\Windows\system32\LogonUI.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" | C:\Windows\system32\LogonUI.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040" | C:\Windows\system32\LogonUI.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808" | C:\Windows\system32\LogonUI.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\sys3.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\LogonUI.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3548 wrote to memory of 5004 | N/A | C:\Users\Admin\AppData\Local\Temp\503b154050ce76040ccb90509af08ded_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\mbr-locker.exe |
| PID 3548 wrote to memory of 5004 | N/A | C:\Users\Admin\AppData\Local\Temp\503b154050ce76040ccb90509af08ded_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\mbr-locker.exe |
| PID 3548 wrote to memory of 5004 | N/A | C:\Users\Admin\AppData\Local\Temp\503b154050ce76040ccb90509af08ded_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\mbr-locker.exe |
| PID 5004 wrote to memory of 4908 | N/A | C:\Users\Admin\AppData\Local\Temp\mbr-locker.exe | C:\Users\Admin\AppData\Local\Temp\sys3.exe |
| PID 5004 wrote to memory of 4908 | N/A | C:\Users\Admin\AppData\Local\Temp\mbr-locker.exe | C:\Users\Admin\AppData\Local\Temp\sys3.exe |
| PID 5004 wrote to memory of 4908 | N/A | C:\Users\Admin\AppData\Local\Temp\mbr-locker.exe | C:\Users\Admin\AppData\Local\Temp\sys3.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\503b154050ce76040ccb90509af08ded_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\503b154050ce76040ccb90509af08ded_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\mbr-locker.exe
"C:\Users\Admin\AppData\Local\Temp\mbr-locker.exe"
C:\Users\Admin\AppData\Local\Temp\sys3.exe
C:\Users\Admin\AppData\Local\Temp\\sys3.exe
C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa3980855 /state1:0x41c64e6d
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 72.32.126.40.in-addr.arpa | udp |
Files
memory/3548-0-0x0000000000400000-0x00000000004AA000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\mbr-locker.exe
| MD5 | f907909c1e30c3e839096e7d4d090b2c |
| SHA1 | 0a99db4e4374dadbfb22610e826e68d3aa3fc376 |
| SHA256 | f31e5d50d7af3d92ce22acf0170943e2d825de609043ffbb8a7dd81c40a9fa9d |
| SHA512 | 583481e0f239587cd39c14fc4496137ffb8fdd58d8b7f37eb0fc6c720faf770aa6f9b6f1ba323e916536ff7f4594379004de3462150da973e9155b36cb65598f |
memory/5004-9-0x000000002AA00000-0x000000002AA47000-memory.dmp
memory/3548-10-0x0000000000400000-0x00000000004AA000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\systm.txt
| MD5 | 55a6c5e8b47dc0777cf286fa1b3970d2 |
| SHA1 | c6b51d0028b78e0a5bb019285b14e3d25478632a |
| SHA256 | 5389ea291b867e7beed8516a9d534fdd91bfc3802512d5bd4b7823b702ba130c |
| SHA512 | d5bc859ce5592a48ac708810d7240df448c860c97f98819b4cb45cd661365946ed31553a0c017e3dd1540915b98291561e184b273f7880ff112b6fad62846782 |
memory/5004-18-0x000000002AA00000-0x000000002AA47000-memory.dmp