Analysis Overview
SHA256
01c056f5e5edfbbbe2c50821e8a7a896ee17564fb22b049dafbc9721428db21b
Threat Level: Shows suspicious behavior
The file 7f5619ee409bbc33becff5007b00fa69_JaffaCakes118 was found to be: Shows suspicious behavior.
Malicious Activity Summary
Checks computer location settings
Loads dropped DLL
ACProtect 1.3x - 1.4x DLL software
Deletes itself
Indicator Removal: File Deletion
Drops file in System32 directory
UPX packed file
Drops file in Windows directory
System Location Discovery: System Language Discovery
Enumerates physical storage devices
Unsigned PE
Suspicious use of WriteProcessMemory
Modifies registry class
Suspicious use of SetWindowsHookEx
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-30 13:16
Signatures
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-30 13:16
Reported
2024-10-30 13:19
Platform
win7-20240903-en
Max time kernel
122s
Max time network
123s
Command Line
Signatures
ACProtect 1.3x - 1.4x DLL software
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7f5619ee409bbc33becff5007b00fa69_JaffaCakes118.exe | N/A |
Indicator Removal: File Deletion
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\201476D0.dll | C:\Users\Admin\AppData\Local\Temp\7f5619ee409bbc33becff5007b00fa69_JaffaCakes118.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\Fonts\9meS3cnFuuhyTu6M.ttf | C:\Users\Admin\AppData\Local\Temp\7f5619ee409bbc33becff5007b00fa69_JaffaCakes118.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7f5619ee409bbc33becff5007b00fa69_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{201476D0-2B18-462E-AB9F-3E2B0CC8732B}\InprocServer32\ = "C:\\Windows\\SysWow64\\201476D0.dll" | C:\Users\Admin\AppData\Local\Temp\7f5619ee409bbc33becff5007b00fa69_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{201476D0-2B18-462E-AB9F-3E2B0CC8732B}\InprocServer32\ThreadingModel = "Apartment" | C:\Users\Admin\AppData\Local\Temp\7f5619ee409bbc33becff5007b00fa69_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLsID\{201476D0-2B18-462E-AB9F-3E2B0CC8732B}\InprocServer32 | C:\Users\Admin\AppData\Local\Temp\7f5619ee409bbc33becff5007b00fa69_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node | C:\Users\Admin\AppData\Local\Temp\7f5619ee409bbc33becff5007b00fa69_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLsID | C:\Users\Admin\AppData\Local\Temp\7f5619ee409bbc33becff5007b00fa69_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{201476D0-2B18-462E-AB9F-3E2B0CC8732B} | C:\Users\Admin\AppData\Local\Temp\7f5619ee409bbc33becff5007b00fa69_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{201476D0-2B18-462E-AB9F-3E2B0CC8732B}\InprocServer32 | C:\Users\Admin\AppData\Local\Temp\7f5619ee409bbc33becff5007b00fa69_JaffaCakes118.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7f5619ee409bbc33becff5007b00fa69_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7f5619ee409bbc33becff5007b00fa69_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7f5619ee409bbc33becff5007b00fa69_JaffaCakes118.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7f5619ee409bbc33becff5007b00fa69_JaffaCakes118.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1480 wrote to memory of 2932 | N/A | C:\Users\Admin\AppData\Local\Temp\7f5619ee409bbc33becff5007b00fa69_JaffaCakes118.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 1480 wrote to memory of 2932 | N/A | C:\Users\Admin\AppData\Local\Temp\7f5619ee409bbc33becff5007b00fa69_JaffaCakes118.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 1480 wrote to memory of 2932 | N/A | C:\Users\Admin\AppData\Local\Temp\7f5619ee409bbc33becff5007b00fa69_JaffaCakes118.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 1480 wrote to memory of 2932 | N/A | C:\Users\Admin\AppData\Local\Temp\7f5619ee409bbc33becff5007b00fa69_JaffaCakes118.exe | C:\Windows\SysWOW64\cmd.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\7f5619ee409bbc33becff5007b00fa69_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\7f5619ee409bbc33becff5007b00fa69_JaffaCakes118.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\7F5619~1.EXE >> NUL
Network
Files
memory/1480-0-0x0000000000400000-0x0000000000409000-memory.dmp
\Windows\SysWOW64\201476D0.dll
| MD5 | 673e5814021765bdbf91c60d72b78e00 |
| SHA1 | fc02d12d3fe687fcf65cedb4fb1536e40e36c19d |
| SHA256 | 6b4f107de3e4aebf34381d237f2d35bfeef7568147f1d7d33a8ad256abd594c7 |
| SHA512 | e4c4c7774d891d48dc625fc57f81c94ad503192a416d43e62b8f5b7ad866796c5b2e7619e7a6522274ff3a09d18b5988a84771773004c48855b330c6cf533c08 |
memory/1480-6-0x0000000010000000-0x000000001000E000-memory.dmp
memory/1480-7-0x0000000000400000-0x0000000000409000-memory.dmp
memory/1480-9-0x0000000010000000-0x000000001000E000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-30 13:16
Reported
2024-10-30 13:19
Platform
win10v2004-20241007-en
Max time kernel
148s
Max time network
150s
Command Line
Signatures
ACProtect 1.3x - 1.4x DLL software
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\7f5619ee409bbc33becff5007b00fa69_JaffaCakes118.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7f5619ee409bbc33becff5007b00fa69_JaffaCakes118.exe | N/A |
Indicator Removal: File Deletion
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\201476D0.dll | C:\Users\Admin\AppData\Local\Temp\7f5619ee409bbc33becff5007b00fa69_JaffaCakes118.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\Fonts\9meS3cnFuuhyTu6M.ttf | C:\Users\Admin\AppData\Local\Temp\7f5619ee409bbc33becff5007b00fa69_JaffaCakes118.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7f5619ee409bbc33becff5007b00fa69_JaffaCakes118.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLsID\{201476D0-2B18-462E-AB9F-3E2B0CC8732B}\InprocServer32 | C:\Users\Admin\AppData\Local\Temp\7f5619ee409bbc33becff5007b00fa69_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node | C:\Users\Admin\AppData\Local\Temp\7f5619ee409bbc33becff5007b00fa69_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLsID | C:\Users\Admin\AppData\Local\Temp\7f5619ee409bbc33becff5007b00fa69_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{201476D0-2B18-462E-AB9F-3E2B0CC8732B} | C:\Users\Admin\AppData\Local\Temp\7f5619ee409bbc33becff5007b00fa69_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{201476D0-2B18-462E-AB9F-3E2B0CC8732B}\InprocServer32 | C:\Users\Admin\AppData\Local\Temp\7f5619ee409bbc33becff5007b00fa69_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{201476D0-2B18-462E-AB9F-3E2B0CC8732B}\InprocServer32\ = "C:\\Windows\\SysWow64\\201476D0.dll" | C:\Users\Admin\AppData\Local\Temp\7f5619ee409bbc33becff5007b00fa69_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{201476D0-2B18-462E-AB9F-3E2B0CC8732B}\InprocServer32\ThreadingModel = "Apartment" | C:\Users\Admin\AppData\Local\Temp\7f5619ee409bbc33becff5007b00fa69_JaffaCakes118.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7f5619ee409bbc33becff5007b00fa69_JaffaCakes118.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4432 wrote to memory of 448 | N/A | C:\Users\Admin\AppData\Local\Temp\7f5619ee409bbc33becff5007b00fa69_JaffaCakes118.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 4432 wrote to memory of 448 | N/A | C:\Users\Admin\AppData\Local\Temp\7f5619ee409bbc33becff5007b00fa69_JaffaCakes118.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 4432 wrote to memory of 448 | N/A | C:\Users\Admin\AppData\Local\Temp\7f5619ee409bbc33becff5007b00fa69_JaffaCakes118.exe | C:\Windows\SysWOW64\cmd.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\7f5619ee409bbc33becff5007b00fa69_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\7f5619ee409bbc33becff5007b00fa69_JaffaCakes118.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\7F5619~1.EXE >> NUL
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 136.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 74.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
Files
memory/4432-0-0x0000000000400000-0x0000000000409000-memory.dmp
C:\Windows\SysWOW64\201476D0.dll
| MD5 | 673e5814021765bdbf91c60d72b78e00 |
| SHA1 | fc02d12d3fe687fcf65cedb4fb1536e40e36c19d |
| SHA256 | 6b4f107de3e4aebf34381d237f2d35bfeef7568147f1d7d33a8ad256abd594c7 |
| SHA512 | e4c4c7774d891d48dc625fc57f81c94ad503192a416d43e62b8f5b7ad866796c5b2e7619e7a6522274ff3a09d18b5988a84771773004c48855b330c6cf533c08 |
memory/4432-7-0x0000000010000000-0x000000001000E000-memory.dmp
memory/4432-11-0x0000000010000000-0x000000001000E000-memory.dmp
memory/4432-10-0x0000000000400000-0x0000000000409000-memory.dmp