Analysis Overview
SHA256
039f49f63a4173ed8451b471eef7fa40a3354fc6353213d59a51936dabfc6760
Threat Level: Likely malicious
The file 83035d6f6c95bbee91cebfda3ce8e717_JaffaCakes118 was found to be: Likely malicious.
Malicious Activity Summary
Creates new service(s)
Stops running service(s)
Drops file in Drivers directory
Checks computer location settings
Reads user/profile data of web browsers
Credentials from Password Stores: Windows Credential Manager
Executes dropped EXE
Loads dropped DLL
Drops file in System32 directory
Launches sc.exe
Enumerates physical storage devices
Unsigned PE
System Network Configuration Discovery: Internet Connection Discovery
Modifies registry class
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-31 12:25
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-31 12:25
Reported
2024-10-31 13:21
Platform
win7-20240903-en
Max time kernel
53s
Max time network
53s
Command Line
Signatures
Creates new service(s)
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| File created | C:\windows\system32\drivers\appld.sys | C:\Users\Admin\AppData\Local\Temp\83035d6f6c95bbee91cebfda3ce8e717_JaffaCakes118.exe | N/A |
Stops running service(s)
Credentials from Password Stores: Windows Credential Manager
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\dg82fqkt63.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\l4fjq1orkk.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\83035d6f6c95bbee91cebfda3ce8e717_JaffaCakes118.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\83035d6f6c95bbee91cebfda3ce8e717_JaffaCakes118.exe | N/A |
| N/A | N/A | N/A | N/A |
Reads user/profile data of web browsers
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\System32\config\TxR\{01688~1.REG | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\config\TxR\{01688~2.REG | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\config\TxR\{01688~3.REG | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\config\TxR\{01688~4.REG | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\config\TxR\{0B82E~1.REG | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\config\TxR\{01688~2.BLF | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\config\TxR\{01688~1.BLF | C:\Windows\system32\cmd.exe | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
Enumerates physical storage devices
System Network Configuration Discovery: Internet Connection Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\reg.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\dg82fqkt63.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\shutdown.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\shutdown.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\83035d6f6c95bbee91cebfda3ce8e717_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\83035d6f6c95bbee91cebfda3ce8e717_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\dg82fqkt63.exe
"C:\Users\Admin\AppData\Local\Temp\dg82fqkt63.exe"
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\lc4tilfa51.bat" "
C:\Windows\system32\reg.exe
reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\vgk\Security" /f
C:\Windows\system32\reg.exe
reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\vgk" /f
C:\Windows\system32\reg.exe
reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\vgc\Security" /f
C:\Windows\system32\reg.exe
reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\vgc" /f
C:\Windows\system32\reg.exe
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Riot Vangard" /f
C:\Windows\system32\reg.exe
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RADAR\HeapLeakDetection\DiagnosedApplications\VALORANT-Win64-Shipping.exe" /f
C:\Windows\system32\reg.exe
reg delete "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{FA99DFC7-6AC2-453A-A5E2-5E2AFF4507BD}\Count" /f
C:\Windows\system32\reg.exe
reg delete "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count" /f
C:\Windows\system32\reg.exe
reg delete "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F2A1CB5A-E3CC-4A2E-AF9D-505A7009D442}\Count" /f
C:\Windows\system32\reg.exe
reg delete "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count" /f
C:\Windows\system32\reg.exe
reg delete "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CAA59E3C-4792-41A5-9909-6A6A8D32490E}\Count" /f
C:\Windows\system32\reg.exe
reg delete "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{BCB48336-4DDD-48FF-BB0B-D3190DACB3E2}\Count" /f
C:\Windows\system32\reg.exe
reg delete "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{B267E3AD-A825-4A09-82B9-EEC22AA3B847}\Count" /f
C:\Windows\system32\reg.exe
reg delete "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{A3D53349-6E61-4557-8FC7-0028EDCEEBF6}\Count" /f
C:\Windows\system32\reg.exe
reg delete "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{9E04CAB2-CC14-11DF-BB8C-A2F1DED72085}\Count" /f
C:\Windows\system32\reg.exe
reg delete "HKEY_CLASSES_ROOT\riotclient" /f
C:\Users\Admin\AppData\Local\Temp\l4fjq1orkk.exe
"C:\Users\Admin\AppData\Local\Temp\l4fjq1orkk.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c Color 97
C:\Windows\system32\reg.exe
reg delete "HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig" /f
C:\Windows\system32\sc.exe
sc stop appld
C:\Windows\system32\sc.exe
sc delete appld
C:\Windows\system32\sc.exe
sc create appld binpath= C:\windows\system32\drivers\appld.sys type= kernel start= boot
C:\Windows\System32\shutdown.exe
C:\Windows\System32\shutdown /r /t 0
C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 05412.net | udp |
| TH | 103.233.195.176:443 | 05412.net | tcp |
| N/A | 127.0.0.1:49201 | N/A | tcp |
| N/A | 127.0.0.1:49203 | N/A | tcp |
| US | 8.8.8.8:53 | r11.o.lencr.org | udp |
| GB | 2.18.190.73:80 | r11.o.lencr.org | tcp |
| US | 8.8.8.8:53 | crl.microsoft.com | udp |
| GB | 2.19.252.157:80 | crl.microsoft.com | tcp |
Files
\Users\Admin\AppData\Local\Temp\dg82fqkt63.exe
| MD5 | 8eded2a6dd7097e60abfa7292d3b23c0 |
| SHA1 | 099688e74e257495636c96b34b2d59724c271a8c |
| SHA256 | 1b48f91b77fc85eec79786f908e0eaeff050cdaee49471ee0c2be92e05c972bd |
| SHA512 | 1733b6e583ad92a64ba2a561c7c5b333df2f59b1aec97d7627a9e257acdcb553e9907fe701a4bb094f4b4ec44b04f50f833ccfe11d5dbf171e9fd5fe1db7397d |
C:\Users\Admin\AppData\Local\Temp\lc4tilfa51.bat
| MD5 | ff773fbe0ab771b04b82316c89f20654 |
| SHA1 | d37bcca4ff0d80d5d02d4e5ab942a945edfb0fba |
| SHA256 | f4907982695edaf608648b6e1984a0aea68057d428cbc82ebceba3d3074cfb7b |
| SHA512 | 528dc36c1e03650f57a8cf63e5d3c637290c5c450343065ab2cfc034d60114362953d144115e35956a8a34d2442ebfb4ca2c95943d8dd0f9f0eb58e563c7f313 |
\Users\Admin\AppData\Local\Temp\l4fjq1orkk.exe
| MD5 | 060f3da224758a17ba766353dccd4d82 |
| SHA1 | b58ba5133ecb4ed8968733b2207058505fbefdf3 |
| SHA256 | 9ef5644ff3befc763b4ab7b8bf0ba7e8ebda43d98e5e8d753f95fe9cdaec7645 |
| SHA512 | af06364339814b4c9058f3acf2214842e381f988f87b4b694bcb06cb55cf749d76e117ef2fc4a0f80c530d0ef51e6ee3171045d37a260e6456c0f363b41baaa7 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-31 12:25
Reported
2024-10-31 13:15
Platform
win10v2004-20241007-en
Max time kernel
49s
Max time network
62s
Command Line
Signatures
Creates new service(s)
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| File created | C:\windows\system32\drivers\appld.sys | C:\Users\Admin\AppData\Local\Temp\83035d6f6c95bbee91cebfda3ce8e717_JaffaCakes118.exe | N/A |
Stops running service(s)
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\83035d6f6c95bbee91cebfda3ce8e717_JaffaCakes118.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\gkq2l64hj8.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\kfd1uqptmt.exe | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SYSTEM32\sc.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\sc.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\sc.exe | N/A |
Enumerates physical storage devices
System Network Configuration Discovery: Internet Connection Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\reg.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | C:\Users\Admin\AppData\Local\Temp\83035d6f6c95bbee91cebfda3ce8e717_JaffaCakes118.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\gkq2l64hj8.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\83035d6f6c95bbee91cebfda3ce8e717_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\83035d6f6c95bbee91cebfda3ce8e717_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\gkq2l64hj8.exe
"C:\Users\Admin\AppData\Local\Temp\gkq2l64hj8.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\b135idns21.bat" "
C:\Windows\system32\reg.exe
reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\vgk\Security" /f
C:\Windows\system32\reg.exe
reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\vgk" /f
C:\Windows\system32\reg.exe
reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\vgc\Security" /f
C:\Windows\system32\reg.exe
reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\vgc" /f
C:\Windows\system32\reg.exe
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Riot Vangard" /f
C:\Windows\system32\reg.exe
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RADAR\HeapLeakDetection\DiagnosedApplications\VALORANT-Win64-Shipping.exe" /f
C:\Windows\system32\reg.exe
reg delete "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{FA99DFC7-6AC2-453A-A5E2-5E2AFF4507BD}\Count" /f
C:\Windows\system32\reg.exe
reg delete "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count" /f
C:\Windows\system32\reg.exe
reg delete "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F2A1CB5A-E3CC-4A2E-AF9D-505A7009D442}\Count" /f
C:\Windows\system32\reg.exe
reg delete "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count" /f
C:\Windows\system32\reg.exe
reg delete "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CAA59E3C-4792-41A5-9909-6A6A8D32490E}\Count" /f
C:\Windows\system32\reg.exe
reg delete "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{BCB48336-4DDD-48FF-BB0B-D3190DACB3E2}\Count" /f
C:\Windows\system32\reg.exe
reg delete "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{B267E3AD-A825-4A09-82B9-EEC22AA3B847}\Count" /f
C:\Windows\system32\reg.exe
reg delete "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{A3D53349-6E61-4557-8FC7-0028EDCEEBF6}\Count" /f
C:\Windows\system32\reg.exe
reg delete "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{9E04CAB2-CC14-11DF-BB8C-A2F1DED72085}\Count" /f
C:\Windows\system32\reg.exe
reg delete "HKEY_CLASSES_ROOT\riotclient" /f
C:\Users\Admin\AppData\Local\Temp\kfd1uqptmt.exe
"C:\Users\Admin\AppData\Local\Temp\kfd1uqptmt.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c Color 97
C:\Windows\SYSTEM32\sc.exe
sc stop appld
C:\Windows\SYSTEM32\sc.exe
sc delete appld
C:\Windows\SYSTEM32\sc.exe
sc create appld binpath= C:\windows\system32\drivers\appld.sys type= kernel start= boot
C:\Windows\system32\reg.exe
reg delete "HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig" /f
C:\Windows\System32\shutdown.exe
C:\Windows\System32\shutdown /r /t 0
C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa38ac855 /state1:0x41c64e6d
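Both process trees (behavioral1 and behavioral2) run the same chain: a batch file deletes the vgk and vgc service keys (Riot Vanguard's kernel driver and user-mode service), wipes UserAssist counters, deletes HKLM\SYSTEM\HardwareConfig, then the second dropped executable stops and deletes any existing appld service, registers appld.sys as a boot-start kernel driver with sc.exe, and forces an immediate reboot so the driver loads. The following is an added example of detection logic over those command lines; it is not part of the sandbox report. The rule names, severities, the Report class and the SAMPLE_CMDLINES list (copied from the process trees above) are this example's own choices.

```python
"""Detection logic for the service-removal / boot-start driver chain seen in the
process trees above. Added example, not part of the sandbox report."""
import re
from dataclasses import dataclass, field

# Constructed sample input: command lines copied from the behavioral1/behavioral2
# process trees (the same chain runs in both).
SAMPLE_CMDLINES = [
    r'reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\vgk\Security" /f',
    r'reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\vgk" /f',
    r'reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\vgc\Security" /f',
    r'reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\vgc" /f',
    r'reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Riot Vangard" /f',
    r'reg delete "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count" /f',
    r'reg delete "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count" /f',
    r'reg delete "HKEY_CLASSES_ROOT\riotclient" /f',
    r'C:\Windows\system32\cmd.exe /c Color 97',
    r'reg delete "HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig" /f',
    r'sc stop appld',
    r'sc delete appld',
    r'sc create appld binpath= C:\windows\system32\drivers\appld.sys type= kernel start= boot',
    r'C:\Windows\System32\shutdown /r /t 0',
]

# vgk (kernel driver) and vgc (user-mode service) are the Riot Vanguard anti-cheat
# components whose service keys the batch file removes.
ANTICHEAT_SERVICES = {"vgk": "Riot Vanguard driver", "vgc": "Riot Vanguard service"}

SERVICE_KEY_RE = re.compile(
    r'^reg\s+delete\s+"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\([^\\"]+)', re.I)
USERASSIST_RE = re.compile(r'\\Explorer\\UserAssist\\\{[0-9A-F-]{36}\}\\Count"', re.I)
HWCONFIG_RE = re.compile(r'^reg\s+delete\s+"HKEY_LOCAL_MACHINE\\SYSTEM\\HardwareConfig"', re.I)
SC_CTRL_RE = re.compile(r'^sc\s+(stop|delete)\s+(\S+)', re.I)
SC_CREATE_RE = re.compile(
    r'^sc\s+create\s+(\S+)\s+binpath=\s*(\S+)(?=.*\btype=\s*kernel)(?=.*\bstart=\s*boot)', re.I)
SHUTDOWN_RE = re.compile(r'shutdown(?:\.exe)?\b(?=.*\s/r\b)(?=.*\s/t\s+0\b)', re.I)

SEVERITY_ORDER = ("low", "medium", "high", "critical")


@dataclass
class Report:
    findings: list = field(default_factory=list)  # (rule, severity, evidence)

    def rules(self):
        return {rule for rule, _, _ in self.findings}

    def max_severity(self):
        return max((sev for _, sev, _ in self.findings), key=SEVERITY_ORDER.index, default="none")


def analyze(cmdlines):
    """Return a Report for one process tree's command lines (any order)."""
    rep = Report()
    deleted_services = {}   # service name -> first reg delete hitting its key
    controlled = set()      # names passed to "sc stop" / "sc delete"
    drivers = []            # (name, binpath, cmdline) for boot-start kernel services
    userassist = 0
    reboot = None
    for raw in cmdlines:
        c = raw.strip()
        if m := SERVICE_KEY_RE.match(c):
            deleted_services.setdefault(m.group(1).lower(), c)
        elif USERASSIST_RE.search(c):
            userassist += 1
        elif HWCONFIG_RE.match(c):
            rep.findings.append(("hardwareconfig_key_deleted", "high", c))
        elif m := SC_CTRL_RE.match(c):
            controlled.add(m.group(2).lower())
        elif m := SC_CREATE_RE.match(c):
            drivers.append((m.group(1).lower(), m.group(2), c))
        elif SHUTDOWN_RE.search(c):
            reboot = c
    for svc, c in deleted_services.items():
        if svc in ANTICHEAT_SERVICES:
            rep.findings.append(("anticheat_service_key_deleted", "high", f"{ANTICHEAT_SERVICES[svc]}: {c}"))
        else:
            rep.findings.append(("service_key_deleted", "medium", c))
    if userassist:
        rep.findings.append(("userassist_wiped", "medium", f"{userassist} UserAssist\\...\\Count keys deleted"))
    for name, path, c in drivers:
        note = "boot-start kernel driver registered with sc.exe"
        if name in controlled:
            note += "; same service name stopped/deleted first"
        if "\\drivers\\" in path.lower():
            note += "; binary placed in the system drivers directory"
        rep.findings.append(("boot_kernel_driver_created", "high", f"{note}: {c}"))
        if reboot:
            # A boot-start driver only loads on the next boot; forcing the reboot
            # completes the install without waiting for the user.
            rep.findings.append(("driver_install_and_forced_reboot", "critical", f"{c} | {reboot}"))
    return rep


if __name__ == "__main__":
    for rule, sev, evidence in analyze(SAMPLE_CMDLINES).findings:
        print(f"[{sev:8}] {rule}: {evidence}")
```

Feed it Sysmon Event ID 1 or 4688 command lines grouped by parent process and the same rules apply; the stop/delete/create sequence on one service name and the `start= boot` kernel type are what separate this from a legitimate driver installer, which goes through the Service Control Manager with a signed binary rather than sc.exe from a Temp directory.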
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 05412.net | udp |
| N/A | 127.0.0.1:56269 | N/A | tcp |
| N/A | 127.0.0.1:56271 | N/A | tcp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| TH | 103.233.195.176:443 | 05412.net | tcp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.27.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 176.195.233.103.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 64.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | r11.o.lencr.org | udp |
| GB | 2.18.190.73:80 | r11.o.lencr.org | tcp |
| US | 8.8.8.8:53 | 125.21.192.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 107.12.20.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 5.173.189.20.in-addr.arpa | udp |
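Most rows in the two Network tables above are the sandbox image talking to itself: loopback connections, OCSP/CRL fetches from r11.o.lencr.org and crl.microsoft.com, Windows 10 background contact with g.bing.com, and reverse-DNS (in-addr.arpa) lookups of addresses the host saw. The one contact left in both runs is 05412.net at 103.233.195.176:443, and that same address also appears reverse-resolved as 176.195.233.103.in-addr.arpa. The following is an added example, not part of the sandbox report, of triaging such tables: it decodes the reverse lookups, drops the known-benign hosts, and correlates what remains. The allowlist KNOWN_BENIGN_SUFFIXES is an assumption you would maintain for your own sandbox image; SAMPLE_ROWS is copied from the tables above.

```python
"""Triage the sandbox Network tables above: drop OS background traffic, decode
reverse-DNS lookups, and keep the contacts worth investigating.
Added example, not part of the sandbox report."""
import ipaddress
from collections import defaultdict

# Constructed sample: rows copied from the behavioral1 and behavioral2 Network tables.
SAMPLE_ROWS = [
    ("US", "8.8.8.8:53", "05412.net", "udp"),
    ("TH", "103.233.195.176:443", "05412.net", "tcp"),
    ("N/A", "127.0.0.1:49201", "N/A", "tcp"),
    ("US", "8.8.8.8:53", "r11.o.lencr.org", "udp"),
    ("GB", "2.18.190.73:80", "r11.o.lencr.org", "tcp"),
    ("US", "8.8.8.8:53", "crl.microsoft.com", "udp"),
    ("GB", "2.19.252.157:80", "crl.microsoft.com", "tcp"),
    ("US", "8.8.8.8:53", "217.106.137.52.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "176.195.233.103.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "g.bing.com", "udp"),
    ("US", "150.171.27.10:443", "g.bing.com", "tcp"),
]

# Assumption: an allowlist you keep for your sandbox image. lencr.org is Let's
# Encrypt's OCSP/CRL domain, crl.microsoft.com is Microsoft's CRL host, and
# bing.com is contacted by Windows 10 in the background.
KNOWN_BENIGN_SUFFIXES = ("lencr.org", "crl.microsoft.com", "bing.com")


def split_dest(dest):
    """'103.233.195.176:443' -> (IPv4Address('103.233.195.176'), 443)."""
    host, _, port = dest.rpartition(":")
    return ipaddress.ip_address(host), int(port)


def ptr_target(name):
    """Decode 'a.b.c.d.in-addr.arpa' to the IPv4 address d.c.b.a, else None."""
    suffix = ".in-addr.arpa"
    if not name.lower().endswith(suffix):
        return None
    octets = name[: -len(suffix)].split(".")
    if len(octets) != 4:
        return None
    try:
        return ipaddress.ip_address(".".join(reversed(octets)))
    except ValueError:
        return None


def is_known_benign(domain):
    d = domain.lower()
    return any(d == s or d.endswith("." + s) for s in KNOWN_BENIGN_SUFFIXES)


def triage(rows):
    """Return {'review': {key: {...}}, 'noise_rows': n}. Keys are domains, or the
    bare IP when a connection had no DNS name in the table."""
    review = defaultdict(lambda: {"connections": set(), "countries": set(), "reverse_lookup": False})
    ptr_lookups = set()
    noise = 0
    for country, dest, domain, proto in rows:
        ip, port = split_dest(dest)
        if ip.is_loopback:
            noise += 1
            continue
        target = ptr_target(domain)
        if target is not None:
            ptr_lookups.add(str(target))   # the host resolving an address it saw
            noise += 1
            continue
        if is_known_benign(domain):
            noise += 1
            continue
        key = domain.lower() if domain != "N/A" else str(ip)
        entry = review[key]
        if port == 53 and proto == "udp":
            continue   # the DNS query itself; the name stays even with no connection
        entry["connections"].add((str(ip), port, proto))
        entry["countries"].add(country)
    for entry in review.values():
        # A PTR lookup of an address we connected to ties the two rows together.
        entry["reverse_lookup"] = any(c[0] in ptr_lookups for c in entry["connections"])
    return {"review": dict(review), "noise_rows": noise}


if __name__ == "__main__":
    result = triage(SAMPLE_ROWS)
    print(f"{result['noise_rows']} rows of OS/sandbox background traffic dropped")
    for key, info in result["review"].items():
        print(key, sorted(info["connections"]), sorted(info["countries"]),
              "PTR seen" if info["reverse_lookup"] else "")
```

A domain that survives the filter with a DNS query but no connection is still reported, since a failed or blocked connection is itself worth knowing about; a connection with no preceding DNS name is keyed by its IP, because direct-to-IP traffic is the case the allowlist cannot vouch for.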
Files
C:\Users\Admin\AppData\Local\Temp\gkq2l64hj8.exe
| MD5 | 8eded2a6dd7097e60abfa7292d3b23c0 |
| SHA1 | 099688e74e257495636c96b34b2d59724c271a8c |
| SHA256 | 1b48f91b77fc85eec79786f908e0eaeff050cdaee49471ee0c2be92e05c972bd |
| SHA512 | 1733b6e583ad92a64ba2a561c7c5b333df2f59b1aec97d7627a9e257acdcb553e9907fe701a4bb094f4b4ec44b04f50f833ccfe11d5dbf171e9fd5fe1db7397d |
C:\Users\Admin\AppData\Local\Temp\b135idns21.bat
| MD5 | ff773fbe0ab771b04b82316c89f20654 |
| SHA1 | d37bcca4ff0d80d5d02d4e5ab942a945edfb0fba |
| SHA256 | f4907982695edaf608648b6e1984a0aea68057d428cbc82ebceba3d3074cfb7b |
| SHA512 | 528dc36c1e03650f57a8cf63e5d3c637290c5c450343065ab2cfc034d60114362953d144115e35956a8a34d2442ebfb4ca2c95943d8dd0f9f0eb58e563c7f313 |
C:\Users\Admin\AppData\Local\Temp\kfd1uqptmt.exe
| MD5 | 060f3da224758a17ba766353dccd4d82 |
| SHA1 | b58ba5133ecb4ed8968733b2207058505fbefdf3 |
| SHA256 | 9ef5644ff3befc763b4ab7b8bf0ba7e8ebda43d98e5e8d753f95fe9cdaec7645 |
| SHA512 | af06364339814b4c9058f3acf2214842e381f988f87b4b694bcb06cb55cf749d76e117ef2fc4a0f80c530d0ef51e6ee3171045d37a260e6456c0f363b41baaa7 |