Analysis Overview
SHA256
81043d92ed7cbbb062c61a78e1ccd3d9a038f9d26a4527ae575832f2f9b56a09
Threat Level: Known bad
The file 839f5ff107b46c8b78d477f1439cdf39_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
LatentBot
Latentbot family
Loads dropped DLL
Executes dropped EXE
Adds Run key to start application
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious use of WriteProcessMemory
Enumerates system info in registry
Suspicious use of AdjustPrivilegeToken
Checks processor information in registry
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-31 19:07
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-31 19:07
Reported
2024-10-31 19:11
Platform
win7-20240903-en
Max time kernel
148s
Max time network
130s
Command Line
Signatures
LatentBot
Latentbot family
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\UPDATE~1.EXE | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\FAST_A~1.EXE | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-HIC7P.tmp\is-58164.tmp | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\UPDATE~1.EXE | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\UPDATE~1.EXE | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\UPDATE~1.EXE | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\FAST_A~1.EXE | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\FAST_A~1.EXE | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\FAST_A~1.EXE | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\FAST_A~1.EXE | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-HIC7P.tmp\is-58164.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-HIC7P.tmp\is-58164.tmp | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\839f5ff107b46c8b78d477f1439cdf39_JaffaCakes118.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\FAST_A~1.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\is-HIC7P.tmp\is-58164.tmp | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\UPDATE~1.EXE | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\UPDATE~1.EXE | N/A |
| Token: 33 (privilege value 33 = SeIncreaseWorkingSetPrivilege) | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\UPDATE~1.EXE | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\UPDATE~1.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\839f5ff107b46c8b78d477f1439cdf39_JaffaCakes118.exe | "C:\Users\Admin\AppData\Local\Temp\839f5ff107b46c8b78d477f1439cdf39_JaffaCakes118.exe" |
| C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\UPDATE~1.EXE | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\UPDATE~1.EXE |
| C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe | dw20.exe -x -s 676 |
| C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\FAST_A~1.EXE | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\FAST_A~1.EXE |
| C:\Users\Admin\AppData\Local\Temp\is-HIC7P.tmp\is-58164.tmp | "C:\Users\Admin\AppData\Local\Temp\is-HIC7P.tmp\is-58164.tmp" /SL4 $60152 "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\FAST_A~1.EXE" 2732289 52224 |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | lovelybones.zapto.org | udp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\UPDATE~1.EXE
| MD5 | 53e20136fde828389300216192e06590 |
| SHA1 | 95bfd1348116ead9b952e19372c4107a08b8582d |
| SHA256 | 7149a4adcbbda8dc77124811e8dfa001d15f5405db6fd67a6dea8bd43abccbae |
| SHA512 | 83509f1f323ef28918193e6087864ca2199219c682f08dd8be6be0becb4ec24796761cba31d0c6590b543246597c6f3b97de30e4bf8ee5cdaabee5fbca264661 |
memory/1884-11-0x0000000074012000-0x0000000074014000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\FAST_A~1.EXE
| MD5 | fa770683d20f1900d9c9ea170519d524 |
| SHA1 | 614ba24b671c7c0efd3614874f6fed8f6cb8cdcc |
| SHA256 | 292fa280d62a9a8b7f6dbcbf925bee608328bed641377dc8803ad54c4315a10e |
| SHA512 | b31a1246017e421c4fcbb170fc8979f6da742d06dc706a759489508e50e36427e0293fd8baa7508515a943fa1618fad905994bd0a9ea920d5a4141b0778372f1 |
memory/2372-20-0x0000000000400000-0x0000000000413000-memory.dmp
\Users\Admin\AppData\Local\Temp\is-HIC7P.tmp\is-58164.tmp
| MD5 | 3c9f925549a51f9017e08a072332fa47 |
| SHA1 | 1bff860e744467a58ef986b1016a4454844f5ad7 |
| SHA256 | 1eb6ba689a47d91d01c9b3caa93daacec49c7b6daafb217678b9ad8f545c8ac2 |
| SHA512 | 86112ec0d9f4254bceb0a576bc03e09384a15a4a5e94b08ca65ddfbc60d9d8d459885138c2644c9309ac86bca0b86d41c92dbc8ed23d7d381cdbeb2d7963ec18 |
\Users\Admin\AppData\Local\Temp\is-7ME5H.tmp\_isetup\_shfoldr.dll
| MD5 | 92dc6ef532fbb4a5c3201469a5b5eb63 |
| SHA1 | 3e89ff837147c16b4e41c30d6c796374e0b8e62c |
| SHA256 | 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87 |
| SHA512 | 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3 |
memory/2372-34-0x0000000000400000-0x0000000000413000-memory.dmp
memory/2884-35-0x0000000000400000-0x00000000004CF000-memory.dmp
memory/2884-37-0x0000000000400000-0x00000000004CF000-memory.dmp
memory/2884-39-0x0000000000400000-0x00000000004CF000-memory.dmp
memory/2884-41-0x0000000000400000-0x00000000004CF000-memory.dmp
memory/2884-43-0x0000000000400000-0x00000000004CF000-memory.dmp
memory/2884-45-0x0000000000400000-0x00000000004CF000-memory.dmp
memory/2884-47-0x0000000000400000-0x00000000004CF000-memory.dmp
memory/2884-49-0x0000000000400000-0x00000000004CF000-memory.dmp
memory/2884-51-0x0000000000400000-0x00000000004CF000-memory.dmp
memory/2884-53-0x0000000000400000-0x00000000004CF000-memory.dmp
memory/2884-55-0x0000000000400000-0x00000000004CF000-memory.dmp
memory/2884-57-0x0000000000400000-0x00000000004CF000-memory.dmp
memory/2884-59-0x0000000000400000-0x00000000004CF000-memory.dmp
memory/2884-61-0x0000000000400000-0x00000000004CF000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-31 19:07
Reported
2024-10-31 19:10
Platform
win10v2004-20241007-en
Max time kernel
149s
Max time network
142s
Command Line
Signatures
LatentBot
Latentbot family
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\UPDATE~1.EXE | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\FAST_A~1.EXE | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-4G3UL.tmp\is-LE4TO.tmp | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\839f5ff107b46c8b78d477f1439cdf39_JaffaCakes118.exe | N/A |
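The RunOnce value above (the behavioral1 run records the identical entry) is not persistence for the payload. IXP000.TMP is the directory wextract.exe creates when it unpacks an IExpress self-extracting package, and wextract_cleanup0 is the value wextract itself writes so that advpack.dll's DelNodeRunDLL32 deletes that directory at the next logon. Whatever persistence the dropped executables may set up is therefore not what this signature caught. The Python below is an added example, not part of the report, that separates that cleanup entry from a genuine Run-key autostart and from a RunOnce directory wipe aimed elsewhere. The first event is the report's own entry, rendered exactly as the sandbox prints it (backslashes doubled, quotes escaped); the other two events, their registry paths and file names are constructed for contrast.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Verdicts. WEXTRACT_CLEANUP is the bucket the report's own entry lands in:
# the value only schedules deletion of the IXP000.TMP staging directory.
WEXTRACT_CLEANUP = "wextract-cleanup"
DIR_WIPE = "runonce-dir-wipe"
PERSISTENCE = "persistence-candidate"

AUTORUN_KEY = re.compile(
    r"\\CurrentVersion\\(?P<kind>Run|RunOnce)\\(?P<name>[^\\]+)$", re.IGNORECASE)
DELNODE = re.compile(
    r'advpack\.dll,DelNodeRunDLL32\s+"?(?P<dir>[^"]+?)"?\s*$', re.IGNORECASE)
WEXTRACT_DIR = re.compile(r"\\IXP\d{3}\.TMP\\?$", re.IGNORECASE)
FIRST_TOKEN = re.compile(r'\s*"(?P<q>[^"]+)"|\s*(?P<u>\S+)')


@dataclass
class AutorunFinding:
    key: str
    kind: str      # "Run" or "RunOnce"
    name: str      # value name under that key
    verdict: str
    target: str    # directory to be deleted, or image launched at logon


def unescape_sandbox_value(value: str) -> str:
    # Sandbox reports render one backslash as two and a quote as \"; undo that
    # only when the doubled form is present so a raw registry string passes through.
    if "\\\\" in value:
        value = value.replace('\\"', '"').replace("\\\\", "\\")
    return value


def classify_autorun(key: str, value: str) -> Optional[AutorunFinding]:
    m = AUTORUN_KEY.search(key)
    if not m:
        return None                       # not a Run/RunOnce value, out of scope
    kind, name = m.group("kind"), m.group("name")
    value = unescape_sandbox_value(value)
    d = DELNODE.search(value)
    if d:
        target = d.group("dir")
        # wextract's own housekeeping: RunOnce + DelNodeRunDLL32 + IXPnnn.TMP + value name
        if WEXTRACT_DIR.search(target) and name.lower().startswith("wextract_cleanup"):
            return AutorunFinding(key, kind, name, WEXTRACT_CLEANUP, target)
        # same API pointed at some other directory: evidence removal, look there before reboot
        return AutorunFinding(key, kind, name, DIR_WIPE, target)
    # anything else: the first token (quoted or bare) is the image run at logon
    t = FIRST_TOKEN.match(value)
    target = (t.group("q") or t.group("u")) if t else value
    return AutorunFinding(key, kind, name, PERSISTENCE, target)


def triage(events: List[Tuple[str, str]]) -> List[AutorunFinding]:
    return [f for f in (classify_autorun(k, v) for k, v in events) if f]


# Constructed events: [0] is the report's entry as the sandbox renders it;
# [1] and [2] are hypothetical (paths and names invented for contrast).
SAMPLE_EVENTS = [
    (r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0",
     r'rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"'),
    (r"\REGISTRY\USER\S-1-5-21-0-0-0-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater",
     r'"C:\Users\Admin\AppData\Roaming\svc\update.exe" /silent'),
    (r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\cleanup1",
     r'rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Roaming\svc\"'),
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"{f.kind}\\{f.name}: {f.verdict} -> {f.target}")
```

The value-name check matters: DelNodeRunDLL32 against an IXPnnn.TMP directory under a differently named RunOnce value would be unusual and is deliberately reported as a directory wipe rather than as benign cleanup.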
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\UPDATE~1.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\FAST_A~1.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\is-4G3UL.tmp\is-LE4TO.tmp | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\UPDATE~1.EXE | N/A |
| Token: 33 (privilege value 33 = SeIncreaseWorkingSetPrivilege) | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\UPDATE~1.EXE | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\UPDATE~1.EXE | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\839f5ff107b46c8b78d477f1439cdf39_JaffaCakes118.exe | "C:\Users\Admin\AppData\Local\Temp\839f5ff107b46c8b78d477f1439cdf39_JaffaCakes118.exe" |
| C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\UPDATE~1.EXE | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\UPDATE~1.EXE |
| C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe | dw20.exe -x -s 1052 |
| C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\FAST_A~1.EXE | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\FAST_A~1.EXE |
| C:\Users\Admin\AppData\Local\Temp\is-4G3UL.tmp\is-LE4TO.tmp | "C:\Users\Admin\AppData\Local\Temp\is-4G3UL.tmp\is-LE4TO.tmp" /SL4 $50092 "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\FAST_A~1.EXE" 2732289 52224 |
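Both process lists (this run and behavioral1) show the same chain. The sample unpacks into IXP000.TMP and runs two executables by their 8.3 short names, so the long file names are not in the report and have to be recovered from the dropped files. FAST_A~1.EXE is an Inno Setup installer: it copies its setup stub to a random is-XXXXX.tmp directory and re-executes that copy with /SL4, a handle value and the path of the original installer, which is the file worth pivoting to. dw20.exe is the .NET Framework 2.0 error reporting shim and runs when a managed process raises an unhandled exception, so the registry reads and SeBackupPrivilege/SeRestorePrivilege enablement attributed to dw20.exe elsewhere in this report are crash-reporter behaviour, not the sample's. The report gives no parent/child links and the example does not infer any. The Python below is an added example, not from the report, that tags each process with those observations and extracts the installer path from the /SL4 command line; its input is constructed from this run's Processes table.

```python
import re
from dataclasses import dataclass, field
from typing import List, Tuple

WEXTRACT_DIR = re.compile(r"\\IXP\d{3}\.TMP\\", re.IGNORECASE)   # wextract/IExpress staging dir
INNO_DIR = re.compile(r"\\is-[A-Z0-9]{5}\.tmp\\", re.IGNORECASE)  # Inno Setup staging dir
SHORT_NAME = re.compile(r"~\d+\.")                                # 8.3 alias such as UPDATE~1.EXE
INNO_SL4 = re.compile(r'/SL4\s+\$[0-9A-Fa-f]+\s+"(?P<orig>[^"]+)"')  # stub re-exec with original installer path
DW20 = re.compile(r"\\dw20\.exe$", re.IGNORECASE)                 # .NET error reporting shim


@dataclass
class ProcFinding:
    image: str
    tags: List[str] = field(default_factory=list)
    pivot: str = ""   # file the analyst should look at next, if the command line names one


def triage_process(image: str, cmdline: str) -> ProcFinding:
    f = ProcFinding(image)
    if WEXTRACT_DIR.search(image):
        f.tags.append("wextract-stage")
    if INNO_DIR.search(image):
        f.tags.append("inno-stage")
    if SHORT_NAME.search(image):
        f.tags.append("8.3-name")          # long name missing from the report, recover it on disk
    m = INNO_SL4.search(cmdline)
    if m:
        f.tags.append("inno-sl4-reexec")
        f.pivot = m.group("orig")          # the real installer, not the tmp copy of its stub
    if DW20.search(image):
        f.tags.append("dotnet-crash-reporter")  # a managed process crashed; its activity is not the sample's
    return f


def triage(procs: List[Tuple[str, str]]) -> List[ProcFinding]:
    return [triage_process(img, cmd) for img, cmd in procs]


# Constructed from the behavioral2 Processes table: (image, command line).
SAMPLE_PROCESSES = [
    (r"C:\Users\Admin\AppData\Local\Temp\839f5ff107b46c8b78d477f1439cdf39_JaffaCakes118.exe",
     r'"C:\Users\Admin\AppData\Local\Temp\839f5ff107b46c8b78d477f1439cdf39_JaffaCakes118.exe"'),
    (r"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\UPDATE~1.EXE",
     r"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\UPDATE~1.EXE"),
    (r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe", "dw20.exe -x -s 1052"),
    (r"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\FAST_A~1.EXE",
     r"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\FAST_A~1.EXE"),
    (r"C:\Users\Admin\AppData\Local\Temp\is-4G3UL.tmp\is-LE4TO.tmp",
     r'"C:\Users\Admin\AppData\Local\Temp\is-4G3UL.tmp\is-LE4TO.tmp" /SL4 $50092 '
     r'"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\FAST_A~1.EXE" 2732289 52224'),
]

if __name__ == "__main__":
    for f in triage(SAMPLE_PROCESSES):
        print(f.image, f.tags, f.pivot or "")
```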
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | lovelybones.zapto.org | udp |
| US | 8.8.8.8:53 | 75.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 150.171.27.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 45.19.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
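Of everything in this table only lovelybones.zapto.org is attributable to the sample: it is the single name resolved in the Windows 7 run as well, and zapto.org is a parent zone of the No-IP dynamic-DNS service, a common rendezvous for bot C2. The in-addr.arpa reverse lookups and the bing.com/bing.net traffic appear only in the Windows 10 run, which is consistent with OS background activity; treating them as noise is an assumption, not something the report states. Note also that the report records only the DNS query for the C2 name and no follow-up TCP connection, so the C2 address is not in this report. The Python below is an added example, not the report's, that applies those rules to flows constructed from the two Network tables and separates "looked up" from "connected"; the list of dynamic-DNS zones is partial.

```python
import re
from collections import Counter
from typing import Dict, List, Tuple

# The one domain the sample itself resolved, in both runs (from the Network tables).
IOC_DOMAINS = {"lovelybones.zapto.org"}

# Parent zones of No-IP's dynamic-DNS service (partial list); zapto.org is the
# one in the report. Any lookup under these deserves a look on its own.
DYNDNS_ZONES = {"zapto.org", "hopto.org", "no-ip.org", "no-ip.biz",
                "ddns.net", "sytes.net", "myftp.org", "servehttp.com"}

# Assumption: bing.com / bing.net is Windows 10 background traffic. It shows up
# only in the win10 run of this sample, never in the win7 run.
OS_BACKGROUND_ZONES = {"bing.com", "bing.net"}

REVERSE_LOOKUP = re.compile(r"\.in-addr\.arpa$", re.IGNORECASE)

Flow = Tuple[str, str, str]   # (destination, domain, proto), as in the report's Network table


def parent_zone(domain: str) -> str:
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify_domain(domain: str) -> str:
    d = domain.lower().rstrip(".")
    if d in IOC_DOMAINS:
        return "ioc"
    if REVERSE_LOOKUP.search(d):
        return "reverse-lookup"
    zone = parent_zone(d)
    if zone in DYNDNS_ZONES:
        return "dyndns"
    if zone in OS_BACKGROUND_ZONES:
        return "os-background"
    return "unknown"


def connected(flows: List[Flow], domain: str) -> bool:
    # True if any flow for the domain went somewhere other than port 53,
    # i.e. the name was not only resolved but actually contacted.
    return any(dom == domain and not dst.endswith(":53") for dst, dom, _ in flows)


def triage(flows: List[Flow]) -> Dict[str, Dict[str, object]]:
    out: Dict[str, Dict[str, object]] = {}
    for _, dom, _ in flows:
        if dom not in out:
            out[dom] = {"verdict": classify_domain(dom), "connected": connected(flows, dom)}
    return out


def summarize(flows: List[Flow]) -> Counter:
    return Counter(v["verdict"] for v in triage(flows).values())


# Constructed from the behavioral1 and behavioral2 Network tables (subset).
SAMPLE_FLOWS = [
    ("8.8.8.8:53", "lovelybones.zapto.org", "udp"),
    ("8.8.8.8:53", "8.8.8.8.in-addr.arpa", "udp"),
    ("8.8.8.8:53", "196.249.167.52.in-addr.arpa", "udp"),
    ("8.8.8.8:53", "g.bing.com", "udp"),
    ("150.171.27.10:443", "g.bing.com", "tcp"),
    ("8.8.8.8:53", "tse1.mm.bing.net", "udp"),
    ("150.171.28.10:443", "tse1.mm.bing.net", "tcp"),
]

if __name__ == "__main__":
    for dom, v in triage(SAMPLE_FLOWS).items():
        print(f"{dom:32} {v['verdict']:16} connected={v['connected']}")
    print(summarize(SAMPLE_FLOWS))
```

The "ioc but not connected" combination is the finding to carry forward: either resolution failed in the sandbox or the bot never reached its C2 during the run, and the C2 address still has to be obtained from a live resolution or passive DNS.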
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\UPDATE~1.EXE
| MD5 | 53e20136fde828389300216192e06590 |
| SHA1 | 95bfd1348116ead9b952e19372c4107a08b8582d |
| SHA256 | 7149a4adcbbda8dc77124811e8dfa001d15f5405db6fd67a6dea8bd43abccbae |
| SHA512 | 83509f1f323ef28918193e6087864ca2199219c682f08dd8be6be0becb4ec24796761cba31d0c6590b543246597c6f3b97de30e4bf8ee5cdaabee5fbca264661 |
memory/2140-7-0x0000000074872000-0x0000000074873000-memory.dmp
memory/2140-8-0x0000000074870000-0x0000000074E21000-memory.dmp
memory/2140-9-0x0000000074870000-0x0000000074E21000-memory.dmp
memory/2140-16-0x0000000074870000-0x0000000074E21000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\FAST_A~1.EXE
| MD5 | fa770683d20f1900d9c9ea170519d524 |
| SHA1 | 614ba24b671c7c0efd3614874f6fed8f6cb8cdcc |
| SHA256 | 292fa280d62a9a8b7f6dbcbf925bee608328bed641377dc8803ad54c4315a10e |
| SHA512 | b31a1246017e421c4fcbb170fc8979f6da742d06dc706a759489508e50e36427e0293fd8baa7508515a943fa1618fad905994bd0a9ea920d5a4141b0778372f1 |
memory/4392-20-0x0000000000400000-0x0000000000413000-memory.dmp
memory/4392-22-0x0000000000401000-0x000000000040A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\is-4G3UL.tmp\is-LE4TO.tmp
| MD5 | 3c9f925549a51f9017e08a072332fa47 |
| SHA1 | 1bff860e744467a58ef986b1016a4454844f5ad7 |
| SHA256 | 1eb6ba689a47d91d01c9b3caa93daacec49c7b6daafb217678b9ad8f545c8ac2 |
| SHA512 | 86112ec0d9f4254bceb0a576bc03e09384a15a4a5e94b08ca65ddfbc60d9d8d459885138c2644c9309ac86bca0b86d41c92dbc8ed23d7d381cdbeb2d7963ec18 |
memory/4392-31-0x0000000000400000-0x0000000000413000-memory.dmp
memory/2932-32-0x0000000000400000-0x00000000004CF000-memory.dmp
memory/2932-34-0x0000000000400000-0x00000000004CF000-memory.dmp
memory/2932-36-0x0000000000400000-0x00000000004CF000-memory.dmp
memory/2932-38-0x0000000000400000-0x00000000004CF000-memory.dmp
memory/2932-40-0x0000000000400000-0x00000000004CF000-memory.dmp
memory/2932-42-0x0000000000400000-0x00000000004CF000-memory.dmp
memory/2932-44-0x0000000000400000-0x00000000004CF000-memory.dmp
memory/2932-46-0x0000000000400000-0x00000000004CF000-memory.dmp
memory/2932-48-0x0000000000400000-0x00000000004CF000-memory.dmp
memory/2932-50-0x0000000000400000-0x00000000004CF000-memory.dmp
memory/2932-52-0x0000000000400000-0x00000000004CF000-memory.dmp
memory/2932-54-0x0000000000400000-0x00000000004CF000-memory.dmp
memory/2932-56-0x0000000000400000-0x00000000004CF000-memory.dmp
memory/2932-58-0x0000000000400000-0x00000000004CF000-memory.dmp
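Across both runs the Inno Setup stub copy appears under different random names (is-HIC7P.tmp\is-58164.tmp in behavioral1, is-4G3UL.tmp\is-LE4TO.tmp here) with identical hashes, and the 8.3 names UPDATE~1.EXE and FAST_A~1.EXE hide the long file names, so a host sweep for these artifacts has to match on content, not on path. Two of the hashes belong to Inno Setup's own components, the setup stub and _isetup\_shfoldr.dll, and are expected to be shared with unrelated installers built with the same Inno Setup version (an assumption), so they are marked weak and should not trigger on their own. The Python below is an added example, not from the report, that builds a hash index from the Files entries of both runs and scans a directory tree against it; the file scanned in demo_scan is constructed and its hash is added to the index at run time, since the real dropped files are not available here.

```python
import hashlib
import os
import tempfile
from typing import Dict, List, Set, Tuple

# SHA-256 values copied from the Files sections of both runs (entries with the
# same path in both runs listed once). Roles are the editor's annotation.
REPORT_FILES = [
    (r"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\UPDATE~1.EXE",
     "7149a4adcbbda8dc77124811e8dfa001d15f5405db6fd67a6dea8bd43abccbae", "dropped-exe"),
    (r"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\FAST_A~1.EXE",
     "292fa280d62a9a8b7f6dbcbf925bee608328bed641377dc8803ad54c4315a10e", "inno-installer"),
    (r"C:\Users\Admin\AppData\Local\Temp\is-HIC7P.tmp\is-58164.tmp",
     "1eb6ba689a47d91d01c9b3caa93daacec49c7b6daafb217678b9ad8f545c8ac2", "inno-stub (weak)"),
    (r"C:\Users\Admin\AppData\Local\Temp\is-4G3UL.tmp\is-LE4TO.tmp",
     "1eb6ba689a47d91d01c9b3caa93daacec49c7b6daafb217678b9ad8f545c8ac2", "inno-stub (weak)"),
    (r"C:\Users\Admin\AppData\Local\Temp\is-7ME5H.tmp\_isetup\_shfoldr.dll",
     "9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87", "inno-helper (weak)"),
]

Index = Dict[str, Dict[str, object]]   # sha256 -> {"paths": set(), "role": str}


def build_index(entries: List[Tuple[str, str, str]]) -> Index:
    # Key on the hash so the same artifact under several random paths is one entry.
    idx: Index = {}
    for path, sha, role in entries:
        e = idx.setdefault(sha, {"paths": set(), "role": role})
        e["paths"].add(path)
    return idx


def strong_iocs(index: Index) -> Set[str]:
    return {h for h, e in index.items() if "(weak)" not in e["role"]}


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_tree(root: str, index: Index) -> List[Tuple[str, str, str]]:
    # Returns (path, sha256, role) for every file whose content is in the index.
    hits = []
    for dirpath, _, names in os.walk(root):
        for n in names:
            p = os.path.join(dirpath, n)
            try:
                digest = sha256_file(p)
            except OSError:
                continue                   # unreadable file: skip, do not abort the sweep
            if digest in index:
                hits.append((p, digest, index[digest]["role"]))
    return hits


def demo_scan() -> List[Tuple[str, str, str]]:
    # Constructed: a file under an Inno-style random name, registered by hash,
    # is found by content even though its name matches nothing in the report.
    data = b"constructed sample bytes, not the real dropped file"
    index = build_index(REPORT_FILES)
    index[hashlib.sha256(data).hexdigest()] = {"paths": set(), "role": "constructed"}
    with tempfile.TemporaryDirectory() as root:
        sub = os.path.join(root, "is-ZZZZZ.tmp")
        os.makedirs(sub)
        with open(os.path.join(sub, "is-QQQQQ.tmp"), "wb") as f:
            f.write(data)
        with open(os.path.join(root, "benign.txt"), "wb") as f:
            f.write(b"nothing to see")
        return scan_tree(root, index)


if __name__ == "__main__":
    idx = build_index(REPORT_FILES)
    print(len(idx), "unique artifacts,", len(strong_iocs(idx)), "strong")
    for hit in demo_scan():
        print(hit)
```

Alerting should be keyed on strong_iocs; a weak hit is useful only as corroboration next to a strong one or next to the staging-directory names from the Processes section.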