Analysis Overview
SHA256
8bd7d725ea0970a70e444fc5963b093a0d1e0e5d8aa433f23a1ca1267bdc7efc
Threat Level: Known bad
The file f744f2400e280cbfa73e9d38204228c0_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
Banload
Banload family
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Drops startup file
Checks BIOS information in registry
Unsigned PE
System Location Discovery: System Language Discovery
Modifies registry class
NTFS ADS
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-12-16 04:19
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-12-16 04:19
Reported
2024-12-16 04:22
Platform
win7-20240903-en
Max time kernel
150s
Max time network
150s
Command Line
Signatures
Banload
Banload family
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\f744f2400e280cbfa73e9d38204228c0_JaffaCakes118.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | C:\Users\Admin\AppData\Local\Temp\f744f2400e280cbfa73e9d38204228c0_JaffaCakes118.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\f744f2400e280cbfa73e9d38204228c0_JaffaCakes118.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f744f2400e280cbfa73e9d38204228c0_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\f744f2400e280cbfa73e9d38204228c0_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f744f2400e280cbfa73e9d38204228c0_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\f744f2400e280cbfa73e9d38204228c0_JaffaCakes118.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\f744f2400e280cbfa73e9d38204228c0_JaffaCakes118.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{ED640E68-39DA-B062-9E29-42B19965EFB5} | C:\Users\Admin\AppData\Local\Temp\f744f2400e280cbfa73e9d38204228c0_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{ED640E68-39DA-B062-9E29-42B19965EFB5}\ = "DAO.Index.36" | C:\Users\Admin\AppData\Local\Temp\f744f2400e280cbfa73e9d38204228c0_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{ED640E68-39DA-B062-9E29-42B19965EFB5}\InprocServer32 | C:\Users\Admin\AppData\Local\Temp\f744f2400e280cbfa73e9d38204228c0_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{ED640E68-39DA-B062-9E29-42B19965EFB5}\InprocServer32\ = "%CommonProgramFiles(x86)%\\Microsoft Shared\\DAO\\dao360.dll" | C:\Users\Admin\AppData\Local\Temp\f744f2400e280cbfa73e9d38204228c0_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{ED640E68-39DA-B062-9E29-42B19965EFB5}\InprocServer32\Assembly = "dao, Version=10.0.4504.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" | C:\Users\Admin\AppData\Local\Temp\f744f2400e280cbfa73e9d38204228c0_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{ED640E68-39DA-B062-9E29-42B19965EFB5}\InprocServer32\Class = "dao.IndexClass" | C:\Users\Admin\AppData\Local\Temp\f744f2400e280cbfa73e9d38204228c0_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{ED640E68-39DA-B062-9E29-42B19965EFB5}\InprocServer32\ThreadingModel = "Apartment" | C:\Users\Admin\AppData\Local\Temp\f744f2400e280cbfa73e9d38204228c0_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{ED640E68-39DA-B062-9E29-42B19965EFB5}\ProgID\ = "DAO.Index.36" | C:\Users\Admin\AppData\Local\Temp\f744f2400e280cbfa73e9d38204228c0_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{ED640E68-39DA-B062-9E29-42B19965EFB5}\InprocServer32\RuntimeVersion = "v1.0.3705" | C:\Users\Admin\AppData\Local\Temp\f744f2400e280cbfa73e9d38204228c0_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{ED640E68-39DA-B062-9E29-42B19965EFB5}\ProgID | C:\Users\Admin\AppData\Local\Temp\f744f2400e280cbfa73e9d38204228c0_JaffaCakes118.exe | N/A |
NTFS ADS
| Description | Indicator | Process | Target |
| File created | C:\ProgramData\TEMP:B81F2E31 | C:\Users\Admin\AppData\Local\Temp\f744f2400e280cbfa73e9d38204228c0_JaffaCakes118.exe | N/A |
| File opened for modification | C:\ProgramData\TEMP:B81F2E31 | C:\Users\Admin\AppData\Local\Temp\f744f2400e280cbfa73e9d38204228c0_JaffaCakes118.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\f744f2400e280cbfa73e9d38204228c0_JaffaCakes118.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\f744f2400e280cbfa73e9d38204228c0_JaffaCakes118.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\f744f2400e280cbfa73e9d38204228c0_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f744f2400e280cbfa73e9d38204228c0_JaffaCakes118.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | denge.batcave.net | udp |
| BG | 185.176.43.61:80 | denge.batcave.net | tcp |
| US | 8.8.8.8:53 | dayriyzyith.comeze.com | udp |
| US | 8.8.8.8:53 | N/A | udp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-12-16 04:19
Reported
2024-12-16 04:22
Platform
win10v2004-20241007-en
Max time kernel
146s
Max time network
150s
Command Line
Signatures
Banload
Banload family
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\f744f2400e280cbfa73e9d38204228c0_JaffaCakes118.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\f744f2400e280cbfa73e9d38204228c0_JaffaCakes118.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | C:\Users\Admin\AppData\Local\Temp\f744f2400e280cbfa73e9d38204228c0_JaffaCakes118.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f744f2400e280cbfa73e9d38204228c0_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\f744f2400e280cbfa73e9d38204228c0_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f744f2400e280cbfa73e9d38204228c0_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\f744f2400e280cbfa73e9d38204228c0_JaffaCakes118.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\f744f2400e280cbfa73e9d38204228c0_JaffaCakes118.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{ED640E68-39DA-B062-9E29-42B19965EFB5}\InprocServer32\RuntimeVersion = "v1.0.3705" | C:\Users\Admin\AppData\Local\Temp\f744f2400e280cbfa73e9d38204228c0_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{ED640E68-39DA-B062-9E29-42B19965EFB5}\ProgID | C:\Users\Admin\AppData\Local\Temp\f744f2400e280cbfa73e9d38204228c0_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{ED640E68-39DA-B062-9E29-42B19965EFB5} | C:\Users\Admin\AppData\Local\Temp\f744f2400e280cbfa73e9d38204228c0_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{ED640E68-39DA-B062-9E29-42B19965EFB5}\InprocServer32 | C:\Users\Admin\AppData\Local\Temp\f744f2400e280cbfa73e9d38204228c0_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{ED640E68-39DA-B062-9E29-42B19965EFB5}\InprocServer32\Assembly = "dao, Version=10.0.4504.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" | C:\Users\Admin\AppData\Local\Temp\f744f2400e280cbfa73e9d38204228c0_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{ED640E68-39DA-B062-9E29-42B19965EFB5}\InprocServer32\Class = "dao.IndexClass" | C:\Users\Admin\AppData\Local\Temp\f744f2400e280cbfa73e9d38204228c0_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{ED640E68-39DA-B062-9E29-42B19965EFB5}\InprocServer32\ThreadingModel = "Apartment" | C:\Users\Admin\AppData\Local\Temp\f744f2400e280cbfa73e9d38204228c0_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{ED640E68-39DA-B062-9E29-42B19965EFB5}\ProgID\ = "DAO.Index.36" | C:\Users\Admin\AppData\Local\Temp\f744f2400e280cbfa73e9d38204228c0_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{ED640E68-39DA-B062-9E29-42B19965EFB5}\ = "DAO.Index.36" | C:\Users\Admin\AppData\Local\Temp\f744f2400e280cbfa73e9d38204228c0_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{ED640E68-39DA-B062-9E29-42B19965EFB5}\InprocServer32\ = "%CommonProgramFiles%\\Microsoft Shared\\DAO\\dao360.dll" | C:\Users\Admin\AppData\Local\Temp\f744f2400e280cbfa73e9d38204228c0_JaffaCakes118.exe | N/A |
NTFS ADS
| Description | Indicator | Process | Target |
| File created | C:\ProgramData\TEMP:B81F2E31 | C:\Users\Admin\AppData\Local\Temp\f744f2400e280cbfa73e9d38204228c0_JaffaCakes118.exe | N/A |
| File opened for modification | C:\ProgramData\TEMP:B81F2E31 | C:\Users\Admin\AppData\Local\Temp\f744f2400e280cbfa73e9d38204228c0_JaffaCakes118.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\f744f2400e280cbfa73e9d38204228c0_JaffaCakes118.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\f744f2400e280cbfa73e9d38204228c0_JaffaCakes118.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\f744f2400e280cbfa73e9d38204228c0_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f744f2400e280cbfa73e9d38204228c0_JaffaCakes118.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.130.81.91.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 17.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | denge.batcave.net | udp |
| BG | 185.176.43.61:80 | denge.batcave.net | tcp |
| US | 8.8.8.8:53 | dayriyzyith.comeze.com | udp |
| US | 8.8.8.8:53 | 61.43.176.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
Files