Malware Analysis Report

2025-01-22 23:08

Sample ID 241228-2as6yatncl
Target 2024-12-28_6d9e95ccd5039f49bcc88ea5379b4a29_hijackloader_jaff
SHA256 b1a450ab3ca2b38605981891257e7d37090c5578e71e046411a45c479c234264
Tags banload discovery downloader dropper evasion ransomware trojan
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256

b1a450ab3ca2b38605981891257e7d37090c5578e71e046411a45c479c234264

Threat Level: Known bad

The file 2024-12-28_6d9e95ccd5039f49bcc88ea5379b4a29_hijackloader_jaff was found to be: Known bad.

Malicious Activity Summary

banload discovery downloader dropper evasion ransomware trojan

Banload

Banload family

Renames multiple (118) files with added filename extension

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Renames multiple (191) files with added filename extension

Checks BIOS information in registry

Drops file in Program Files directory

System Location Discovery: System Language Discovery

Unsigned PE

Modifies registry class

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2024-12-28 22:23

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted 2024-12-28 22:23
Reported 2024-12-28 22:25
Platform win7-20240903-en
Max time kernel 150s
Max time network 119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-12-28_6d9e95ccd5039f49bcc88ea5379b4a29_hijackloader_jaff.exe"

Signatures

Banload

trojan dropper downloader banload

Banload family

banload

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\2024-12-28_6d9e95ccd5039f49bcc88ea5379b4a29_hijackloader_jaff.exe | N/A

Renames multiple (118) files with added filename extension

ransomware

Checks BIOS information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | C:\Users\Admin\AppData\Local\Temp\2024-12-28_6d9e95ccd5039f49bcc88ea5379b4a29_hijackloader_jaff.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\2024-12-28_6d9e95ccd5039f49bcc88ea5379b4a29_hijackloader_jaff.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files\7-Zip\Lang\de.txt.tmp | C:\Users\Admin\AppData\Local\Temp\2024-12-28_6d9e95ccd5039f49bcc88ea5379b4a29_hijackloader_jaff.exe | N/A
File created | C:\Program Files\7-Zip\Lang\en.ttt.tmp | C:\Users\Admin\AppData\Local\Temp\2024-12-28_6d9e95ccd5039f49bcc88ea5379b4a29_hijackloader_jaff.exe | N/A
File created | C:\Program Files\7-Zip\Lang\ext.txt.tmp | C:\Users\Admin\AppData\Local\Temp\2024-12-28_6d9e95ccd5039f49bcc88ea5379b4a29_hijackloader_jaff.exe | N/A
File created | C:\Program Files\7-Zip\Lang\cy.txt.tmp | C:\Users\Admin\AppData\Local\Temp\2024-12-28_6d9e95ccd5039f49bcc88ea5379b4a29_hijackloader_jaff.exe | N/A
File created | C:\Program Files\7-Zip\Lang\et.txt.tmp | C:\Users\Admin\AppData\Local\Temp\2024-12-28_6d9e95ccd5039f49bcc88ea5379b4a29_hijackloader_jaff.exe | N/A
File created | C:\Program Files\7-Zip\Lang\af.txt.tmp | C:\Users\Admin\AppData\Local\Temp\2024-12-28_6d9e95ccd5039f49bcc88ea5379b4a29_hijackloader_jaff.exe | N/A
File created | C:\Program Files\7-Zip\Lang\ast.txt.tmp | C:\Users\Admin\AppData\Local\Temp\2024-12-28_6d9e95ccd5039f49bcc88ea5379b4a29_hijackloader_jaff.exe | N/A
File created | C:\Program Files\7-Zip\Lang\ba.txt.tmp | C:\Users\Admin\AppData\Local\Temp\2024-12-28_6d9e95ccd5039f49bcc88ea5379b4a29_hijackloader_jaff.exe | N/A
File created | C:\Program Files\7-Zip\Lang\an.txt.tmp | C:\Users\Admin\AppData\Local\Temp\2024-12-28_6d9e95ccd5039f49bcc88ea5379b4a29_hijackloader_jaff.exe | N/A
File created | C:\Program Files\7-Zip\Lang\es.txt.tmp | C:\Users\Admin\AppData\Local\Temp\2024-12-28_6d9e95ccd5039f49bcc88ea5379b4a29_hijackloader_jaff.exe | N/A
File created | C:\Program Files\7-Zip\7-zip.dll.tmp | C:\Users\Admin\AppData\Local\Temp\2024-12-28_6d9e95ccd5039f49bcc88ea5379b4a29_hijackloader_jaff.exe | N/A
File created | C:\Program Files\7-Zip\7z.exe.tmp | C:\Users\Admin\AppData\Local\Temp\2024-12-28_6d9e95ccd5039f49bcc88ea5379b4a29_hijackloader_jaff.exe | N/A
File created | C:\Program Files\7-Zip\7zFM.exe.tmp | C:\Users\Admin\AppData\Local\Temp\2024-12-28_6d9e95ccd5039f49bcc88ea5379b4a29_hijackloader_jaff.exe | N/A
File created | C:\Program Files\7-Zip\Lang\ar.txt.tmp | C:\Users\Admin\AppData\Local\Temp\2024-12-28_6d9e95ccd5039f49bcc88ea5379b4a29_hijackloader_jaff.exe | N/A
File created | C:\Program Files\7-Zip\Lang\bg.txt.tmp | C:\Users\Admin\AppData\Local\Temp\2024-12-28_6d9e95ccd5039f49bcc88ea5379b4a29_hijackloader_jaff.exe | N/A
File created | C:\Program Files\7-Zip\Lang\br.txt.tmp | C:\Users\Admin\AppData\Local\Temp\2024-12-28_6d9e95ccd5039f49bcc88ea5379b4a29_hijackloader_jaff.exe | N/A
File created | C:\Program Files\7-Zip\Lang\eu.txt.tmp | C:\Users\Admin\AppData\Local\Temp\2024-12-28_6d9e95ccd5039f49bcc88ea5379b4a29_hijackloader_jaff.exe | N/A
File created | C:\Program Files\7-Zip\Lang\fa.txt.tmp | C:\Users\Admin\AppData\Local\Temp\2024-12-28_6d9e95ccd5039f49bcc88ea5379b4a29_hijackloader_jaff.exe | N/A
File created | C:\Program Files\7-Zip\7z.dll.tmp | C:\Users\Admin\AppData\Local\Temp\2024-12-28_6d9e95ccd5039f49bcc88ea5379b4a29_hijackloader_jaff.exe | N/A
File created | C:\Program Files\7-Zip\7zCon.sfx.tmp | C:\Users\Admin\AppData\Local\Temp\2024-12-28_6d9e95ccd5039f49bcc88ea5379b4a29_hijackloader_jaff.exe | N/A
File created | C:\Program Files\7-Zip\7zG.exe.tmp | C:\Users\Admin\AppData\Local\Temp\2024-12-28_6d9e95ccd5039f49bcc88ea5379b4a29_hijackloader_jaff.exe | N/A
File created | C:\Program Files\7-Zip\Lang\ca.txt.tmp | C:\Users\Admin\AppData\Local\Temp\2024-12-28_6d9e95ccd5039f49bcc88ea5379b4a29_hijackloader_jaff.exe | N/A
File created | C:\Program Files\7-Zip\7z.sfx.tmp | C:\Users\Admin\AppData\Local\Temp\2024-12-28_6d9e95ccd5039f49bcc88ea5379b4a29_hijackloader_jaff.exe | N/A
File created | C:\Program Files\7-Zip\descript.ion.tmp | C:\Users\Admin\AppData\Local\Temp\2024-12-28_6d9e95ccd5039f49bcc88ea5379b4a29_hijackloader_jaff.exe | N/A
File created | C:\Program Files\7-Zip\History.txt.tmp | C:\Users\Admin\AppData\Local\Temp\2024-12-28_6d9e95ccd5039f49bcc88ea5379b4a29_hijackloader_jaff.exe | N/A
File created | C:\Program Files\7-Zip\Lang\be.txt.tmp | C:\Users\Admin\AppData\Local\Temp\2024-12-28_6d9e95ccd5039f49bcc88ea5379b4a29_hijackloader_jaff.exe | N/A
File created | C:\Program Files\7-Zip\Lang\bn.txt.tmp | C:\Users\Admin\AppData\Local\Temp\2024-12-28_6d9e95ccd5039f49bcc88ea5379b4a29_hijackloader_jaff.exe | N/A
File created | C:\Program Files\7-Zip\Lang\cs.txt.tmp | C:\Users\Admin\AppData\Local\Temp\2024-12-28_6d9e95ccd5039f49bcc88ea5379b4a29_hijackloader_jaff.exe | N/A
File created | C:\Program Files\7-Zip\Lang\da.txt.tmp | C:\Users\Admin\AppData\Local\Temp\2024-12-28_6d9e95ccd5039f49bcc88ea5379b4a29_hijackloader_jaff.exe | N/A
File created | C:\Program Files\7-Zip\Lang\eo.txt.tmp | C:\Users\Admin\AppData\Local\Temp\2024-12-28_6d9e95ccd5039f49bcc88ea5379b4a29_hijackloader_jaff.exe | N/A
File created | C:\Program Files\7-Zip\7-zip.chm.tmp | C:\Users\Admin\AppData\Local\Temp\2024-12-28_6d9e95ccd5039f49bcc88ea5379b4a29_hijackloader_jaff.exe | N/A
File created | C:\Program Files\7-Zip\7-zip32.dll.tmp | C:\Users\Admin\AppData\Local\Temp\2024-12-28_6d9e95ccd5039f49bcc88ea5379b4a29_hijackloader_jaff.exe | N/A
File created | C:\Program Files\7-Zip\Lang\az.txt.tmp | C:\Users\Admin\AppData\Local\Temp\2024-12-28_6d9e95ccd5039f49bcc88ea5379b4a29_hijackloader_jaff.exe | N/A
File created | C:\Program Files\7-Zip\Lang\co.txt.tmp | C:\Users\Admin\AppData\Local\Temp\2024-12-28_6d9e95ccd5039f49bcc88ea5379b4a29_hijackloader_jaff.exe | N/A
File created | C:\Program Files\7-Zip\Lang\el.txt.tmp | C:\Users\Admin\AppData\Local\Temp\2024-12-28_6d9e95ccd5039f49bcc88ea5379b4a29_hijackloader_jaff.exe | N/A

System Location Discovery: System Language Discovery

discovery

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2024-12-28_6d9e95ccd5039f49bcc88ea5379b4a29_hijackloader_jaff.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\ProgID\ = "Scriptlet.Constructor" | C:\Users\Admin\AppData\Local\Temp\2024-12-28_6d9e95ccd5039f49bcc88ea5379b4a29_hijackloader_jaff.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2} | C:\Users\Admin\AppData\Local\Temp\2024-12-28_6d9e95ccd5039f49bcc88ea5379b4a29_hijackloader_jaff.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\ = "Constructor that allows hosts better control creating scriptlets" | C:\Users\Admin\AppData\Local\Temp\2024-12-28_6d9e95ccd5039f49bcc88ea5379b4a29_hijackloader_jaff.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32 | C:\Users\Admin\AppData\Local\Temp\2024-12-28_6d9e95ccd5039f49bcc88ea5379b4a29_hijackloader_jaff.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32\ = "C:\\Windows\\SysWOW64\\scrobj.dll" | C:\Users\Admin\AppData\Local\Temp\2024-12-28_6d9e95ccd5039f49bcc88ea5379b4a29_hijackloader_jaff.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32\ThreadingModel = "Apartment" | C:\Users\Admin\AppData\Local\Temp\2024-12-28_6d9e95ccd5039f49bcc88ea5379b4a29_hijackloader_jaff.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\ProgID | C:\Users\Admin\AppData\Local\Temp\2024-12-28_6d9e95ccd5039f49bcc88ea5379b4a29_hijackloader_jaff.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-12-28_6d9e95ccd5039f49bcc88ea5379b4a29_hijackloader_jaff.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-12-28_6d9e95ccd5039f49bcc88ea5379b4a29_hijackloader_jaff.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2024-12-28_6d9e95ccd5039f49bcc88ea5379b4a29_hijackloader_jaff.exe

"C:\Users\Admin\AppData\Local\Temp\2024-12-28_6d9e95ccd5039f49bcc88ea5379b4a29_hijackloader_jaff.exe"

Network

N/A

Files

memory/2436-0-0x0000000000400000-0x0000000000616000-memory.dmp

memory/2436-1-0x0000000002FB0000-0x00000000031BC000-memory.dmp

memory/2436-8-0x0000000002FB0000-0x00000000031BC000-memory.dmp

memory/2436-12-0x0000000000400000-0x0000000000616000-memory.dmp

memory/2436-11-0x0000000000400000-0x0000000000616000-memory.dmp

memory/2436-13-0x0000000002FB0000-0x00000000031BC000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-3063565911-2056067323-3330884624-1000\desktop.ini.tmp

MD5 6835c19e5c3a4020bf7651e0c9943320
SHA1 fcd69c7f3f1ab6425cfd2d2798b7a6e58dba9f4d
SHA256 a85ce746850b884c840c58b50b94d662a93034b87febf7a39daa5d81f6a176c7
SHA512 a299600f0d158daabd98c589ebff3766e6bfa7d1bba798f2466c651a9c0d02bceb540e63b3cff2133e0a28b7eb46f6d39ee7205a5990282c50281bde67c78180

memory/2436-20-0x0000000002FB0000-0x00000000031BC000-memory.dmp

memory/2436-19-0x0000000002FB0000-0x00000000031BC000-memory.dmp

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

MD5 34cc7ffb0ca3f8b33fdab467ad358ed4
SHA1 584d0c1b52e3a14ccaabcf772eacbfb1bbcc8838
SHA256 086f03fa5e04b4b026076d306dd9782aa4c10e97be1c92f24816b23418bdc227
SHA512 f12b0d71f8d7d121bf93bee8ac07abfc0698c1b5ecd668b24a6c63964b7fa9b6daaf2e2f240d03667c7aa531b6b59713711a8c9bce750dd95e6317f7ef9f7e66

memory/2436-27-0x0000000000400000-0x0000000000616000-memory.dmp

memory/2436-31-0x0000000002FB0000-0x00000000031BC000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted 2024-12-28 22:23
Reported 2024-12-28 22:25
Platform win10v2004-20241007-en
Max time kernel 149s
Max time network 152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-12-28_6d9e95ccd5039f49bcc88ea5379b4a29_hijackloader_jaff.exe"

Signatures

Banload

trojan dropper downloader banload

Banload family

banload

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\2024-12-28_6d9e95ccd5039f49bcc88ea5379b4a29_hijackloader_jaff.exe | N/A

Renames multiple (191) files with added filename extension

ransomware

Checks BIOS information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\2024-12-28_6d9e95ccd5039f49bcc88ea5379b4a29_hijackloader_jaff.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | C:\Users\Admin\AppData\Local\Temp\2024-12-28_6d9e95ccd5039f49bcc88ea5379b4a29_hijackloader_jaff.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files\7-Zip\Lang\uz-cyrl.txt.tmp | C:\Users\Admin\AppData\Local\Temp\2024-12-28_6d9e95ccd5039f49bcc88ea5379b4a29_hijackloader_jaff.exe | N/A
File created | C:\Program Files\7-Zip\License.txt.tmp | C:\Users\Admin\AppData\Local\Temp\2024-12-28_6d9e95ccd5039f49bcc88ea5379b4a29_hijackloader_jaff.exe | N/A
File created | C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-processthreads-l1-1-1.dll.tmp | C:\Users\Admin\AppData\Local\Temp\2024-12-28_6d9e95ccd5039f49bcc88ea5379b4a29_hijackloader_jaff.exe | N/A
File created | C:\Program Files\7-Zip\descript.ion.tmp | C:\Users\Admin\AppData\Local\Temp\2024-12-28_6d9e95ccd5039f49bcc88ea5379b4a29_hijackloader_jaff.exe | N/A
File created | C:\Program Files\7-Zip\Lang\ext.txt.tmp | C:\Users\Admin\AppData\Local\Temp\2024-12-28_6d9e95ccd5039f49bcc88ea5379b4a29_hijackloader_jaff.exe | N/A
File created | C:\Program Files\7-Zip\Lang\ja.txt.tmp | C:\Users\Admin\AppData\Local\Temp\2024-12-28_6d9e95ccd5039f49bcc88ea5379b4a29_hijackloader_jaff.exe | N/A
File created | C:\Program Files\7-Zip\Lang\tr.txt.tmp | C:\Users\Admin\AppData\Local\Temp\2024-12-28_6d9e95ccd5039f49bcc88ea5379b4a29_hijackloader_jaff.exe | N/A
File created | C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.lv-lv.dll.tmp | C:\Users\Admin\AppData\Local\Temp\2024-12-28_6d9e95ccd5039f49bcc88ea5379b4a29_hijackloader_jaff.exe | N/A
File created | C:\Program Files\7-Zip\7-zip32.dll.tmp | C:\Users\Admin\AppData\Local\Temp\2024-12-28_6d9e95ccd5039f49bcc88ea5379b4a29_hijackloader_jaff.exe | N/A
File created | C:\Program Files\7-Zip\Lang\ca.txt.tmp | C:\Users\Admin\AppData\Local\Temp\2024-12-28_6d9e95ccd5039f49bcc88ea5379b4a29_hijackloader_jaff.exe | N/A
File created | C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-math-l1-1-0.dll.tmp | C:\Users\Admin\AppData\Local\Temp\2024-12-28_6d9e95ccd5039f49bcc88ea5379b4a29_hijackloader_jaff.exe | N/A
File created | C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVManifest.dll.tmp | C:\Users\Admin\AppData\Local\Temp\2024-12-28_6d9e95ccd5039f49bcc88ea5379b4a29_hijackloader_jaff.exe | N/A
File created | C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVClient.man.tmp | C:\Users\Admin\AppData\Local\Temp\2024-12-28_6d9e95ccd5039f49bcc88ea5379b4a29_hijackloader_jaff.exe | N/A
File created | C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.kk-kz.dll.tmp | C:\Users\Admin\AppData\Local\Temp\2024-12-28_6d9e95ccd5039f49bcc88ea5379b4a29_hijackloader_jaff.exe | N/A
File created | C:\Program Files\7-Zip\7z.sfx.tmp | C:\Users\Admin\AppData\Local\Temp\2024-12-28_6d9e95ccd5039f49bcc88ea5379b4a29_hijackloader_jaff.exe | N/A
File created | C:\Program Files\7-Zip\Lang\zh-tw.txt.tmp | C:\Users\Admin\AppData\Local\Temp\2024-12-28_6d9e95ccd5039f49bcc88ea5379b4a29_hijackloader_jaff.exe | N/A
File created | C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-multibyte-l1-1-0.dll.tmp | C:\Users\Admin\AppData\Local\Temp\2024-12-28_6d9e95ccd5039f49bcc88ea5379b4a29_hijackloader_jaff.exe | N/A
File created | C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-runtime-l1-1-0.dll.tmp | C:\Users\Admin\AppData\Local\Temp\2024-12-28_6d9e95ccd5039f49bcc88ea5379b4a29_hijackloader_jaff.exe | N/A
File created | C:\Program Files\7-Zip\Lang\ko.txt.tmp | C:\Users\Admin\AppData\Local\Temp\2024-12-28_6d9e95ccd5039f49bcc88ea5379b4a29_hijackloader_jaff.exe | N/A
File created | C:\Program Files\7-Zip\Lang\sw.txt.tmp | C:\Users\Admin\AppData\Local\Temp\2024-12-28_6d9e95ccd5039f49bcc88ea5379b4a29_hijackloader_jaff.exe | N/A
File created | C:\Program Files\7-Zip\Lang\tg.txt.tmp | C:\Users\Admin\AppData\Local\Temp\2024-12-28_6d9e95ccd5039f49bcc88ea5379b4a29_hijackloader_jaff.exe | N/A
File created | C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-convert-l1-1-0.dll.tmp | C:\Users\Admin\AppData\Local\Temp\2024-12-28_6d9e95ccd5039f49bcc88ea5379b4a29_hijackloader_jaff.exe | N/A
File created | C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-environment-l1-1-0.dll.tmp | C:\Users\Admin\AppData\Local\Temp\2024-12-28_6d9e95ccd5039f49bcc88ea5379b4a29_hijackloader_jaff.exe | N/A
File created | C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVIsvStreamingManager.dll.tmp | C:\Users\Admin\AppData\Local\Temp\2024-12-28_6d9e95ccd5039f49bcc88ea5379b4a29_hijackloader_jaff.exe | N/A
File created | C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVScripting.dll.tmp | C:\Users\Admin\AppData\Local\Temp\2024-12-28_6d9e95ccd5039f49bcc88ea5379b4a29_hijackloader_jaff.exe | N/A
File created | C:\Program Files\7-Zip\Lang\cs.txt.tmp | C:\Users\Admin\AppData\Local\Temp\2024-12-28_6d9e95ccd5039f49bcc88ea5379b4a29_hijackloader_jaff.exe | N/A
File created | C:\Program Files\7-Zip\Lang\io.txt.tmp | C:\Users\Admin\AppData\Local\Temp\2024-12-28_6d9e95ccd5039f49bcc88ea5379b4a29_hijackloader_jaff.exe | N/A
File created | C:\Program Files\7-Zip\Lang\ka.txt.tmp | C:\Users\Admin\AppData\Local\Temp\2024-12-28_6d9e95ccd5039f49bcc88ea5379b4a29_hijackloader_jaff.exe | N/A
File created | C:\Program Files\7-Zip\Lang\ru.txt.tmp | C:\Users\Admin\AppData\Local\Temp\2024-12-28_6d9e95ccd5039f49bcc88ea5379b4a29_hijackloader_jaff.exe | N/A
File created | C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RHeartbeatConfig.xml.tmp | C:\Users\Admin\AppData\Local\Temp\2024-12-28_6d9e95ccd5039f49bcc88ea5379b4a29_hijackloader_jaff.exe | N/A
File created | C:\Program Files\7-Zip\Lang\mn.txt.tmp | C:\Users\Admin\AppData\Local\Temp\2024-12-28_6d9e95ccd5039f49bcc88ea5379b4a29_hijackloader_jaff.exe | N/A
File created | C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.cs-cz.dll.tmp | C:\Users\Admin\AppData\Local\Temp\2024-12-28_6d9e95ccd5039f49bcc88ea5379b4a29_hijackloader_jaff.exe | N/A
File created | C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.ko-kr.dll.tmp | C:\Users\Admin\AppData\Local\Temp\2024-12-28_6d9e95ccd5039f49bcc88ea5379b4a29_hijackloader_jaff.exe | N/A
File created | C:\Program Files\7-Zip\Lang\az.txt.tmp | C:\Users\Admin\AppData\Local\Temp\2024-12-28_6d9e95ccd5039f49bcc88ea5379b4a29_hijackloader_jaff.exe | N/A
File created | C:\Program Files\7-Zip\Lang\fa.txt.tmp | C:\Users\Admin\AppData\Local\Temp\2024-12-28_6d9e95ccd5039f49bcc88ea5379b4a29_hijackloader_jaff.exe | N/A
File created | C:\Program Files\7-Zip\Lang\fi.txt.tmp | C:\Users\Admin\AppData\Local\Temp\2024-12-28_6d9e95ccd5039f49bcc88ea5379b4a29_hijackloader_jaff.exe | N/A
File created | C:\Program Files\7-Zip\Lang\is.txt.tmp | C:\Users\Admin\AppData\Local\Temp\2024-12-28_6d9e95ccd5039f49bcc88ea5379b4a29_hijackloader_jaff.exe | N/A
File created | C:\Program Files\7-Zip\Lang\mk.txt.tmp | C:\Users\Admin\AppData\Local\Temp\2024-12-28_6d9e95ccd5039f49bcc88ea5379b4a29_hijackloader_jaff.exe | N/A
File created | C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-file-l2-1-0.dll.tmp | C:\Users\Admin\AppData\Local\Temp\2024-12-28_6d9e95ccd5039f49bcc88ea5379b4a29_hijackloader_jaff.exe | N/A
File created | C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.ar-sa.dll.tmp | C:\Users\Admin\AppData\Local\Temp\2024-12-28_6d9e95ccd5039f49bcc88ea5379b4a29_hijackloader_jaff.exe | N/A
File created | C:\Program Files\7-Zip\Lang\lt.txt.tmp | C:\Users\Admin\AppData\Local\Temp\2024-12-28_6d9e95ccd5039f49bcc88ea5379b4a29_hijackloader_jaff.exe | N/A
File created | C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-xstate-l2-1-0.dll.tmp | C:\Users\Admin\AppData\Local\Temp\2024-12-28_6d9e95ccd5039f49bcc88ea5379b4a29_hijackloader_jaff.exe | N/A
File created | C:\Program Files\7-Zip\7z.exe.tmp | C:\Users\Admin\AppData\Local\Temp\2024-12-28_6d9e95ccd5039f49bcc88ea5379b4a29_hijackloader_jaff.exe | N/A
File created | C:\Program Files\7-Zip\History.txt.tmp | C:\Users\Admin\AppData\Local\Temp\2024-12-28_6d9e95ccd5039f49bcc88ea5379b4a29_hijackloader_jaff.exe | N/A
File created | C:\Program Files\7-Zip\Lang\co.txt.tmp | C:\Users\Admin\AppData\Local\Temp\2024-12-28_6d9e95ccd5039f49bcc88ea5379b4a29_hijackloader_jaff.exe | N/A
File created | C:\Program Files\7-Zip\Lang\el.txt.tmp | C:\Users\Admin\AppData\Local\Temp\2024-12-28_6d9e95ccd5039f49bcc88ea5379b4a29_hijackloader_jaff.exe | N/A
File created | C:\Program Files\7-Zip\Lang\sr-spc.txt.tmp | C:\Users\Admin\AppData\Local\Temp\2024-12-28_6d9e95ccd5039f49bcc88ea5379b4a29_hijackloader_jaff.exe | N/A
File created | C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-timezone-l1-1-0.dll.tmp | C:\Users\Admin\AppData\Local\Temp\2024-12-28_6d9e95ccd5039f49bcc88ea5379b4a29_hijackloader_jaff.exe | N/A
File created | C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe.tmp | C:\Users\Admin\AppData\Local\Temp\2024-12-28_6d9e95ccd5039f49bcc88ea5379b4a29_hijackloader_jaff.exe | N/A
File created | C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.en-us.dll.tmp | C:\Users\Admin\AppData\Local\Temp\2024-12-28_6d9e95ccd5039f49bcc88ea5379b4a29_hijackloader_jaff.exe | N/A
File created | C:\Program Files\7-Zip\Lang\af.txt.tmp | C:\Users\Admin\AppData\Local\Temp\2024-12-28_6d9e95ccd5039f49bcc88ea5379b4a29_hijackloader_jaff.exe | N/A
File created | C:\Program Files\7-Zip\Lang\an.txt.tmp | C:\Users\Admin\AppData\Local\Temp\2024-12-28_6d9e95ccd5039f49bcc88ea5379b4a29_hijackloader_jaff.exe | N/A
File created | C:\Program Files\7-Zip\Lang\hu.txt.tmp | C:\Users\Admin\AppData\Local\Temp\2024-12-28_6d9e95ccd5039f49bcc88ea5379b4a29_hijackloader_jaff.exe | N/A
File created | C:\Program Files\7-Zip\Lang\kab.txt.tmp | C:\Users\Admin\AppData\Local\Temp\2024-12-28_6d9e95ccd5039f49bcc88ea5379b4a29_hijackloader_jaff.exe | N/A
File created | C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.es-es.dll.tmp | C:\Users\Admin\AppData\Local\Temp\2024-12-28_6d9e95ccd5039f49bcc88ea5379b4a29_hijackloader_jaff.exe | N/A
File created | C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.ro-ro.dll.tmp | C:\Users\Admin\AppData\Local\Temp\2024-12-28_6d9e95ccd5039f49bcc88ea5379b4a29_hijackloader_jaff.exe | N/A
File created | C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.lt-lt.dll.tmp | C:\Users\Admin\AppData\Local\Temp\2024-12-28_6d9e95ccd5039f49bcc88ea5379b4a29_hijackloader_jaff.exe | N/A
File created | C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.nb-no.dll.tmp | C:\Users\Admin\AppData\Local\Temp\2024-12-28_6d9e95ccd5039f49bcc88ea5379b4a29_hijackloader_jaff.exe | N/A
File created | C:\Program Files\7-Zip\Lang\eo.txt.tmp | C:\Users\Admin\AppData\Local\Temp\2024-12-28_6d9e95ccd5039f49bcc88ea5379b4a29_hijackloader_jaff.exe | N/A
File created | C:\Program Files\7-Zip\Lang\ne.txt.tmp | C:\Users\Admin\AppData\Local\Temp\2024-12-28_6d9e95ccd5039f49bcc88ea5379b4a29_hijackloader_jaff.exe | N/A
File created | C:\Program Files\7-Zip\Lang\pt.txt.tmp | C:\Users\Admin\AppData\Local\Temp\2024-12-28_6d9e95ccd5039f49bcc88ea5379b4a29_hijackloader_jaff.exe | N/A
File created | C:\Program Files\7-Zip\Lang\sv.txt.tmp | C:\Users\Admin\AppData\Local\Temp\2024-12-28_6d9e95ccd5039f49bcc88ea5379b4a29_hijackloader_jaff.exe | N/A
File created | C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-filesystem-l1-1-0.dll.tmp | C:\Users\Admin\AppData\Local\Temp\2024-12-28_6d9e95ccd5039f49bcc88ea5379b4a29_hijackloader_jaff.exe | N/A
File created | C:\Program Files\Common Files\microsoft shared\ClickToRun\ApiClient.dll.tmp | C:\Users\Admin\AppData\Local\Temp\2024-12-28_6d9e95ccd5039f49bcc88ea5379b4a29_hijackloader_jaff.exe | N/A

System Location Discovery: System Language Discovery

discovery

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2024-12-28_6d9e95ccd5039f49bcc88ea5379b4a29_hijackloader_jaff.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InProcServer32\ThreadingModel = "Both" | C:\Users\Admin\AppData\Local\Temp\2024-12-28_6d9e95ccd5039f49bcc88ea5379b4a29_hijackloader_jaff.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2} | C:\Users\Admin\AppData\Local\Temp\2024-12-28_6d9e95ccd5039f49bcc88ea5379b4a29_hijackloader_jaff.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\Containers | C:\Users\Admin\AppData\Local\Temp\2024-12-28_6d9e95ccd5039f49bcc88ea5379b4a29_hijackloader_jaff.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InProcServer32 | C:\Users\Admin\AppData\Local\Temp\2024-12-28_6d9e95ccd5039f49bcc88ea5379b4a29_hijackloader_jaff.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InProcServer32\ = "%SystemRoot%\\SysWow64\\windowscodecsext.dll" | C:\Users\Admin\AppData\Local\Temp\2024-12-28_6d9e95ccd5039f49bcc88ea5379b4a29_hijackloader_jaff.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-12-28_6d9e95ccd5039f49bcc88ea5379b4a29_hijackloader_jaff.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-12-28_6d9e95ccd5039f49bcc88ea5379b4a29_hijackloader_jaff.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2024-12-28_6d9e95ccd5039f49bcc88ea5379b4a29_hijackloader_jaff.exe

"C:\Users\Admin\AppData\Local\Temp\2024-12-28_6d9e95ccd5039f49bcc88ea5379b4a29_hijackloader_jaff.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 73.144.22.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 73.31.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp
US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 17.173.189.20.in-addr.arpa | udp

Files

memory/3584-0-0x0000000000400000-0x0000000000616000-memory.dmp

memory/3584-2-0x0000000004390000-0x000000000459C000-memory.dmp

memory/3584-9-0x0000000004390000-0x000000000459C000-memory.dmp

memory/3584-12-0x0000000000400000-0x0000000000616000-memory.dmp

memory/3584-13-0x0000000000400000-0x0000000000616000-memory.dmp

memory/3584-14-0x0000000004390000-0x000000000459C000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-2045521122-590294423-3465680274-1000\desktop.ini.tmp

MD5 21a009df87dcfdbdcd33dc874709c18b
SHA1 09f8f04940544d76fac4bf9b1df5d712416c2d8c
SHA256 f6f4d7c7de902c70fd0a93ed498b3b9e87fcb672af581d476bad42fff9c6ffbb
SHA512 f59141a5540b11e9f87637501d4243145ffeed4844195e105b5fe16101f1c00aeeaffcef56e53bf0d8353c77a33d1ed1b632c65793fdb41edc145d5c49e6d259

memory/3584-20-0x0000000004390000-0x000000000459C000-memory.dmp

memory/3584-21-0x0000000004390000-0x000000000459C000-memory.dmp

C:\Program Files\7-Zip\7-zip.dll.tmp

MD5 fd1e4fe86d8ff35d3a59c7f50f08ddb1
SHA1 c0bd02e468e413efe9029464deb0f70f733c7891
SHA256 ba98c8e03cea3bdeac979d9150771c7e424dc74a1c8a8fc9ca890f4be35d325e
SHA512 a40285d3630812fe07722697d22144e489eb33b5caae657096fcef7fb54ca5aee7330f6b3a2c4cc76b68c44eb15842e88187c4dc78d3edc8ef047178d20aa920

memory/3584-34-0x0000000000400000-0x0000000000616000-memory.dmp

memory/3584-38-0x0000000004390000-0x000000000459C000-memory.dmp