Analysis Overview
SHA256
b1a450ab3ca2b38605981891257e7d37090c5578e71e046411a45c479c234264
Threat Level: Known bad
The file 2024-12-28_6d9e95ccd5039f49bcc88ea5379b4a29_hijackloader_jaff was found to be: Known bad.
Malicious Activity Summary
Banload
Banload family
Renames multiple (118) files with added filename extension
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Renames multiple (191) files with added filename extension
Checks BIOS information in registry
Drops file in Program Files directory
System Location Discovery: System Language Discovery
Unsigned PE
Modifies registry class
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-12-28 22:23
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-12-28 22:23
Reported
2024-12-28 22:25
Platform
win7-20240903-en
Max time kernel
150s
Max time network
119s
Command Line
Signatures
Banload
Banload family
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\2024-12-28_6d9e95ccd5039f49bcc88ea5379b4a29_hijackloader_jaff.exe | N/A |
Renames multiple (118) files with added filename extension
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | C:\Users\Admin\AppData\Local\Temp\2024-12-28_6d9e95ccd5039f49bcc88ea5379b4a29_hijackloader_jaff.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\2024-12-28_6d9e95ccd5039f49bcc88ea5379b4a29_hijackloader_jaff.exe | N/A |
Drops file in Program Files directory
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2024-12-28_6d9e95ccd5039f49bcc88ea5379b4a29_hijackloader_jaff.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\ProgID\ = "Scriptlet.Constructor" | C:\Users\Admin\AppData\Local\Temp\2024-12-28_6d9e95ccd5039f49bcc88ea5379b4a29_hijackloader_jaff.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2} | C:\Users\Admin\AppData\Local\Temp\2024-12-28_6d9e95ccd5039f49bcc88ea5379b4a29_hijackloader_jaff.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\ = "Constructor that allows hosts better control creating scriptlets" | C:\Users\Admin\AppData\Local\Temp\2024-12-28_6d9e95ccd5039f49bcc88ea5379b4a29_hijackloader_jaff.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32 | C:\Users\Admin\AppData\Local\Temp\2024-12-28_6d9e95ccd5039f49bcc88ea5379b4a29_hijackloader_jaff.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32\ = "C:\\Windows\\SysWOW64\\scrobj.dll" | C:\Users\Admin\AppData\Local\Temp\2024-12-28_6d9e95ccd5039f49bcc88ea5379b4a29_hijackloader_jaff.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32\ThreadingModel = "Apartment" | C:\Users\Admin\AppData\Local\Temp\2024-12-28_6d9e95ccd5039f49bcc88ea5379b4a29_hijackloader_jaff.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\ProgID | C:\Users\Admin\AppData\Local\Temp\2024-12-28_6d9e95ccd5039f49bcc88ea5379b4a29_hijackloader_jaff.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-12-28_6d9e95ccd5039f49bcc88ea5379b4a29_hijackloader_jaff.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-12-28_6d9e95ccd5039f49bcc88ea5379b4a29_hijackloader_jaff.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\2024-12-28_6d9e95ccd5039f49bcc88ea5379b4a29_hijackloader_jaff.exe
"C:\Users\Admin\AppData\Local\Temp\2024-12-28_6d9e95ccd5039f49bcc88ea5379b4a29_hijackloader_jaff.exe"
Network
Files
memory/2436-0-0x0000000000400000-0x0000000000616000-memory.dmp
memory/2436-1-0x0000000002FB0000-0x00000000031BC000-memory.dmp
memory/2436-8-0x0000000002FB0000-0x00000000031BC000-memory.dmp
memory/2436-12-0x0000000000400000-0x0000000000616000-memory.dmp
memory/2436-11-0x0000000000400000-0x0000000000616000-memory.dmp
memory/2436-13-0x0000000002FB0000-0x00000000031BC000-memory.dmp
C:\$Recycle.Bin\S-1-5-21-3063565911-2056067323-3330884624-1000\desktop.ini.tmp
| MD5 | 6835c19e5c3a4020bf7651e0c9943320 |
| SHA1 | fcd69c7f3f1ab6425cfd2d2798b7a6e58dba9f4d |
| SHA256 | a85ce746850b884c840c58b50b94d662a93034b87febf7a39daa5d81f6a176c7 |
| SHA512 | a299600f0d158daabd98c589ebff3766e6bfa7d1bba798f2466c651a9c0d02bceb540e63b3cff2133e0a28b7eb46f6d39ee7205a5990282c50281bde67c78180 |
memory/2436-20-0x0000000002FB0000-0x00000000031BC000-memory.dmp
memory/2436-19-0x0000000002FB0000-0x00000000031BC000-memory.dmp
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp
| MD5 | 34cc7ffb0ca3f8b33fdab467ad358ed4 |
| SHA1 | 584d0c1b52e3a14ccaabcf772eacbfb1bbcc8838 |
| SHA256 | 086f03fa5e04b4b026076d306dd9782aa4c10e97be1c92f24816b23418bdc227 |
| SHA512 | f12b0d71f8d7d121bf93bee8ac07abfc0698c1b5ecd668b24a6c63964b7fa9b6daaf2e2f240d03667c7aa531b6b59713711a8c9bce750dd95e6317f7ef9f7e66 |
memory/2436-27-0x0000000000400000-0x0000000000616000-memory.dmp
memory/2436-31-0x0000000002FB0000-0x00000000031BC000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-12-28 22:23
Reported
2024-12-28 22:25
Platform
win10v2004-20241007-en
Max time kernel
149s
Max time network
152s
Command Line
Signatures
Banload
Banload family
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\2024-12-28_6d9e95ccd5039f49bcc88ea5379b4a29_hijackloader_jaff.exe | N/A |
Renames multiple (191) files with added filename extension
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\2024-12-28_6d9e95ccd5039f49bcc88ea5379b4a29_hijackloader_jaff.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | C:\Users\Admin\AppData\Local\Temp\2024-12-28_6d9e95ccd5039f49bcc88ea5379b4a29_hijackloader_jaff.exe | N/A |
Drops file in Program Files directory
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2024-12-28_6d9e95ccd5039f49bcc88ea5379b4a29_hijackloader_jaff.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InProcServer32\ThreadingModel = "Both" | C:\Users\Admin\AppData\Local\Temp\2024-12-28_6d9e95ccd5039f49bcc88ea5379b4a29_hijackloader_jaff.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2} | C:\Users\Admin\AppData\Local\Temp\2024-12-28_6d9e95ccd5039f49bcc88ea5379b4a29_hijackloader_jaff.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\Containers | C:\Users\Admin\AppData\Local\Temp\2024-12-28_6d9e95ccd5039f49bcc88ea5379b4a29_hijackloader_jaff.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InProcServer32 | C:\Users\Admin\AppData\Local\Temp\2024-12-28_6d9e95ccd5039f49bcc88ea5379b4a29_hijackloader_jaff.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InProcServer32\ = "%SystemRoot%\\SysWow64\\windowscodecsext.dll" | C:\Users\Admin\AppData\Local\Temp\2024-12-28_6d9e95ccd5039f49bcc88ea5379b4a29_hijackloader_jaff.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-12-28_6d9e95ccd5039f49bcc88ea5379b4a29_hijackloader_jaff.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-12-28_6d9e95ccd5039f49bcc88ea5379b4a29_hijackloader_jaff.exe | N/A |
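Both detonations fire the same registry signatures, and the interesting detail is in the indicator strings rather than the signature names: the anti-VM and BIOS probes are plain key opens and value reads, while the "Modifies registry class" rows register one CLSID under Wow6432Node and point its InprocServer32 default value at a different DLL in each run (scrobj.dll on win7, windowscodecsext.dll on win10). The following Python script is an added example and not part of the sandbox output: it takes the (description, indicator) rows copied from the two Signatures tables above and turns them into triage findings. The classification rules, the extra VirtualBox ACPI key names (FADT, RSDT) beyond the DSDT key the report shows, and the list of script-host DLLs are the editor's assumptions, not the sandbox's own signature logic.

```python
"""Triage the registry events from this report's Signatures tables.

Added example, not part of the sandbox output.  The EVENTS rows are copied
from the behavioral1 and behavioral2 tables above (process column omitted);
the classification rules, the extra VirtualBox ACPI key names and the list
of script-host DLLs are the editor's assumptions, not the sandbox's logic.
"""
import json
import re

EVENTS = [
    # behavioral1 (win7)
    ("Key opened", r"\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__"),
    ("Key value queried", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate"),
    ("Key value queried", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion"),
    ("Key opened", r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language"),
    ("Key created", r"\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32"),
    ("Set value (str)", r'\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32\ = "C:\\Windows\\SysWOW64\\scrobj.dll"'),
    ("Set value (str)", r'\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32\ThreadingModel = "Apartment"'),
    ("Set value (str)", r'\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\ProgID\ = "Scriptlet.Constructor"'),
    # behavioral2 (win10): same CLSID, different server DLL
    ("Set value (str)", r'\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InProcServer32\ = "%SystemRoot%\\SysWow64\\windowscodecsext.dll"'),
    ("Set value (str)", r'\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InProcServer32\ThreadingModel = "Both"'),
]

# Registry locations commonly probed to fingerprint the execution environment.
# Only the DSDT key appears in the report; FADT and RSDT are added from general
# knowledge of VirtualBox guests (editor's assumption).
ANTI_VM_KEYS = {
    r"\registry\machine\hardware\acpi\dsdt\vbox__",
    r"\registry\machine\hardware\acpi\fadt\vbox__",
    r"\registry\machine\hardware\acpi\rsdt\vbox__",
}
BIOS_KEY = r"\registry\machine\hardware\description\system"
LANG_KEY = r"\registry\machine\system\controlset001\control\nls\language"

# A COM in-process server key, with or without WOW6432Node redirection and
# regardless of how InprocServer32 is capitalised (the two runs differ).
INPROC_RE = re.compile(
    r"\\classes\\(?:wow6432node\\)?clsid\\(\{[0-9a-f-]{36}\})\\inprocserver32$",
    re.IGNORECASE,
)

# In-process servers that host script: scrobj.dll is the Windows Script
# Component runtime.  Which DLLs to flag is the editor's choice.
SCRIPT_HOST_DLLS = {"scrobj.dll"}


def parse_indicator(indicator):
    """Split a sandbox indicator into (key, value_name, data).

    'Set value' indicators look like  <key>\\<value> = "<data>".  A trailing
    backslash before ' = ' means the key's (Default) value, which is the value
    COM reads to locate the server DLL.  Other indicators are a bare key path.
    """
    if " = " not in indicator:
        return indicator, None, None
    path, data = indicator.split(" = ", 1)
    key, _, value = path.rpartition("\\")
    # The report escapes backslashes inside string data; undo that.
    return key, value, data.strip('"').replace("\\\\", "\\")


def triage(events):
    """Return a dict of findings for the given (description, indicator) rows."""
    findings = {"anti_vm": [], "bios": [], "language": [], "com_servers": {}}
    for _desc, indicator in events:
        key, value, data = parse_indicator(indicator)
        lowered = key.lower()
        if lowered in ANTI_VM_KEYS:
            findings["anti_vm"].append(key)
        elif lowered.startswith(BIOS_KEY):
            findings["bios"].append(key.rsplit("\\", 1)[-1])
        elif lowered == LANG_KEY:
            findings["language"].append(key)
        m = INPROC_RE.search(key)
        if m and value == "":  # only the (Default) value names the DLL
            clsid = m.group(1).upper()
            dll = data.rsplit("\\", 1)[-1].lower()
            findings["com_servers"].setdefault(clsid, []).append(
                {"dll": data, "script_host": dll in SCRIPT_HOST_DLLS}
            )
    return findings


if __name__ == "__main__":
    print(json.dumps(triage(EVENTS), indent=2))
```

Run stand-alone, the script prints one CLSID with two server entries, the first of which is flagged because it points at scrobj.dll. Whether the registration is the sample's own work or COM activity the sandbox attributed to the process is not something this report settles; the script only makes the two divergent InprocServer32 targets easy to see.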
Processes
C:\Users\Admin\AppData\Local\Temp\2024-12-28_6d9e95ccd5039f49bcc88ea5379b4a29_hijackloader_jaff.exe
"C:\Users\Admin\AppData\Local\Temp\2024-12-28_6d9e95ccd5039f49bcc88ea5379b4a29_hijackloader_jaff.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 17.173.189.20.in-addr.arpa | udp |
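Every name in the Domain column above ends in in-addr.arpa, so these are PTR (address-to-name) queries to 8.8.8.8, not resolutions of hostnames the sample wanted to reach, and the table attributes none of them to a process. The behavioral1 run recorded no network activity at all. The Python below is an added example, not part of the sandbox output: it copies the rows from this table and decodes each reverse-lookup name back to the address being looked up, separating them from any forward lookups, so the column is not misread as a list of contacted domains.

```python
"""Decode the reverse-lookup names in this report's Network table.

Added example, not part of the sandbox output.  NETWORK_ROWS is copied from
the behavioral2 Network table above; the decoding is the editor's own.
"""
import ipaddress

# (destination, queried name, proto) as listed in the report.
NETWORK_ROWS = [
    ("8.8.8.8:53", "209.205.72.20.in-addr.arpa", "udp"),
    ("8.8.8.8:53", "73.144.22.2.in-addr.arpa", "udp"),
    ("8.8.8.8:53", "73.31.126.40.in-addr.arpa", "udp"),
    ("8.8.8.8:53", "95.221.229.192.in-addr.arpa", "udp"),
    ("8.8.8.8:53", "97.17.167.52.in-addr.arpa", "udp"),
    ("8.8.8.8:53", "196.249.167.52.in-addr.arpa", "udp"),
    ("8.8.8.8:53", "53.210.109.20.in-addr.arpa", "udp"),
    ("8.8.8.8:53", "18.31.95.13.in-addr.arpa", "udp"),
    ("8.8.8.8:53", "232.168.11.51.in-addr.arpa", "udp"),
    ("8.8.8.8:53", "43.229.111.52.in-addr.arpa", "udp"),
    ("8.8.8.8:53", "17.173.189.20.in-addr.arpa", "udp"),
]


def ptr_to_ip(name):
    """Return the IPv4 address encoded in an in-addr.arpa name, else None.

    PTR names list the octets in reverse order, so 209.205.72.20.in-addr.arpa
    is a lookup of 20.72.205.209.  Malformed or out-of-range octets yield None.
    """
    suffix = ".in-addr.arpa"
    if not name.lower().endswith(suffix):
        return None
    octets = name[: -len(suffix)].split(".")
    if len(octets) != 4:
        return None
    try:
        return str(ipaddress.IPv4Address(".".join(reversed(octets))))
    except ipaddress.AddressValueError:
        return None


def classify_dns(rows):
    """Split DNS rows into decoded reverse lookups and forward lookups."""
    reverse, forward, resolvers = [], [], set()
    for dest, name, _proto in rows:
        resolvers.add(dest)
        ip = ptr_to_ip(name)
        if ip is not None:
            reverse.append(ip)
        else:
            forward.append(name)
    return {"resolvers": sorted(resolvers), "reverse": reverse, "forward": forward}


if __name__ == "__main__":
    result = classify_dns(NETWORK_ROWS)
    print("resolver(s):", ", ".join(result["resolvers"]))
    print("reverse lookups of:", ", ".join(result["reverse"]))
    print("forward lookups:", result["forward"] or "none")
```

For this table the forward-lookup list is empty and there are no non-DNS flows, so the Network section on its own gives no contacted domain or C2 address to pivot on.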
Files
memory/3584-0-0x0000000000400000-0x0000000000616000-memory.dmp
memory/3584-2-0x0000000004390000-0x000000000459C000-memory.dmp
memory/3584-9-0x0000000004390000-0x000000000459C000-memory.dmp
memory/3584-12-0x0000000000400000-0x0000000000616000-memory.dmp
memory/3584-13-0x0000000000400000-0x0000000000616000-memory.dmp
memory/3584-14-0x0000000004390000-0x000000000459C000-memory.dmp
C:\$Recycle.Bin\S-1-5-21-2045521122-590294423-3465680274-1000\desktop.ini.tmp
| MD5 | 21a009df87dcfdbdcd33dc874709c18b |
| SHA1 | 09f8f04940544d76fac4bf9b1df5d712416c2d8c |
| SHA256 | f6f4d7c7de902c70fd0a93ed498b3b9e87fcb672af581d476bad42fff9c6ffbb |
| SHA512 | f59141a5540b11e9f87637501d4243145ffeed4844195e105b5fe16101f1c00aeeaffcef56e53bf0d8353c77a33d1ed1b632c65793fdb41edc145d5c49e6d259 |
memory/3584-20-0x0000000004390000-0x000000000459C000-memory.dmp
memory/3584-21-0x0000000004390000-0x000000000459C000-memory.dmp
C:\Program Files\7-Zip\7-zip.dll.tmp
| MD5 | fd1e4fe86d8ff35d3a59c7f50f08ddb1 |
| SHA1 | c0bd02e468e413efe9029464deb0f70f733c7891 |
| SHA256 | ba98c8e03cea3bdeac979d9150771c7e424dc74a1c8a8fc9ca890f4be35d325e |
| SHA512 | a40285d3630812fe07722697d22144e489eb33b5caae657096fcef7fb54ca5aee7330f6b3a2c4cc76b68c44eb15842e88187c4dc78d3edc8ef047178d20aa920 |
memory/3584-34-0x0000000000400000-0x0000000000616000-memory.dmp
memory/3584-38-0x0000000004390000-0x000000000459C000-memory.dmp
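The "Renames multiple (N) files with added filename extension" signature fires in both runs (118 files on win7, 191 on win10), and the few renamed files the report lists all follow the same shape: an existing name with .tmp appended, spread across $Recycle.Bin, MSOCache and, in the win10 run, Program Files. The Python below is an added example, not part of the sandbox output: it recovers the original name and the appended extension from each path, groups the renames by that extension, and reports how many directories were touched and which renames landed under roots a user-mode program should not be writing to. The three report paths are used as given; the other paths and the list of sensitive roots are constructed by the editor and are not in the report.

```python
"""Profile the renamed files listed in this report's Files sections.

Added example, not part of the sandbox output.  The first three OBSERVED
paths are the .tmp files listed above; the remaining paths and the
SENSITIVE_ROOTS list are constructed by the editor to exercise the logic.
"""
import ntpath
from collections import Counter

OBSERVED = [
    # from the report
    r"C:\$Recycle.Bin\S-1-5-21-3063565911-2056067323-3330884624-1000\desktop.ini.tmp",
    r"C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp",
    r"C:\Program Files\7-Zip\7-zip.dll.tmp",
    # constructed, not from the report
    r"C:\Program Files\7-Zip\History.txt.tmp",
    r"C:\Users\Admin\Documents\notes.docx.tmp",
    r"C:\Users\Admin\Downloads\setup.exe",
]

# Roots where a user-mode dropper normally has no business writing (editor's
# assumption, in line with the "Drops file in Program Files directory" signature).
SENSITIVE_ROOTS = (r"c:\program files", r"c:\windows")


def split_appended(path):
    """Return (original_path, appended_ext) when the file name is an existing
    name plus one extra extension, e.g. 7-zip.dll.tmp -> (7-zip.dll, 'tmp').
    Files with a single extension are returned unchanged with ext None."""
    head, name = ntpath.split(path)
    stem, ext = ntpath.splitext(name)
    if not ext or not ntpath.splitext(stem)[1]:
        return path, None
    return ntpath.join(head, stem), ext.lstrip(".").lower()


def rename_profile(paths, min_count=2):
    """Group appended-extension renames and summarise their spread.

    Only extensions seen at least min_count times are reported, which keeps
    a single stray .tmp from a normal installer out of the result.
    """
    groups = {}
    for path in paths:
        original, ext = split_appended(path)
        if ext is None:
            continue
        g = groups.setdefault(
            ext, {"count": 0, "original_exts": Counter(), "dirs": set(), "sensitive": []}
        )
        directory = ntpath.dirname(original).lower()
        g["count"] += 1
        g["original_exts"][ntpath.splitext(original)[1].lower()] += 1
        g["dirs"].add(directory)
        if directory.startswith(SENSITIVE_ROOTS):
            g["sensitive"].append(path)
    return {ext: g for ext, g in groups.items() if g["count"] >= min_count}


if __name__ == "__main__":
    for ext, g in rename_profile(OBSERVED).items():
        print(f".{ext}: {g['count']} renames across {len(g['dirs'])} directories")
        print("  original types:", dict(g["original_exts"]))
        for p in g["sensitive"]:
            print("  under protected root:", p)
```

The report only lists a handful of the renamed files with hashes, so this profile is a view of the listed artifacts, not of all 118 or 191 renames; against a full file-event log it would show whether the pattern is confined to scratch locations or reaches user documents.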