Analysis Overview
SHA256
648cd5aa61222565eb922abfdb582f276601fb5515594a2e0a8a81f670e62346
Threat Level: Shows suspicious behavior
The file JaffaCakes118_4375ccd5831118c67cc584ac6cddb136 was classified as showing suspicious behavior; no malware family was identified and no definitively malicious verdict was assigned.
Malicious Activity Summary
ACProtect 1.3x - 1.4x DLL software
Checks BIOS information in registry
Executes dropped EXE
Loads dropped DLL
UPX packed file
Drops file in System32 directory
System Location Discovery: System Language Discovery
Unsigned PE
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
Modifies registry class
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2025-01-27 20:35
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2025-01-27 20:35
Reported
2025-01-27 20:38
Platform
win7-20240729-en
Max time kernel
140s
Max time network
120s
Signatures
ACProtect 1.3x - 1.4x DLL software
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\setup.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | C:\Users\Admin\AppData\Local\Temp\setup.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\setup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\~EFEC.tmp | N/A |
Loads dropped DLL
The sandbox recorded no module names or indicators for these events, only the loading process; the thirteen rows collapse to per-process counts.
| Process | Load events |
| C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4375ccd5831118c67cc584ac6cddb136.exe | 1 |
| C:\Users\Admin\AppData\Local\Temp\setup.exe | 10 |
| C:\Windows\SysWOW64\cmd.exe | 2 |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\nstF01D.tmp | C:\Users\Admin\AppData\Local\Temp\setup.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A (signature matched 6 times; no process or indicator recorded) | N/A | N/A | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4375ccd5831118c67cc584ac6cddb136.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\setup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\~EFEC.tmp | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5BC4A941-A15B-D262-187E-AECD50DA760C}\AutoConvertTo\ = "{00020803-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5BC4A941-A15B-D262-187E-AECD50DA760C} | C:\Users\Admin\AppData\Local\Temp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5BC4A941-A15B-D262-187E-AECD50DA760C}\AutoConvertTo | C:\Users\Admin\AppData\Local\Temp\setup.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\setup.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: 33 (LUID 33 is SeIncreaseWorkingSetPrivilege in winnt.h) | N/A | C:\Users\Admin\AppData\Local\Temp\setup.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\setup.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4375ccd5831118c67cc584ac6cddb136.exe | "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4375ccd5831118c67cc584ac6cddb136.exe" |
| C:\Users\Admin\AppData\Local\Temp\setup.exe | C:\Users\Admin\AppData\Local\Temp\\setup.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4375ccd5831118c67cc584ac6cddb136.exe |
| C:\Windows\SysWOW64\cmd.exe | cmd /c C:\Users\Admin\AppData\Local\Temp\~EFED.cmd |
| C:\Users\Admin\AppData\Local\Temp\~EFEC.tmp | C:\Users\Admin\AppData\Local\Temp\~EFEC.tmp checknewversion 27012550183fa /B |
Three details are worth hunting on: setup.exe receives the path of the original sample as its only argument, cmd.exe is used solely to run the dropped ~EFED.cmd batch file from the user's Temp directory, and ~EFEC.tmp (listed under "Executes dropped EXE") is a PE run under a .tmp extension with a "checknewversion" argument.
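The process list above is the most actionable part of the report for a detection engineer. The following is an added example, not part of the sandbox report or its tooling: a small rule set run over process-creation events constructed to mirror the four command lines above, in the shape of a minimal Sysmon Event ID 1 record. PIDs are taken from the memory-dump names in the Files section; the parent-child links are assumptions, since the report does not show a tree.

```python
"""Detection rules for the behavioral1 process chain, run over constructed events.

Added example; it is not part of the sandbox report or its tooling. The
events mirror the report's Processes list in the shape of a minimal Sysmon
Event ID 1 (process create) record. PIDs are taken from the memory-dump
names in the Files section; the parent links (ppid) are assumptions.
"""
import re
from dataclasses import dataclass

# Per-user temp directory on Windows; anything executing from here is worth a look.
USER_TEMP = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\local\\temp\\", re.I)
SHELLS = {"cmd.exe", "powershell.exe"}
SCRIPT_EXT = (".cmd", ".bat", ".ps1", ".vbs", ".js")


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed from the report's Processes list (PID 1000 = assumed launcher).
EVENTS = [
    ProcEvent(2204, 1000,
              r"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4375ccd5831118c67cc584ac6cddb136.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4375ccd5831118c67cc584ac6cddb136.exe"'),
    ProcEvent(1960, 2204,
              r"C:\Users\Admin\AppData\Local\Temp\setup.exe",
              r"C:\Users\Admin\AppData\Local\Temp\\setup.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4375ccd5831118c67cc584ac6cddb136.exe"),
    ProcEvent(2756, 1960,
              r"C:\Windows\SysWOW64\cmd.exe",
              r"cmd /c C:\Users\Admin\AppData\Local\Temp\~EFED.cmd"),
    ProcEvent(2604, 2756,
              r"C:\Users\Admin\AppData\Local\Temp\~EFEC.tmp",
              r"C:\Users\Admin\AppData\Local\Temp\~EFEC.tmp checknewversion 27012550183fa /B"),
]


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def in_user_temp(path):
    return USER_TEMP.match(path) is not None


def evaluate(events):
    """Return (pid, rule) pairs for every rule an event trips."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        parent = by_pid.get(e.ppid)
        if in_user_temp(e.image):
            hits.append((e.pid, "exec_from_user_temp"))
            if not e.image.lower().endswith(".exe"):
                # A PE run under .tmp or another non-.exe name, as ~EFEC.tmp is here.
                hits.append((e.pid, "pe_with_non_exe_extension"))
        if basename(e.image) in SHELLS:
            if any(tok.lower().endswith(SCRIPT_EXT) and in_user_temp(tok)
                   for tok in e.cmdline.split()):
                hits.append((e.pid, "shell_runs_temp_script"))
            if parent is not None and in_user_temp(parent.image):
                hits.append((e.pid, "temp_process_spawns_shell"))
    return hits


def chain(events, pid):
    """Image names from the root of the tree down to pid, following ppid links."""
    by_pid = {e.pid: e for e in events}
    names, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        names.append(basename(by_pid[pid].image))
        pid = by_pid[pid].ppid
    return names[::-1]


if __name__ == "__main__":
    for pid, rule in evaluate(EVENTS):
        print(f"{pid}\t{rule}\t{' -> '.join(chain(EVENTS, pid))}")
```

Each rule on its own is noisy (plenty of legitimate installers run from Temp); the value is in the chain, which is why `chain()` is printed next to every hit. Against real telemetry, feed it Sysmon or EDR process events with the same four fields.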
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | www.widestep.com | udp |
| US | 76.223.54.146:80 | www.widestep.com | tcp |
Files
Dropped files and memory regions from the behavioral1 run. The nseEFBD.tmp directory holds plug-ins that ship with the NSIS installer framework (System.dll, UserInfo.dll, LangDLL.dll, InstallOptions.dll) together with an InstallOptions page definition (ioB_english.ini), so setup.exe is behaving as an NSIS installer; access40.dll is not one of the plug-ins bundled with NSIS, and nstF01D.tmp in SysWOW64 follows the same ns?XXXX.tmp temporary-file naming.
memory/2204-0-0x0000000000240000-0x0000000000241000-memory.dmp
\Users\Admin\AppData\Local\Temp\setup.exe
| MD5 | 2e402be8220c5142fd1db6ac3221bdb2 |
| SHA1 | 823f4938545750c5315d8680a3486062a32e8225 |
| SHA256 | 397cb7c5f9633c95da1876e08764fa586dd38348386509029e1a128c2c661996 |
| SHA512 | 0a2b61f7da610ae4f9420f11884aadc6c97d7bfe46c306a06ecc038fec28ca2143296de2ec788dafdcfd2e208b21b229e037d61cba4f63fb8e350414abfa67b7 |
memory/2204-6-0x0000000003A30000-0x00000000045AA000-memory.dmp
memory/1960-10-0x0000000000400000-0x0000000000F7A000-memory.dmp
memory/1960-14-0x0000000000360000-0x00000000003AD000-memory.dmp
memory/1960-19-0x0000000000400000-0x0000000000F7A000-memory.dmp
memory/1960-20-0x00000000016C0000-0x000000000223A000-memory.dmp
memory/1960-25-0x00000000016C0000-0x000000000223A000-memory.dmp
memory/1960-24-0x0000000000360000-0x00000000003AD000-memory.dmp
memory/1960-22-0x0000000000400000-0x0000000000F7A000-memory.dmp
memory/1960-21-0x00000000016C0000-0x000000000223A000-memory.dmp
\Users\Admin\AppData\Local\Temp\nseEFBD.tmp\UserInfo.dll
| MD5 | 7579ade7ae1747a31960a228ce02e666 |
| SHA1 | 8ec8571a296737e819dcf86353a43fcf8ec63351 |
| SHA256 | 564c80dec62d76c53497c40094db360ff8a36e0dc1bda8383d0f9583138997f5 |
| SHA512 | a88bc56e938374c333b0e33cb72951635b5d5a98b9cb2d6785073cbcad23bf4c0f9f69d3b7e87b46c76eb03ced9bb786844ce87656a9e3df4ca24acf43d7a05b |
memory/1960-48-0x0000000003D50000-0x0000000003E82000-memory.dmp
\Users\Admin\AppData\Local\Temp\nseEFBD.tmp\System.dll
| MD5 | c17103ae9072a06da581dec998343fc1 |
| SHA1 | b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d |
| SHA256 | dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f |
| SHA512 | d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f |
memory/1960-59-0x0000000003D50000-0x0000000003E82000-memory.dmp
\Users\Admin\AppData\Local\Temp\nseEFBD.tmp\access40.dll
| MD5 | 03d7001fd3a1c48bd61e7da9928cd36d |
| SHA1 | 5c8418aa6259469bd0b36f3ab3dc5ef3f901dfa9 |
| SHA256 | d3965b42b5256a9ee000034ebaee39c7972510dc203ddacd6301bc776c4ae4a7 |
| SHA512 | dfc944d9683151a4ad31b3b5fbe231354c5194d3a0f1bcd12a71da82269a9810fc91346ef2a3770813d79b66851e757c4647baebee5eb69f7c9b829e82669c12 |
memory/1960-61-0x0000000003F90000-0x00000000040B3000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\~EFED.cmd
| MD5 | f23d7dba35e84b4f45a4098c6275118c |
| SHA1 | 3cadc6cdf93b166d3a8196e6ebd633b19ea900c4 |
| SHA256 | ed6611e14f7a5e7bba8a47488ff6c8725fd6da7fb2ecac9e1b753a18ad73da60 |
| SHA512 | 92d96168aaae8aded2571db771338b663d9e9116adcffa99d85951cb8c64946eaa8f431d6bdb04d0fc9b166b9c74e9319ea12d77f790344cc4e754eedf61c370 |
\Windows\SysWOW64\nstF01D.tmp
| MD5 | c3fb03ae11e469074820d70ed8ab17eb |
| SHA1 | 7bf4db632861dab3253e24d1992c1986be89ac41 |
| SHA256 | 3802a2b5ea0279094090457e7926b3e0fcdabec974dc918a7d6cd2c1baa33aa6 |
| SHA512 | 9ae1ba3b3bd8c50b236d277889955359cb2de1f9fb48f709793df9e9e99fc338271eafedd4a0b06da36aea8e4ddf817ded33e75dc6665ba008c284e3cf03ce26 |
\Users\Admin\AppData\Local\Temp\~EFEC.tmp
| MD5 | 345171d2a2660b7cd4b8cdd978eda569 |
| SHA1 | 516276cfe91c90458cc0f98a09cfaa841494d702 |
| SHA256 | c0b239bb834ad52cd1eb5f50d9cef83682e05f7d3fd3c3f5a1c8f106eadcb70b |
| SHA512 | 75e372de5494e487cfe57ae98c71576b18309e4b9e6988609c541c67a5ad91ea034ffba61fa281ed530cc60d07a163a5defd731f748164913e77f42ff77d3118 |
memory/2756-68-0x0000000002070000-0x000000000220B000-memory.dmp
memory/2604-72-0x0000000000400000-0x000000000059B000-memory.dmp
memory/2756-70-0x0000000002070000-0x000000000220B000-memory.dmp
\Users\Admin\AppData\Local\Temp\nseEFBD.tmp\LangDLL.dll
| MD5 | 9384f4007c492d4fa040924f31c00166 |
| SHA1 | aba37faef30d7c445584c688a0b5638f5db31c7b |
| SHA256 | 60a964095af1be79f6a99b22212fefe2d16f5a0afd7e707d14394e4143e3f4f5 |
| SHA512 | 68f158887e24302673227adffc688fd3edabf097d7f5410f983e06c6b9c7344ca1d8a45c7fa05553adcc5987993df3a298763477168d4842e554c4eb93b9aaaf |
memory/2204-90-0x0000000000400000-0x000000000121B000-memory.dmp
memory/1960-91-0x0000000000360000-0x00000000003AD000-memory.dmp
memory/1960-23-0x0000000000400000-0x0000000000F7A000-memory.dmp
memory/1960-94-0x00000000016C0000-0x000000000223A000-memory.dmp
memory/1960-93-0x0000000000400000-0x0000000000F7A000-memory.dmp
memory/1960-95-0x00000000016C0000-0x000000000223A000-memory.dmp
memory/2604-99-0x0000000000400000-0x000000000059B000-memory.dmp
memory/1960-100-0x00000000016C0000-0x000000000223A000-memory.dmp
memory/1960-101-0x0000000000400000-0x0000000000F7A000-memory.dmp
\Users\Admin\AppData\Local\Temp\nseEFBD.tmp\InstallOptions.dll
| MD5 | 325b008aec81e5aaa57096f05d4212b5 |
| SHA1 | 27a2d89747a20305b6518438eff5b9f57f7df5c3 |
| SHA256 | c9cd5c9609e70005926ae5171726a4142ffbcccc771d307efcd195dafc1e6b4b |
| SHA512 | 18362b3aee529a27e85cc087627ecf6e2d21196d725f499c4a185cb3a380999f43ff1833a8ebec3f5ba1d3a113ef83185770e663854121f2d8b885790115afdf |
C:\Users\Admin\AppData\Local\Temp\nseEFBD.tmp\ioB_english.ini
| MD5 | 897dd2da994474958eb68073ea1004ee |
| SHA1 | c20164256d02c0e96e5a54d7c6774046def626fa |
| SHA256 | 1efa1168b2a396772006f7ccd6b1833862c137055567174e049749c72e408334 |
| SHA512 | 074af5cde982bc044c967ebfc07594365d70c222e4bc582a65cb2e5cc804df2fdb5058dfe296e250abcad1a2ea5ba6bcdc6e20849bb4f7f7ff2973f0357602b3 |
memory/1960-181-0x0000000000400000-0x0000000000F7A000-memory.dmp
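The tables in this section and in Network are what an analyst actually needs to export: hashes of dropped files, the contacted domain and endpoint, and the registry keys touched. The following is an added example, not part of the sandbox report or of any vendor tooling: it parses report lines in the layout shown on this page into an IOC set, drops the resolver from the endpoint list so 8.8.8.8 does not end up on a blocklist, and flags dropped files that follow NSIS naming. REPORT is constructed from lines of the behavioral1 section; the parsing rules are assumptions about the table layout, and the NSIS plug-in list and ns?XXXX.tmp pattern are heuristics.

```python
"""Pull machine-readable IOCs out of the report tables above.

Added example; it is not part of the sandbox report or of any vendor tooling.
REPORT is constructed from lines of this page's behavioral1 section, and the
parsing rules are assumptions about the table layout shown on the page.
"""
import re

ROW = re.compile(r"^\|\s*(.*?)\s*\|\s*(.*?)\s*\|\s*(.*?)\s*\|\s*(.*?)\s*\|$")
HASH_ROW = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9a-f]+)\s*\|$", re.I)
ENDPOINT = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}:\d{1,5}$")
PATH_LINE = re.compile(r"^(?:[A-Za-z]:)?\\(?!REGISTRY\\)")
# Heuristic: NSIS names its plug-in directory and temp files ns?XXXX.tmp
# (one letter after "ns", then four hex digits); nseEFBD.tmp and nstF01D.tmp fit.
NSIS_TMP = re.compile(r"\\ns[a-z][0-9a-f]{4}\.tmp(?:\\|$)", re.I)
# Plug-ins that ship with the NSIS distribution.
NSIS_PLUGINS = {"system.dll", "userinfo.dll", "langdll.dll", "installoptions.dll",
                "nsdialogs.dll", "nsexec.dll"}

# Constructed from lines of the behavioral1 section of this report.
REPORT = r"""
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | www.widestep.com | udp |
| US | 76.223.54.146:80 | www.widestep.com | tcp |
Checks BIOS information in registry
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\setup.exe | N/A |
Files
\Users\Admin\AppData\Local\Temp\setup.exe
| MD5 | 2e402be8220c5142fd1db6ac3221bdb2 |
| SHA256 | 397cb7c5f9633c95da1876e08764fa586dd38348386509029e1a128c2c661996 |
\Users\Admin\AppData\Local\Temp\nseEFBD.tmp\System.dll
| SHA256 | dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f |
\Windows\SysWOW64\nstF01D.tmp
| SHA256 | 3802a2b5ea0279094090457e7926b3e0fcdabec974dc918a7d6cd2c1baa33aa6 |
\Users\Admin\AppData\Local\Temp\~EFEC.tmp
| SHA256 | c0b239bb834ad52cd1eb5f50d9cef83682e05f7d3fd3c3f5a1c8f106eadcb70b |
"""


def parse_report(text):
    """Walk the report line by line; a path line opens a file record that the
    hash rows beneath it fill in."""
    iocs = {"domains": set(), "endpoints": set(), "registry": set(), "files": {}}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = HASH_ROW.match(line)
        if m and current is not None:
            iocs["files"][current][m.group(1).lower()] = m.group(2).lower()
            continue
        m = ROW.match(line)
        if m:
            indicator, domain = m.group(2), m.group(3)
            if ENDPOINT.match(indicator):
                if domain and domain != "N/A":
                    iocs["domains"].add(domain)
                # Port-53 rows are the sandbox resolver, not a contacted endpoint.
                if indicator.rsplit(":", 1)[1] != "53":
                    iocs["endpoints"].add(indicator)
            elif indicator.upper().startswith("\\REGISTRY\\"):
                # Drop any ' = value' suffix so the key path stands alone.
                iocs["registry"].add(indicator.split(" = ")[0])
            continue
        if PATH_LINE.match(line):
            current = line
            iocs["files"].setdefault(current, {})
    return iocs


def installer_hints(iocs):
    """Dropped files whose location or name follows NSIS conventions."""
    hits = []
    for path in iocs["files"]:
        name = path.rsplit("\\", 1)[-1].lower()
        if NSIS_TMP.search(path) or name in NSIS_PLUGINS:
            hits.append(path)
    return sorted(hits)


def blocklist_rows(iocs):
    """Flat (type, value) rows for a blocklist or threat-intel import."""
    rows = [("domain", d) for d in sorted(iocs["domains"])]
    rows += [("ipv4", ep.rsplit(":", 1)[0]) for ep in sorted(iocs["endpoints"])]
    rows += [("sha256", h["sha256"]) for h in iocs["files"].values() if "sha256" in h]
    return rows


if __name__ == "__main__":
    parsed = parse_report(REPORT)
    for kind, value in blocklist_rows(parsed):
        print(f"{kind},{value}")
    print("NSIS hints:", installer_hints(parsed))
```

Treat `installer_hints()` as context rather than a verdict: the NSIS plug-in hashes it surfaces are shared by countless legitimate installers and should be excluded from a blocklist, which is why `blocklist_rows()` carries file hashes but a reviewer still has to prune them.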
Analysis: behavioral2
Detonation Overview
Submitted
2025-01-27 20:35
Reported
2025-01-28 03:16
Platform
win10v2004-20241007-en
Max time kernel
91s
Max time network
144s
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4375ccd5831118c67cc584ac6cddb136.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4375ccd5831118c67cc584ac6cddb136.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4375ccd5831118c67cc584ac6cddb136.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 5.114.82.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
All seven entries are reverse-DNS (PTR) lookups to the resolver for addresses that appear nowhere else in this report; no lookup of www.widestep.com and no TCP connection were observed in this run. That matches the Processes list for this run, where the sample never dropped or launched setup.exe on Windows 10, so the widestep.com contact should be tied to the Windows 7 behaviour only.
Files
memory/2616-0-0x0000000002FB0000-0x0000000002FB1000-memory.dmp
memory/2616-1-0x0000000000400000-0x000000000121B000-memory.dmp