vobfus | 637298a96b71e285cab13eaac31818e1681060fefa15c1ac58e8fe77dcb6be3e

Analysis

max time kernel
149s
max time network
140s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
20/03/2025, 04:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_813ef74a1bca40e5c85900e935fea731.exe
Size

139KB
MD5

813ef74a1bca40e5c85900e935fea731
SHA1

647d23f2207938a8805f6b9ef1a0b7239ce80b17
SHA256

637298a96b71e285cab13eaac31818e1681060fefa15c1ac58e8fe77dcb6be3e
SHA512

1c03c1fae8565c759c60dcdf2d7b58b27d45908fd4e36a44b30ae539a766091705f447560d1a19120f10212f50c4c27fc296e0145cea7bc8712c7f48b3d18c15
SSDEEP

3072:oTD000dF8abVEpC/AOcTkv9HEmlj8vXgRbpD1mWNraG1cjouty:cDs/yCoOctml7prxfcjoS

Score

10^/10

vobfus discovery persistence upx worm

Malware Config

Signatures

Vobfus
A widespread worm which spreads via network drives and removable media.
worm vobfus
Vobfus family
vobfus

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run	javaapp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\taskmgr = "C:\\Users\\Admin\\AppData\\Roaming\\taskmgr.exe"	javaapp.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\run	javaapp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\taskmgr = "C:\\Users\\Admin\\AppData\\Roaming\\taskmgr.exe"	javaapp.exe

Executes dropped EXE 3 IoCs

pid	Process
2728	javaapp.exe
2832	javaapp.exe
2644	javaapp.exe

Loads dropped DLL 7 IoCs

pid	Process
1904	JaffaCakes118_813ef74a1bca40e5c85900e935fea731.exe
1904	JaffaCakes118_813ef74a1bca40e5c85900e935fea731.exe
1904	JaffaCakes118_813ef74a1bca40e5c85900e935fea731.exe
1904	JaffaCakes118_813ef74a1bca40e5c85900e935fea731.exe
1904	JaffaCakes118_813ef74a1bca40e5c85900e935fea731.exe
2728	javaapp.exe
2728	javaapp.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\taskmgr.exe = "C:\\Users\\Admin\\AppData\\Roaming\\javaapp.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\taskmgr = "C:\\Users\\Admin\\AppData\\Roaming\\taskmgr.exe"	javaapp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\taskmgr = "C:\\Users\\Admin\\AppData\\Roaming\\taskmgr.exe"	javaapp.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2728 set thread context of 2832	2728	javaapp.exe	34
PID 2728 set thread context of 2644	2728	javaapp.exe	35

UPX packed file 12 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1904-0-0x0000000000400000-0x00000000004BE000-memory.dmp	upx
behavioral1/files/0x0008000000012116-20.dat	upx
behavioral1/memory/1904-22-0x0000000003780000-0x000000000383E000-memory.dmp	upx
behavioral1/memory/1904-38-0x0000000000400000-0x00000000004BE000-memory.dmp	upx
behavioral1/memory/2728-41-0x0000000000400000-0x00000000004BE000-memory.dmp	upx
behavioral1/memory/2832-44-0x0000000000400000-0x000000000042C000-memory.dmp	upx
behavioral1/memory/2832-48-0x0000000000400000-0x000000000042C000-memory.dmp	upx
behavioral1/memory/2832-50-0x0000000000400000-0x000000000042C000-memory.dmp	upx
behavioral1/memory/2728-61-0x0000000000400000-0x00000000004BE000-memory.dmp	upx
behavioral1/memory/2832-68-0x0000000000400000-0x000000000042C000-memory.dmp	upx
behavioral1/memory/2832-74-0x0000000000400000-0x000000000042C000-memory.dmp	upx
behavioral1/memory/2832-202-0x0000000000400000-0x000000000042C000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_813ef74a1bca40e5c85900e935fea731.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	javaapp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	javaapp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	javaapp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe

Script User-Agent 3 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	2	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	3	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	7	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2644	javaapp.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
1904	JaffaCakes118_813ef74a1bca40e5c85900e935fea731.exe
2728	javaapp.exe
2832	javaapp.exe
2644	javaapp.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 1904 wrote to memory of 1004	1904	JaffaCakes118_813ef74a1bca40e5c85900e935fea731.exe	30
PID 1904 wrote to memory of 1004	1904	JaffaCakes118_813ef74a1bca40e5c85900e935fea731.exe	30
PID 1904 wrote to memory of 1004	1904	JaffaCakes118_813ef74a1bca40e5c85900e935fea731.exe	30
PID 1904 wrote to memory of 1004	1904	JaffaCakes118_813ef74a1bca40e5c85900e935fea731.exe	30
PID 1004 wrote to memory of 2820	1004	cmd.exe	32
PID 1004 wrote to memory of 2820	1004	cmd.exe	32
PID 1004 wrote to memory of 2820	1004	cmd.exe	32
PID 1004 wrote to memory of 2820	1004	cmd.exe	32
PID 1904 wrote to memory of 2728	1904	JaffaCakes118_813ef74a1bca40e5c85900e935fea731.exe	33
PID 1904 wrote to memory of 2728	1904	JaffaCakes118_813ef74a1bca40e5c85900e935fea731.exe	33
PID 1904 wrote to memory of 2728	1904	JaffaCakes118_813ef74a1bca40e5c85900e935fea731.exe	33
PID 1904 wrote to memory of 2728	1904	JaffaCakes118_813ef74a1bca40e5c85900e935fea731.exe	33
PID 2728 wrote to memory of 2832	2728	javaapp.exe	34
PID 2728 wrote to memory of 2832	2728	javaapp.exe	34
PID 2728 wrote to memory of 2832	2728	javaapp.exe	34
PID 2728 wrote to memory of 2832	2728	javaapp.exe	34
PID 2728 wrote to memory of 2832	2728	javaapp.exe	34
PID 2728 wrote to memory of 2832	2728	javaapp.exe	34
PID 2728 wrote to memory of 2832	2728	javaapp.exe	34
PID 2728 wrote to memory of 2832	2728	javaapp.exe	34
PID 2728 wrote to memory of 2832	2728	javaapp.exe	34
PID 2728 wrote to memory of 2644	2728	javaapp.exe	35
PID 2728 wrote to memory of 2644	2728	javaapp.exe	35
PID 2728 wrote to memory of 2644	2728	javaapp.exe	35
PID 2728 wrote to memory of 2644	2728	javaapp.exe	35
PID 2728 wrote to memory of 2644	2728	javaapp.exe	35
PID 2728 wrote to memory of 2644	2728	javaapp.exe	35
PID 2728 wrote to memory of 2644	2728	javaapp.exe	35
PID 2728 wrote to memory of 2644	2728	javaapp.exe	35
PID 2832 wrote to memory of 1912	2832	javaapp.exe	38
PID 2832 wrote to memory of 1912	2832	javaapp.exe	38
PID 2832 wrote to memory of 1912	2832	javaapp.exe	38
PID 2832 wrote to memory of 1912	2832	javaapp.exe	38
PID 2832 wrote to memory of 1912	2832	javaapp.exe	38
PID 2832 wrote to memory of 1912	2832	javaapp.exe	38
PID 2832 wrote to memory of 1912	2832	javaapp.exe	38

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_813ef74a1bca40e5c85900e935fea731.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_813ef74a1bca40e5c85900e935fea731.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1904
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\ivMwk.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1004
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "taskmgr.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\javaapp.exe" /f
    3⤵
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    PID:2820
- C:\Users\Admin\AppData\Roaming\javaapp.exe
  "C:\Users\Admin\AppData\Roaming\javaapp.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2728
- - C:\Users\Admin\AppData\Roaming\javaapp.exe
    C:\Users\Admin\AppData\Roaming\javaapp.exe
    3⤵
    - Adds policy Run key to start application
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2832
  - - C:\Windows\SysWOW64\regsvr32.exe
      regsvr32.exe "C:\Users\Admin\AppData\Roaming\MSWINSCK.OCX" /s
      4⤵
      System Location Discovery: System Language Discovery
      PID:1912
- - C:\Users\Admin\AppData\Roaming\javaapp.exe
    C:\Users\Admin\AppData\Roaming\javaapp.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:2644

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ivMwk.bat

Filesize
138B

MD5
82b9def59f20dc41ad0dee7614a2d65c

SHA1
011c87c566365711f85b7ff526627a1ca9de82a8

SHA256
beb9a0f56d7ae363042417b854c507067793df523857c05460a9906ed93519b8

SHA512
21777dfa785f68091854d946ca5a801bab9a2c572584526d5494517bf9adacb77d5e406de960b8175a626a8a6e14f835b133cbf215279d96aa1b8f8f9099bfb2

Download Submit
C:\Users\Admin\AppData\Roaming\MSWINSCK.OCX

Filesize
11KB

MD5
b7759166a0f1807b202b45f510c2172e

SHA1
ef160ebdf82a6cadd27197fb589a3786e58e3fa5

SHA256
825eb1a627f34c3d1fad85cb5904b5ac0fded65f677c5a85fa992e42c450fd99

SHA512
5085882d85f2d3ab9fa2c2b3bfbde24072ae732b02529946700df1ee92fbafb0e7d305bf21f6034b44012d310495bc7ebd4826b226685a1cc3790b429d0169ec

Download Submit
\Users\Admin\AppData\Roaming\javaapp.exe

Filesize
139KB

MD5
813ef74a1bca40e5c85900e935fea731

SHA1
647d23f2207938a8805f6b9ef1a0b7239ce80b17

SHA256
637298a96b71e285cab13eaac31818e1681060fefa15c1ac58e8fe77dcb6be3e

SHA512
1c03c1fae8565c759c60dcdf2d7b58b27d45908fd4e36a44b30ae539a766091705f447560d1a19120f10212f50c4c27fc296e0145cea7bc8712c7f48b3d18c15

Download Submit
memory/1904-0-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download
memory/1904-22-0x0000000003780000-0x000000000383E000-memory.dmp

Filesize
760KB

Download
memory/1904-35-0x0000000003780000-0x000000000383E000-memory.dmp

Filesize
760KB

Download
memory/1904-38-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download
memory/2644-55-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/2644-71-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/2644-52-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/2644-56-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/2644-60-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/2728-61-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download
memory/2728-51-0x0000000002AF0000-0x0000000002BAE000-memory.dmp

Filesize
760KB

Download
memory/2728-41-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download
memory/2832-50-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2832-44-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2832-68-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2832-48-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2832-74-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2832-202-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads