vobfus | 637298a96b71e285cab13eaac31818e1681060fefa15c1ac58e8fe77dcb6be3e

Analysis

max time kernel
149s
max time network
139s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
20/03/2025, 04:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_813ef74a1bca40e5c85900e935fea731.exe
Size

139KB
MD5

813ef74a1bca40e5c85900e935fea731
SHA1

647d23f2207938a8805f6b9ef1a0b7239ce80b17
SHA256

637298a96b71e285cab13eaac31818e1681060fefa15c1ac58e8fe77dcb6be3e
SHA512

1c03c1fae8565c759c60dcdf2d7b58b27d45908fd4e36a44b30ae539a766091705f447560d1a19120f10212f50c4c27fc296e0145cea7bc8712c7f48b3d18c15
SSDEEP

3072:oTD000dF8abVEpC/AOcTkv9HEmlj8vXgRbpD1mWNraG1cjouty:cDs/yCoOctml7prxfcjoS

Score

10^/10

vobfus discovery persistence upx worm

Malware Config

Signatures

Vobfus
A widespread worm which spreads via network drives and removable media.
worm vobfus
Vobfus family
vobfus

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run	javaapp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\taskmgr = "C:\\Users\\Admin\\AppData\\Roaming\\taskmgr.exe"	javaapp.exe
Key created	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\run	javaapp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\taskmgr = "C:\\Users\\Admin\\AppData\\Roaming\\taskmgr.exe"	javaapp.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	JaffaCakes118_813ef74a1bca40e5c85900e935fea731.exe

Executes dropped EXE 3 IoCs

pid	Process
2668	javaapp.exe
2384	javaapp.exe
848	javaapp.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskmgr = "C:\\Users\\Admin\\AppData\\Roaming\\taskmgr.exe"	javaapp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskmgr.exe = "C:\\Users\\Admin\\AppData\\Roaming\\javaapp.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\taskmgr = "C:\\Users\\Admin\\AppData\\Roaming\\taskmgr.exe"	javaapp.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2668 set thread context of 2384	2668	javaapp.exe	94
PID 2668 set thread context of 848	2668	javaapp.exe	95

UPX packed file 11 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/5920-0-0x0000000000400000-0x00000000004BE000-memory.dmp	upx
behavioral2/files/0x00070000000242c0-11.dat	upx
behavioral2/memory/5920-19-0x0000000000400000-0x00000000004BE000-memory.dmp	upx
behavioral2/memory/2384-22-0x0000000000400000-0x000000000042C000-memory.dmp	upx
behavioral2/memory/2384-27-0x0000000000400000-0x000000000042C000-memory.dmp	upx
behavioral2/memory/2384-25-0x0000000000400000-0x000000000042C000-memory.dmp	upx
behavioral2/memory/2668-41-0x0000000000400000-0x00000000004BE000-memory.dmp	upx
behavioral2/memory/2384-44-0x0000000000400000-0x000000000042C000-memory.dmp	upx
behavioral2/memory/2384-46-0x0000000000400000-0x000000000042C000-memory.dmp	upx
behavioral2/memory/2384-178-0x0000000000400000-0x000000000042C000-memory.dmp	upx
behavioral2/memory/2384-203-0x0000000000400000-0x000000000042C000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	javaapp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	javaapp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	javaapp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_813ef74a1bca40e5c85900e935fea731.exe

Script User-Agent 3 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	45	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	53	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	22	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	848	javaapp.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
5920	JaffaCakes118_813ef74a1bca40e5c85900e935fea731.exe
2668	javaapp.exe
2384	javaapp.exe
848	javaapp.exe

Suspicious use of WriteProcessMemory 27 IoCs

description	pid	Process	procid_target
PID 5920 wrote to memory of 1844	5920	JaffaCakes118_813ef74a1bca40e5c85900e935fea731.exe	88
PID 5920 wrote to memory of 1844	5920	JaffaCakes118_813ef74a1bca40e5c85900e935fea731.exe	88
PID 5920 wrote to memory of 1844	5920	JaffaCakes118_813ef74a1bca40e5c85900e935fea731.exe	88
PID 1844 wrote to memory of 5588	1844	cmd.exe	92
PID 1844 wrote to memory of 5588	1844	cmd.exe	92
PID 1844 wrote to memory of 5588	1844	cmd.exe	92
PID 5920 wrote to memory of 2668	5920	JaffaCakes118_813ef74a1bca40e5c85900e935fea731.exe	93
PID 5920 wrote to memory of 2668	5920	JaffaCakes118_813ef74a1bca40e5c85900e935fea731.exe	93
PID 5920 wrote to memory of 2668	5920	JaffaCakes118_813ef74a1bca40e5c85900e935fea731.exe	93
PID 2668 wrote to memory of 2384	2668	javaapp.exe	94
PID 2668 wrote to memory of 2384	2668	javaapp.exe	94
PID 2668 wrote to memory of 2384	2668	javaapp.exe	94
PID 2668 wrote to memory of 2384	2668	javaapp.exe	94
PID 2668 wrote to memory of 2384	2668	javaapp.exe	94
PID 2668 wrote to memory of 2384	2668	javaapp.exe	94
PID 2668 wrote to memory of 2384	2668	javaapp.exe	94
PID 2668 wrote to memory of 2384	2668	javaapp.exe	94
PID 2668 wrote to memory of 848	2668	javaapp.exe	95
PID 2668 wrote to memory of 848	2668	javaapp.exe	95
PID 2668 wrote to memory of 848	2668	javaapp.exe	95
PID 2668 wrote to memory of 848	2668	javaapp.exe	95
PID 2668 wrote to memory of 848	2668	javaapp.exe	95
PID 2668 wrote to memory of 848	2668	javaapp.exe	95
PID 2668 wrote to memory of 848	2668	javaapp.exe	95
PID 2384 wrote to memory of 5976	2384	javaapp.exe	99
PID 2384 wrote to memory of 5976	2384	javaapp.exe	99
PID 2384 wrote to memory of 5976	2384	javaapp.exe	99

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_813ef74a1bca40e5c85900e935fea731.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_813ef74a1bca40e5c85900e935fea731.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5920
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EDoNl.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1844
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "taskmgr.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\javaapp.exe" /f
    3⤵
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    PID:5588
- C:\Users\Admin\AppData\Roaming\javaapp.exe
  "C:\Users\Admin\AppData\Roaming\javaapp.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2668
- - C:\Users\Admin\AppData\Roaming\javaapp.exe
    C:\Users\Admin\AppData\Roaming\javaapp.exe
    3⤵
    - Adds policy Run key to start application
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2384
  - - C:\Windows\SysWOW64\regsvr32.exe
      regsvr32.exe "C:\Users\Admin\AppData\Roaming\MSWINSCK.OCX" /s
      4⤵
      System Location Discovery: System Language Discovery
      PID:5976
- - C:\Users\Admin\AppData\Roaming\javaapp.exe
    C:\Users\Admin\AppData\Roaming\javaapp.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:848

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\EDoNl.bat

Filesize
138B

MD5
82b9def59f20dc41ad0dee7614a2d65c

SHA1
011c87c566365711f85b7ff526627a1ca9de82a8

SHA256
beb9a0f56d7ae363042417b854c507067793df523857c05460a9906ed93519b8

SHA512
21777dfa785f68091854d946ca5a801bab9a2c572584526d5494517bf9adacb77d5e406de960b8175a626a8a6e14f835b133cbf215279d96aa1b8f8f9099bfb2

Download Submit
C:\Users\Admin\AppData\Roaming\MSWINSCK.OCX

Filesize
11KB

MD5
b7759166a0f1807b202b45f510c2172e

SHA1
ef160ebdf82a6cadd27197fb589a3786e58e3fa5

SHA256
825eb1a627f34c3d1fad85cb5904b5ac0fded65f677c5a85fa992e42c450fd99

SHA512
5085882d85f2d3ab9fa2c2b3bfbde24072ae732b02529946700df1ee92fbafb0e7d305bf21f6034b44012d310495bc7ebd4826b226685a1cc3790b429d0169ec

Download Submit
C:\Users\Admin\AppData\Roaming\javaapp.exe

Filesize
139KB

MD5
813ef74a1bca40e5c85900e935fea731

SHA1
647d23f2207938a8805f6b9ef1a0b7239ce80b17

SHA256
637298a96b71e285cab13eaac31818e1681060fefa15c1ac58e8fe77dcb6be3e

SHA512
1c03c1fae8565c759c60dcdf2d7b58b27d45908fd4e36a44b30ae539a766091705f447560d1a19120f10212f50c4c27fc296e0145cea7bc8712c7f48b3d18c15

Download Submit
memory/848-39-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/848-37-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/848-45-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/848-36-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/848-32-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/848-35-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/2384-25-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2384-22-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2384-44-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2384-27-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2384-46-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2384-178-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2384-203-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2668-41-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download
memory/5920-0-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download
memory/5920-19-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads