Analysis
max time kernel: 146s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20240319-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240319-en, locale:en-us, os:windows10-2004-x64, system
submitted: 04-04-2024 01:34
Behavioral task: behavioral1
Sample: ac1247ec24ed0024003f6ae568d688f8_JaffaCakes118.exe
Resource: win7-20240221-en
General
Target: ac1247ec24ed0024003f6ae568d688f8_JaffaCakes118.exe
Size: 5.8MB
MD5: ac1247ec24ed0024003f6ae568d688f8
SHA1: ed3f14a80e9ff8bdcea62753799304d48e83afa0
SHA256: f6ac93058c6257dee00946df9f7d2c56290386750d38fc2ebc00dc23c58b2353
SHA512: 3e4ea371139f7d4423d54e79805598f7f79e4f053c5bbff6d214045b44c9604db2fb6b1c9695ef75c786b2550176460a70d80be19e451ddc6f0ee910f8c2ee5d
SSDEEP: 98304:ucLhcHp5ooEAnHRVN07KgHDpS18DqBRe7qxKfT1J+tNY3LU4rI2qo:uc1g53HRVu7vHDpS1IqBRU7kCs2q
Malware Config
Signatures
- Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 1 IoC)
  Processes (description / ioc / process):
    Key opened: \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ (ac1247ec24ed0024003f6ae568d688f8_JaffaCakes118.exe)
- Checks BIOS information in registry (2 TTPs, 2 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  Processes (description / ioc / process):
    Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (ac1247ec24ed0024003f6ae568d688f8_JaffaCakes118.exe)
    Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (ac1247ec24ed0024003f6ae568d688f8_JaffaCakes118.exe)
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  Processes (description / ioc / process):
    Key value queried: \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\Control Panel\International\Geo\Nation (ac1247ec24ed0024003f6ae568d688f8_JaffaCakes118.exe)
- Executes dropped EXE (1 IoC)
  Processes (pid / process):
    3096 uranigger.exe
- Loads dropped DLL (1 IoC)
  Processes (pid / process):
    3236 ac1247ec24ed0024003f6ae568d688f8_JaffaCakes118.exe
- Obfuscated with Agile.Net obfuscator (1 IoC)
  Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
  Processes (resource / yara_rule):
    C:\Users\Admin\AppData\Local\Temp\uranigger.exe  agile_net
- YARA rule themida matched
  Processes (resource / yara_rule):
    C:\Users\Admin\AppData\Local\Temp\956af42f-64cf-459d-ac64-6a6100c842f9\AgileDotNetRT.dll  themida
    behavioral2/memory/3236-10-0x0000000072DF0000-0x00000000733F8000-memory.dmp  themida
    behavioral2/memory/3236-12-0x0000000072DF0000-0x00000000733F8000-memory.dmp  themida
    behavioral2/memory/3236-13-0x0000000072DF0000-0x00000000733F8000-memory.dmp  themida
    behavioral2/memory/3236-27-0x0000000072DF0000-0x00000000733F8000-memory.dmp  themida
- Checks whether UAC is enabled
  Processes (description / ioc / process):
    Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (ac1247ec24ed0024003f6ae568d688f8_JaffaCakes118.exe)
- Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoC)
  Processes (pid / process):
    3236 ac1247ec24ed0024003f6ae568d688f8_JaffaCakes118.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes (description / ioc / process):
    Key opened: \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 (dw20.exe)
    Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (dw20.exe)
    Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (dw20.exe)
- Enumerates system info in registry (2 TTPs, 2 IoCs)
  Processes (description / ioc / process):
    Key opened: \REGISTRY\MACHINE\Hardware\Description\System\BIOS (dw20.exe)
    Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU (dw20.exe)
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  Processes (description / pid / process):
    Token: SeRestorePrivilege  1720 dw20.exe
    Token: SeBackupPrivilege  1720 dw20.exe
    Token: SeBackupPrivilege  1720 dw20.exe
    Token: SeBackupPrivilege  1720 dw20.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes (description / pid / process / target process):
    PID 3236 wrote to memory of 3096  3236 ac1247ec24ed0024003f6ae568d688f8_JaffaCakes118.exe -> uranigger.exe
    PID 3236 wrote to memory of 3096  3236 ac1247ec24ed0024003f6ae568d688f8_JaffaCakes118.exe -> uranigger.exe
    PID 3236 wrote to memory of 3096  3236 ac1247ec24ed0024003f6ae568d688f8_JaffaCakes118.exe -> uranigger.exe
    PID 3096 wrote to memory of 1720  3096 uranigger.exe -> dw20.exe
    PID 3096 wrote to memory of 1720  3096 uranigger.exe -> dw20.exe
    PID 3096 wrote to memory of 1720  3096 uranigger.exe -> dw20.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\ac1247ec24ed0024003f6ae568d688f8_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\ac1247ec24ed0024003f6ae568d688f8_JaffaCakes118.exe"
  PID: 3236
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Checks computer location settings
  - Loads dropped DLL
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\uranigger.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\uranigger.exe"
    PID: 3096
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      Command line: dw20.exe -x -s 844
      PID: 1720
      - Checks processor information in registry
      - Enumerates system info in registry
      - Suspicious use of AdjustPrivilegeToken
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3252 --field-trial-handle=2536,i,8161505972217706694,705854963991409854,262144 --variations-seed-version /prefetch:8
  PID: 4308
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 2.2MB
  MD5: 2d86c4ad18524003d56c1cb27c549ba8
  SHA1: 123007f9337364e044b87deacf6793c2027c8f47
  SHA256: 091ab8a1acdab40c544bd1e5c91a96881acc318cac4df5235e1b5673f5489280
  SHA512: 0dd5204733b3c20932aeea2cebf0ca1eeca70e4b3b3b8932d78d952a8f762f0b96ebdbdaf217e95889c02ec6a39b8f9919fd4c0cba56bb629256e71fa61faa3c
- Filesize: 524KB
  MD5: 10b558706690282a3807ccce1b334e14
  SHA1: 49b7d8c418e6cdd0cc626033b1f02b5b8dd8377e
  SHA256: 87d0cdf3d07df967d23c4399114212dd0832cdca68b329d181ba40637972a9a9
  SHA512: 4055bfa748a86a7141e6a331517564e7fefc23f39c62577c6eb7fbf3b0741e5b22d76e5e5407f13eb824e96b21eab1c068b717ef695413ee40ca20d94da41295