Analysis

  • max time kernel
    146s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240319-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240319-enlocale:en-usos:windows10-2004-x64system
  • submitted
    04-04-2024 01:34

General

  • Target

    ac1247ec24ed0024003f6ae568d688f8_JaffaCakes118.exe

  • Size

    5.8MB

  • MD5

    ac1247ec24ed0024003f6ae568d688f8

  • SHA1

    ed3f14a80e9ff8bdcea62753799304d48e83afa0

  • SHA256

    f6ac93058c6257dee00946df9f7d2c56290386750d38fc2ebc00dc23c58b2353

  • SHA512

    3e4ea371139f7d4423d54e79805598f7f79e4f053c5bbff6d214045b44c9604db2fb6b1c9695ef75c786b2550176460a70d80be19e451ddc6f0ee910f8c2ee5d

  • SSDEEP

    98304:ucLhcHp5ooEAnHRVN07KgHDpS18DqBRe7qxKfT1J+tNY3LU4rI2qo:uc1g53HRVu7vHDpS1IqBRU7kCs2q

Malware Config

Signatures

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Obfuscated with Agile.Net obfuscator 1 IoCs

    Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

  • Themida packer 5 IoCs

    Detects Themida, an advanced Windows software protection system.

  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ac1247ec24ed0024003f6ae568d688f8_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\ac1247ec24ed0024003f6ae568d688f8_JaffaCakes118.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Checks computer location settings
    • Loads dropped DLL
    • Checks whether UAC is enabled
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious use of WriteProcessMemory
    PID:3236
    • C:\Users\Admin\AppData\Local\Temp\uranigger.exe
      "C:\Users\Admin\AppData\Local\Temp\uranigger.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:3096
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        dw20.exe -x -s 844
        3⤵
        • Checks processor information in registry
        • Enumerates system info in registry
        • Suspicious use of AdjustPrivilegeToken
        PID:1720
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3252 --field-trial-handle=2536,i,8161505972217706694,705854963991409854,262144 --variations-seed-version /prefetch:8
    1⤵
      PID:4308

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\956af42f-64cf-459d-ac64-6a6100c842f9\AgileDotNetRT.dll

      Filesize

      2.2MB

      MD5

      2d86c4ad18524003d56c1cb27c549ba8

      SHA1

      123007f9337364e044b87deacf6793c2027c8f47

      SHA256

      091ab8a1acdab40c544bd1e5c91a96881acc318cac4df5235e1b5673f5489280

      SHA512

      0dd5204733b3c20932aeea2cebf0ca1eeca70e4b3b3b8932d78d952a8f762f0b96ebdbdaf217e95889c02ec6a39b8f9919fd4c0cba56bb629256e71fa61faa3c

    • C:\Users\Admin\AppData\Local\Temp\uranigger.exe

      Filesize

      524KB

      MD5

      10b558706690282a3807ccce1b334e14

      SHA1

      49b7d8c418e6cdd0cc626033b1f02b5b8dd8377e

      SHA256

      87d0cdf3d07df967d23c4399114212dd0832cdca68b329d181ba40637972a9a9

      SHA512

      4055bfa748a86a7141e6a331517564e7fefc23f39c62577c6eb7fbf3b0741e5b22d76e5e5407f13eb824e96b21eab1c068b717ef695413ee40ca20d94da41295

    • memory/3096-38-0x0000000074EC0000-0x0000000075471000-memory.dmp

      Filesize

      5.7MB

    • memory/3096-31-0x0000000074EC0000-0x0000000075471000-memory.dmp

      Filesize

      5.7MB

    • memory/3096-29-0x00000000019E0000-0x00000000019F0000-memory.dmp

      Filesize

      64KB

    • memory/3096-28-0x0000000074EC0000-0x0000000075471000-memory.dmp

      Filesize

      5.7MB

    • memory/3236-14-0x0000000073BE0000-0x0000000073C3B000-memory.dmp

      Filesize

      364KB

    • memory/3236-13-0x0000000072DF0000-0x00000000733F8000-memory.dmp

      Filesize

      6.0MB

    • memory/3236-0-0x0000000074EC0000-0x0000000075471000-memory.dmp

      Filesize

      5.7MB

    • memory/3236-12-0x0000000072DF0000-0x00000000733F8000-memory.dmp

      Filesize

      6.0MB

    • memory/3236-11-0x00000000777E4000-0x00000000777E6000-memory.dmp

      Filesize

      8KB

    • memory/3236-10-0x0000000072DF0000-0x00000000733F8000-memory.dmp

      Filesize

      6.0MB

    • memory/3236-30-0x0000000074EC0000-0x0000000075471000-memory.dmp

      Filesize

      5.7MB

    • memory/3236-2-0x0000000001480000-0x0000000001490000-memory.dmp

      Filesize

      64KB

    • memory/3236-27-0x0000000072DF0000-0x00000000733F8000-memory.dmp

      Filesize

      6.0MB

    • memory/3236-1-0x0000000074EC0000-0x0000000075471000-memory.dmp

      Filesize

      5.7MB