fedefcfd77d1bf5826b7a94d92481c93a35d19db2d24aa61406954a4b61f7b9e

Analysis

max time kernel
141s
max time network
122s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
06-04-2024 21:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e35575598dc806a16ca43a2e565bbd3d_JaffaCakes118.exe
Size

6.6MB
MD5

e35575598dc806a16ca43a2e565bbd3d
SHA1

a8494670848886ee5e3cbe2e29c1a549349a9b16
SHA256

fedefcfd77d1bf5826b7a94d92481c93a35d19db2d24aa61406954a4b61f7b9e
SHA512

6df40380dc586043332ffee3eedc5fb270946c8d083b6229dcea421bc3eb7e9a966354718dc78430478f1567776e0a2bdd833a4fb1f3de506ab7a6f22af22de7
SSDEEP

196608:/4CoUiu9Yuw7SEgvOFcjD0azHEWYkjSMzGcb8R:gHUbZw7S9vOFcjLgWfSMFgR

Score

9^/10

agilenet evasion themida trojan

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

e35575598dc806a16ca43a2e565bbd3d_JaffaCakes118.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ e35575598dc806a16ca43a2e565bbd3d_JaffaCakes118.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	e35575598dc806a16ca43a2e565bbd3d_JaffaCakes118.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

e35575598dc806a16ca43a2e565bbd3d_JaffaCakes118.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	e35575598dc806a16ca43a2e565bbd3d_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	e35575598dc806a16ca43a2e565bbd3d_JaffaCakes118.exe

Obfuscated with Agile.Net obfuscator 5 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

Processes:

resource	yara_rule
behavioral1/memory/2512-28-0x00000000003C0000-0x00000000003E0000-memory.dmp	agile_net
behavioral1/memory/2512-29-0x0000000000F10000-0x0000000000F30000-memory.dmp	agile_net
behavioral1/memory/2512-30-0x0000000000540000-0x000000000054E000-memory.dmp	agile_net
behavioral1/memory/2512-31-0x00000000051E0000-0x000000000524E000-memory.dmp	agile_net
behavioral1/memory/2512-32-0x0000000007450000-0x000000000759A000-memory.dmp	agile_net

Themida packer 1 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
behavioral1/memory/2512-25-0x00000000010C0000-0x0000000001C28000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

e35575598dc806a16ca43a2e565bbd3d_JaffaCakes118.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	e35575598dc806a16ca43a2e565bbd3d_JaffaCakes118.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

e35575598dc806a16ca43a2e565bbd3d_JaffaCakes118.exe

pid process

2512 e35575598dc806a16ca43a2e565bbd3d_JaffaCakes118.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2804 2512 WerFault.exe e35575598dc806a16ca43a2e565bbd3d_JaffaCakes118.exe

pid	process
2512	e35575598dc806a16ca43a2e565bbd3d_JaffaCakes118.exe

pid	pid_target	process	target process
2804	2512	WerFault.exe	e35575598dc806a16ca43a2e565bbd3d_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

e35575598dc806a16ca43a2e565bbd3d_JaffaCakes118.exe

description	pid	process	target process
PID 2512 wrote to memory of 2804	2512	e35575598dc806a16ca43a2e565bbd3d_JaffaCakes118.exe	WerFault.exe
PID 2512 wrote to memory of 2804	2512	e35575598dc806a16ca43a2e565bbd3d_JaffaCakes118.exe	WerFault.exe
PID 2512 wrote to memory of 2804	2512	e35575598dc806a16ca43a2e565bbd3d_JaffaCakes118.exe	WerFault.exe
PID 2512 wrote to memory of 2804	2512	e35575598dc806a16ca43a2e565bbd3d_JaffaCakes118.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\e35575598dc806a16ca43a2e565bbd3d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e35575598dc806a16ca43a2e565bbd3d_JaffaCakes118.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
PID:2512

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2512 -s 956
2⤵
- Program crash
PID:2804

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2512-0-0x00000000010C0000-0x0000000001C28000-memory.dmp

Filesize
11.4MB

Download
memory/2512-1-0x0000000076CA0000-0x0000000076DB0000-memory.dmp

Filesize
1.1MB

Download
memory/2512-3-0x0000000076CA0000-0x0000000076DB0000-memory.dmp

Filesize
1.1MB

Download
memory/2512-4-0x0000000076CA0000-0x0000000076DB0000-memory.dmp

Filesize
1.1MB

Download
memory/2512-2-0x0000000076670000-0x00000000766B7000-memory.dmp

Filesize
284KB

Download
memory/2512-6-0x0000000076CA0000-0x0000000076DB0000-memory.dmp

Filesize
1.1MB

Download
memory/2512-7-0x0000000076CA0000-0x0000000076DB0000-memory.dmp

Filesize
1.1MB

Download
memory/2512-5-0x0000000076CA0000-0x0000000076DB0000-memory.dmp

Filesize
1.1MB

Download
memory/2512-8-0x0000000076CA0000-0x0000000076DB0000-memory.dmp

Filesize
1.1MB

Download
memory/2512-9-0x0000000076CA0000-0x0000000076DB0000-memory.dmp

Filesize
1.1MB

Download
memory/2512-11-0x0000000076CA0000-0x0000000076DB0000-memory.dmp

Filesize
1.1MB

Download
memory/2512-12-0x0000000076670000-0x00000000766B7000-memory.dmp

Filesize
284KB

Download
memory/2512-14-0x0000000076CA0000-0x0000000076DB0000-memory.dmp

Filesize
1.1MB

Download
memory/2512-10-0x0000000076CA0000-0x0000000076DB0000-memory.dmp

Filesize
1.1MB

Download
memory/2512-16-0x0000000076CA0000-0x0000000076DB0000-memory.dmp

Filesize
1.1MB

Download
memory/2512-18-0x0000000076CA0000-0x0000000076DB0000-memory.dmp

Filesize
1.1MB

Download
memory/2512-21-0x0000000076CA0000-0x0000000076DB0000-memory.dmp

Filesize
1.1MB

Download
memory/2512-23-0x00000000775B0000-0x00000000775B2000-memory.dmp

Filesize
8KB

Download
memory/2512-22-0x0000000076CA0000-0x0000000076DB0000-memory.dmp

Filesize
1.1MB

Download
memory/2512-20-0x0000000076CA0000-0x0000000076DB0000-memory.dmp

Filesize
1.1MB

Download
memory/2512-24-0x00000000745C0000-0x0000000074CAE000-memory.dmp

Filesize
6.9MB

Download
memory/2512-25-0x00000000010C0000-0x0000000001C28000-memory.dmp

Filesize
11.4MB

Download
memory/2512-26-0x00000000056A0000-0x00000000056E0000-memory.dmp

Filesize
256KB

Download
memory/2512-28-0x00000000003C0000-0x00000000003E0000-memory.dmp

Filesize
128KB

Download
memory/2512-27-0x0000000005F50000-0x0000000006322000-memory.dmp

Filesize
3.8MB

Download
memory/2512-29-0x0000000000F10000-0x0000000000F30000-memory.dmp

Filesize
128KB

Download
memory/2512-30-0x0000000000540000-0x000000000054E000-memory.dmp

Filesize
56KB

Download
memory/2512-31-0x00000000051E0000-0x000000000524E000-memory.dmp

Filesize
440KB

Download
memory/2512-32-0x0000000007450000-0x000000000759A000-memory.dmp

Filesize
1.3MB

Download
memory/2512-34-0x0000000005370000-0x00000000053A0000-memory.dmp

Filesize
192KB

Download
memory/2512-33-0x00000000079B0000-0x0000000007AC6000-memory.dmp

Filesize
1.1MB

Download
memory/2512-36-0x00000000010C0000-0x0000000001C28000-memory.dmp

Filesize
11.4MB

Download
memory/2512-37-0x0000000076670000-0x00000000766B7000-memory.dmp

Filesize
284KB

Download
memory/2512-38-0x0000000076CA0000-0x0000000076DB0000-memory.dmp

Filesize
1.1MB

Download
memory/2512-39-0x0000000076CA0000-0x0000000076DB0000-memory.dmp

Filesize
1.1MB

Download
memory/2512-40-0x0000000076CA0000-0x0000000076DB0000-memory.dmp

Filesize
1.1MB

Download
memory/2512-41-0x0000000076CA0000-0x0000000076DB0000-memory.dmp

Filesize
1.1MB

Download
memory/2512-42-0x0000000076CA0000-0x0000000076DB0000-memory.dmp

Filesize
1.1MB

Download
memory/2512-43-0x0000000076CA0000-0x0000000076DB0000-memory.dmp

Filesize
1.1MB

Download
memory/2512-45-0x0000000076CA0000-0x0000000076DB0000-memory.dmp

Filesize
1.1MB

Download
memory/2512-46-0x00000000745C0000-0x0000000074CAE000-memory.dmp

Filesize
6.9MB

Download