fedefcfd77d1bf5826b7a94d92481c93a35d19db2d24aa61406954a4b61f7b9e

General

Target

e35575598dc806a16ca43a2e565bbd3d_JaffaCakes118.exe
Size

6.6MB
MD5

e35575598dc806a16ca43a2e565bbd3d
SHA1

a8494670848886ee5e3cbe2e29c1a549349a9b16
SHA256

fedefcfd77d1bf5826b7a94d92481c93a35d19db2d24aa61406954a4b61f7b9e
SHA512

6df40380dc586043332ffee3eedc5fb270946c8d083b6229dcea421bc3eb7e9a966354718dc78430478f1567776e0a2bdd833a4fb1f3de506ab7a6f22af22de7
SSDEEP

196608:/4CoUiu9Yuw7SEgvOFcjD0azHEWYkjSMzGcb8R:gHUbZw7S9vOFcjLgWfSMFgR

Score

9^/10

agilenet evasion themida trojan

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

e35575598dc806a16ca43a2e565bbd3d_JaffaCakes118.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ e35575598dc806a16ca43a2e565bbd3d_JaffaCakes118.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	e35575598dc806a16ca43a2e565bbd3d_JaffaCakes118.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

e35575598dc806a16ca43a2e565bbd3d_JaffaCakes118.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	e35575598dc806a16ca43a2e565bbd3d_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	e35575598dc806a16ca43a2e565bbd3d_JaffaCakes118.exe

Obfuscated with Agile.Net obfuscator 5 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

Processes:

resource	yara_rule
behavioral2/memory/2344-16-0x0000000005AB0000-0x0000000005AD0000-memory.dmp	agile_net
behavioral2/memory/2344-17-0x0000000005FF0000-0x0000000006010000-memory.dmp	agile_net
behavioral2/memory/2344-18-0x0000000005C40000-0x0000000005C4E000-memory.dmp	agile_net
behavioral2/memory/2344-19-0x0000000006020000-0x000000000608E000-memory.dmp	agile_net
behavioral2/memory/2344-20-0x0000000007B50000-0x0000000007C9A000-memory.dmp	agile_net

Themida packer 2 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
behavioral2/memory/2344-9-0x0000000000890000-0x00000000013F8000-memory.dmp	themida
behavioral2/memory/2344-24-0x0000000000890000-0x00000000013F8000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

e35575598dc806a16ca43a2e565bbd3d_JaffaCakes118.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	e35575598dc806a16ca43a2e565bbd3d_JaffaCakes118.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

e35575598dc806a16ca43a2e565bbd3d_JaffaCakes118.exe

pid process

2344 e35575598dc806a16ca43a2e565bbd3d_JaffaCakes118.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

692 2344 WerFault.exe e35575598dc806a16ca43a2e565bbd3d_JaffaCakes118.exe

pid	process
2344	e35575598dc806a16ca43a2e565bbd3d_JaffaCakes118.exe

pid	pid_target	process	target process
692	2344	WerFault.exe	e35575598dc806a16ca43a2e565bbd3d_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\e35575598dc806a16ca43a2e565bbd3d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e35575598dc806a16ca43a2e565bbd3d_JaffaCakes118.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:2344

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2344 -s 1460
2⤵
- Program crash
PID:692

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 376 -p 2344 -ip 2344
1⤵
PID:3176

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

1

T1497

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Virtualization/Sandbox Evasion

1

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2344-0-0x0000000000890000-0x00000000013F8000-memory.dmp

Filesize
11.4MB

Download
memory/2344-1-0x0000000076B80000-0x0000000076C70000-memory.dmp

Filesize
960KB

Download
memory/2344-2-0x0000000076B80000-0x0000000076C70000-memory.dmp

Filesize
960KB

Download
memory/2344-3-0x00000000778C2000-0x00000000778C3000-memory.dmp

Filesize
4KB

Download
memory/2344-4-0x0000000076B80000-0x0000000076C70000-memory.dmp

Filesize
960KB

Download
memory/2344-5-0x00000000778C4000-0x00000000778C6000-memory.dmp

Filesize
8KB

Download
memory/2344-9-0x0000000000890000-0x00000000013F8000-memory.dmp

Filesize
11.4MB

Download
memory/2344-10-0x0000000005970000-0x0000000005A0C000-memory.dmp

Filesize
624KB

Download
memory/2344-11-0x0000000006090000-0x0000000006634000-memory.dmp

Filesize
5.6MB

Download
memory/2344-12-0x0000000005A10000-0x0000000005AA2000-memory.dmp

Filesize
584KB

Download
memory/2344-14-0x0000000005C60000-0x0000000005CB6000-memory.dmp

Filesize
344KB

Download
memory/2344-13-0x0000000005940000-0x000000000594A000-memory.dmp

Filesize
40KB

Download
memory/2344-15-0x0000000006640000-0x0000000006A12000-memory.dmp

Filesize
3.8MB

Download
memory/2344-16-0x0000000005AB0000-0x0000000005AD0000-memory.dmp

Filesize
128KB

Download
memory/2344-17-0x0000000005FF0000-0x0000000006010000-memory.dmp

Filesize
128KB

Download
memory/2344-18-0x0000000005C40000-0x0000000005C4E000-memory.dmp

Filesize
56KB

Download
memory/2344-19-0x0000000006020000-0x000000000608E000-memory.dmp

Filesize
440KB

Download
memory/2344-20-0x0000000007B50000-0x0000000007C9A000-memory.dmp

Filesize
1.3MB

Download
memory/2344-21-0x0000000008F50000-0x0000000009066000-memory.dmp

Filesize
1.1MB

Download
memory/2344-22-0x0000000009070000-0x00000000090A0000-memory.dmp

Filesize
192KB

Download
memory/2344-25-0x0000000076B80000-0x0000000076C70000-memory.dmp

Filesize
960KB

Download
memory/2344-24-0x0000000000890000-0x00000000013F8000-memory.dmp

Filesize
11.4MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads