Analysis
max time kernel: 147s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 06/04/2024, 11:39
Static task: static1
Behavioral task: behavioral1
Sample: e275365c0a8684b5dce1b5b626cb8649_JaffaCakes118.exe
Resource: win7-20240221-en
General
Target: e275365c0a8684b5dce1b5b626cb8649_JaffaCakes118.exe
Size: 9.4MB
MD5: e275365c0a8684b5dce1b5b626cb8649
SHA1: fdb2e76b53e55f5083774349998815c598074e22
SHA256: f4f37faf7b52b7544ee58a029dcc54a71941aedcdd2b4eacda2f39c3217aad48
SHA512: 3c8f459d5676274bd0e71e263abff0c8f582a8dc83acc3169aabe98ae6538e58162990c1c405bd81d1ef681451f52af5e17e78f589fffac94151fa05e69533d1
SSDEEP: 196608:dlUuy1BuQSR82yCz4M2p9G3ZkOoh+vbXrKDfjOg/JsXHo4ba+:414QSNyCsG3iOzqWhH/bD
Malware Config
Signatures

SectopRAT payload (2 IoCs)
  resource | yara_rule
  behavioral2/memory/3464-35-0x00000000000C0000-0x0000000000EFE000-memory.dmp | family_sectoprat
  behavioral2/memory/3464-36-0x00000000000C0000-0x0000000000EFE000-memory.dmp | family_sectoprat

Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 1 IoC)
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | UpdateChecker.exe

Checks BIOS information in registry (2 TTPs, 2 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | UpdateChecker.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | UpdateChecker.exe

Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence check.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation | e275365c0a8684b5dce1b5b626cb8649_JaffaCakes118.exe

Executes dropped EXE (2 IoCs)
  pid | Process
  3464 | UpdateChecker.exe
  1804 | Snakyheaded.exe

themida yara rule matches
  resource | yara_rule
  behavioral2/files/0x00090000000231fe-6.dat | themida
  behavioral2/memory/3464-35-0x00000000000C0000-0x0000000000EFE000-memory.dmp | themida
  behavioral2/memory/3464-36-0x00000000000C0000-0x0000000000EFE000-memory.dmp | themida

Checks whether UAC is enabled
  description | ioc | Process
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | UpdateChecker.exe

Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoC)
  pid | Process
  3464 | UpdateChecker.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Suspicious use of WriteProcessMemory (5 IoCs)
  description | pid | Process | procid_target
  PID 4116 wrote to memory of 3464 | 4116 | e275365c0a8684b5dce1b5b626cb8649_JaffaCakes118.exe | 84
  PID 4116 wrote to memory of 3464 | 4116 | e275365c0a8684b5dce1b5b626cb8649_JaffaCakes118.exe | 84
  PID 4116 wrote to memory of 3464 | 4116 | e275365c0a8684b5dce1b5b626cb8649_JaffaCakes118.exe | 84
  PID 4116 wrote to memory of 1804 | 4116 | e275365c0a8684b5dce1b5b626cb8649_JaffaCakes118.exe | 87
  PID 4116 wrote to memory of 1804 | 4116 | e275365c0a8684b5dce1b5b626cb8649_JaffaCakes118.exe | 87
Processes

C:\Users\Admin\AppData\Local\Temp\e275365c0a8684b5dce1b5b626cb8649_JaffaCakes118.exe (level 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\e275365c0a8684b5dce1b5b626cb8649_JaffaCakes118.exe"
  PID: 4116
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\UpdateChecker.exe (level 2, child of PID 4116)
    command line: "C:\Users\Admin\AppData\Local\Temp\UpdateChecker.exe"
    PID: 3464
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger

  C:\Users\Admin\AppData\Local\Temp\Snakyheaded.exe (level 2, child of PID 4116)
    command line: "C:\Users\Admin\AppData\Local\Temp\Snakyheaded.exe"
    PID: 1804
    - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 3.9MB
MD5: 60da19010d8555edc5d5abf7520a0f6f
SHA1: cd3494b05643b5cbe42796a00ce0502259c3483a
SHA256: 9ff2e5069461fdf638a4fa11c6a89ef53b5c65a74bb08dc0f16b46b885f67221
SHA512: 177dbefaacc714db3a35b112930dba02ff5725563dacde35dbc2ac5914888be302651caf4fe4239ba0b8ea719c29b409daec024cfbd4f91f09a11ce75d92f500

Filesize: 5.4MB
MD5: e3d6dc87f0151a02413405cf24679168
SHA1: 536c88ef259f430f9982159344878c714408aab0
SHA256: 473b161ab7fd8802a33d016898f513b190f4e238fcf652755900a182a44a28b7
SHA512: 82d3dadcc267e0f5f9f31ade49084cc7b56ffc80861d7b124cb6e2e4ec64eceff7d6b02dd6117a342e3bff5045e66a38cae4a940ce6f3c7c6ee4cd90bb81f855