Analysis
- max time kernel: 150s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 10-04-2024 15:34
- Static task: static1
- Behavioral task: behavioral1
- Sample: eb65763fbd4c28c3afac6d08ab63c318_JaffaCakes118.exe
- Resource: win7-20240221-en
General
- Target: eb65763fbd4c28c3afac6d08ab63c318_JaffaCakes118.exe
- Size: 900KB
- MD5: eb65763fbd4c28c3afac6d08ab63c318
- SHA1: 9297b49103ab3beff2851a441b4458a58a986fcc
- SHA256: 2aebd9a1bc61ad562d8f8e1115cf21247281b3f5e5ab41305406c5bdc7c4b0ff
- SHA512: 3397ec9a0b04e8c43bfabe1fbf30894e4bd973a46488252e6223ad4e41c869c5bf08aa4194b5f492f90c489909819ec6ae1e8dafbeb226470416a16d557f6288
- SSDEEP: 12288:W22iNv4sjaq8c+6Rq0mHtRAex8AIb2IRzQqX2Su9Oqql6c+NnHIbwhgT16Ovl:R1usjatrgPeyNcqXMjqlxEH+wlO
Malware Config
- Extracted: toxiceye
- https://api.telegram.org/bot1912175024:AAFyX2DSTB35kTZDCQUzmiHwTx6F5gwOlaE/sendMessage?chat_id=1854909459
Signatures
- Looks for VirtualBox Guest Additions in registry (2 TTPs, 2 IoCs)
  Key opened: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Oracle\VirtualBox Guest Additions (eb65763fbd4c28c3afac6d08ab63c318_JaffaCakes118.exe)
  Key opened: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Oracle\VirtualBox Guest Additions (rat.exe)
- Looks for VMWare Tools registry key (2 TTPs, 2 IoCs)
  Key opened: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\VMware, Inc.\VMware Tools (eb65763fbd4c28c3afac6d08ab63c318_JaffaCakes118.exe)
  Key opened: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\VMware, Inc.\VMware Tools (rat.exe)
- Checks BIOS information in registry (2 TTPs, 4 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (eb65763fbd4c28c3afac6d08ab63c318_JaffaCakes118.exe)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (rat.exe)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (rat.exe)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (eb65763fbd4c28c3afac6d08ab63c318_JaffaCakes118.exe)
- Checks computer location settings (2 TTPs, 4 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation (eb65763fbd4c28c3afac6d08ab63c318_JaffaCakes118.exe)
  Key value queried: \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation (eb65763fbd4c28c3afac6d08ab63c318_JaffaCakes118.exe)
  Key value queried: \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation (rat.exe)
  Key value queried: \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation (rat.exe)
- Executes dropped EXE (3 IoCs)
  PID 3260 rat.exe
  PID 2220 rat.exe
  PID 3828 rat.exe
- Maps connected drives based on registry (3 TTPs, 4 IoCs)
  Disk information is often read in order to detect sandboxing environments.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum (eb65763fbd4c28c3afac6d08ab63c318_JaffaCakes118.exe)
  Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 (eb65763fbd4c28c3afac6d08ab63c318_JaffaCakes118.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum (rat.exe)
  Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 (rat.exe)
- Suspicious use of SetThreadContext (2 IoCs)
  PID 2472 (eb65763fbd4c28c3afac6d08ab63c318_JaffaCakes118.exe) set thread context of 3424, procid_target 96
  PID 3260 (rat.exe) set thread context of 3828, procid_target 109
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Creates scheduled task(s) (1 TTP, 4 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  PID 3428 schtasks.exe
  PID 4508 schtasks.exe
  PID 4324 schtasks.exe
  PID 4928 schtasks.exe
- Delays execution with timeout.exe (1 IoC)
  PID 632 timeout.exe
- Enumerates processes with tasklist (1 TTP, 1 IoC)
  PID 1468 tasklist.exe
- Suspicious behavior: AddClipboardFormatListener (1 IoC)
  PID 3828 rat.exe
- Suspicious behavior: EnumeratesProcesses (46 IoCs; identical rows shown once with their count)
  PID 2472 eb65763fbd4c28c3afac6d08ab63c318_JaffaCakes118.exe (3)
  PID 3260 rat.exe (3)
  PID 3828 rat.exe (40)
- Suspicious use of AdjustPrivilegeToken (6 IoCs)
  Token: SeDebugPrivilege, PID 2472 eb65763fbd4c28c3afac6d08ab63c318_JaffaCakes118.exe
  Token: SeDebugPrivilege, PID 3424 eb65763fbd4c28c3afac6d08ab63c318_JaffaCakes118.exe
  Token: SeDebugPrivilege, PID 1468 tasklist.exe
  Token: SeDebugPrivilege, PID 3260 rat.exe
  Token: SeDebugPrivilege, PID 3828 rat.exe
  Token: SeDebugPrivilege, PID 3828 rat.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  PID 3828 rat.exe
- Suspicious use of WriteProcessMemory (49 IoCs; identical rows shown once with their count)
  PID 2472 (eb65763fbd4c28c3afac6d08ab63c318_JaffaCakes118.exe) wrote to memory of 3428, procid_target 93 (3)
  PID 2472 (eb65763fbd4c28c3afac6d08ab63c318_JaffaCakes118.exe) wrote to memory of 2932, procid_target 95 (3)
  PID 2472 (eb65763fbd4c28c3afac6d08ab63c318_JaffaCakes118.exe) wrote to memory of 3424, procid_target 96 (8)
  PID 3424 (eb65763fbd4c28c3afac6d08ab63c318_JaffaCakes118.exe) wrote to memory of 4508, procid_target 98 (3)
  PID 3424 (eb65763fbd4c28c3afac6d08ab63c318_JaffaCakes118.exe) wrote to memory of 1636, procid_target 100 (3)
  PID 1636 (cmd.exe) wrote to memory of 1468, procid_target 102 (3)
  PID 1636 (cmd.exe) wrote to memory of 856, procid_target 103 (3)
  PID 1636 (cmd.exe) wrote to memory of 632, procid_target 104 (3)
  PID 1636 (cmd.exe) wrote to memory of 3260, procid_target 105 (3)
  PID 3260 (rat.exe) wrote to memory of 4324, procid_target 106 (3)
  PID 3260 (rat.exe) wrote to memory of 2220, procid_target 108 (3)
  PID 3260 (rat.exe) wrote to memory of 3828, procid_target 109 (8)
  PID 3828 (rat.exe) wrote to memory of 4928, procid_target 111 (3)
Processes
- C:\Users\Admin\AppData\Local\Temp\eb65763fbd4c28c3afac6d08ab63c318_JaffaCakes118.exe (PID 2472)
  Command line: "C:\Users\Admin\AppData\Local\Temp\eb65763fbd4c28c3afac6d08ab63c318_JaffaCakes118.exe"
  Signatures: Looks for VirtualBox Guest Additions in registry; Looks for VMWare Tools registry key; Checks BIOS information in registry; Checks computer location settings; Maps connected drives based on registry; Suspicious use of SetThreadContext; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\schtasks.exe (PID 3428)
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jgQtVF" /XML "C:\Users\Admin\AppData\Local\Temp\tmpEAAE.tmp"
    Signatures: Creates scheduled task(s)
  - C:\Users\Admin\AppData\Local\Temp\eb65763fbd4c28c3afac6d08ab63c318_JaffaCakes118.exe (PID 2932)
    Command line: "{path}"
  - C:\Users\Admin\AppData\Local\Temp\eb65763fbd4c28c3afac6d08ab63c318_JaffaCakes118.exe (PID 3424)
    Command line: "{path}"
    Signatures: Checks computer location settings; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\schtasks.exe (PID 4508)
      Command line: "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\ToxicEye\rat.exe"
      Signatures: Creates scheduled task(s)
    - C:\Windows\SysWOW64\cmd.exe (PID 1636)
      Command line: "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmpF898.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmpF898.tmp.bat
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\tasklist.exe (PID 1468)
        Command line: Tasklist /fi "PID eq 3424"
        Signatures: Enumerates processes with tasklist; Suspicious use of AdjustPrivilegeToken
      - C:\Windows\SysWOW64\find.exe (PID 856)
        Command line: find ":"
      - C:\Windows\SysWOW64\timeout.exe (PID 632)
        Command line: Timeout /T 1 /Nobreak
        Signatures: Delays execution with timeout.exe
      - C:\Users\ToxicEye\rat.exe (PID 3260)
        Command line: "rat.exe"
        Signatures: Looks for VirtualBox Guest Additions in registry; Looks for VMWare Tools registry key; Checks BIOS information in registry; Checks computer location settings; Executes dropped EXE; Maps connected drives based on registry; Suspicious use of SetThreadContext; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\schtasks.exe (PID 4324)
          Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jgQtVF" /XML "C:\Users\Admin\AppData\Local\Temp\tmpA042.tmp"
          Signatures: Creates scheduled task(s)
        - C:\Users\ToxicEye\rat.exe (PID 2220)
          Command line: "{path}"
          Signatures: Executes dropped EXE
        - C:\Users\ToxicEye\rat.exe (PID 3828)
          Command line: "{path}"
          Signatures: Checks computer location settings; Executes dropped EXE; Suspicious behavior: AddClipboardFormatListener; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
          - C:\Windows\SysWOW64\schtasks.exe (PID 4928)
            Command line: "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\ToxicEye\rat.exe"
            Signatures: Creates scheduled task(s)
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\eb65763fbd4c28c3afac6d08ab63c318_JaffaCakes118.exe.log
  Filesize: 1KB
  MD5: e08f822522c617a40840c62e4b0fb45e
  SHA1: ae516dca4da5234be6676d3f234c19ec55725be7
  SHA256: bd9d5e9f7fe6fcff17d873555d4077d15f7d6cdda1183e7f7d278b735ffe1fd7
  SHA512: 894a7fb7bbc18ac6ba13378f58a7db80ad00d6080be9a66b01cae8e23e41d9d2d4cd53c1e20669356b73590c8a3ebfda4bdda3258f81240db56c4a81b7313fe4