ff6a191388c63a0eba933c1d247db4b07f905728c0204d2f58bdff965c4377f1

General

Target

edc611f836805766cb477277e6503215_JaffaCakes118.exe
Size

4.3MB
MD5

edc611f836805766cb477277e6503215
SHA1

cdb18269fc7201b8b983578249878e4711730452
SHA256

ff6a191388c63a0eba933c1d247db4b07f905728c0204d2f58bdff965c4377f1
SHA512

bbcf04d1ee280d0501d80ab29ddb83c59e8d8f929246beed05495ee72cdcd0d9b2febc5d03188faeb96fa84fec958e9a86ec3a8146d9dbe33bda76697806f3aa
SSDEEP

49152:40rWePspAsProkyNs+hYwzdnAyo8DGLr30bo6hCDB2xECTZCtZEDUJ5KMJqb:ZXmNzokyFhY8May30cHDB2xbZcZ5XK

Score

9^/10

evasion

Malware Config

Signatures

Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Oracle\VirtualBox Guest Additions	Crazy Captain Malcom Deatherage.exe

Looks for VMWare Tools registry key 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\VMware, Inc.\VMware Tools	Crazy Captain Malcom Deatherage.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Crazy Captain Malcom Deatherage.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Crazy Captain Malcom Deatherage.exe

Deletes itself 1 IoCs

pid	Process
2916	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2532	Crazy Captain Malcom Deatherage.exe

Loads dropped DLL 6 IoCs

pid	Process
2120	edc611f836805766cb477277e6503215_JaffaCakes118.exe
2728	WerFault.exe
2728	WerFault.exe
2728	WerFault.exe
2728	WerFault.exe
2728	WerFault.exe

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	Crazy Captain Malcom Deatherage.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	Crazy Captain Malcom Deatherage.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 17 IoCs

pid	Process
2532	Crazy Captain Malcom Deatherage.exe
2532	Crazy Captain Malcom Deatherage.exe
2532	Crazy Captain Malcom Deatherage.exe
2532	Crazy Captain Malcom Deatherage.exe
2532	Crazy Captain Malcom Deatherage.exe
2532	Crazy Captain Malcom Deatherage.exe
2532	Crazy Captain Malcom Deatherage.exe
2532	Crazy Captain Malcom Deatherage.exe
2532	Crazy Captain Malcom Deatherage.exe
2532	Crazy Captain Malcom Deatherage.exe
2532	Crazy Captain Malcom Deatherage.exe
2532	Crazy Captain Malcom Deatherage.exe
2532	Crazy Captain Malcom Deatherage.exe
2532	Crazy Captain Malcom Deatherage.exe
2532	Crazy Captain Malcom Deatherage.exe
2532	Crazy Captain Malcom Deatherage.exe
2532	Crazy Captain Malcom Deatherage.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2728	2532	WerFault.exe	27

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2204	PING.EXE

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2120	edc611f836805766cb477277e6503215_JaffaCakes118.exe
2120	edc611f836805766cb477277e6503215_JaffaCakes118.exe
2532	Crazy Captain Malcom Deatherage.exe
2532	Crazy Captain Malcom Deatherage.exe
2532	Crazy Captain Malcom Deatherage.exe
2532	Crazy Captain Malcom Deatherage.exe
2532	Crazy Captain Malcom Deatherage.exe
2532	Crazy Captain Malcom Deatherage.exe
2532	Crazy Captain Malcom Deatherage.exe
2532	Crazy Captain Malcom Deatherage.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2120	edc611f836805766cb477277e6503215_JaffaCakes118.exe
Token: SeDebugPrivilege	2532	Crazy Captain Malcom Deatherage.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2120 wrote to memory of 2532	2120	edc611f836805766cb477277e6503215_JaffaCakes118.exe	27
PID 2120 wrote to memory of 2532	2120	edc611f836805766cb477277e6503215_JaffaCakes118.exe	27
PID 2120 wrote to memory of 2532	2120	edc611f836805766cb477277e6503215_JaffaCakes118.exe	27
PID 2120 wrote to memory of 2532	2120	edc611f836805766cb477277e6503215_JaffaCakes118.exe	27
PID 2120 wrote to memory of 2916	2120	edc611f836805766cb477277e6503215_JaffaCakes118.exe	28
PID 2120 wrote to memory of 2916	2120	edc611f836805766cb477277e6503215_JaffaCakes118.exe	28
PID 2120 wrote to memory of 2916	2120	edc611f836805766cb477277e6503215_JaffaCakes118.exe	28
PID 2120 wrote to memory of 2916	2120	edc611f836805766cb477277e6503215_JaffaCakes118.exe	28
PID 2916 wrote to memory of 2204	2916	cmd.exe	30
PID 2916 wrote to memory of 2204	2916	cmd.exe	30
PID 2916 wrote to memory of 2204	2916	cmd.exe	30
PID 2916 wrote to memory of 2204	2916	cmd.exe	30
PID 2532 wrote to memory of 2728	2532	Crazy Captain Malcom Deatherage.exe	34
PID 2532 wrote to memory of 2728	2532	Crazy Captain Malcom Deatherage.exe	34
PID 2532 wrote to memory of 2728	2532	Crazy Captain Malcom Deatherage.exe	34
PID 2532 wrote to memory of 2728	2532	Crazy Captain Malcom Deatherage.exe	34

C:\Users\Admin\AppData\Local\Temp\edc611f836805766cb477277e6503215_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\edc611f836805766cb477277e6503215_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2120
- C:\Users\Admin\AppData\Local\Temp\Crazy Captain Malcom Deatherage.exe
  "C:\Users\Admin\AppData\Local\Temp\Crazy Captain Malcom Deatherage.exe"
  2⤵
  - Looks for VirtualBox Guest Additions in registry
  - Looks for VMWare Tools registry key
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Maps connected drives based on registry
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2532
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2532 -s 848
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:2728
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\edc611f836805766cb477277e6503215_JaffaCakes118.exe"
  2⤵
  - Deletes itself
  - Suspicious use of WriteProcessMemory
  PID:2916
- - C:\Windows\SysWOW64\PING.EXE
    ping 1.1.1.1 -n 1 -w 3000
    3⤵
    - Runs ping.exe
    PID:2204

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

2

T1497

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

Remote System Discovery

1

T1018

System Information Discovery

3

T1082

Virtualization/Sandbox Evasion

2

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Bunifu_UI_v1.5.4.dll

Filesize
207KB

MD5
cfddb85e01988231beb3db5d60bb7511

SHA1
dc36c0461c725008c6c8341bfaf8c4ea63d94df3

SHA256
b3f783c4aceb2609ced9dd79226d7813b5be23a9b2cf4fc79b550dbfc52f9975

SHA512
5e33cc51217e5948d2969a7e1b11f3672d26a3b47c6867c843fdb4de930e6637d00ce05825947defc42242f7a2ae64e904a55472621082085ab4e3261e4525df

Download Submit
C:\Users\Admin\AppData\Local\Temp\Crazy Captain Malcom Deatherage.exe

Filesize
4.3MB

MD5
62786fd6de99ee4fe67f5caec99ec22a

SHA1
b4b3787fff05de3394285fd31189ec6dbc4e3a98

SHA256
0b5d0ac0d230f54a16ef18ef5c90108d8cbca04e667246568cbcc7b9f761d74d

SHA512
a37ec181b8a90c940a860c4e1a64c07872260b1c2e88ed4be40f7c02a3ec86bb8785cc5031d583b7737dccc52f08e0d64d1bdfe76948c3fb93858721e255c620

Download Submit
memory/2120-19-0x0000000000F60000-0x0000000000FA0000-memory.dmp

Filesize
256KB

Download
memory/2120-3-0x0000000000F60000-0x0000000000FA0000-memory.dmp

Filesize
256KB

Download
memory/2120-4-0x0000000000F60000-0x0000000000FA0000-memory.dmp

Filesize
256KB

Download
memory/2120-2-0x00000000072A0000-0x000000000772E000-memory.dmp

Filesize
4.6MB

Download
memory/2120-0-0x00000000010D0000-0x0000000001522000-memory.dmp

Filesize
4.3MB

Download
memory/2120-18-0x0000000074830000-0x0000000074F1E000-memory.dmp

Filesize
6.9MB

Download
memory/2120-1-0x0000000074830000-0x0000000074F1E000-memory.dmp

Filesize
6.9MB

Download
memory/2532-15-0x0000000001320000-0x0000000001772000-memory.dmp

Filesize
4.3MB

Download
memory/2532-16-0x0000000074830000-0x0000000074F1E000-memory.dmp

Filesize
6.9MB

Download
memory/2532-17-0x0000000004C70000-0x0000000004CB0000-memory.dmp

Filesize
256KB

Download
memory/2532-20-0x0000000004C70000-0x0000000004CB0000-memory.dmp

Filesize
256KB

Download
memory/2532-27-0x0000000074830000-0x0000000074F1E000-memory.dmp

Filesize
6.9MB

Download
memory/2532-28-0x0000000004C70000-0x0000000004CB0000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads