Analysis
-
max time kernel
154s -
max time network
162s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
12/04/2024, 03:03
Behavioral task
behavioral1
Sample
eefa6d65ae3c059aeda47da1b1ebe5f3_JaffaCakes118.exe
Resource
win7-20240221-en
8 signatures
150 seconds
General
-
Target
eefa6d65ae3c059aeda47da1b1ebe5f3_JaffaCakes118.exe
-
Size
3.9MB
-
MD5
eefa6d65ae3c059aeda47da1b1ebe5f3
-
SHA1
abda62e405e16966348c7894143054c24452ac8b
-
SHA256
6c1287c0a1d7c8912b6e7eb6588921931e7f5e0b108ed6e87a7fa796bdcc6137
-
SHA512
3ac55072079cb5c1ed3e005f26dfee89fd55c8cbac45c475bf8b79b9340da880b199ddd4802990c87cc5c557c1e49780d303901c7f3c9c3ada66574843a8345b
-
SSDEEP
98304:8xYHAUZD71KzPZS6Wd0PNPoyAb44/jVSV4UpLeNKt3cA:sJUT+Z/OQoyAk4URNeNKxD
Malware Config
Signatures
-
Detect ZGRat V1 1 IoCs
resource yara_rule behavioral2/memory/2044-12-0x00000000003C0000-0x0000000000BD4000-memory.dmp family_zgrat_v1 -
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ eefa6d65ae3c059aeda47da1b1ebe5f3_JaffaCakes118.exe -
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion eefa6d65ae3c059aeda47da1b1ebe5f3_JaffaCakes118.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion eefa6d65ae3c059aeda47da1b1ebe5f3_JaffaCakes118.exe -
resource yara_rule behavioral2/memory/2044-12-0x00000000003C0000-0x0000000000BD4000-memory.dmp themida -
description ioc Process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA eefa6d65ae3c059aeda47da1b1ebe5f3_JaffaCakes118.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
pid Process 2044 eefa6d65ae3c059aeda47da1b1ebe5f3_JaffaCakes118.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 2044 eefa6d65ae3c059aeda47da1b1ebe5f3_JaffaCakes118.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\eefa6d65ae3c059aeda47da1b1ebe5f3_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\eefa6d65ae3c059aeda47da1b1ebe5f3_JaffaCakes118.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:2044
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3940 --field-trial-handle=2232,i,11267738607351977302,107266978269557304,262144 --variations-seed-version /prefetch:81⤵PID:2192