f58bb7ef51d62cbca14778caffadd854dad7a1a5682cc2016f775310b0464058

Analysis

max time kernel
142s
max time network
126s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
19/04/2024, 10:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fa1af9f89f182ceaf85cdc39a9bb55b9_JaffaCakes118.exe
Size

2.1MB
MD5

fa1af9f89f182ceaf85cdc39a9bb55b9
SHA1

b66a479eaeaf45be1b5bb52968550724d0ef0934
SHA256

f58bb7ef51d62cbca14778caffadd854dad7a1a5682cc2016f775310b0464058
SHA512

7fbf3ea63ef918abce0806512872f8608e9771c5069eade5246623434ed1489f9ae3c1b6c7cf7bb8f5f75f8bb3c5600d5fb4a6d07c38806e6d6e114ecc8c0a7f
SSDEEP

49152:4WFVbrhPYRE7ri2iqfRIIJyiCpVPG/NBOf/WbsWa:xFVbryO7r/fRhIiQVw8/WbsWa

Score

9^/10

bootkit evasion persistence spyware stealer upx vmprotect

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	fa1af9f89f182ceaf85cdc39a9bb55b9_JaffaCakes118.exe

Looks for VMWare services registry key. 1 TTPs 1 IoCs

evasion

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VMTools	fa1af9f89f182ceaf85cdc39a9bb55b9_JaffaCakes118.exe

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral2/files/0x0007000000023405-24.dat	acprotect

Checks BIOS information in registry 2 TTPs 1 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	fa1af9f89f182ceaf85cdc39a9bb55b9_JaffaCakes118.exe

Identifies Wine through registry keys 2 TTPs 1 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Software\Wine	fa1af9f89f182ceaf85cdc39a9bb55b9_JaffaCakes118.exe

Loads dropped DLL 3 IoCs

pid	Process
5236	fa1af9f89f182ceaf85cdc39a9bb55b9_JaffaCakes118.exe
5236	fa1af9f89f182ceaf85cdc39a9bb55b9_JaffaCakes118.exe
5236	fa1af9f89f182ceaf85cdc39a9bb55b9_JaffaCakes118.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0007000000023405-24.dat	upx
behavioral2/memory/5236-25-0x0000000010000000-0x000000001003A000-memory.dmp	upx
behavioral2/memory/5236-26-0x0000000010000000-0x000000001003A000-memory.dmp	upx

VMProtect packed file 4 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral2/memory/5236-32-0x0000000005370000-0x00000000053E8000-memory.dmp	vmprotect
behavioral2/memory/5236-34-0x0000000005370000-0x00000000053E8000-memory.dmp	vmprotect
behavioral2/files/0x0003000000022f81-31.dat	vmprotect
behavioral2/memory/5236-40-0x0000000005370000-0x00000000053E8000-memory.dmp	vmprotect

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\fUYXlcOY = "C:\\Users\\Admin\\AppData\\Local\\Temp\\fa1af9f89f182ceaf85cdc39a9bb55b9_JaffaCakes118.exe"	fa1af9f89f182ceaf85cdc39a9bb55b9_JaffaCakes118.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	fa1af9f89f182ceaf85cdc39a9bb55b9_JaffaCakes118.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
5236	fa1af9f89f182ceaf85cdc39a9bb55b9_JaffaCakes118.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	fa1af9f89f182ceaf85cdc39a9bb55b9_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	fa1af9f89f182ceaf85cdc39a9bb55b9_JaffaCakes118.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key deleted	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms	fa1af9f89f182ceaf85cdc39a9bb55b9_JaffaCakes118.exe
Key deleted	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\SOFTWARE\Microsoft\Internet Explorer\TypedURLs	fa1af9f89f182ceaf85cdc39a9bb55b9_JaffaCakes118.exe

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000_Classes\{1200ED7F-AB4B-499c-85CF-07E061F0F6CF}	fa1af9f89f182ceaf85cdc39a9bb55b9_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000_Classes\{1200ED7F-AB4B-499c-85CF-07E061F0F6CF}\CurrentVersion = "fUYXlcOY"	fa1af9f89f182ceaf85cdc39a9bb55b9_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000_Classes\{C4A6F801-1306-4722-AB0D-C8824DDBF4CA}	fa1af9f89f182ceaf85cdc39a9bb55b9_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000_Classes\{C4A6F801-1306-4722-AB0D-C8824DDBF4CA}\VerInfo = "=ITM0ADNyAjM"	fa1af9f89f182ceaf85cdc39a9bb55b9_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
5236	fa1af9f89f182ceaf85cdc39a9bb55b9_JaffaCakes118.exe
5236	fa1af9f89f182ceaf85cdc39a9bb55b9_JaffaCakes118.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
5236	fa1af9f89f182ceaf85cdc39a9bb55b9_JaffaCakes118.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
5236	fa1af9f89f182ceaf85cdc39a9bb55b9_JaffaCakes118.exe
5236	fa1af9f89f182ceaf85cdc39a9bb55b9_JaffaCakes118.exe
5236	fa1af9f89f182ceaf85cdc39a9bb55b9_JaffaCakes118.exe
5236	fa1af9f89f182ceaf85cdc39a9bb55b9_JaffaCakes118.exe

Suspicious use of SendNotifyMessage 6 IoCs

pid	Process
5236	fa1af9f89f182ceaf85cdc39a9bb55b9_JaffaCakes118.exe
5236	fa1af9f89f182ceaf85cdc39a9bb55b9_JaffaCakes118.exe
5236	fa1af9f89f182ceaf85cdc39a9bb55b9_JaffaCakes118.exe
5236	fa1af9f89f182ceaf85cdc39a9bb55b9_JaffaCakes118.exe
5236	fa1af9f89f182ceaf85cdc39a9bb55b9_JaffaCakes118.exe
5236	fa1af9f89f182ceaf85cdc39a9bb55b9_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
5236	fa1af9f89f182ceaf85cdc39a9bb55b9_JaffaCakes118.exe
5236	fa1af9f89f182ceaf85cdc39a9bb55b9_JaffaCakes118.exe
5236	fa1af9f89f182ceaf85cdc39a9bb55b9_JaffaCakes118.exe
5236	fa1af9f89f182ceaf85cdc39a9bb55b9_JaffaCakes118.exe
5236	fa1af9f89f182ceaf85cdc39a9bb55b9_JaffaCakes118.exe
5236	fa1af9f89f182ceaf85cdc39a9bb55b9_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\fa1af9f89f182ceaf85cdc39a9bb55b9_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fa1af9f89f182ceaf85cdc39a9bb55b9_JaffaCakes118.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Looks for VMWare services registry key.
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Loads dropped DLL
- Adds Run key to start application
- Writes to the Master Boot Record (MBR)
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:5236

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Virtualization/Sandbox Evasion

T1497

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\fUYXlcOY\EeAINLA.dll

Filesize
86KB

MD5
e3b51669c995d4f1a321ac84ed1064d0

SHA1
9f20bf6fa1f3124abb240e77bfbcea583d67c117

SHA256
a55e21fe509b0db3d51c6f7faa73c1d06b7d60eaa696e12ef38d5b82c37fd60d

SHA512
8eb05f3800e3da4d1f9e2b447f4e9e3210ef49fe25cf23b0b33371197459704f4bb6bd1fa0dae1e252eb05c363e85c49010f5ad03165a0aff9ce8fcada7335ec

Download Submit
C:\Users\Admin\AppData\Roaming\fUYXlcOY\KFVSSqGS.dll

Filesize
264KB

MD5
b1ac011d37b343798899e3780d08ab49

SHA1
d58b91d255d3b29e6ca016b59b7a6df38ff825cc

SHA256
cc461087c558da2fae0895ad86e7ba46f0734af0cc42c38615f0e9e3fadb4b1b

SHA512
ce0a0ab52b8735f2e40f1f8e4d5babaf624b9c0654885d485fc320228f25f30ce43cf779743bcae7536505feaa700b6e59254b09d15a0bb27267b33a0d35189a

Download Submit
memory/5236-13-0x0000000004A00000-0x0000000004A01000-memory.dmp

Filesize
4KB

Download
memory/5236-18-0x0000000004AA0000-0x0000000004AA1000-memory.dmp

Filesize
4KB

Download
memory/5236-4-0x00000000049C0000-0x00000000049C1000-memory.dmp

Filesize
4KB

Download
memory/5236-5-0x0000000004A10000-0x0000000004A11000-memory.dmp

Filesize
4KB

Download
memory/5236-6-0x0000000004930000-0x0000000004931000-memory.dmp

Filesize
4KB

Download
memory/5236-7-0x0000000004960000-0x0000000004961000-memory.dmp

Filesize
4KB

Download
memory/5236-9-0x00000000049F0000-0x00000000049F1000-memory.dmp

Filesize
4KB

Download
memory/5236-8-0x00000000049D0000-0x00000000049D1000-memory.dmp

Filesize
4KB

Download
memory/5236-10-0x0000000004980000-0x0000000004981000-memory.dmp

Filesize
4KB

Download
memory/5236-11-0x0000000004990000-0x0000000004991000-memory.dmp

Filesize
4KB

Download
memory/5236-0-0x0000000000400000-0x000000000083C000-memory.dmp

Filesize
4.2MB

Download
memory/5236-12-0x0000000004970000-0x0000000004971000-memory.dmp

Filesize
4KB

Download
memory/5236-14-0x00000000049A0000-0x00000000049A1000-memory.dmp

Filesize
4KB

Download
memory/5236-15-0x0000000004950000-0x0000000004951000-memory.dmp

Filesize
4KB

Download
memory/5236-16-0x0000000000400000-0x000000000083C000-memory.dmp

Filesize
4.2MB

Download
memory/5236-25-0x0000000010000000-0x000000001003A000-memory.dmp

Filesize
232KB

Download
memory/5236-22-0x0000000004A70000-0x0000000004A72000-memory.dmp

Filesize
8KB

Download
memory/5236-21-0x0000000004A90000-0x0000000004A91000-memory.dmp

Filesize
4KB

Download
memory/5236-20-0x0000000004AE0000-0x0000000004AE1000-memory.dmp

Filesize
4KB

Download
memory/5236-19-0x00000000049E0000-0x00000000049E1000-memory.dmp

Filesize
4KB

Download
memory/5236-17-0x0000000004AB0000-0x0000000004AB1000-memory.dmp

Filesize
4KB

Download
memory/5236-23-0x0000000004C50000-0x0000000004C52000-memory.dmp

Filesize
8KB

Download
memory/5236-2-0x0000000004940000-0x0000000004942000-memory.dmp

Filesize
8KB

Download
memory/5236-3-0x00000000049B0000-0x00000000049B1000-memory.dmp

Filesize
4KB

Download
memory/5236-49-0x0000000000400000-0x000000000083C000-memory.dmp

Filesize
4.2MB

Download
memory/5236-28-0x0000000004B00000-0x0000000004B01000-memory.dmp

Filesize
4KB

Download
memory/5236-29-0x0000000004AD0000-0x0000000004AD1000-memory.dmp

Filesize
4KB

Download
memory/5236-32-0x0000000005370000-0x00000000053E8000-memory.dmp

Filesize
480KB

Download
memory/5236-34-0x0000000005370000-0x00000000053E8000-memory.dmp

Filesize
480KB

Download
memory/5236-1-0x0000000077654000-0x0000000077656000-memory.dmp

Filesize
8KB

Download
memory/5236-35-0x0000000000400000-0x000000000083C000-memory.dmp

Filesize
4.2MB

Download
memory/5236-36-0x0000000000400000-0x000000000083C000-memory.dmp

Filesize
4.2MB

Download
memory/5236-38-0x0000000000400000-0x000000000083C000-memory.dmp

Filesize
4.2MB

Download
memory/5236-40-0x0000000005370000-0x00000000053E8000-memory.dmp

Filesize
480KB

Download
memory/5236-41-0x0000000000400000-0x000000000083C000-memory.dmp

Filesize
4.2MB

Download
memory/5236-43-0x0000000000400000-0x000000000083C000-memory.dmp

Filesize
4.2MB

Download
memory/5236-45-0x0000000000400000-0x000000000083C000-memory.dmp

Filesize
4.2MB

Download
memory/5236-47-0x0000000000400000-0x000000000083C000-memory.dmp

Filesize
4.2MB

Download
memory/5236-26-0x0000000010000000-0x000000001003A000-memory.dmp

Filesize
232KB

Download
memory/5236-51-0x0000000000400000-0x000000000083C000-memory.dmp

Filesize
4.2MB

Download
memory/5236-53-0x0000000000400000-0x000000000083C000-memory.dmp

Filesize
4.2MB

Download
memory/5236-55-0x0000000000400000-0x000000000083C000-memory.dmp

Filesize
4.2MB

Download
memory/5236-57-0x0000000000400000-0x000000000083C000-memory.dmp

Filesize
4.2MB

Download
memory/5236-59-0x0000000000400000-0x000000000083C000-memory.dmp

Filesize
4.2MB

Download
memory/5236-61-0x0000000000400000-0x000000000083C000-memory.dmp

Filesize
4.2MB

Download
memory/5236-63-0x0000000000400000-0x000000000083C000-memory.dmp

Filesize
4.2MB

Download