Analysis
- max time kernel: 145s
- max time network: 148s
- platform: windows10-2004_x64
- resource: win10v2004-20240412-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240412-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 19-04-2024 14:31
Static task: static1
Behavioral task: behavioral1
Sample: fa81aab0bc348b79744852e65e2043df_JaffaCakes118.exe
Resource: win7-20240215-en
General
- Target: fa81aab0bc348b79744852e65e2043df_JaffaCakes118.exe
- Size: 1.1MB
- MD5: fa81aab0bc348b79744852e65e2043df
- SHA1: fa65b1b8b689a41822d84a588d17226ca233564c
- SHA256: 1137a722df5bf7b96cdbf121282b328f429b895aa60f8a0caf120177303e1299
- SHA512: b01fd9cf2ae7964d4bead4197cf3bf8a77900ff7d2ce6fe9397a81e4a3988a88e9cc07fe121c696cc855a61944aac5e3b10289579307fd51006e324b2737b374
- SSDEEP: 24576:NdeAPk5uFFgUBEGobZE1yeIeZPoVWwO2ha1:XeekuFFHEGobq1RJZPoVWdv
Malware Config
Extracted
- Family: asyncrat
- Version: 0.5.7B
- Botnet: Default
- C2: 51.143.89.185:8080
- Mutex: AsyncMutex_6SI8OkPnk
- delay: 3
- install: true
- install_file: 2e31a76-d46e-4625-bee5-4fb923fc49f5.exe
- install_folder: %Temp%
Signatures
-
Async RAT payload (2 IoCs)
Processes:
resource | yara_rule
behavioral2/memory/2568-1-0x0000000000A70000-0x0000000000D00000-memory.dmp | family_asyncrat
behavioral2/memory/2568-3-0x0000000000A70000-0x0000000000D00000-memory.dmp | family_asyncrat
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 1 IoC)
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | fa81aab0bc348b79744852e65e2043df_JaffaCakes118.exe
-
Checks BIOS information in registry (2 TTPs, 2 IoCs)
BIOS information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | fa81aab0bc348b79744852e65e2043df_JaffaCakes118.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | fa81aab0bc348b79744852e65e2043df_JaffaCakes118.exe
-
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
Processes:
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000\Control Panel\International\Geo\Nation | fa81aab0bc348b79744852e65e2043df_JaffaCakes118.exe
-
Identifies Wine through registry keys (2 TTPs, 1 IoC)
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
Processes:
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000\Software\Wine | fa81aab0bc348b79744852e65e2043df_JaffaCakes118.exe
-
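The four registry signatures above (the VirtualBox ACPI table, the BIOS version strings, Geo\Nation and Software\Wine) are each noisy on their own; Geo\Nation in particular is read by plenty of legitimate software. What makes PID 2568 stand out is one process touching all of them in a row. The Python below is an added illustration, not part of the sandbox report and not the sample's code: it strips the native hive prefix the sandbox logs (\REGISTRY\MACHINE\..., \REGISTRY\USER\<SID>\...), classifies each access into a probe category and reports processes that hit at least two categories. The events are constructed from the accesses logged for PID 2568 plus one made-up benign process; the event field names (pid, image, target) are an assumption, and the FADT/RSDT variants of the VBOX__ check go beyond the DSDT key the report shows (VirtualBox stamps VBOX__ into all three ACPI tables).

```python
"""Flag processes that probe the registry for VM / sandbox artefacts.

Added example, not code from the sandbox or from the sample. The events are
constructed to mirror the accesses recorded for PID 2568; the field names
(pid, image, target) are an assumption, not a real telemetry schema.
"""
import re
from collections import defaultdict

# Paths that are interesting only because malware reads them to decide whether
# it is being analysed. Matched against the path with the hive prefix removed.
# FADT/RSDT generalise the DSDT\VBOX__ probe seen in the report.
PROBE_PATTERNS = {
    "virtualbox_acpi": re.compile(r"^HARDWARE\\ACPI\\(DSDT|FADT|RSDT)\\VBOX__", re.I),
    "bios_version": re.compile(
        r"^HARDWARE\\DESCRIPTION\\System\\(SystemBiosVersion|VideoBiosVersion)$", re.I),
    "wine": re.compile(r"^Software\\Wine$", re.I),
    "geo_nation": re.compile(r"^Control Panel\\International\\Geo\\Nation$", re.I),
}

# \REGISTRY\MACHINE\... or \REGISTRY\USER\<SID>\... as the sandbox logs them.
_HIVE_PREFIX = re.compile(r"^\\REGISTRY\\(MACHINE|USER\\S-1-5-21-[\d-]+)\\", re.I)


def normalize(path):
    """Strip the native hive prefix so the same key matches for every user SID."""
    return _HIVE_PREFIX.sub("", path)


def classify(path):
    """Return the probe category for a registry path, or None if it is not one."""
    rel = normalize(path)
    for name, pattern in PROBE_PATTERNS.items():
        if pattern.search(rel):
            return name
    return None


def score_processes(events, min_categories=2):
    """Group probe hits by PID; keep processes that hit several categories.

    A single category is not a signal (Geo\\Nation alone is common); the
    report's sample hits all four.
    """
    hits, images = defaultdict(set), {}
    for ev in events:
        category = classify(ev["target"])
        if category:
            hits[ev["pid"]].add(category)
            images[ev["pid"]] = ev["image"]
    return {
        pid: {"image": images[pid], "probes": sorted(cats)}
        for pid, cats in hits.items()
        if len(cats) >= min_categories
    }


SAMPLE = "fa81aab0bc348b79744852e65e2043df_JaffaCakes118.exe"
SID = "S-1-5-21-2288054676-1871194608-3559553667-1000"  # user SID from the report


def hku(subkey):
    """Build an HKEY_USERS path for the report's user SID."""
    return "\\REGISTRY\\USER\\" + SID + "\\" + subkey


# Constructed events: the five keys from the report for PID 2568, plus a
# benign explorer.exe (PID and image made up) that only reads Geo\Nation.
SAMPLE_EVENTS = [
    {"pid": 2568, "image": SAMPLE, "target": r"\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__"},
    {"pid": 2568, "image": SAMPLE,
     "target": r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion"},
    {"pid": 2568, "image": SAMPLE,
     "target": r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion"},
    {"pid": 2568, "image": SAMPLE, "target": hku(r"Control Panel\International\Geo\Nation")},
    {"pid": 2568, "image": SAMPLE, "target": hku(r"Software\Wine")},
    {"pid": 4120, "image": "explorer.exe",
     "target": hku(r"Control Panel\International\Geo\Nation")},
]

if __name__ == "__main__":
    for pid, info in score_processes(SAMPLE_EVENTS).items():
        print(pid, info["image"], ", ".join(info["probes"]))
```

The threshold is the design choice: raising min_categories trades missed single-probe loaders for fewer false positives from software that reads the BIOS strings or the country code for legitimate reasons.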
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses (21 IoCs)
Processes:
pid | process
2568 | fa81aab0bc348b79744852e65e2043df_JaffaCakes118.exe (21 identical events)
-
Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
description | pid | process
Token: SeDebugPrivilege | 2568 | fa81aab0bc348b79744852e65e2043df_JaffaCakes118.exe
-
Suspicious use of WriteProcessMemory (6 IoCs)
Processes:
description | pid | process | target process
PID 2568 wrote to memory of 2016 | 2568 | fa81aab0bc348b79744852e65e2043df_JaffaCakes118.exe | cmd.exe (3 events)
PID 2016 wrote to memory of 3344 | 2016 | cmd.exe | schtasks.exe (3 events)
Processes
-
C:\Users\Admin\AppData\Local\Temp\fa81aab0bc348b79744852e65e2043df_JaffaCakes118.exe (PID 2568, depth 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\fa81aab0bc348b79744852e65e2043df_JaffaCakes118.exe"
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Identifies Wine through registry keys
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
  C:\Windows\SysWOW64\cmd.exe (PID 2016, depth 2, child of 2568)
  Command line: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "2e31a76-d46e-4625-bee5-4fb923fc49f5" /tr '"C:\Users\Admin\AppData\Local\Temp\2e31a76-d46e-4625-bee5-4fb923fc49f5.exe"' & exit
  - Suspicious use of WriteProcessMemory
  -
    C:\Windows\SysWOW64\schtasks.exe (PID 3344, depth 3, child of 2016)
    Command line: schtasks /create /f /sc onlogon /rl highest /tn "2e31a76-d46e-4625-bee5-4fb923fc49f5" /tr '"C:\Users\Admin\AppData\Local\Temp\2e31a76-d46e-4625-bee5-4fb923fc49f5.exe"'
    - Creates scheduled task(s)
PIDs are taken from the WriteProcessMemory IoCs above. The sample is 32-bit (arch:x86), so its call to C:\Windows\System32\cmd.exe is redirected by WOW64 to C:\Windows\SysWOW64\cmd.exe, which is why the image path and the command line differ; the same applies to schtasks.exe.
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Downloads
- memory/2568-0-0x0000000000A70000-0x0000000000D00000-memory.dmp (Filesize 2.6MB)
- memory/2568-2-0x0000000074850000-0x0000000075000000-memory.dmp (Filesize 7.7MB)
- memory/2568-1-0x0000000000A70000-0x0000000000D00000-memory.dmp (Filesize 2.6MB)
- memory/2568-3-0x0000000000A70000-0x0000000000D00000-memory.dmp (Filesize 2.6MB)
- memory/2568-4-0x0000000007390000-0x00000000073A0000-memory.dmp (Filesize 64KB)
- memory/2568-5-0x0000000007260000-0x00000000072FC000-memory.dmp (Filesize 624KB)
- memory/2568-8-0x0000000000A70000-0x0000000000D00000-memory.dmp (Filesize 2.6MB)
- memory/2568-9-0x0000000074850000-0x0000000075000000-memory.dmp (Filesize 7.7MB)
- memory/2568-10-0x0000000007390000-0x00000000073A0000-memory.dmp (Filesize 64KB)