ac5960372c1290f60e763f504755f6bf728c39c0dbfed2b31ac1fbd70726c7c3

General

Target

faa6ce17ab2c61fc20eb0c2d7ecfc0a0_JaffaCakes118.exe
Size

4.4MB
MD5

faa6ce17ab2c61fc20eb0c2d7ecfc0a0
SHA1

839116fd797120fb7391af4e573cef576d37d18b
SHA256

ac5960372c1290f60e763f504755f6bf728c39c0dbfed2b31ac1fbd70726c7c3
SHA512

3d7d639e246329d9223d290966c4af76d3870d2260c981a8b06ce55f2a89b1ec706daf64aac1dd16816202e1769de438413f592c3c6efb185276637a914fc29a
SSDEEP

98304:n3Hvs9KZsCFA/wmZ9Oq4O6leTcrJftMspqLU1aE2b1u8Y:U9KBMwmZ9OqLbTcrJCU10c8Y

Score

9^/10

bootkit evasion persistence upx

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

faa6ce17ab2c61fc20eb0c2d7ecfc0a0_JaffaCakes118.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ faa6ce17ab2c61fc20eb0c2d7ecfc0a0_JaffaCakes118.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	faa6ce17ab2c61fc20eb0c2d7ecfc0a0_JaffaCakes118.exe

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\PrimeSunSuper\dll\super.dll	acprotect

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

faa6ce17ab2c61fc20eb0c2d7ecfc0a0_JaffaCakes118.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	faa6ce17ab2c61fc20eb0c2d7ecfc0a0_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	faa6ce17ab2c61fc20eb0c2d7ecfc0a0_JaffaCakes118.exe

Executes dropped EXE 3 IoCs

Processes:

adb.exeadb.exeadb.exe

pid process

4832 adb.exe
5088 adb.exe
4336 adb.exe

pid	process
4832	adb.exe
5088	adb.exe
4336	adb.exe

Identifies Wine through registry keys 2 TTPs 1 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

faa6ce17ab2c61fc20eb0c2d7ecfc0a0_JaffaCakes118.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\Software\Wine	faa6ce17ab2c61fc20eb0c2d7ecfc0a0_JaffaCakes118.exe

Loads dropped DLL 10 IoCs

Processes:

faa6ce17ab2c61fc20eb0c2d7ecfc0a0_JaffaCakes118.exeadb.exeadb.exeadb.exe

pid	process
4024	faa6ce17ab2c61fc20eb0c2d7ecfc0a0_JaffaCakes118.exe
4024	faa6ce17ab2c61fc20eb0c2d7ecfc0a0_JaffaCakes118.exe
4024	faa6ce17ab2c61fc20eb0c2d7ecfc0a0_JaffaCakes118.exe
4024	faa6ce17ab2c61fc20eb0c2d7ecfc0a0_JaffaCakes118.exe
4832	adb.exe
4832	adb.exe
5088	adb.exe
5088	adb.exe
4336	adb.exe
4336	adb.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\PrimeSunSuper\dll\super.dll	upx
behavioral2/memory/4024-701-0x0000000011200000-0x00000000113CE000-memory.dmp	upx
behavioral2/memory/4024-936-0x0000000011200000-0x00000000113CE000-memory.dmp	upx
behavioral2/memory/4024-955-0x0000000011200000-0x00000000113CE000-memory.dmp	upx
behavioral2/memory/4024-963-0x0000000011200000-0x00000000113CE000-memory.dmp	upx
behavioral2/memory/4024-964-0x0000000011200000-0x00000000113CE000-memory.dmp	upx
behavioral2/memory/4024-968-0x0000000011200000-0x00000000113CE000-memory.dmp	upx
behavioral2/memory/4024-972-0x0000000011200000-0x00000000113CE000-memory.dmp	upx

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1542.003

Processes:

faa6ce17ab2c61fc20eb0c2d7ecfc0a0_JaffaCakes118.exe

description ioc process

File opened for modification \??\PhysicalDrive0 faa6ce17ab2c61fc20eb0c2d7ecfc0a0_JaffaCakes118.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

faa6ce17ab2c61fc20eb0c2d7ecfc0a0_JaffaCakes118.exe

pid process

4024 faa6ce17ab2c61fc20eb0c2d7ecfc0a0_JaffaCakes118.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

faa6ce17ab2c61fc20eb0c2d7ecfc0a0_JaffaCakes118.exeadb.exe

pid process

4024 faa6ce17ab2c61fc20eb0c2d7ecfc0a0_JaffaCakes118.exe
4024 faa6ce17ab2c61fc20eb0c2d7ecfc0a0_JaffaCakes118.exe
4336 adb.exe
4336 adb.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	faa6ce17ab2c61fc20eb0c2d7ecfc0a0_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

faa6ce17ab2c61fc20eb0c2d7ecfc0a0_JaffaCakes118.exe

description	pid	process
Token: SeDebugPrivilege	4024	faa6ce17ab2c61fc20eb0c2d7ecfc0a0_JaffaCakes118.exe
Token: SeDebugPrivilege	4024	faa6ce17ab2c61fc20eb0c2d7ecfc0a0_JaffaCakes118.exe
Token: SeDebugPrivilege	4024	faa6ce17ab2c61fc20eb0c2d7ecfc0a0_JaffaCakes118.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

faa6ce17ab2c61fc20eb0c2d7ecfc0a0_JaffaCakes118.exe

pid process

4024 faa6ce17ab2c61fc20eb0c2d7ecfc0a0_JaffaCakes118.exe
Suspicious use of SendNotifyMessage 1 IoCs

Processes:

faa6ce17ab2c61fc20eb0c2d7ecfc0a0_JaffaCakes118.exe

pid process

4024 faa6ce17ab2c61fc20eb0c2d7ecfc0a0_JaffaCakes118.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

faa6ce17ab2c61fc20eb0c2d7ecfc0a0_JaffaCakes118.exe

pid process

4024 faa6ce17ab2c61fc20eb0c2d7ecfc0a0_JaffaCakes118.exe
4024 faa6ce17ab2c61fc20eb0c2d7ecfc0a0_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

faa6ce17ab2c61fc20eb0c2d7ecfc0a0_JaffaCakes118.exeadb.exe

description	pid	process	target process
PID 4024 wrote to memory of 4832	4024	faa6ce17ab2c61fc20eb0c2d7ecfc0a0_JaffaCakes118.exe	adb.exe
PID 4024 wrote to memory of 4832	4024	faa6ce17ab2c61fc20eb0c2d7ecfc0a0_JaffaCakes118.exe	adb.exe
PID 4024 wrote to memory of 4832	4024	faa6ce17ab2c61fc20eb0c2d7ecfc0a0_JaffaCakes118.exe	adb.exe
PID 4024 wrote to memory of 5088	4024	faa6ce17ab2c61fc20eb0c2d7ecfc0a0_JaffaCakes118.exe	adb.exe
PID 4024 wrote to memory of 5088	4024	faa6ce17ab2c61fc20eb0c2d7ecfc0a0_JaffaCakes118.exe	adb.exe
PID 4024 wrote to memory of 5088	4024	faa6ce17ab2c61fc20eb0c2d7ecfc0a0_JaffaCakes118.exe	adb.exe
PID 5088 wrote to memory of 4336	5088	adb.exe	adb.exe
PID 5088 wrote to memory of 4336	5088	adb.exe	adb.exe
PID 5088 wrote to memory of 4336	5088	adb.exe	adb.exe

C:\Users\Admin\AppData\Local\Temp\faa6ce17ab2c61fc20eb0c2d7ecfc0a0_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\faa6ce17ab2c61fc20eb0c2d7ecfc0a0_JaffaCakes118.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4024

C:\Users\Admin\AppData\Roaming\PrimeSunSuper\dll\adb.exe
"C:\Users\Admin\AppData\Roaming\PrimeSunSuper\\dll\adb.exe" kill-server
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4832

C:\Users\Admin\AppData\Roaming\PrimeSunSuper\dll\adb.exe
"C:\Users\Admin\AppData\Roaming\PrimeSunSuper\\dll\adb.exe" start-server
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:5088

C:\Users\Admin\AppData\Roaming\PrimeSunSuper\dll\adb.exe
adb fork-server server
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:4336

C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe
C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe
1⤵
PID:2624

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Virtualization/Sandbox Evasion

2

T1497

Credential Access

Discovery

Query Registry

3

T1012

System Information Discovery

1

T1082

Virtualization/Sandbox Evasion

2

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Profile\dll\kitty.dll
Filesize
385KB

MD5
be124bae5f85f5be9632c587a9d5f329

SHA1
d630f43515f45dd29a5d185b1ee4ba2061d2f65a

SHA256
d9aa5e6dcd685b7f55cbcec76752d8c9ef554935f92eb99e833c46829c497dc6

SHA512
74e1bea4ae03d400c4daceb4013f9766e72689d752bc74805d112db815f30e038525c93cb3ad8bbed20e68dafe54b7b21070b3895b14ec784b9132ab2d45a5de

Download Submit
C:\Users\Admin\AppData\Roaming\PrimeSunSuper\dll\AdbWinApi.dll
Filesize
101KB

MD5
296ff4495cc4e2a2280961458ab59a15

SHA1
214040b406d3e5531c65604287c2756d9de65d08

SHA256
c2731a89cce17486aeb37763a337993d61c5e3f6842f7c2e9cc960bd76d40b2a

SHA512
c4bf84c797b65154b5096074b2546643adef7ee6e8026b71a63af2b330c9e6b1017e69d7ebe20d95028334f8aad949047e801f8e4bd336e5853f75ef7959301e

Download Submit
C:\Users\Admin\AppData\Roaming\PrimeSunSuper\dll\AdbWinUsbApi.dll
Filesize
67KB

MD5
9cd0f639a73e981f31f95bd616cf5cb7

SHA1
32de9b60798a34113286c68896e067018cdcf7ac

SHA256
210ab0e6d7ca3a74ea0d43977f4a4bd1e504aef6353c3e5ac5884748dc531462

SHA512
1d37173952e180fdff74a7ab24f89f1206c7bfdca5a3976a41a77eb6daa2ad41ead110deeed6f9c553f7a4335847e30280969557c5f7377e03c54e71a1c9cd7b

Download Submit
C:\Users\Admin\AppData\Roaming\PrimeSunSuper\dll\adb.exe
Filesize
806KB

MD5
f0b9dd3b4e88fb68d449c6eba74f4293

SHA1
1f124ebccda61ba6c26f9d7651cedf2746c055eb

SHA256
c238a7145dd225dfc8695a8a280543e7afb43906dfd935f31ea9a2d0d43a85ee

SHA512
bab7ff0bb4f5ec53cb701191567c7b0b1bf041507a690759f52b89ba1d59d9cee1b13186a2e8966405376e1c464cf8c0c8067b3e89e789d6b98ba72606ec0d88

Download Submit
C:\Users\Admin\AppData\Roaming\PrimeSunSuper\dll\super.dll
Filesize
1.1MB

MD5
f5a2db05c4c061f75117d9032945931b

SHA1
648332f82b69f557f469bfca8595091087eea37d

SHA256
af3b17d7a429e228f97d881c22f24894551eb71a709760428246904cc25fa32a

SHA512
a4c5afe974d60c7e07868e960f4b5d431146627b66b2bbb53e008a3dfd0379cf3c9efec0c384a815c0358b72fa3fd39e0a34fee8c5c9086a6400d6505a067e62

Download Submit
C:\Users\Admin\AppData\Roaming\PrimeSunSuper\ten.cfg
Filesize
26B

MD5
e3f793860c4844f990392f2560d9c41b

SHA1
e940f6a9548ac8f6164232259ddd81c11b47f7a7

SHA256
3c90390e2564e2b1ce4d7722afc823c5a4732b9934fd0206165bd71f658388d9

SHA512
7fa48233ba5d6b67c2c240b96e5f48a41f189aff7a0862b33964616dac9b69acd4a917eb2d2d7f9bd11da51197a529fedc7e9875473dfe0437085e243dc09ea9

Download Submit
C:\Users\Admin\AppData\Roaming\PrimeSunSuper\ten.cfg
Filesize
1KB

MD5
cc13028554770deab759c5b967ca943e

SHA1
c68ecee336e494aac35e1d300fd1c145daafc350

SHA256
fb169527c6a77ca104c6f56f61ae1d54369fd914307268a7dd04b881c2baf478

SHA512
6b2f05e33320fd22850264ce9df92a86623901ff8a634866ebccbc231827383b0ac9bd4b0cb9947de6bc90e8bc1120fe52a13b8d6b1ef3133263781a8b668cd3

Download Submit
memory/2624-8-0x0000000001980000-0x0000000001990000-memory.dmp

Filesize
64KB

Download
memory/2624-7-0x00007FFDC1050000-0x00007FFDC19F1000-memory.dmp

Filesize
9.6MB

Download
memory/2624-9-0x000000001AFB0000-0x000000001B384000-memory.dmp

Filesize
3.8MB

Download
memory/2624-10-0x00007FFDC1050000-0x00007FFDC19F1000-memory.dmp

Filesize
9.6MB

Download
memory/2624-11-0x000000001B670000-0x000000001B7A6000-memory.dmp

Filesize
1.2MB

Download
memory/2624-12-0x0000000001980000-0x0000000001990000-memory.dmp

Filesize
64KB

Download
memory/2624-6-0x0000000001990000-0x00000000019B0000-memory.dmp

Filesize
128KB

Download
memory/2624-937-0x00007FFDC1050000-0x00007FFDC19F1000-memory.dmp

Filesize
9.6MB

Download
memory/2624-938-0x0000000001980000-0x0000000001990000-memory.dmp

Filesize
64KB

Download
memory/2624-943-0x0000000001980000-0x0000000001990000-memory.dmp

Filesize
64KB

Download
memory/4024-14-0x0000000073250000-0x00000000733FC000-memory.dmp

Filesize
1.7MB

Download
memory/4024-959-0x000000000BCD0000-0x000000000BDD0000-memory.dmp

Filesize
1024KB

Download
memory/4024-19-0x00000000748B0000-0x0000000074E61000-memory.dmp

Filesize
5.7MB

Download
memory/4024-17-0x000000000BCD0000-0x000000000BDD0000-memory.dmp

Filesize
1024KB

Download
memory/4024-689-0x0000000011050000-0x00000000110B9000-memory.dmp

Filesize
420KB

Download
memory/4024-16-0x0000000000420000-0x0000000000BEC000-memory.dmp

Filesize
7.8MB

Download
memory/4024-698-0x00000000748B0000-0x0000000074E61000-memory.dmp

Filesize
5.7MB

Download
memory/4024-700-0x00000000748B0000-0x0000000074E61000-memory.dmp

Filesize
5.7MB

Download
memory/4024-701-0x0000000011200000-0x00000000113CE000-memory.dmp

Filesize
1.8MB

Download
memory/4024-702-0x00000000053E0000-0x00000000053F0000-memory.dmp

Filesize
64KB

Download
memory/4024-15-0x00000000053E0000-0x00000000053F0000-memory.dmp

Filesize
64KB

Download
memory/4024-0-0x0000000000420000-0x0000000000BEC000-memory.dmp

Filesize
7.8MB

Download
memory/4024-13-0x00000000053E0000-0x00000000053F0000-memory.dmp

Filesize
64KB

Download
memory/4024-3-0x00000000748B0000-0x0000000074E61000-memory.dmp

Filesize
5.7MB

Download
memory/4024-5-0x00000000053E0000-0x00000000053F0000-memory.dmp

Filesize
64KB

Download
memory/4024-935-0x0000000011050000-0x00000000110B9000-memory.dmp

Filesize
420KB

Download
memory/4024-936-0x0000000011200000-0x00000000113CE000-memory.dmp

Filesize
1.8MB

Download
memory/4024-4-0x00000000748B0000-0x0000000074E61000-memory.dmp

Filesize
5.7MB

Download
memory/4024-2-0x00000000748B0000-0x0000000074E61000-memory.dmp

Filesize
5.7MB

Download
memory/4024-975-0x0000000073250000-0x00000000733FC000-memory.dmp

Filesize
1.7MB

Download
memory/4024-1-0x00000000778D4000-0x00000000778D6000-memory.dmp

Filesize
8KB

Download
memory/4024-950-0x00000000053E0000-0x00000000053F0000-memory.dmp

Filesize
64KB

Download
memory/4024-974-0x00000000748B0000-0x0000000074E61000-memory.dmp

Filesize
5.7MB

Download
memory/4024-952-0x0000000073250000-0x00000000733FC000-memory.dmp

Filesize
1.7MB

Download
memory/4024-955-0x0000000011200000-0x00000000113CE000-memory.dmp

Filesize
1.8MB

Download
memory/4024-956-0x00000000053E0000-0x00000000053F0000-memory.dmp

Filesize
64KB

Download
memory/4024-957-0x00000000053E0000-0x00000000053F0000-memory.dmp

Filesize
64KB

Download
memory/4024-973-0x0000000000420000-0x0000000000BEC000-memory.dmp

Filesize
7.8MB

Download
memory/4024-18-0x000000000BCD0000-0x000000000BDD0000-memory.dmp

Filesize
1024KB

Download
memory/4024-960-0x000000000BCD0000-0x000000000BDD0000-memory.dmp

Filesize
1024KB

Download
memory/4024-963-0x0000000011200000-0x00000000113CE000-memory.dmp

Filesize
1.8MB

Download
memory/4024-964-0x0000000011200000-0x00000000113CE000-memory.dmp

Filesize
1.8MB

Download
memory/4024-972-0x0000000011200000-0x00000000113CE000-memory.dmp

Filesize
1.8MB

Download
memory/4024-968-0x0000000011200000-0x00000000113CE000-memory.dmp

Filesize
1.8MB

Download
memory/4336-969-0x0000000000400000-0x00000000004E1000-memory.dmp

Filesize
900KB

Download
memory/4336-965-0x0000000000400000-0x00000000004E1000-memory.dmp

Filesize
900KB

Download
memory/4336-958-0x0000000000400000-0x00000000004E1000-memory.dmp

Filesize
900KB

Download
memory/4336-976-0x0000000000400000-0x00000000004E1000-memory.dmp

Filesize
900KB

Download
memory/4832-939-0x0000000000400000-0x00000000004E1000-memory.dmp

Filesize
900KB

Download
memory/5088-951-0x0000000000400000-0x00000000004E1000-memory.dmp

Filesize
900KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads