Analysis
-
max time kernel
118s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
20/04/2024, 17:07
Behavioral task
behavioral1
Sample
fd37932be7cadd7b8295e8540a543802_JaffaCakes118.exe
Resource
win7-20240221-en
General
-
Target
fd37932be7cadd7b8295e8540a543802_JaffaCakes118.exe
-
Size
786KB
-
MD5
fd37932be7cadd7b8295e8540a543802
-
SHA1
10962017f617ca840f96a386663d99b1e86d996f
-
SHA256
fd735f45bb33b4ff724a71528c1833ba3fbc1327081349db0e4a0378213073df
-
SHA512
c1634ae47dc8151ca5ba47f3075daadedc783ca358fadba9b02d9697f155734681a80b73aca871ff4455b48d8f6872431ced8bb56e67ff10b9ae6ea5df0efb3f
-
SSDEEP
24576:u+YENwEP5EcmsU8PU6IqHHyMWVdV1FBXPKfa:vNwER08P3IISMW7DXPK
Malware Config
Signatures
-
Looks for VMWare drivers on disk 2 TTPs 1 IoCs
description ioc Process File opened (read-only) C:\Windows\SysWOW64\drivers\vmmouse.sys fd37932be7cadd7b8295e8540a543802_JaffaCakes118.exe -
ACProtect 1.3x - 1.4x DLL software 1 IoCs
Detects file using ACProtect software.
resource yara_rule behavioral1/files/0x000c00000001224c-8.dat acprotect -
Identifies Wine through registry keys 2 TTPs 1 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Wine fd37932be7cadd7b8295e8540a543802_JaffaCakes118.exe -
Loads dropped DLL 8 IoCs
pid Process 2904 fd37932be7cadd7b8295e8540a543802_JaffaCakes118.exe 2904 fd37932be7cadd7b8295e8540a543802_JaffaCakes118.exe 2904 fd37932be7cadd7b8295e8540a543802_JaffaCakes118.exe 2904 fd37932be7cadd7b8295e8540a543802_JaffaCakes118.exe 2904 fd37932be7cadd7b8295e8540a543802_JaffaCakes118.exe 2904 fd37932be7cadd7b8295e8540a543802_JaffaCakes118.exe 2904 fd37932be7cadd7b8295e8540a543802_JaffaCakes118.exe 2904 fd37932be7cadd7b8295e8540a543802_JaffaCakes118.exe -
resource yara_rule behavioral1/memory/2904-0-0x0000000000400000-0x0000000000592000-memory.dmp themida behavioral1/memory/2904-2-0x0000000000400000-0x0000000000592000-memory.dmp themida behavioral1/memory/2712-53-0x0000000000400000-0x0000000000592000-memory.dmp themida behavioral1/memory/2904-50-0x0000000000400000-0x0000000000592000-memory.dmp themida -
resource yara_rule behavioral1/files/0x000c00000001224c-8.dat upx behavioral1/memory/2624-35-0x0000000000400000-0x0000000000450000-memory.dmp upx behavioral1/memory/2904-52-0x0000000004170000-0x0000000004302000-memory.dmp upx behavioral1/memory/2624-43-0x0000000000400000-0x0000000000450000-memory.dmp upx behavioral1/memory/2624-30-0x0000000000400000-0x0000000000450000-memory.dmp upx -
Maps connected drives based on registry 3 TTPs 2 IoCs
Disk information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum fd37932be7cadd7b8295e8540a543802_JaffaCakes118.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 fd37932be7cadd7b8295e8540a543802_JaffaCakes118.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
pid Process 2904 fd37932be7cadd7b8295e8540a543802_JaffaCakes118.exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 2904 set thread context of 2624 2904 fd37932be7cadd7b8295e8540a543802_JaffaCakes118.exe 30 -
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid Process 2904 fd37932be7cadd7b8295e8540a543802_JaffaCakes118.exe -
Suspicious use of WriteProcessMemory 16 IoCs
description pid Process procid_target PID 2904 wrote to memory of 2604 2904 fd37932be7cadd7b8295e8540a543802_JaffaCakes118.exe 28 PID 2904 wrote to memory of 2604 2904 fd37932be7cadd7b8295e8540a543802_JaffaCakes118.exe 28 PID 2904 wrote to memory of 2604 2904 fd37932be7cadd7b8295e8540a543802_JaffaCakes118.exe 28 PID 2904 wrote to memory of 2604 2904 fd37932be7cadd7b8295e8540a543802_JaffaCakes118.exe 28 PID 2904 wrote to memory of 2712 2904 fd37932be7cadd7b8295e8540a543802_JaffaCakes118.exe 29 PID 2904 wrote to memory of 2712 2904 fd37932be7cadd7b8295e8540a543802_JaffaCakes118.exe 29 PID 2904 wrote to memory of 2712 2904 fd37932be7cadd7b8295e8540a543802_JaffaCakes118.exe 29 PID 2904 wrote to memory of 2712 2904 fd37932be7cadd7b8295e8540a543802_JaffaCakes118.exe 29 PID 2904 wrote to memory of 2624 2904 fd37932be7cadd7b8295e8540a543802_JaffaCakes118.exe 30 PID 2904 wrote to memory of 2624 2904 fd37932be7cadd7b8295e8540a543802_JaffaCakes118.exe 30 PID 2904 wrote to memory of 2624 2904 fd37932be7cadd7b8295e8540a543802_JaffaCakes118.exe 30 PID 2904 wrote to memory of 2624 2904 fd37932be7cadd7b8295e8540a543802_JaffaCakes118.exe 30 PID 2904 wrote to memory of 2624 2904 fd37932be7cadd7b8295e8540a543802_JaffaCakes118.exe 30 PID 2904 wrote to memory of 2624 2904 fd37932be7cadd7b8295e8540a543802_JaffaCakes118.exe 30 PID 2904 wrote to memory of 2624 2904 fd37932be7cadd7b8295e8540a543802_JaffaCakes118.exe 30 PID 2904 wrote to memory of 2624 2904 fd37932be7cadd7b8295e8540a543802_JaffaCakes118.exe 30
Processes
-
C:\Users\Admin\AppData\Local\Temp\fd37932be7cadd7b8295e8540a543802_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\fd37932be7cadd7b8295e8540a543802_JaffaCakes118.exe"1⤵
- Looks for VMWare drivers on disk
- Identifies Wine through registry keys
- Loads dropped DLL
- Maps connected drives based on registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2904 -
C:\Users\Admin\AppData\Local\Temp\fd37932be7cadd7b8295e8540a543802_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\fd37932be7cadd7b8295e8540a543802_JaffaCakes118.exe"2⤵PID:2604
-
-
C:\Users\Admin\AppData\Local\Temp\fd37932be7cadd7b8295e8540a543802_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\fd37932be7cadd7b8295e8540a543802_JaffaCakes118.exe"2⤵PID:2712
-
-
C:\Users\Admin\AppData\Local\Temp\fd37932be7cadd7b8295e8540a543802_JaffaCakes118.exe?2⤵PID:2624
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
4KB
MD5d02bc5e49dcbdeb20edda49f984c4ece
SHA1533469beb0c49e364e277a29eb80a8207ddd164c
SHA2560daa40b9b6da489521e3d919e024984c826c4c49caf3a21cc77178651b0dfbf9
SHA51255233a019c291bb991aaf7e90826518f8d60bc423d85b4f18bc4b7f583f8832e4c1a5a5530843532860a7c2cd7d96bfcf3091e126d0996ade35ab93c39d6125a