Analysis
-
max time kernel
120s -
max time network
126s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
20-04-2024 17:46
Static task
static1
Behavioral task
behavioral1
Sample
fd49374b6bf5ddfcf665a110da75f127_JaffaCakes118.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
fd49374b6bf5ddfcf665a110da75f127_JaffaCakes118.exe
Resource
win10v2004-20240412-en
General
-
Target
fd49374b6bf5ddfcf665a110da75f127_JaffaCakes118.exe
-
Size
1.7MB
-
MD5
fd49374b6bf5ddfcf665a110da75f127
-
SHA1
b45353452bc2d9e1a93fd35a4438f97a068af1bf
-
SHA256
c2f96661a63e6a894a46ae5bf83f85c3f9fa74cf20cc7b6d34b4888289ea7ae4
-
SHA512
a43d9e63b4d1dff27e03fda00f347dabbf640c1a5e51397a15662a48050decbd8f908b8e63f16de75bafbe1ab0fece3fb689ced3d503e0a406a30b12997d2d50
-
SSDEEP
49152:k6MLyu3iyTEk+EPmk4O+jJWuuiA2TxyNwycImYYNZ:ktGwiq+EP+ZnuiA21yNw3Imd/
Malware Config
Signatures
-
Babuk Locker
RaaS first seen in 2021 initially called Vasa Locker.
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ fd49374b6bf5ddfcf665a110da75f127_JaffaCakes118.exe -
Renames multiple (204) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion fd49374b6bf5ddfcf665a110da75f127_JaffaCakes118.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion fd49374b6bf5ddfcf665a110da75f127_JaffaCakes118.exe -
Identifies Wine through registry keys 2 TTPs 1 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Wine fd49374b6bf5ddfcf665a110da75f127_JaffaCakes118.exe -
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\R: fd49374b6bf5ddfcf665a110da75f127_JaffaCakes118.exe File opened (read-only) \??\U: fd49374b6bf5ddfcf665a110da75f127_JaffaCakes118.exe File opened (read-only) \??\K: fd49374b6bf5ddfcf665a110da75f127_JaffaCakes118.exe File opened (read-only) \??\B: fd49374b6bf5ddfcf665a110da75f127_JaffaCakes118.exe File opened (read-only) \??\M: fd49374b6bf5ddfcf665a110da75f127_JaffaCakes118.exe File opened (read-only) \??\Q: fd49374b6bf5ddfcf665a110da75f127_JaffaCakes118.exe File opened (read-only) \??\E: fd49374b6bf5ddfcf665a110da75f127_JaffaCakes118.exe File opened (read-only) \??\I: fd49374b6bf5ddfcf665a110da75f127_JaffaCakes118.exe File opened (read-only) \??\P: fd49374b6bf5ddfcf665a110da75f127_JaffaCakes118.exe File opened (read-only) \??\A: fd49374b6bf5ddfcf665a110da75f127_JaffaCakes118.exe File opened (read-only) \??\G: fd49374b6bf5ddfcf665a110da75f127_JaffaCakes118.exe File opened (read-only) \??\H: fd49374b6bf5ddfcf665a110da75f127_JaffaCakes118.exe File opened (read-only) \??\W: fd49374b6bf5ddfcf665a110da75f127_JaffaCakes118.exe File opened (read-only) \??\T: fd49374b6bf5ddfcf665a110da75f127_JaffaCakes118.exe File opened (read-only) \??\J: fd49374b6bf5ddfcf665a110da75f127_JaffaCakes118.exe File opened (read-only) \??\L: fd49374b6bf5ddfcf665a110da75f127_JaffaCakes118.exe File opened (read-only) \??\Z: fd49374b6bf5ddfcf665a110da75f127_JaffaCakes118.exe File opened (read-only) \??\X: fd49374b6bf5ddfcf665a110da75f127_JaffaCakes118.exe File opened (read-only) \??\O: fd49374b6bf5ddfcf665a110da75f127_JaffaCakes118.exe File opened (read-only) \??\S: fd49374b6bf5ddfcf665a110da75f127_JaffaCakes118.exe File opened (read-only) \??\N: fd49374b6bf5ddfcf665a110da75f127_JaffaCakes118.exe File opened (read-only) \??\Y: fd49374b6bf5ddfcf665a110da75f127_JaffaCakes118.exe File opened (read-only) \??\V: fd49374b6bf5ddfcf665a110da75f127_JaffaCakes118.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
pid Process 2896 fd49374b6bf5ddfcf665a110da75f127_JaffaCakes118.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Interacts with shadow copies 2 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid Process 2964 vssadmin.exe 2884 vssadmin.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 2896 fd49374b6bf5ddfcf665a110da75f127_JaffaCakes118.exe 2896 fd49374b6bf5ddfcf665a110da75f127_JaffaCakes118.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
description pid Process Token: SeBackupPrivilege 2540 vssvc.exe Token: SeRestorePrivilege 2540 vssvc.exe Token: SeAuditPrivilege 2540 vssvc.exe -
Suspicious use of WriteProcessMemory 14 IoCs
description pid Process procid_target PID 2896 wrote to memory of 2512 2896 fd49374b6bf5ddfcf665a110da75f127_JaffaCakes118.exe 28 PID 2896 wrote to memory of 2512 2896 fd49374b6bf5ddfcf665a110da75f127_JaffaCakes118.exe 28 PID 2896 wrote to memory of 2512 2896 fd49374b6bf5ddfcf665a110da75f127_JaffaCakes118.exe 28 PID 2896 wrote to memory of 2512 2896 fd49374b6bf5ddfcf665a110da75f127_JaffaCakes118.exe 28 PID 2512 wrote to memory of 2964 2512 cmd.exe 30 PID 2512 wrote to memory of 2964 2512 cmd.exe 30 PID 2512 wrote to memory of 2964 2512 cmd.exe 30 PID 2896 wrote to memory of 520 2896 fd49374b6bf5ddfcf665a110da75f127_JaffaCakes118.exe 34 PID 2896 wrote to memory of 520 2896 fd49374b6bf5ddfcf665a110da75f127_JaffaCakes118.exe 34 PID 2896 wrote to memory of 520 2896 fd49374b6bf5ddfcf665a110da75f127_JaffaCakes118.exe 34 PID 2896 wrote to memory of 520 2896 fd49374b6bf5ddfcf665a110da75f127_JaffaCakes118.exe 34 PID 520 wrote to memory of 2884 520 cmd.exe 36 PID 520 wrote to memory of 2884 520 cmd.exe 36 PID 520 wrote to memory of 2884 520 cmd.exe 36 -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\fd49374b6bf5ddfcf665a110da75f127_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\fd49374b6bf5ddfcf665a110da75f127_JaffaCakes118.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Enumerates connected drives
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2896 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet2⤵
- Suspicious use of WriteProcessMemory
PID:2512 -
C:\Windows\system32\vssadmin.exevssadmin.exe delete shadows /all /quiet3⤵
- Interacts with shadow copies
PID:2964
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet2⤵
- Suspicious use of WriteProcessMemory
PID:520 -
C:\Windows\system32\vssadmin.exevssadmin.exe delete shadows /all /quiet3⤵
- Interacts with shadow copies
PID:2884
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2540
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
196B
MD5593315f8f4d3337a6fa10980eb1a8459
SHA1d4865a0c50b100f817e147541efcdca7a34e4fbd
SHA2569fc95ab4b5f6e41aeb79aa5e77bb97e28e38df4eba77f5797b8a28749c005f26
SHA51260e7ebf8729701c4a022708b399bb250eb4622a7b7d8e9ba636f65bc163622243f92997ee9b88ec47b57176dad0c966e0d8c2a51aa00de5ee80fc65d2ca3b469