940e0a6d5e959c50b652271c0d0d3b4b25dfe7e0d5f2982672e8b914df8ddc1c

General

Target

fe252783eb4ed83dd9bceea085c54d90_JaffaCakes118.exe
Size

1.1MB
MD5

fe252783eb4ed83dd9bceea085c54d90
SHA1

2c2a92508d70a39a23705ba883003815e3a99c85
SHA256

940e0a6d5e959c50b652271c0d0d3b4b25dfe7e0d5f2982672e8b914df8ddc1c
SHA512

cc83c8631c7b89c05c845da7dcf45114c9c27a76bb6f4c88c323591aad12937dbc1280521e05cb2451dcb9a3f68f65579b2e214cac257c18af9cc0d9d897ed90
SSDEEP

24576:gl00YjCRKqYRqrVkJDEC9zgkKm834q0rg5DxroKyGNY+yrkGY:wYGQTqxkJDx5FlJFrUD1oKyG2+yrkGY

Score

9^/10

evasion

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	fe252783eb4ed83dd9bceea085c54d90_JaffaCakes118.exe

Deletes itself 1 IoCs

pid	Process
2476	cmd.exe

Identifies Wine through registry keys 2 TTPs 1 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Wine	fe252783eb4ed83dd9bceea085c54d90_JaffaCakes118.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
1720	fe252783eb4ed83dd9bceea085c54d90_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1720	fe252783eb4ed83dd9bceea085c54d90_JaffaCakes118.exe
1720	fe252783eb4ed83dd9bceea085c54d90_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1720	fe252783eb4ed83dd9bceea085c54d90_JaffaCakes118.exe
1720	fe252783eb4ed83dd9bceea085c54d90_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1720 wrote to memory of 2476	1720	fe252783eb4ed83dd9bceea085c54d90_JaffaCakes118.exe	29
PID 1720 wrote to memory of 2476	1720	fe252783eb4ed83dd9bceea085c54d90_JaffaCakes118.exe	29
PID 1720 wrote to memory of 2476	1720	fe252783eb4ed83dd9bceea085c54d90_JaffaCakes118.exe	29
PID 1720 wrote to memory of 2476	1720	fe252783eb4ed83dd9bceea085c54d90_JaffaCakes118.exe	29

C:\Users\Admin\AppData\Local\Temp\fe252783eb4ed83dd9bceea085c54d90_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fe252783eb4ed83dd9bceea085c54d90_JaffaCakes118.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1720
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c del fe252783eb4ed83dd9bceea085c54d90_JaffaCakes118.exe
  2⤵
  - Deletes itself
  PID:2476

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

2

T1497

Credential Access

Discovery

Query Registry

2

T1012

Virtualization/Sandbox Evasion

2

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1720-0-0x0000000000400000-0x0000000000699000-memory.dmp

Filesize
2.6MB

Download
memory/1720-1-0x00000000777F0000-0x00000000777F2000-memory.dmp

Filesize
8KB

Download
memory/1720-2-0x0000000000840000-0x0000000000841000-memory.dmp

Filesize
4KB

Download
memory/1720-3-0x00000000042F0000-0x00000000042F1000-memory.dmp

Filesize
4KB

Download
memory/1720-4-0x0000000004290000-0x0000000004291000-memory.dmp

Filesize
4KB

Download
memory/1720-5-0x0000000004250000-0x0000000004252000-memory.dmp

Filesize
8KB

Download
memory/1720-15-0x0000000004270000-0x0000000004271000-memory.dmp

Filesize
4KB

Download
memory/1720-14-0x0000000004300000-0x0000000004301000-memory.dmp

Filesize
4KB

Download
memory/1720-13-0x00000000042D0000-0x00000000042D1000-memory.dmp

Filesize
4KB

Download
memory/1720-12-0x00000000040A0000-0x00000000040A1000-memory.dmp

Filesize
4KB

Download
memory/1720-11-0x00000000042E0000-0x00000000042E1000-memory.dmp

Filesize
4KB

Download
memory/1720-10-0x00000000042B0000-0x00000000042B1000-memory.dmp

Filesize
4KB

Download
memory/1720-9-0x0000000004070000-0x0000000004072000-memory.dmp

Filesize
8KB

Download
memory/1720-8-0x0000000004230000-0x0000000004231000-memory.dmp

Filesize
4KB

Download
memory/1720-7-0x0000000004080000-0x0000000004081000-memory.dmp

Filesize
4KB

Download
memory/1720-6-0x0000000004090000-0x0000000004091000-memory.dmp

Filesize
4KB

Download
memory/1720-23-0x0000000004330000-0x0000000004331000-memory.dmp

Filesize
4KB

Download
memory/1720-24-0x0000000004350000-0x0000000004351000-memory.dmp

Filesize
4KB

Download
memory/1720-22-0x0000000004220000-0x0000000004221000-memory.dmp

Filesize
4KB

Download
memory/1720-21-0x0000000004340000-0x0000000004341000-memory.dmp

Filesize
4KB

Download
memory/1720-20-0x00000000042A0000-0x00000000042A1000-memory.dmp

Filesize
4KB

Download
memory/1720-19-0x0000000004260000-0x0000000004261000-memory.dmp

Filesize
4KB

Download
memory/1720-18-0x00000000044E0000-0x00000000044E2000-memory.dmp

Filesize
8KB

Download
memory/1720-17-0x0000000004280000-0x0000000004281000-memory.dmp

Filesize
4KB

Download
memory/1720-16-0x0000000000400000-0x0000000000699000-memory.dmp

Filesize
2.6MB

Download
memory/1720-31-0x00000000040C0000-0x00000000040C2000-memory.dmp

Filesize
8KB

Download
memory/1720-32-0x00000000040D0000-0x00000000040D1000-memory.dmp

Filesize
4KB

Download
memory/1720-33-0x0000000004310000-0x0000000004311000-memory.dmp

Filesize
4KB

Download
memory/1720-34-0x0000000000400000-0x0000000000699000-memory.dmp

Filesize
2.6MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads