75ced5a4e9c5a9517dc6a8bc1652c3a4dd4a8de59e3e770b1989069038c5ab30

General

Target

fe5841db0071bf7c34399d6ca86e23c4_JaffaCakes118.exe
Size

1.4MB
MD5

fe5841db0071bf7c34399d6ca86e23c4
SHA1

c2d841b78f213e78c82dcf1ce080caea1dcfce94
SHA256

75ced5a4e9c5a9517dc6a8bc1652c3a4dd4a8de59e3e770b1989069038c5ab30
SHA512

e4c769758622ee15b95dd7ecde273379ceaa638ddc4494e7a8694eaba26227eb511420c7c47033eb93c9029547887907109e4ae66c68f019c4e798082d1d672d
SSDEEP

24576:q6mEIERW91TbmooLXQT58PQKmPh7sh4F45V6UVYPXtxFDiV+uFk51e:qC9RWPvmUq4KmPhC4CV6UVQxVQ5

Score

9^/10

agilenet discovery evasion spyware stealer

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

fe5841db0071bf7c34399d6ca86e23c4_JaffaCakes118.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ fe5841db0071bf7c34399d6ca86e23c4_JaffaCakes118.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	fe5841db0071bf7c34399d6ca86e23c4_JaffaCakes118.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

fe5841db0071bf7c34399d6ca86e23c4_JaffaCakes118.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	fe5841db0071bf7c34399d6ca86e23c4_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	fe5841db0071bf7c34399d6ca86e23c4_JaffaCakes118.exe

Identifies Wine through registry keys 2 TTPs 1 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

fe5841db0071bf7c34399d6ca86e23c4_JaffaCakes118.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\Software\Wine	fe5841db0071bf7c34399d6ca86e23c4_JaffaCakes118.exe

Obfuscated with Agile.Net obfuscator 3 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

Processes:

resource	yara_rule
behavioral2/memory/4944-2-0x0000000000820000-0x0000000000BC8000-memory.dmp	agile_net
behavioral2/memory/4944-4-0x0000000000820000-0x0000000000BC8000-memory.dmp	agile_net
behavioral2/memory/4944-22-0x0000000000820000-0x0000000000BC8000-memory.dmp	agile_net

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

fe5841db0071bf7c34399d6ca86e23c4_JaffaCakes118.exe

pid process

4944 fe5841db0071bf7c34399d6ca86e23c4_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 11 IoCs

Processes:

fe5841db0071bf7c34399d6ca86e23c4_JaffaCakes118.exe

pid	process
4944	fe5841db0071bf7c34399d6ca86e23c4_JaffaCakes118.exe
4944	fe5841db0071bf7c34399d6ca86e23c4_JaffaCakes118.exe
4944	fe5841db0071bf7c34399d6ca86e23c4_JaffaCakes118.exe
4944	fe5841db0071bf7c34399d6ca86e23c4_JaffaCakes118.exe
4944	fe5841db0071bf7c34399d6ca86e23c4_JaffaCakes118.exe
4944	fe5841db0071bf7c34399d6ca86e23c4_JaffaCakes118.exe
4944	fe5841db0071bf7c34399d6ca86e23c4_JaffaCakes118.exe
4944	fe5841db0071bf7c34399d6ca86e23c4_JaffaCakes118.exe
4944	fe5841db0071bf7c34399d6ca86e23c4_JaffaCakes118.exe
4944	fe5841db0071bf7c34399d6ca86e23c4_JaffaCakes118.exe
4944	fe5841db0071bf7c34399d6ca86e23c4_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 43 IoCs

Processes:

fe5841db0071bf7c34399d6ca86e23c4_JaffaCakes118.exewmic.exe

description	pid	process
Token: SeDebugPrivilege	4944	fe5841db0071bf7c34399d6ca86e23c4_JaffaCakes118.exe
Token: SeIncreaseQuotaPrivilege	3088	wmic.exe
Token: SeSecurityPrivilege	3088	wmic.exe
Token: SeTakeOwnershipPrivilege	3088	wmic.exe
Token: SeLoadDriverPrivilege	3088	wmic.exe
Token: SeSystemProfilePrivilege	3088	wmic.exe
Token: SeSystemtimePrivilege	3088	wmic.exe
Token: SeProfSingleProcessPrivilege	3088	wmic.exe
Token: SeIncBasePriorityPrivilege	3088	wmic.exe
Token: SeCreatePagefilePrivilege	3088	wmic.exe
Token: SeBackupPrivilege	3088	wmic.exe
Token: SeRestorePrivilege	3088	wmic.exe
Token: SeShutdownPrivilege	3088	wmic.exe
Token: SeDebugPrivilege	3088	wmic.exe
Token: SeSystemEnvironmentPrivilege	3088	wmic.exe
Token: SeRemoteShutdownPrivilege	3088	wmic.exe
Token: SeUndockPrivilege	3088	wmic.exe
Token: SeManageVolumePrivilege	3088	wmic.exe
Token: 33	3088	wmic.exe
Token: 34	3088	wmic.exe
Token: 35	3088	wmic.exe
Token: 36	3088	wmic.exe
Token: SeIncreaseQuotaPrivilege	3088	wmic.exe
Token: SeSecurityPrivilege	3088	wmic.exe
Token: SeTakeOwnershipPrivilege	3088	wmic.exe
Token: SeLoadDriverPrivilege	3088	wmic.exe
Token: SeSystemProfilePrivilege	3088	wmic.exe
Token: SeSystemtimePrivilege	3088	wmic.exe
Token: SeProfSingleProcessPrivilege	3088	wmic.exe
Token: SeIncBasePriorityPrivilege	3088	wmic.exe
Token: SeCreatePagefilePrivilege	3088	wmic.exe
Token: SeBackupPrivilege	3088	wmic.exe
Token: SeRestorePrivilege	3088	wmic.exe
Token: SeShutdownPrivilege	3088	wmic.exe
Token: SeDebugPrivilege	3088	wmic.exe
Token: SeSystemEnvironmentPrivilege	3088	wmic.exe
Token: SeRemoteShutdownPrivilege	3088	wmic.exe
Token: SeUndockPrivilege	3088	wmic.exe
Token: SeManageVolumePrivilege	3088	wmic.exe
Token: 33	3088	wmic.exe
Token: 34	3088	wmic.exe
Token: 35	3088	wmic.exe
Token: 36	3088	wmic.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

fe5841db0071bf7c34399d6ca86e23c4_JaffaCakes118.exe

description	pid	process	target process
PID 4944 wrote to memory of 3088	4944	fe5841db0071bf7c34399d6ca86e23c4_JaffaCakes118.exe	wmic.exe
PID 4944 wrote to memory of 3088	4944	fe5841db0071bf7c34399d6ca86e23c4_JaffaCakes118.exe	wmic.exe
PID 4944 wrote to memory of 3088	4944	fe5841db0071bf7c34399d6ca86e23c4_JaffaCakes118.exe	wmic.exe

C:\Users\Admin\AppData\Local\Temp\fe5841db0071bf7c34399d6ca86e23c4_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fe5841db0071bf7c34399d6ca86e23c4_JaffaCakes118.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4944

C:\Windows\SysWOW64\Wbem\wmic.exe
"wmic" os get Caption /format:list
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3088

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

2

T1497

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Query Registry

4

T1012

Virtualization/Sandbox Evasion

2

T1497

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4944-0-0x0000000000820000-0x0000000000BC8000-memory.dmp

Filesize
3.7MB

Download
memory/4944-1-0x0000000077984000-0x0000000077986000-memory.dmp

Filesize
8KB

Download
memory/4944-2-0x0000000000820000-0x0000000000BC8000-memory.dmp

Filesize
3.7MB

Download
memory/4944-3-0x0000000074770000-0x0000000074F20000-memory.dmp

Filesize
7.7MB

Download
memory/4944-4-0x0000000000820000-0x0000000000BC8000-memory.dmp

Filesize
3.7MB

Download
memory/4944-5-0x0000000009560000-0x0000000009570000-memory.dmp

Filesize
64KB

Download
memory/4944-6-0x0000000009770000-0x0000000009802000-memory.dmp

Filesize
584KB

Download
memory/4944-22-0x0000000000820000-0x0000000000BC8000-memory.dmp

Filesize
3.7MB

Download
memory/4944-23-0x0000000074770000-0x0000000074F20000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads