Analysis

max time kernel: 145s
max time network: 142s
platform: windows7_x64
resource: win7-20240419-en
resource tags: arch:x64, arch:x86, image:win7-20240419-en, locale:en-us, os:windows7-x64, system
submitted: 28/04/2024, 00:19
Static task: static1

Behavioral task: behavioral1
Sample: 03f669513b56351a79abe8daa45ade86_JaffaCakes118.exe
Resource: win7-20240419-en

Behavioral task: behavioral2
Sample: 03f669513b56351a79abe8daa45ade86_JaffaCakes118.exe
Resource: win10v2004-20240426-en
General

Target: 03f669513b56351a79abe8daa45ade86_JaffaCakes118.exe
Size: 623KB
MD5: 03f669513b56351a79abe8daa45ade86
SHA1: 74ed9dfc5aa07d8b22452e455db15f4f1bfe3622
SHA256: 97c1579679535e7a709475d4dc3b6e5154b5ea3e18f8a5b3379fc62930387290
SHA512: a3421ca5c8d5dd44ddb91375d199d5e7b7c9241e4269d7e90e5f9b19bf6b95cdcdb18db623609b07c81a4231b41a965bea7b05acd8ecd3303bbe0c59466581b1
SSDEEP: 12288:3nYQxCxRUC/BfScmGRvlwO3hoATj0wxOoWKxmxrjY+2:XCxRhScxX3hlTjvBxmxjY+2
Malware Config
Signatures
Identifies VirtualBox via ACPI registry values (likely anti-VM) | 2 TTPs | 1 IoCs
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 03f669513b56351a79abe8daa45ade86_JaffaCakes118.exe

Executes dropped EXE | 1 IoCs
  pid | Process
  2752 | s1171.exe

Loads dropped DLL | 4 IoCs
  pid | Process
  2188 | 03f669513b56351a79abe8daa45ade86_JaffaCakes118.exe
  2188 | 03f669513b56351a79abe8daa45ade86_JaffaCakes118.exe
  2188 | 03f669513b56351a79abe8daa45ade86_JaffaCakes118.exe
  2188 | 03f669513b56351a79abe8daa45ade86_JaffaCakes118.exe

Enumerates physical storage devices | 1 TTPs
  Attempts to interact with connected storage/optical drive(s).

Enumerates system info in registry | 2 TTPs | 2 IoCs
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | 03f669513b56351a79abe8daa45ade86_JaffaCakes118.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | 03f669513b56351a79abe8daa45ade86_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses | 4 IoCs
  pid | Process
  2188 | 03f669513b56351a79abe8daa45ade86_JaffaCakes118.exe
  2752 | s1171.exe
  2752 | s1171.exe
  2752 | s1171.exe

Suspicious use of AdjustPrivilegeToken | 1 IoCs
  description | pid | Process
  Token: SeDebugPrivilege | 2752 | s1171.exe

Suspicious use of SetWindowsHookEx | 2 IoCs
  pid | Process
  2752 | s1171.exe
  2752 | s1171.exe

Suspicious use of WriteProcessMemory | 4 IoCs
  description | pid | Process | procid_target
  PID 2188 wrote to memory of 2752 | 2188 | 03f669513b56351a79abe8daa45ade86_JaffaCakes118.exe | 28
  PID 2188 wrote to memory of 2752 | 2188 | 03f669513b56351a79abe8daa45ade86_JaffaCakes118.exe | 28
  PID 2188 wrote to memory of 2752 | 2188 | 03f669513b56351a79abe8daa45ade86_JaffaCakes118.exe | 28
  PID 2188 wrote to memory of 2752 | 2188 | 03f669513b56351a79abe8daa45ade86_JaffaCakes118.exe | 28
Processes
C:\Users\Admin\AppData\Local\Temp\03f669513b56351a79abe8daa45ade86_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\03f669513b56351a79abe8daa45ade86_JaffaCakes118.exe"
  Level: 1
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Loads dropped DLL
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 2188

  C:\Users\Admin\AppData\Local\Temp\n1171\s1171.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\n1171\s1171.exe" 0d56c9394ee00039628665f0OSGuLWD1LE4i3EZHqvMaSDY6HnQgZ62L+3kPfDGWR3T1qJbUWY9DA7LW8q+gELYobWEUsVdHqCvqfPFOZGRkq5mb+JCQbe40O1PiSZ3tgBdXMFVmI/OsjmpVz7S2Uw8mPPCdEIW5ds/Z+Q7hv13zehBFrgtcLVW/2Rm9GwadxA== /v "C:\Users\Admin\AppData\Local\Temp\03f669513b56351a79abe8daa45ade86_JaffaCakes118.exe"
    Level: 2
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID: 2752
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 68KB
MD5: 29f65ba8e88c063813cc50a4ea544e93
SHA1: 05a7040d5c127e68c25d81cc51271ffb8bef3568
SHA256: 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
SHA512: e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Filesize: 177KB
MD5: 435a9ac180383f9fa094131b173a2f7b
SHA1: 76944ea657a9db94f9a4bef38f88c46ed4166983
SHA256: 67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34
SHA512: 1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Filesize: 350KB
MD5: 6846ddbdd21776eff7d444531456b731
SHA1: 7a4dc3057caf1127b1d96641c77513d08c7e59ce
SHA256: 4620731e1e1e335a200b6d4486b9c38b6c6de2560a6728cbcb370d2f91cfa5a8
SHA512: c206026986552c29cd30d04d1aad03a9b9d9e2cc1951aba247ec3c0f12b730e8cb734a5f709e501b8347374343a6cd0908de50a8978a91c67dae54316395c4df