97c1579679535e7a709475d4dc3b6e5154b5ea3e18f8a5b3379fc62930387290

General

Target

03f669513b56351a79abe8daa45ade86_JaffaCakes118.exe
Size

623KB
MD5

03f669513b56351a79abe8daa45ade86
SHA1

74ed9dfc5aa07d8b22452e455db15f4f1bfe3622
SHA256

97c1579679535e7a709475d4dc3b6e5154b5ea3e18f8a5b3379fc62930387290
SHA512

a3421ca5c8d5dd44ddb91375d199d5e7b7c9241e4269d7e90e5f9b19bf6b95cdcdb18db623609b07c81a4231b41a965bea7b05acd8ecd3303bbe0c59466581b1
SSDEEP

12288:3nYQxCxRUC/BfScmGRvlwO3hoATj0wxOoWKxmxrjY+2:XCxRhScxX3hlTjvBxmxjY+2

Score

9^/10

evasion

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	03f669513b56351a79abe8daa45ade86_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

pid	Process
2752	s1171.exe

Loads dropped DLL 4 IoCs

pid	Process
2188	03f669513b56351a79abe8daa45ade86_JaffaCakes118.exe
2188	03f669513b56351a79abe8daa45ade86_JaffaCakes118.exe
2188	03f669513b56351a79abe8daa45ade86_JaffaCakes118.exe
2188	03f669513b56351a79abe8daa45ade86_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	03f669513b56351a79abe8daa45ade86_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	03f669513b56351a79abe8daa45ade86_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2188	03f669513b56351a79abe8daa45ade86_JaffaCakes118.exe
2752	s1171.exe
2752	s1171.exe
2752	s1171.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2752	s1171.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2752	s1171.exe
2752	s1171.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2188 wrote to memory of 2752	2188	03f669513b56351a79abe8daa45ade86_JaffaCakes118.exe	28
PID 2188 wrote to memory of 2752	2188	03f669513b56351a79abe8daa45ade86_JaffaCakes118.exe	28
PID 2188 wrote to memory of 2752	2188	03f669513b56351a79abe8daa45ade86_JaffaCakes118.exe	28
PID 2188 wrote to memory of 2752	2188	03f669513b56351a79abe8daa45ade86_JaffaCakes118.exe	28

C:\Users\Admin\AppData\Local\Temp\03f669513b56351a79abe8daa45ade86_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\03f669513b56351a79abe8daa45ade86_JaffaCakes118.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Loads dropped DLL
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2188
- C:\Users\Admin\AppData\Local\Temp\n1171\s1171.exe
  "C:\Users\Admin\AppData\Local\Temp\n1171\s1171.exe" 0d56c9394ee00039628665f0OSGuLWD1LE4i3EZHqvMaSDY6HnQgZ62L+3kPfDGWR3T1qJbUWY9DA7LW8q+gELYobWEUsVdHqCvqfPFOZGRkq5mb+JCQbe40O1PiSZ3tgBdXMFVmI/OsjmpVz7S2Uw8mPPCdEIW5ds/Z+Q7hv13zehBFrgtcLVW/2Rm9GwadxA== /v "C:\Users\Admin\AppData\Local\Temp\03f669513b56351a79abe8daa45ade86_JaffaCakes118.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2752

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

1

T1497

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Virtualization/Sandbox Evasion

1

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Cab6634.tmp

Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar9E66.tmp

Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
\Users\Admin\AppData\Local\Temp\n1171\s1171.exe

Filesize
350KB

MD5
6846ddbdd21776eff7d444531456b731

SHA1
7a4dc3057caf1127b1d96641c77513d08c7e59ce

SHA256
4620731e1e1e335a200b6d4486b9c38b6c6de2560a6728cbcb370d2f91cfa5a8

SHA512
c206026986552c29cd30d04d1aad03a9b9d9e2cc1951aba247ec3c0f12b730e8cb734a5f709e501b8347374343a6cd0908de50a8978a91c67dae54316395c4df

Download Submit
memory/2752-15-0x000007FEF5D60000-0x000007FEF66FD000-memory.dmp

Filesize
9.6MB

Download
memory/2752-16-0x00000000009B0000-0x0000000000A30000-memory.dmp

Filesize
512KB

Download
memory/2752-24-0x000007FEF5D60000-0x000007FEF66FD000-memory.dmp

Filesize
9.6MB

Download
memory/2752-25-0x00000000009B0000-0x0000000000A30000-memory.dmp

Filesize
512KB

Download
memory/2752-61-0x00000000020E0000-0x00000000020F0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads