111d372ee1fbc5d1b6b43467954cbb30f06e042d00808778aca8ca61e16ac172

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
28-04-2024 14:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0570bc2701b9476147a23df169de06a1_JaffaCakes118.exe
Size

394KB
MD5

0570bc2701b9476147a23df169de06a1
SHA1

3f62793a1cef18b670ee9d85c92b7f5e2789b82a
SHA256

111d372ee1fbc5d1b6b43467954cbb30f06e042d00808778aca8ca61e16ac172
SHA512

b5dc2d872302670c140b3c4e94ade78dd8d860d6ff23297fe16754a3229072d456f0472e838094be893fa198f7d32fafd58a72a96108d8d55de04c9e43ce9c14
SSDEEP

12288:EqXPvRxTcOonD0kV3kEhKizNYErP5Iu0nm:E4n/DsDndKcNYEFpkm

Score

9^/10

evasion spyware stealer

Malware Config

Signatures

Identifies Xen via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

MRP1249.tmp

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\Xen MRP1249.tmp
Executes dropped EXE 1 IoCs

Processes:

MRP1249.tmp

pid process

2936 MRP1249.tmp
Identifies Wine through registry keys 2 TTPs 1 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

MRP1249.tmp

description ioc process

Key opened \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Wine MRP1249.tmp
Loads dropped DLL 2 IoCs

Processes:

0570bc2701b9476147a23df169de06a1_JaffaCakes118.exe

pid process

1888 0570bc2701b9476147a23df169de06a1_JaffaCakes118.exe
1888 0570bc2701b9476147a23df169de06a1_JaffaCakes118.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs
Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

System Information Discovery
T1082

Processes:

MRP1249.tmp

description ioc process

File opened (read-only) \??\VBoxMiniRdrDN MRP1249.tmp

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\Xen	MRP1249.tmp

pid	process
2936	MRP1249.tmp

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Wine	MRP1249.tmp

pid	process
1888	0570bc2701b9476147a23df169de06a1_JaffaCakes118.exe
1888	0570bc2701b9476147a23df169de06a1_JaffaCakes118.exe

description	ioc	process
File opened (read-only)	\??\VBoxMiniRdrDN	MRP1249.tmp

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

MRP1249.tmp

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	MRP1249.tmp
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	MRP1249.tmp

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

MRP1249.tmp

pid process

2936 MRP1249.tmp
2936 MRP1249.tmp
2936 MRP1249.tmp
2936 MRP1249.tmp

pid	process
2936	MRP1249.tmp
2936	MRP1249.tmp
2936	MRP1249.tmp
2936	MRP1249.tmp

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

0570bc2701b9476147a23df169de06a1_JaffaCakes118.exe

description	pid	process	target process
PID 1888 wrote to memory of 2936	1888	0570bc2701b9476147a23df169de06a1_JaffaCakes118.exe	MRP1249.tmp
PID 1888 wrote to memory of 2936	1888	0570bc2701b9476147a23df169de06a1_JaffaCakes118.exe	MRP1249.tmp
PID 1888 wrote to memory of 2936	1888	0570bc2701b9476147a23df169de06a1_JaffaCakes118.exe	MRP1249.tmp
PID 1888 wrote to memory of 2936	1888	0570bc2701b9476147a23df169de06a1_JaffaCakes118.exe	MRP1249.tmp

C:\Users\Admin\AppData\Local\Temp\0570bc2701b9476147a23df169de06a1_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0570bc2701b9476147a23df169de06a1_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1888

C:\Users\Admin\AppData\Local\Temp\MRP1249.tmp
"C:\Users\Admin\AppData\Local\Temp\MRP1249.tmp" -morpheus
2⤵
- Identifies Xen via ACPI registry values (likely anti-VM)
- Executes dropped EXE
- Identifies Wine through registry keys
- Checks for VirtualBox DLLs, possible anti-VM trick
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
PID:2936

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\MRP1249.tmp
Filesize
337KB

MD5
cf00eb23e15c701ba8f5e132c3e1d403

SHA1
55ee45f4f7028ff09da4bb3e108078667c585cd6

SHA256
b2da1b098225c078456d611d4a570baaf670dc3eebf6d02b5934e4f6e3027b06

SHA512
964ed582b7cd802709984e92054dcd2f34e5dbd9310d95c7f27af3fe144aaf8b654e2b5a67b7fa0efaec0b19abab8ccc8116c94a3e870138eeb4f03c2fa45194

Download Submit