Analysis
-
max time kernel
133s -
max time network
123s -
platform
windows10-2004_x64 -
resource
win10v2004-20240419-en -
resource tags
arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system -
submitted
07-05-2024 03:54
Static task
static1
Behavioral task
behavioral1
Sample
1f5cc0934c69394573e34be53dc41e54_JaffaCakes118.exe
Resource
win7-20240221-en
General
-
Target
1f5cc0934c69394573e34be53dc41e54_JaffaCakes118.exe
-
Size
236KB
-
MD5
1f5cc0934c69394573e34be53dc41e54
-
SHA1
55947f243c826706cfe27470530e555190911711
-
SHA256
9e7580489a6e346a26ac16c42a33e1857d67801bcc4191c1303d158e52c931ae
-
SHA512
22b09cab12c4e08549be486a0ba7e22f914d33da3a2188d256d990d2f2da74c4be71710c87d0310bb9869493655d1e14b676fdf6c03a3023414496ae13382771
-
SSDEEP
3072:VHZ/peTSk1rr7XcoZrBx8IlRdtF7zYLt52RlfZoqFa52QDL3ZJ6bLiD659qkg+:VHZRe7rPXfZ/fMLb2J6DLpJ6m
Malware Config
Extracted
gootkit
9
shoblya.org
shoblya.com
shoblyar.org
shblyar1.org
-
vendor_id
9
Signatures
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 1f5cc0934c69394573e34be53dc41e54_JaffaCakes118.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion mstsc.exe -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\DESCRIPTION\System\CentralProcessor\0 mstsc.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString mstsc.exe -
Suspicious behavior: MapViewOfSection 1 IoCs
pid Process 1192 1f5cc0934c69394573e34be53dc41e54_JaffaCakes118.exe -
Suspicious use of WriteProcessMemory 8 IoCs
description pid Process procid_target PID 1192 wrote to memory of 3976 1192 1f5cc0934c69394573e34be53dc41e54_JaffaCakes118.exe 97 PID 1192 wrote to memory of 3976 1192 1f5cc0934c69394573e34be53dc41e54_JaffaCakes118.exe 97 PID 1192 wrote to memory of 3976 1192 1f5cc0934c69394573e34be53dc41e54_JaffaCakes118.exe 97 PID 1192 wrote to memory of 3976 1192 1f5cc0934c69394573e34be53dc41e54_JaffaCakes118.exe 97 PID 1192 wrote to memory of 3976 1192 1f5cc0934c69394573e34be53dc41e54_JaffaCakes118.exe 97 PID 1192 wrote to memory of 3976 1192 1f5cc0934c69394573e34be53dc41e54_JaffaCakes118.exe 97 PID 1192 wrote to memory of 3976 1192 1f5cc0934c69394573e34be53dc41e54_JaffaCakes118.exe 97 PID 1192 wrote to memory of 3976 1192 1f5cc0934c69394573e34be53dc41e54_JaffaCakes118.exe 97
Processes
-
C:\Users\Admin\AppData\Local\Temp\1f5cc0934c69394573e34be53dc41e54_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\1f5cc0934c69394573e34be53dc41e54_JaffaCakes118.exe"1⤵
- Checks BIOS information in registry
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1192 -
C:\Windows\SysWOW64\mstsc.exeC:\Windows\System32\mstsc.exe "C:\Users\Admin\AppData\Local\Temp\1f5cc0934c69394573e34be53dc41e54_JaffaCakes118.exe"2⤵
- Checks BIOS information in registry
- Checks processor information in registry
PID:3976
-