6b9819a15b779ab3ab18a68bb9ffc414f15b47696f8fb4138fd397cc745255cc

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
09/05/2024, 05:33

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

288213cc5c586faec5b2d883b7b12b1d_JaffaCakes118.exe
Size

289KB
MD5

288213cc5c586faec5b2d883b7b12b1d
SHA1

8b7ea213852cae78db87805fda423fdfa85bfd21
SHA256

6b9819a15b779ab3ab18a68bb9ffc414f15b47696f8fb4138fd397cc745255cc
SHA512

1ffdbb961c862655b120c95af05e595ba9586f6a31d0e5632ff835e99de8e15dd6fbec9ea43fb7c923d7feb2b7938caee074801afcb76857508e209bd21a1869
SSDEEP

3072:Q6KrePVti2gCnjHCtTETGbgn6qZ7QW77NyEob5XiMjvIeLOjr10hti/PCGj+M76C:iaYnuNGxlg7Nw5XiQvb4cYX0MZ

Score

9^/10

evasion

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	288213cc5c586faec5b2d883b7b12b1d_JaffaCakes118.exe

Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Oracle\VirtualBox Guest Additions	288213cc5c586faec5b2d883b7b12b1d_JaffaCakes118.exe

Looks for VMWare Tools registry key 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\VMware, Inc.\VMware Tools	288213cc5c586faec5b2d883b7b12b1d_JaffaCakes118.exe

Checks BIOS information in registry 2 TTPs 1 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	288213cc5c586faec5b2d883b7b12b1d_JaffaCakes118.exe

Deletes itself 1 IoCs

pid	Process
1696	cmd.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1716 wrote to memory of 1696	1716	288213cc5c586faec5b2d883b7b12b1d_JaffaCakes118.exe	28
PID 1716 wrote to memory of 1696	1716	288213cc5c586faec5b2d883b7b12b1d_JaffaCakes118.exe	28
PID 1716 wrote to memory of 1696	1716	288213cc5c586faec5b2d883b7b12b1d_JaffaCakes118.exe	28
PID 1716 wrote to memory of 1696	1716	288213cc5c586faec5b2d883b7b12b1d_JaffaCakes118.exe	28

C:\Users\Admin\AppData\Local\Temp\288213cc5c586faec5b2d883b7b12b1d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\288213cc5c586faec5b2d883b7b12b1d_JaffaCakes118.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Suspicious use of WriteProcessMemory
PID:1716
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\updacb84f9d.bat"
  2⤵
  - Deletes itself
  PID:1696

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\updacb84f9d.bat

Filesize
277B

MD5
d269c01aab6b223928b874eeddee15a1

SHA1
bef625bb64e0bded458b6224d01d828e6f257555

SHA256
393dcc80648c88235d86c4363f52fcb8bfd63784ed1fda90f2ab46c8d854062f

SHA512
8c093d38694512e67c8fa13f9d091582c60257033865867971704f7c4990210a5b622f13f842db815b2d09c6abc812722d6a4dd717141322b77ee8ad67d0445d

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads