b32a1cc7bf5666616499860b1c75db6a19fbd31dad2be7ef5f13720dec6939af

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
09/05/2024, 14:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2a6c125d7ddbdf876a132dad12f33d34_JaffaCakes118.exe
Size

3.1MB
MD5

2a6c125d7ddbdf876a132dad12f33d34
SHA1

961dae6d9cac36b3cb7a2ef1f63792af56b4c1d9
SHA256

b32a1cc7bf5666616499860b1c75db6a19fbd31dad2be7ef5f13720dec6939af
SHA512

fa3f90ae6d922dec6c1cf2c60efeca7bf189e0f901dc893539c45e6ea35f94b30e835db748c3b48d31ed452628ccc7319ca92341aa7c8f3ced56f8be9dc6e506
SSDEEP

49152:AUfYxziGK24+ZnH/XGiLVDd2Md9UySlEO+lFBe/kEcbycuhAOOdudfV6wetNcLlV:A+YxGJWH/XNHd2KRqkPycu1Oafr+er

Score

9^/10

evasion trojan

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 4 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	update.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	WindowsSystem.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	WindowsSystem.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	WindowsSystem.exe

Sets file to hidden 1 TTPs 1 IoCs

Modifies file attributes to stop it showing in Explorer etc.

evasion

Hidden Files and Directories

T1564.001

pid	Process
4812	attrib.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	update.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	update.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	2a6c125d7ddbdf876a132dad12f33d34_JaffaCakes118.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\System Recovery.lnk	update.exe

Executes dropped EXE 4 IoCs

pid	Process
1696	update.exe
1068	WindowsSystem.exe
3356	WindowsSystem.exe
2732	WindowsSystem.exe

Identifies Wine through registry keys 2 TTPs 4 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Wine	WindowsSystem.exe
Key opened	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Wine	update.exe
Key opened	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Wine	WindowsSystem.exe
Key opened	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Wine	WindowsSystem.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	update.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
1696	update.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2232	schtasks.exe
1296	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1696	update.exe
1696	update.exe
1696	update.exe
1696	update.exe
1696	update.exe
1696	update.exe
1696	update.exe
1696	update.exe
1696	update.exe
1696	update.exe
1696	update.exe
1696	update.exe
1696	update.exe
1696	update.exe
1696	update.exe
1696	update.exe
1696	update.exe
1696	update.exe
1696	update.exe
1696	update.exe
1696	update.exe
1696	update.exe
1696	update.exe
1696	update.exe
1696	update.exe
1696	update.exe
1696	update.exe
1696	update.exe
1696	update.exe
1696	update.exe
1696	update.exe
1696	update.exe
1696	update.exe
1696	update.exe
1696	update.exe
1696	update.exe
1696	update.exe
1696	update.exe
1696	update.exe
1696	update.exe
1696	update.exe
1696	update.exe
1696	update.exe
1696	update.exe
1696	update.exe
1696	update.exe
1696	update.exe
1696	update.exe
1696	update.exe
1696	update.exe
1696	update.exe
1696	update.exe
1696	update.exe
1696	update.exe
1696	update.exe
1696	update.exe
1696	update.exe
1696	update.exe
1696	update.exe
1696	update.exe
1696	update.exe
1696	update.exe
1696	update.exe
1696	update.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1080 wrote to memory of 1696	1080	2a6c125d7ddbdf876a132dad12f33d34_JaffaCakes118.exe	84
PID 1080 wrote to memory of 1696	1080	2a6c125d7ddbdf876a132dad12f33d34_JaffaCakes118.exe	84
PID 1080 wrote to memory of 1696	1080	2a6c125d7ddbdf876a132dad12f33d34_JaffaCakes118.exe	84
PID 1696 wrote to memory of 4812	1696	update.exe	89
PID 1696 wrote to memory of 4812	1696	update.exe	89
PID 1696 wrote to memory of 4812	1696	update.exe	89
PID 1696 wrote to memory of 1296	1696	update.exe	90
PID 1696 wrote to memory of 1296	1696	update.exe	90
PID 1696 wrote to memory of 1296	1696	update.exe	90
PID 1696 wrote to memory of 2232	1696	update.exe	91
PID 1696 wrote to memory of 2232	1696	update.exe	91
PID 1696 wrote to memory of 2232	1696	update.exe	91

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
4812	attrib.exe

C:\Users\Admin\AppData\Local\Temp\2a6c125d7ddbdf876a132dad12f33d34_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2a6c125d7ddbdf876a132dad12f33d34_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1080
- C:\ProgramData\Adobe\Update\update.exe
  "C:\ProgramData\Adobe\Update\update.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Drops startup file
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1696
- - C:\Windows\SysWOW64\attrib.exe
    attrib +s +h C:\ProgramData\WindowsSystem.exe
    3⤵
    - Sets file to hidden
    - Views/modifies file attributes
    PID:4812
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /tn \Windows\RecoveryProgram /tr "C:\ProgramData\WindowsSystem.exe" /st 00:00 /sc once /du 9999:59 /ri 1 /f
    3⤵
    - Creates scheduled task(s)
    PID:1296
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /tn \Windows\WindowsRun /tr "C:\ProgramData\WindowsSystem.exe" /st 00:00 /sc once /du 9999:59 /ri 50 /f
    3⤵
    - Creates scheduled task(s)
    PID:2232

C:\ProgramData\WindowsSystem.exe
C:\ProgramData\WindowsSystem.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Executes dropped EXE
- Identifies Wine through registry keys
PID:1068

C:\ProgramData\WindowsSystem.exe
C:\ProgramData\WindowsSystem.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Executes dropped EXE
- Identifies Wine through registry keys
PID:3356

C:\ProgramData\WindowsSystem.exe
C:\ProgramData\WindowsSystem.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Executes dropped EXE
- Identifies Wine through registry keys
PID:2732

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Adobe\Update\update.exe

Filesize
3.2MB

MD5
d3c9641a71a67675dd06cf2379a274f4

SHA1
ba1300928afed6454ad49aac0c42e09ff2363717

SHA256
974211f8998573e6b221640dc2700c28b59744d9a1147182e7923fb6bf5f89c1

SHA512
f9bc8765e9df699362bb18dbbb02112b6f8486e9befb7bfdfec0a1dd5f5dcb027cc55e86382189bb397689d565054d145ad449360047ecf010a9661511d1f6b0

Download Submit
memory/1068-19-0x0000000000430000-0x0000000000C83000-memory.dmp

Filesize
8.3MB

Download
memory/1068-20-0x0000000000430000-0x0000000000C83000-memory.dmp

Filesize
8.3MB

Download
memory/1696-12-0x0000000000430000-0x0000000000C83000-memory.dmp

Filesize
8.3MB

Download
memory/1696-13-0x0000000077CF4000-0x0000000077CF6000-memory.dmp

Filesize
8KB

Download
memory/1696-14-0x0000000000431000-0x000000000045E000-memory.dmp

Filesize
180KB

Download
memory/1696-16-0x0000000000430000-0x0000000000C83000-memory.dmp

Filesize
8.3MB

Download
memory/2732-37-0x0000000000430000-0x0000000000C83000-memory.dmp

Filesize
8.3MB

Download
memory/2732-38-0x0000000000430000-0x0000000000C83000-memory.dmp

Filesize
8.3MB

Download
memory/3356-28-0x0000000000430000-0x0000000000C83000-memory.dmp

Filesize
8.3MB

Download
memory/3356-29-0x0000000000430000-0x0000000000C83000-memory.dmp

Filesize
8.3MB

Download