24e5a2fa07ca3fbe7310466578e2b833274f894483ea3faeb489a4b3805c229b

General

Target

348012a78b3b886c5704752c78d25878_JaffaCakes118.exe
Size

678KB
MD5

348012a78b3b886c5704752c78d25878
SHA1

852c800f2f5dafa964075b2fd1266dd5215c05b0
SHA256

24e5a2fa07ca3fbe7310466578e2b833274f894483ea3faeb489a4b3805c229b
SHA512

8caf93117c991177903b527cf262ee083574efefe85e5e93e8012aacfd106cbb9fedadc3c65b0ecca705d4f4f1470757c3a54a2826ef2eefe553a46aaccb1790
SSDEEP

12288:ZyE2QYrOLw9saOiCXcU/OQOCeDHg23sMhEJZT1aRYNg+61:cE2QYrr6iwcWOQOfLg6sMCDT1a2a+61

Score

9^/10

evasion

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	348012a78b3b886c5704752c78d25878_JaffaCakes118.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	348012a78b3b886c5704752c78d25878_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

pid	Process
2244	s6472.exe

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File created	C:\Windows\assembly\Desktop.ini	s6472.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	s6472.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\assembly	s6472.exe
File created	C:\Windows\assembly\Desktop.ini	s6472.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	s6472.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	348012a78b3b886c5704752c78d25878_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	348012a78b3b886c5704752c78d25878_JaffaCakes118.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C	s6472.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 0400000001000000100000003e455215095192e1b75d379fb187298a0f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d090000000100000068000000306606082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050508020206082b0601050507030606082b0601050507030706082b0601050507030906082b0601050507030106082b06010505070308530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520031000000620000000100000020000000ebd41040e4bb3ec742c9e381d31ef2a41a48b6685c96e7cef3c1df6cd4331c99140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b1d00000001000000100000006ee7f3b060d10e90a31ba3471b9992367f000000010000000c000000300a06082b060105050703097a000000010000000c000000300a06082b060105050703097e00000001000000080000000000042beb77d501030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c190000000100000010000000a823b4a20180beb460cab955c24d7e21200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	s6472.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 5c000000010000000400000000080000190000000100000010000000a823b4a20180beb460cab955c24d7e21030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c7e00000001000000080000000000042beb77d5017a000000010000000c000000300a06082b060105050703097f000000010000000c000000300a06082b060105050703091d00000001000000100000006ee7f3b060d10e90a31ba3471b999236140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b620000000100000020000000ebd41040e4bb3ec742c9e381d31ef2a41a48b6685c96e7cef3c1df6cd4331c990b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520031000000530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000068000000306606082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050508020206082b0601050507030606082b0601050507030706082b0601050507030906082b0601050507030106082b060105050703080f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d0400000001000000100000003e455215095192e1b75d379fb187298a200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	s6472.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
1048	348012a78b3b886c5704752c78d25878_JaffaCakes118.exe
1048	348012a78b3b886c5704752c78d25878_JaffaCakes118.exe
2244	s6472.exe
2244	s6472.exe
2244	s6472.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2244	s6472.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2244	s6472.exe
2244	s6472.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 1048 wrote to memory of 2244	1048	348012a78b3b886c5704752c78d25878_JaffaCakes118.exe	80
PID 1048 wrote to memory of 2244	1048	348012a78b3b886c5704752c78d25878_JaffaCakes118.exe	80

C:\Users\Admin\AppData\Local\Temp\348012a78b3b886c5704752c78d25878_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\348012a78b3b886c5704752c78d25878_JaffaCakes118.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks computer location settings
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1048
- C:\Users\Admin\AppData\Local\Temp\n6472\s6472.exe
  "C:\Users\Admin\AppData\Local\Temp\n6472\s6472.exe" 421b5be21bea572ae6236d79II+0SKeJDh2WlFMISaFue19v6yUsvDJ2jKST2NnyRd+DAEeWCqt32LpYwEcZn17lxEqZII6/rvmEPVpGG+auWtIJPmPaC/loVfm3ur2C+Ohr2s8q5SeZQHc+z/0wal9KrLVZ2tNpgctKsls9nL+jSfFufztHibX4nLat4IFeVw== /v "C:\Users\Admin\AppData\Local\Temp\348012a78b3b886c5704752c78d25878_JaffaCakes118.exe"
  2⤵
  - Executes dropped EXE
  - Drops desktop.ini file(s)
  - Drops file in Windows directory
  - Modifies system certificate store
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2244

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Virtualization/Sandbox Evasion

1

T1497

Credential Access

Discovery

Query Registry

3

T1012

System Information Discovery

3

T1082

Virtualization/Sandbox Evasion

1

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\n6472\s6472.exe

Filesize
350KB

MD5
da834fff62c4d3e86baa52714cf2d635

SHA1
4b35992bbd61e75791ec55bf3b47921be26b3031

SHA256
6079e9ad58853c80733363903df046a8008bc8b972b1c52c7eff99b5ed6ad681

SHA512
1227d5300237915a4382576fb19bc9ceb304a7ab8455d850154e6b7b8a92356a107a39180f866ad617da9a90745224ae6a8d1f602992c59353d2ad2c267c6526

Download Submit
memory/2244-12-0x00007FFC405A5000-0x00007FFC405A6000-memory.dmp

Filesize
4KB

Download
memory/2244-13-0x00007FFC402F0000-0x00007FFC40C91000-memory.dmp

Filesize
9.6MB

Download
memory/2244-22-0x000000001BBB0000-0x000000001BBC0000-memory.dmp

Filesize
64KB

Download
memory/2244-25-0x000000001C740000-0x000000001CC0E000-memory.dmp

Filesize
4.8MB

Download
memory/2244-26-0x000000001CCB0000-0x000000001CD4C000-memory.dmp

Filesize
624KB

Download
memory/2244-27-0x00007FFC402F0000-0x00007FFC40C91000-memory.dmp

Filesize
9.6MB

Download
memory/2244-28-0x000000001D0A0000-0x000000001D102000-memory.dmp

Filesize
392KB

Download
memory/2244-29-0x00007FFC402F0000-0x00007FFC40C91000-memory.dmp

Filesize
9.6MB

Download
memory/2244-30-0x00007FFC402F0000-0x00007FFC40C91000-memory.dmp

Filesize
9.6MB

Download
memory/2244-31-0x000000001BFC0000-0x000000001BFC8000-memory.dmp

Filesize
32KB

Download
memory/2244-32-0x00007FFC402F0000-0x00007FFC40C91000-memory.dmp

Filesize
9.6MB

Download
memory/2244-33-0x00007FFC402F0000-0x00007FFC40C91000-memory.dmp

Filesize
9.6MB

Download
memory/2244-34-0x00007FFC402F0000-0x00007FFC40C91000-memory.dmp

Filesize
9.6MB

Download
memory/2244-35-0x00007FFC402F0000-0x00007FFC40C91000-memory.dmp

Filesize
9.6MB

Download
memory/2244-36-0x00000000207D0000-0x000000002090C000-memory.dmp

Filesize
1.2MB

Download
memory/2244-37-0x0000000020E20000-0x000000002132E000-memory.dmp

Filesize
5.1MB

Download
memory/2244-38-0x00007FFC402F0000-0x00007FFC40C91000-memory.dmp

Filesize
9.6MB

Download
memory/2244-39-0x00007FFC402F0000-0x00007FFC40C91000-memory.dmp

Filesize
9.6MB

Download
memory/2244-40-0x00007FFC405A5000-0x00007FFC405A6000-memory.dmp

Filesize
4KB

Download
memory/2244-41-0x00007FFC402F0000-0x00007FFC40C91000-memory.dmp

Filesize
9.6MB

Download
memory/2244-42-0x00007FFC402F0000-0x00007FFC40C91000-memory.dmp

Filesize
9.6MB

Download
memory/2244-44-0x00007FFC402F0000-0x00007FFC40C91000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads