Analysis
- max time kernel: 122s
- max time network: 123s
- platform: windows7_x64
- resource: win7-20231129-en
- resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
- submitted: 13/05/2024, 07:12
Static task: static1
Behavioral task: behavioral1
- Sample: 3e4d5844ed2fe4a71ea85a9f772a9bfc_JaffaCakes118.exe
- Resource: win7-20231129-en
Behavioral task: behavioral2
- Sample: 3e4d5844ed2fe4a71ea85a9f772a9bfc_JaffaCakes118.exe
- Resource: win10v2004-20240508-en
General
- Target: 3e4d5844ed2fe4a71ea85a9f772a9bfc_JaffaCakes118.exe
- Size: 531KB
- MD5: 3e4d5844ed2fe4a71ea85a9f772a9bfc
- SHA1: 3d4a45390acaf7956382f18c3b62722af53fc53b
- SHA256: 24a6fadc4b8228372277831b6f805358b5d046a9e54337d1fd092627b020296b
- SHA512: a93d4482e4c432755f7e23cc9f071835f81dbf6d487eaf04ad57acfbc50ae01bf0887c166451c682eff362c514fdac0ac40ada77a9d8a49a1ed4bad50c0c29c6
- SSDEEP: 12288:q5iZvUxxc36rURUMK6jXc8RWi2TR7rGOjt9RRg/5Lb2M3njAdc:q0vUxxEiMdjXBR8R7COZ9RRg5njAK
Malware Config
Signatures
- Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 1 IoC)
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 3e4d5844ed2fe4a71ea85a9f772a9bfc_JaffaCakes118.exe
- Executes dropped EXE (1 IoC)
  pid | Process
  2128 | s1707.exe
- Loads dropped DLL (4 IoCs)
  pid | Process
  1848 | 3e4d5844ed2fe4a71ea85a9f772a9bfc_JaffaCakes118.exe
  1848 | 3e4d5844ed2fe4a71ea85a9f772a9bfc_JaffaCakes118.exe
  1848 | 3e4d5844ed2fe4a71ea85a9f772a9bfc_JaffaCakes118.exe
  1848 | 3e4d5844ed2fe4a71ea85a9f772a9bfc_JaffaCakes118.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Enumerates system info in registry (2 TTPs, 2 IoCs)
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | 3e4d5844ed2fe4a71ea85a9f772a9bfc_JaffaCakes118.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | 3e4d5844ed2fe4a71ea85a9f772a9bfc_JaffaCakes118.exe
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  pid | Process
  1848 | 3e4d5844ed2fe4a71ea85a9f772a9bfc_JaffaCakes118.exe
  2128 | s1707.exe
  2128 | s1707.exe
  2128 | s1707.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  description | pid | Process
  Token: SeDebugPrivilege | 2128 | s1707.exe
- Suspicious use of SetWindowsHookEx (2 IoCs)
  pid | Process
  2128 | s1707.exe
  2128 | s1707.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  description | pid | Process | procid_target
  PID 1848 wrote to memory of 2128 | 1848 | 3e4d5844ed2fe4a71ea85a9f772a9bfc_JaffaCakes118.exe | 28
  PID 1848 wrote to memory of 2128 | 1848 | 3e4d5844ed2fe4a71ea85a9f772a9bfc_JaffaCakes118.exe | 28
  PID 1848 wrote to memory of 2128 | 1848 | 3e4d5844ed2fe4a71ea85a9f772a9bfc_JaffaCakes118.exe | 28
  PID 1848 wrote to memory of 2128 | 1848 | 3e4d5844ed2fe4a71ea85a9f772a9bfc_JaffaCakes118.exe | 28
Processes
- Image: C:\Users\Admin\AppData\Local\Temp\3e4d5844ed2fe4a71ea85a9f772a9bfc_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\3e4d5844ed2fe4a71ea85a9f772a9bfc_JaffaCakes118.exe"
  PID: 1848 (depth 1)
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Loads dropped DLL
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - Child image: C:\Users\Admin\AppData\Local\Temp\n1707\s1707.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\n1707\s1707.exe" 355a6bd03eac48f65e53d0c4xnsCplSZbfLjhmznbWVw2Bsjq6sjj1gNqtk+jS7ewRAgHotvB0V9RAEWrxSZ1EGfirioPQw9p1ff0RZ/F6C6me9ocHIueicHd/XzqTYUNCPO/IF9fexMZ4hXirflJ5GHILvt6D+F8bcoZSP+HszFCTI= /v "C:\Users\Admin\AppData\Local\Temp\3e4d5844ed2fe4a71ea85a9f772a9bfc_JaffaCakes118.exe"
    PID: 2128 (depth 2)
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 68KB
  MD5: 29f65ba8e88c063813cc50a4ea544e93
  SHA1: 05a7040d5c127e68c25d81cc51271ffb8bef3568
  SHA256: 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
  SHA512: e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa
- Filesize: 1KB
  MD5: a266bb7dcc38a562631361bbf61dd11b
  SHA1: 3b1efd3a66ea28b16697394703a72ca340a05bd5
  SHA256: df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e
  SHA512: 0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357
  Filesize: 242B
  MD5: c6ba63935a7e1760770e8c56e2bd10f0
  SHA1: 3122694b0dd726dca2ccf91abce28e42b77d24cb
  SHA256: da687f6e0ac00d241fef42fac56f48a530aa4b7fa62a16f3cd394306706fea03
  SHA512: 04d5932dedf27e6a88dd91c85ee6c98dff9f6bc35a087adfcb135883ea34f901758f0a682d33217c9514e2bb0c99a78bd7e67645d1620f9e8f29fd14017425b1
- Filesize: 177KB
  MD5: 435a9ac180383f9fa094131b173a2f7b
  SHA1: 76944ea657a9db94f9a4bef38f88c46ed4166983
  SHA256: 67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34
  SHA512: 1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a
- Filesize: 219KB
  MD5: 7102142ea8fd1e51646947341502307a
  SHA1: d334d9be108bae81d8cd0eaca4b3208c303aa931
  SHA256: 4a2aa0f09b9942ec43d71ae00e3ac4153a737acbd4c904c24688ed47b0943638
  SHA512: 8eb30b6a106703a05ce9e280f8044a6ca7dac2c6657e7ffe8ada79b4ef2a5381dd481a153d285cfb8aacb1550e71392a86a15ca0127d8dfa89457af931c971e8