7f574eccc7ab5287fa1cb3c0e35fe819388a9a0f73bd2243f977d2f2175772e0

General

Target

4c2bf873680a8b3a7683402c4e927454_JaffaCakes118.exe
Size

914KB
MD5

4c2bf873680a8b3a7683402c4e927454
SHA1

3c18a1acbc8be3de0caa9b6fa1025cf58f7b71c5
SHA256

7f574eccc7ab5287fa1cb3c0e35fe819388a9a0f73bd2243f977d2f2175772e0
SHA512

ffe25102078df09de4fce6feb84a5b927f8b172903a1f03f415b65927635a058acb312d73887ee1221f7e93848134518f5bd625dbcda8c469b782784b96f2e9e
SSDEEP

12288:IHw5jSoveo/+YqiMXIRfm5PgAoB4TqEmvyhhUvogdpMi74zxLqo7t:ow5tvMv0fmJuKOsUvoapkd+ox

Score

9^/10

evasion

Malware Config

Signatures

Checks for common network interception software 1 TTPs
Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.
evasion

Software Discovery
T1518

Enumerates VirtualBox registry keys 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxGuest	4c2bf873680a8b3a7683402c4e927454_JaffaCakes118.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Control Panel\International\Geo\Nation	4c2bf873680a8b3a7683402c4e927454_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1132	4c2bf873680a8b3a7683402c4e927454_JaffaCakes118.exe
1132	4c2bf873680a8b3a7683402c4e927454_JaffaCakes118.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1132	4c2bf873680a8b3a7683402c4e927454_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 23 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	1132	4c2bf873680a8b3a7683402c4e927454_JaffaCakes118.exe
Token: SeSecurityPrivilege	1132	4c2bf873680a8b3a7683402c4e927454_JaffaCakes118.exe
Token: SeTakeOwnershipPrivilege	1132	4c2bf873680a8b3a7683402c4e927454_JaffaCakes118.exe
Token: SeLoadDriverPrivilege	1132	4c2bf873680a8b3a7683402c4e927454_JaffaCakes118.exe
Token: SeSystemProfilePrivilege	1132	4c2bf873680a8b3a7683402c4e927454_JaffaCakes118.exe
Token: SeSystemtimePrivilege	1132	4c2bf873680a8b3a7683402c4e927454_JaffaCakes118.exe
Token: SeProfSingleProcessPrivilege	1132	4c2bf873680a8b3a7683402c4e927454_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	1132	4c2bf873680a8b3a7683402c4e927454_JaffaCakes118.exe
Token: SeCreatePagefilePrivilege	1132	4c2bf873680a8b3a7683402c4e927454_JaffaCakes118.exe
Token: SeBackupPrivilege	1132	4c2bf873680a8b3a7683402c4e927454_JaffaCakes118.exe
Token: SeRestorePrivilege	1132	4c2bf873680a8b3a7683402c4e927454_JaffaCakes118.exe
Token: SeShutdownPrivilege	1132	4c2bf873680a8b3a7683402c4e927454_JaffaCakes118.exe
Token: SeDebugPrivilege	1132	4c2bf873680a8b3a7683402c4e927454_JaffaCakes118.exe
Token: SeSystemEnvironmentPrivilege	1132	4c2bf873680a8b3a7683402c4e927454_JaffaCakes118.exe
Token: SeChangeNotifyPrivilege	1132	4c2bf873680a8b3a7683402c4e927454_JaffaCakes118.exe
Token: SeRemoteShutdownPrivilege	1132	4c2bf873680a8b3a7683402c4e927454_JaffaCakes118.exe
Token: SeUndockPrivilege	1132	4c2bf873680a8b3a7683402c4e927454_JaffaCakes118.exe
Token: SeManageVolumePrivilege	1132	4c2bf873680a8b3a7683402c4e927454_JaffaCakes118.exe
Token: SeImpersonatePrivilege	1132	4c2bf873680a8b3a7683402c4e927454_JaffaCakes118.exe
Token: SeCreateGlobalPrivilege	1132	4c2bf873680a8b3a7683402c4e927454_JaffaCakes118.exe
Token: 33	1132	4c2bf873680a8b3a7683402c4e927454_JaffaCakes118.exe
Token: 34	1132	4c2bf873680a8b3a7683402c4e927454_JaffaCakes118.exe
Token: 35	1132	4c2bf873680a8b3a7683402c4e927454_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\4c2bf873680a8b3a7683402c4e927454_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\4c2bf873680a8b3a7683402c4e927454_JaffaCakes118.exe"
1⤵
- Enumerates VirtualBox registry keys
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:1132

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

1

T1497

Credential Access

Discovery

Query Registry

Software Discovery

System Information Discovery

1

T1082

Virtualization/Sandbox Evasion

1

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1132-0-0x0000000002130000-0x000000000220E000-memory.dmp

Filesize
888KB

Download
memory/1132-2-0x0000000002130000-0x000000000220E000-memory.dmp

Filesize
888KB

Download
memory/1132-4-0x000000000043B000-0x000000000043C000-memory.dmp

Filesize
4KB

Download
memory/1132-3-0x0000000000400000-0x0000000000531000-memory.dmp

Filesize
1.2MB

Download
memory/1132-1-0x0000000002130000-0x000000000220E000-memory.dmp

Filesize
888KB

Download
memory/1132-5-0x0000000000400000-0x0000000000531000-memory.dmp

Filesize
1.2MB

Download
memory/1132-6-0x0000000000400000-0x0000000000531000-memory.dmp

Filesize
1.2MB

Download
memory/1132-7-0x0000000000400000-0x0000000000531000-memory.dmp

Filesize
1.2MB

Download
memory/1132-8-0x0000000002130000-0x000000000220E000-memory.dmp

Filesize
888KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads