Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system -
submitted
18-05-2024 16:04
Static task
static1
Behavioral task
behavioral1
Sample
5598027d46551abb118ee343baaa530d_JaffaCakes118.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
5598027d46551abb118ee343baaa530d_JaffaCakes118.exe
Resource
win10v2004-20240426-en
General
-
Target
5598027d46551abb118ee343baaa530d_JaffaCakes118.exe
-
Size
2.9MB
-
MD5
5598027d46551abb118ee343baaa530d
-
SHA1
16907ea747cbaaae64b83b95566e0aba6a022a2c
-
SHA256
ab33dd2fe5e133ea982810c86ac78f41572e632a037536e3e908f1cea2483223
-
SHA512
8ba9536a4556ad0aa95cef9a0b5e26d729cdb9e0f03aed5d721358b650e6be0764217d348e4d353276ccfc39e43a0c16d51cd6d7166034f9bb31c6a479880c84
-
SSDEEP
49152:SRegR/NMCAlS3pcg1JEqm903QM0RbLW3uT3oyRISIsJ0O1jpfivAKsmqqV:PW19cG6RXku7oHSzSO11ame
Malware Config
Extracted
fickerstealer
45.67.231.4:80
Signatures
-
Fickerstealer
Ficker is an infostealer written in Rust and ASM.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 5598027d46551abb118ee343baaa530d_JaffaCakes118.exe -
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 5598027d46551abb118ee343baaa530d_JaffaCakes118.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 5598027d46551abb118ee343baaa530d_JaffaCakes118.exe -
Identifies Wine through registry keys 2 TTPs 1 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Software\Wine 5598027d46551abb118ee343baaa530d_JaffaCakes118.exe -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 19 api.ipify.org -
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
pid Process 1368 5598027d46551abb118ee343baaa530d_JaffaCakes118.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 1368 5598027d46551abb118ee343baaa530d_JaffaCakes118.exe 1368 5598027d46551abb118ee343baaa530d_JaffaCakes118.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\5598027d46551abb118ee343baaa530d_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\5598027d46551abb118ee343baaa530d_JaffaCakes118.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:1368
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
14B
MD51207bc197a1ebd72a77f1a771cad9e52
SHA18ed121ff66d407150d7390b9276fe690dd213b27
SHA256260658b9cb063d6ce96f681b18704e02fae7bf8fc995fc249ab0be1400983476
SHA512d037cfa3b6e6ced9652b2c781bb54cf48dbaa0aaff05039ae4fd0122749eda472807d4198981aa6ceffeba6d2b23d7ad08d7d96983dbd8539cf6b07e46e157f4