e6fdea1f57c56b74ebcc5ead18ae5ca8ad657fbdc66001040cf1693008f40ab8

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
19/05/2024, 21:49

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

5ba7fec1d9e3e2cce7400e0977e3f1b3_JaffaCakes118.exe
Size

1.4MB
MD5

5ba7fec1d9e3e2cce7400e0977e3f1b3
SHA1

3fc0194f5c0dc4aa9d0204670739c2668f1d893b
SHA256

e6fdea1f57c56b74ebcc5ead18ae5ca8ad657fbdc66001040cf1693008f40ab8
SHA512

9e6305c01d63a2ec4a0c4375276fbc624244f2b122d32335308ab1319177e3b51ef38096cbd2677777a045a4d205f378244c5e03c9a4061f873118bddc158c20
SSDEEP

24576:Vw7kl6//yr1XiZYfa61xmUmtE1oEmw5+40Cwzh92+K7jHxUuzXSAaEVjjHqe/3:+7kNr1mYCmxmltqmwokwz+7L7SAvJqef

Score

7^/10

evasion upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 2 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral2/files/0x000600000002296f-28.dat	acprotect
behavioral2/files/0x0009000000023375-38.dat	acprotect

Identifies Wine through registry keys 2 TTPs 2 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Software\Wine	5ba7fec1d9e3e2cce7400e0977e3f1b3_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\Software\WOW6432Node\Wine	5ba7fec1d9e3e2cce7400e0977e3f1b3_JaffaCakes118.exe

Loads dropped DLL 3 IoCs

pid	Process
2044	5ba7fec1d9e3e2cce7400e0977e3f1b3_JaffaCakes118.exe
4480	RunDll32.exe
2044	5ba7fec1d9e3e2cce7400e0977e3f1b3_JaffaCakes118.exe

UPX packed file 15 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2044-0-0x0000000000400000-0x0000000000726000-memory.dmp	upx
behavioral2/files/0x000600000002296f-28.dat	upx
behavioral2/memory/2044-32-0x0000000073290000-0x000000007335C000-memory.dmp	upx
behavioral2/memory/4480-35-0x0000000073290000-0x000000007335C000-memory.dmp	upx
behavioral2/files/0x0009000000023375-38.dat	upx
behavioral2/memory/2044-42-0x0000000072EF0000-0x0000000072F3A000-memory.dmp	upx
behavioral2/memory/2044-44-0x0000000073290000-0x000000007335C000-memory.dmp	upx
behavioral2/memory/4480-52-0x0000000073290000-0x000000007335C000-memory.dmp	upx
behavioral2/memory/2044-53-0x0000000000400000-0x0000000000726000-memory.dmp	upx
behavioral2/memory/2044-58-0x0000000072EF0000-0x0000000072F3A000-memory.dmp	upx
behavioral2/memory/2044-69-0x0000000072EF0000-0x0000000072F3A000-memory.dmp	upx
behavioral2/memory/2044-77-0x0000000072EF0000-0x0000000072F3A000-memory.dmp	upx
behavioral2/memory/2044-76-0x0000000073290000-0x000000007335C000-memory.dmp	upx
behavioral2/memory/4480-102-0x0000000073290000-0x000000007335C000-memory.dmp	upx
behavioral2/memory/4480-106-0x0000000073290000-0x000000007335C000-memory.dmp	upx

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\FalconBetaAccount	5ba7fec1d9e3e2cce7400e0977e3f1b3_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\FalconBetaAccount\remote_access_client_id = "1684604208"	5ba7fec1d9e3e2cce7400e0977e3f1b3_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4480	RunDll32.exe
4480	RunDll32.exe
4480	RunDll32.exe
4480	RunDll32.exe
4480	RunDll32.exe
4480	RunDll32.exe
4480	RunDll32.exe
4480	RunDll32.exe
4480	RunDll32.exe
4480	RunDll32.exe
4480	RunDll32.exe
4480	RunDll32.exe
4480	RunDll32.exe
4480	RunDll32.exe
4480	RunDll32.exe
4480	RunDll32.exe
4480	RunDll32.exe
4480	RunDll32.exe
4480	RunDll32.exe
4480	RunDll32.exe
4480	RunDll32.exe
4480	RunDll32.exe
4480	RunDll32.exe
4480	RunDll32.exe
4480	RunDll32.exe
4480	RunDll32.exe
4480	RunDll32.exe
4480	RunDll32.exe
4480	RunDll32.exe
4480	RunDll32.exe
4480	RunDll32.exe
4480	RunDll32.exe
4480	RunDll32.exe
4480	RunDll32.exe
4480	RunDll32.exe
4480	RunDll32.exe
4480	RunDll32.exe
4480	RunDll32.exe
4480	RunDll32.exe
4480	RunDll32.exe
4480	RunDll32.exe
4480	RunDll32.exe
4480	RunDll32.exe
4480	RunDll32.exe
4480	RunDll32.exe
4480	RunDll32.exe
4480	RunDll32.exe
4480	RunDll32.exe
4480	RunDll32.exe
4480	RunDll32.exe
4480	RunDll32.exe
4480	RunDll32.exe
4480	RunDll32.exe
4480	RunDll32.exe
4480	RunDll32.exe
4480	RunDll32.exe
4480	RunDll32.exe
4480	RunDll32.exe
4480	RunDll32.exe
4480	RunDll32.exe
4480	RunDll32.exe
4480	RunDll32.exe
4480	RunDll32.exe
4480	RunDll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2044	5ba7fec1d9e3e2cce7400e0977e3f1b3_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeManageVolumePrivilege	2044	5ba7fec1d9e3e2cce7400e0977e3f1b3_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2044 wrote to memory of 4480	2044	5ba7fec1d9e3e2cce7400e0977e3f1b3_JaffaCakes118.exe	89
PID 2044 wrote to memory of 4480	2044	5ba7fec1d9e3e2cce7400e0977e3f1b3_JaffaCakes118.exe	89
PID 2044 wrote to memory of 4480	2044	5ba7fec1d9e3e2cce7400e0977e3f1b3_JaffaCakes118.exe	89

C:\Users\Admin\AppData\Local\Temp\5ba7fec1d9e3e2cce7400e0977e3f1b3_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\5ba7fec1d9e3e2cce7400e0977e3f1b3_JaffaCakes118.exe"
1⤵
- Identifies Wine through registry keys
- Loads dropped DLL
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2044
- C:\Windows\SysWOW64\RunDll32.exe
  RunDll32.exe "C:\Users\Admin\AppData\Local\Temp\utt3F1D.tmp",_OCPRD119RunOpenCandyDLL@16 2044
  2⤵
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  PID:4480

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ADKAppsOfferManager.dll

Filesize
100KB

MD5
e91cd5bbcf94d8b3455254f7744f738c

SHA1
f20aa129b741bf3495f823d47a12bbe1d011acba

SHA256
5edb27f7e830c40bc0c02d1b3ea2933df286c570fa37821d0e5f3bfb4a292477

SHA512
af496b86c0b526190881b09020cd47b607e09d72743f72fe4f764829fadc658ebdce24f7c990aa2cc56fb2df038a125cfbc349957a33fa1fc08d177ba1991287

Download Submit
C:\Users\Admin\AppData\Local\Temp\utt34FA.tmp.new

Filesize
2KB

MD5
0c36af4ce7a720298efadde9c0c1ad49

SHA1
67f812112b8eaa99345243c1bc05c98a3f4d24b2

SHA256
4e8e317fc6a2f7ccf80428d9ebb30e4a801f7ff65f8351f50281a2d5f39665b8

SHA512
1b9df2af3e3f5cba5c9cb9d2d58b67ab12a266ce62b9072e5d86cd5f6d4d2a49c0872844dbe94875b986577abceca10e5296067c3afa58846b0fddb21b20423d

Download Submit
C:\Users\Admin\AppData\Local\Temp\utt3F1D.tmp

Filesize
293KB

MD5
7a9bf84ae6f5793548177fb6998ce922

SHA1
52f3182e4cd4058d14afd9e40b14fed9d9b1494b

SHA256
6b85f7a8a87270292f546cd1de615e594a37e518c4d0d35d136a52a0cc934c80

SHA512
2e8bba02c58c39d08337c730afff85649a2f35d3cc68938456b8e4674a5aa6034fa056f847f18213716d9195526a4da8cc8af7ed7e022c581fc05963eb53a789

Download Submit
C:\Users\Admin\AppData\Roaming\uTorrent\toolbar.benc.new

Filesize
36KB

MD5
8988ee3dfb26055bef4dea567b2376df

SHA1
4a1475ae436260f58107bfce9b8348f206edb5dc

SHA256
8bfba2ec04d5c7281a9180d66708975d313f492efdd240818becf5e25c5fad5d

SHA512
fa3e24cfd34085c2425b9d5b65cbf552b86ed0a08b1fad7a0622668b214ac24e7cde4ae00eca251551bb9b4b2c5ed2b13153a60425d3c6e8df57a6aa46d21e1d

Download Submit
memory/2044-58-0x0000000072EF0000-0x0000000072F3A000-memory.dmp

Filesize
296KB

Download
memory/2044-53-0x0000000000400000-0x0000000000726000-memory.dmp

Filesize
3.1MB

Download
memory/2044-76-0x0000000073290000-0x000000007335C000-memory.dmp

Filesize
816KB

Download
memory/2044-42-0x0000000072EF0000-0x0000000072F3A000-memory.dmp

Filesize
296KB

Download
memory/2044-44-0x0000000073290000-0x000000007335C000-memory.dmp

Filesize
816KB

Download
memory/2044-32-0x0000000073290000-0x000000007335C000-memory.dmp

Filesize
816KB

Download
memory/2044-77-0x0000000072EF0000-0x0000000072F3A000-memory.dmp

Filesize
296KB

Download
memory/2044-69-0x0000000072EF0000-0x0000000072F3A000-memory.dmp

Filesize
296KB

Download
memory/2044-0-0x0000000000400000-0x0000000000726000-memory.dmp

Filesize
3.1MB

Download
memory/4480-36-0x00000000007E0000-0x00000000007E1000-memory.dmp

Filesize
4KB

Download
memory/4480-52-0x0000000073290000-0x000000007335C000-memory.dmp

Filesize
816KB

Download
memory/4480-35-0x0000000073290000-0x000000007335C000-memory.dmp

Filesize
816KB

Download
memory/4480-102-0x0000000073290000-0x000000007335C000-memory.dmp

Filesize
816KB

Download
memory/4480-106-0x0000000073290000-0x000000007335C000-memory.dmp

Filesize
816KB

Download