Analysis
-
max time kernel
142s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20240220-en -
resource tags
-
submitted
21-05-2024 10:53
General
-
Target
630ab459be2675ab53b9a3e4eeba9110_JaffaCakes118.exe
-
Size
1.5MB
-
MD5
630ab459be2675ab53b9a3e4eeba9110
-
SHA1
77f8b36c24cd0de2dcfe86b96e403bfad9d91112
-
SHA256
a5a60f5bef193b80117238e77eb20fccf1c72809dbf5af44bc588ab591b41c61
-
SHA512
33dce0472a05889df913693b80d4002a7dfab036f0201fa38d011cb7d9406146d6f34525023ed24131efa2ad754fad8715eec6359fe47350d1ffb45ca03525ff
-
SSDEEP
24576:DMy8p4zRy+JVnFog4DMut/u5V43Z1RcMzBPjcqIN/XlMMl/2hsXEjCuokNUxj+w:DMy8WlyoflsMsmjQZ1RcMzBLcqIBu+G2
Malware Config
Extracted
buer
http://loaadik01.pro/
http://loaadik02.pro/
Signatures
-
Buer
Buer is a new modular loader first seen in August 2019.
-
Buer Loader 19 IoCs
Detects Buer loader in memory or disk.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
-
Checks BIOS information in registry 2 TTPs 4 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Deletes itself 1 IoCs
-
Executes dropped EXE 1 IoCs
-
Identifies Wine through registry keys 2 TTPs 2 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Loads dropped DLL 2 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
-
Program crash 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
-
Suspicious use of WriteProcessMemory 21 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\630ab459be2675ab53b9a3e4eeba9110_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\630ab459be2675ab53b9a3e4eeba9110_JaffaCakes118.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\UBlockPlugin\plugin.exeC:\Users\Admin\AppData\Roaming\UBlockPlugin\plugin.exe "C:\Users\Admin\AppData\Local\Temp\630ab459be2675ab53b9a3e4eeba9110_JaffaCakes118.exe" ensgJJ2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Deletes itself
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\secinit.exeC:\Users\Admin\AppData\Roaming\UBlockPlugin\plugin.exe3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1652 -s 1364⤵
- Program crash
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
\Users\Admin\AppData\Roaming\UBlockPlugin\plugin.exeFilesize
1.5MB
MD5630ab459be2675ab53b9a3e4eeba9110
SHA177f8b36c24cd0de2dcfe86b96e403bfad9d91112
SHA256a5a60f5bef193b80117238e77eb20fccf1c72809dbf5af44bc588ab591b41c61
SHA51233dce0472a05889df913693b80d4002a7dfab036f0201fa38d011cb7d9406146d6f34525023ed24131efa2ad754fad8715eec6359fe47350d1ffb45ca03525ff
-
memory/1652-28-0x00000000001A0000-0x0000000000581000-memory.dmpFilesize
3.9MB
-
memory/1652-29-0x00000000001A0000-0x0000000000581000-memory.dmpFilesize
3.9MB
-
memory/1652-30-0x00000000001A0000-0x0000000000581000-memory.dmpFilesize
3.9MB
-
memory/1652-31-0x00000000001A0000-0x0000000000581000-memory.dmpFilesize
3.9MB
-
memory/1652-32-0x00000000001A0000-0x0000000000581000-memory.dmpFilesize
3.9MB
-
memory/1652-33-0x00000000001A0000-0x0000000000581000-memory.dmpFilesize
3.9MB
-
memory/1652-34-0x00000000001A0000-0x0000000000581000-memory.dmpFilesize
3.9MB
-
memory/1652-35-0x0000000000080000-0x0000000000081000-memory.dmpFilesize
4KB
-
memory/1652-37-0x0000000000080000-0x0000000000081000-memory.dmpFilesize
4KB
-
memory/1652-41-0x0000000000080000-0x0000000000081000-memory.dmpFilesize
4KB
-
memory/1716-24-0x000000003F070000-0x000000003F451000-memory.dmpFilesize
3.9MB
-
memory/1716-42-0x000000003F070000-0x000000003F451000-memory.dmpFilesize
3.9MB
-
memory/1716-46-0x000000003F070000-0x000000003F451000-memory.dmpFilesize
3.9MB
-
memory/1716-22-0x000000003F070000-0x000000003F451000-memory.dmpFilesize
3.9MB
-
memory/1716-23-0x000000003F071000-0x000000003F075000-memory.dmpFilesize
16KB
-
memory/1716-45-0x000000003F070000-0x000000003F451000-memory.dmpFilesize
3.9MB
-
memory/1716-25-0x000000003F070000-0x000000003F451000-memory.dmpFilesize
3.9MB
-
memory/1716-26-0x000000003F070000-0x000000003F451000-memory.dmpFilesize
3.9MB
-
memory/1716-44-0x000000003F070000-0x000000003F451000-memory.dmpFilesize
3.9MB
-
memory/1716-40-0x000000003F070000-0x000000003F451000-memory.dmpFilesize
3.9MB
-
memory/1716-43-0x000000003F070000-0x000000003F451000-memory.dmpFilesize
3.9MB
-
memory/2088-8-0x000000003FC20000-0x0000000040001000-memory.dmpFilesize
3.9MB
-
memory/2088-7-0x000000003FC20000-0x0000000040001000-memory.dmpFilesize
3.9MB
-
memory/2088-5-0x000000003FC20000-0x0000000040001000-memory.dmpFilesize
3.9MB
-
memory/2088-6-0x000000003FC20000-0x0000000040001000-memory.dmpFilesize
3.9MB
-
memory/2088-4-0x000000003FC20000-0x0000000040001000-memory.dmpFilesize
3.9MB
-
memory/2088-3-0x000000003FC20000-0x0000000040001000-memory.dmpFilesize
3.9MB
-
memory/2088-2-0x000000003FC21000-0x000000003FC25000-memory.dmpFilesize
16KB
-
memory/2088-1-0x00000000779C0000-0x00000000779C2000-memory.dmpFilesize
8KB
-
memory/2088-12-0x000000003FC20000-0x0000000040001000-memory.dmpFilesize
3.9MB
-
memory/2088-10-0x000000003FC20000-0x0000000040001000-memory.dmpFilesize
3.9MB
-
memory/2088-11-0x000000003FC20000-0x0000000040001000-memory.dmpFilesize
3.9MB
-
memory/2088-0-0x000000003FC20000-0x0000000040001000-memory.dmpFilesize
3.9MB
-
memory/2088-20-0x000000003FC20000-0x0000000040001000-memory.dmpFilesize
3.9MB