1e65a4645d991110ebc203ee4c1b72b7fcec8918949dc58432738e3d096a0cf2

Analysis

max time kernel
122s
max time network
123s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
21-05-2024 14:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

638ece7c6971008a07ebe276cb5332fb_JaffaCakes118.exe
Size

538KB
MD5

638ece7c6971008a07ebe276cb5332fb
SHA1

fafe9f28d99e982c01d53b25511e300c095c3dc2
SHA256

1e65a4645d991110ebc203ee4c1b72b7fcec8918949dc58432738e3d096a0cf2
SHA512

b152a6a66776a59f720a71f47394b7e60089d2d2b392279e7ec4a0ef8ebea8534995556109500d95b7816286565b28f009b5c8c475041fc6cde4a8ca8a7bffa0
SSDEEP

12288:6Yhcq8xzZTkQ4DDfO+lDp5QBooT3oDznHbUl0il67L5:BhcTZTaDfXNQCrPbGa/5

Score

9^/10

evasion

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

638ece7c6971008a07ebe276cb5332fb_JaffaCakes118.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 638ece7c6971008a07ebe276cb5332fb_JaffaCakes118.exe
Executes dropped EXE 1 IoCs

Processes:

s814.exe

pid process

896 s814.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	638ece7c6971008a07ebe276cb5332fb_JaffaCakes118.exe

pid	process
896	s814.exe

Loads dropped DLL 4 IoCs

Processes:

638ece7c6971008a07ebe276cb5332fb_JaffaCakes118.exe

pid	process
2956	638ece7c6971008a07ebe276cb5332fb_JaffaCakes118.exe
2956	638ece7c6971008a07ebe276cb5332fb_JaffaCakes118.exe
2956	638ece7c6971008a07ebe276cb5332fb_JaffaCakes118.exe
2956	638ece7c6971008a07ebe276cb5332fb_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

638ece7c6971008a07ebe276cb5332fb_JaffaCakes118.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	638ece7c6971008a07ebe276cb5332fb_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	638ece7c6971008a07ebe276cb5332fb_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

638ece7c6971008a07ebe276cb5332fb_JaffaCakes118.exes814.exe

pid process

2956 638ece7c6971008a07ebe276cb5332fb_JaffaCakes118.exe
896 s814.exe
896 s814.exe
896 s814.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

s814.exe

description pid process

Token: SeDebugPrivilege 896 s814.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

s814.exe

pid process

896 s814.exe
896 s814.exe

description	pid	process
Token: SeDebugPrivilege	896	s814.exe

pid	process
896	s814.exe
896	s814.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

638ece7c6971008a07ebe276cb5332fb_JaffaCakes118.exe

description	pid	process	target process
PID 2956 wrote to memory of 896	2956	638ece7c6971008a07ebe276cb5332fb_JaffaCakes118.exe	s814.exe
PID 2956 wrote to memory of 896	2956	638ece7c6971008a07ebe276cb5332fb_JaffaCakes118.exe	s814.exe
PID 2956 wrote to memory of 896	2956	638ece7c6971008a07ebe276cb5332fb_JaffaCakes118.exe	s814.exe
PID 2956 wrote to memory of 896	2956	638ece7c6971008a07ebe276cb5332fb_JaffaCakes118.exe	s814.exe

C:\Users\Admin\AppData\Local\Temp\638ece7c6971008a07ebe276cb5332fb_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\638ece7c6971008a07ebe276cb5332fb_JaffaCakes118.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Loads dropped DLL
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2956
- C:\Users\Admin\AppData\Local\Temp\n814\s814.exe
  "C:\Users\Admin\AppData\Local\Temp\n814\s814.exe" ins.exe /h b13bde.api.socdn.com /e 12909206 /u 14d093df-b990-11e3-8a58-80c16e6f498c /v "C:\Users\Admin\AppData\Local\Temp\638ece7c6971008a07ebe276cb5332fb_JaffaCakes118.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:896

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\n814\s814.exe

Filesize
343KB

MD5
902701a61af886f3eeb1e6654f1b22b8

SHA1
e259ed942458578fb894addc655565fb665bc534

SHA256
d2141dda259b880e2b2484614f42cf1e29bbb04aa33729d374b804ea0d405d00

SHA512
ad1115168a6d2df9f5c0ea6633264085204fa63daa617b3e802c11ba82b65eb3f215953118fd37a3b7ae0d8be609948bd98800b2570c8f77505ac147182ec7e3

Download Submit
memory/896-17-0x000007FEF614E000-0x000007FEF614F000-memory.dmp

Filesize
4KB

Download
memory/896-18-0x000007FEF5E90000-0x000007FEF682D000-memory.dmp

Filesize
9.6MB

Download
memory/896-34-0x0000000000600000-0x000000000060E000-memory.dmp

Filesize
56KB

Download
memory/896-35-0x000007FEF5E90000-0x000007FEF682D000-memory.dmp

Filesize
9.6MB

Download