afd362ba35b8a9866adeac14236015416c7e87cd713bfa0bf9b82392e49e3e29

General

Target

65e165d12355c000afa0d8e76cf82d6f_JaffaCakes118.exe
Size

7.7MB
MD5

65e165d12355c000afa0d8e76cf82d6f
SHA1

729b37eb3fad99f462fae08226e7bda3c45a98ee
SHA256

afd362ba35b8a9866adeac14236015416c7e87cd713bfa0bf9b82392e49e3e29
SHA512

25893609410699ee86fb87fc3ef9cb0961a2fa9b2829768563d188264423402abc495ce0e62348a4a25f406faf10b0212fc3a3376c25a9d21cfc75d936b6b16d
SSDEEP

196608:VrsQU0PaMvb2Rc56Y7+T9NGqhOwIudYGs:dsQU0PfvbwU6dbAuG

Score

9^/10

bootkit evasion persistence trojan

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

65e165d12355c000afa0d8e76cf82d6f_JaffaCakes118.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 65e165d12355c000afa0d8e76cf82d6f_JaffaCakes118.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	65e165d12355c000afa0d8e76cf82d6f_JaffaCakes118.exe

Checks BIOS information in registry 2 TTPs 3 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

65e165d12355c000afa0d8e76cf82d6f_JaffaCakes118.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	65e165d12355c000afa0d8e76cf82d6f_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	65e165d12355c000afa0d8e76cf82d6f_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	65e165d12355c000afa0d8e76cf82d6f_JaffaCakes118.exe

Loads dropped DLL 3 IoCs

Processes:

65e165d12355c000afa0d8e76cf82d6f_JaffaCakes118.exe

pid	process
464	65e165d12355c000afa0d8e76cf82d6f_JaffaCakes118.exe
464	65e165d12355c000afa0d8e76cf82d6f_JaffaCakes118.exe
464	65e165d12355c000afa0d8e76cf82d6f_JaffaCakes118.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

65e165d12355c000afa0d8e76cf82d6f_JaffaCakes118.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	65e165d12355c000afa0d8e76cf82d6f_JaffaCakes118.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1542.003

Processes:

65e165d12355c000afa0d8e76cf82d6f_JaffaCakes118.exe

description ioc process

File opened for modification \??\PhysicalDrive0 65e165d12355c000afa0d8e76cf82d6f_JaffaCakes118.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

65e165d12355c000afa0d8e76cf82d6f_JaffaCakes118.exe

pid process

464 65e165d12355c000afa0d8e76cf82d6f_JaffaCakes118.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4128 464 WerFault.exe 65e165d12355c000afa0d8e76cf82d6f_JaffaCakes118.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	65e165d12355c000afa0d8e76cf82d6f_JaffaCakes118.exe

pid	pid_target	process	target process
4128	464	WerFault.exe	65e165d12355c000afa0d8e76cf82d6f_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\65e165d12355c000afa0d8e76cf82d6f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\65e165d12355c000afa0d8e76cf82d6f_JaffaCakes118.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Loads dropped DLL
- Checks whether UAC is enabled
- Writes to the Master Boot Record (MBR)
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:464

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 464 -s 1280
2⤵
- Program crash
PID:4128

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 464 -ip 464
1⤵
PID:4880

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

1

T1497

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Credential Access

Discovery

Query Registry

2

T1012

Virtualization/Sandbox Evasion

1

T1497

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3c1115d470574142be723df19173df0f\DiagCode.dll
Filesize
78KB

MD5
79a02ba612f40388cdd1fff88089c922

SHA1
a786ba0669458dc0542fc9b93f09b4bcbf85d045

SHA256
43c0b420e78e01fa576b5209794be289f895cc7050206129dd653697c826a76e

SHA512
087b05f73e40b19386cc559bd3a86c6b0e0c73d1efbc1199ef6c1095a4180f0cc8fa3161279876f8588d6ab2b270b6aebe58751e8554fc5083817c98dbafb900

Download Submit
C:\Users\Admin\AppData\Local\Temp\65f095ba7310473baabe589bed18ec8d\FTChipID.dll
Filesize
60KB

MD5
db2e9f3c2f704cd41bdbfcfb47b81108

SHA1
49e9192aefee6080c3795a8df592425e6351f56c

SHA256
d63d9ec2f0557184aba3d4156d755767cd234fc4b108f4209abbf28c064936c6

SHA512
203df4ab2c065923f6ae3f101d8046f300506e77c74a4864eaceca47e427928ab31da37374794efd24b475e8cca4abba8baed768860715076f2a708c2c7c9493

Download Submit
C:\Users\Admin\AppData\Local\Temp\fe5907293ebf46dba7c0396b91f9497e\sense4.dll
Filesize
152KB

MD5
2cc4f1fa5b4a50a0fadc732678db94dc

SHA1
696f39720b09d030403f751cd6f3de3fdd7df29a

SHA256
5be725eace8521c03b2167c4a27ae78cec9b838478bc4342e90afc47be3c6876

SHA512
57fbbdd8c282ce396af5db58669d6bb2e5d5e0313175f1dd4441cc82d0a194e2564db3a8eb44b50abc54f1e221daa9826e77d22ae16ae1b56279f44eac907b34

Download Submit
memory/464-6-0x0000000075550000-0x0000000075640000-memory.dmp

Filesize
960KB

Download
memory/464-31-0x0000000007E00000-0x0000000007E28000-memory.dmp

Filesize
160KB

Download
memory/464-5-0x0000000075550000-0x0000000075640000-memory.dmp

Filesize
960KB

Download
memory/464-0-0x0000000000BD0000-0x0000000001A9C000-memory.dmp

Filesize
14.8MB

Download
memory/464-7-0x0000000075550000-0x0000000075640000-memory.dmp

Filesize
960KB

Download
memory/464-12-0x0000000000BD0000-0x0000000001A9C000-memory.dmp

Filesize
14.8MB

Download
memory/464-13-0x0000000000BD0000-0x0000000001A9C000-memory.dmp

Filesize
14.8MB

Download
memory/464-3-0x0000000075550000-0x0000000075640000-memory.dmp

Filesize
960KB

Download
memory/464-1-0x0000000075570000-0x0000000075571000-memory.dmp

Filesize
4KB

Download
memory/464-2-0x0000000075550000-0x0000000075640000-memory.dmp

Filesize
960KB

Download
memory/464-30-0x0000000005CB0000-0x0000000005CBC000-memory.dmp

Filesize
48KB

Download
memory/464-4-0x0000000075550000-0x0000000075640000-memory.dmp

Filesize
960KB

Download
memory/464-32-0x0000000007E30000-0x0000000007E46000-memory.dmp

Filesize
88KB

Download
memory/464-33-0x0000000008140000-0x000000000820E000-memory.dmp

Filesize
824KB

Download
memory/464-34-0x0000000008210000-0x000000000855A000-memory.dmp

Filesize
3.3MB

Download
memory/464-35-0x0000000008950000-0x0000000008996000-memory.dmp

Filesize
280KB

Download
memory/464-36-0x00000000089C0000-0x00000000089C8000-memory.dmp

Filesize
32KB

Download
memory/464-37-0x0000000008A90000-0x0000000008B4A000-memory.dmp

Filesize
744KB

Download
memory/464-38-0x00000000089F0000-0x00000000089F8000-memory.dmp

Filesize
32KB

Download
memory/464-40-0x0000000075550000-0x0000000075640000-memory.dmp

Filesize
960KB

Download
memory/464-41-0x0000000000BD0000-0x0000000001A9C000-memory.dmp

Filesize
14.8MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads