118a38d94d2b365e5fd01964854c6c1df5ea1a9c1a99c56941da6851428828fd

General

Target

694553aaa3a0c96ffa4892293a11a467_JaffaCakes118.exe
Size

671KB
MD5

694553aaa3a0c96ffa4892293a11a467
SHA1

3b41d88189b1c40b3ac786d1747b8715e4530922
SHA256

118a38d94d2b365e5fd01964854c6c1df5ea1a9c1a99c56941da6851428828fd
SHA512

c56c123b71977e89f29dc4fa93747edb90b93542af062b39532b4c9e39308dde74777e3d1fe683bc755247a841bbf8e8f7f40e70122c15c3e04f40e951e1a755
SSDEEP

12288:7d1WzJW0mYgmbxI4B+2pwP0RXvCt3CqXcu0KhTo0W9ChRyii9RqwH6W:B1WzUYgwJM2pwc+CqXcbKhUHCHi/jH6W

Score

9^/10

evasion

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

694553aaa3a0c96ffa4892293a11a467_JaffaCakes118.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 694553aaa3a0c96ffa4892293a11a467_JaffaCakes118.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	694553aaa3a0c96ffa4892293a11a467_JaffaCakes118.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

694553aaa3a0c96ffa4892293a11a467_JaffaCakes118.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	694553aaa3a0c96ffa4892293a11a467_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

Processes:

s2007.exe

pid process

3216 s2007.exe
Drops desktop.ini file(s) 2 IoCs

Processes:

s2007.exe

description ioc process

File created C:\Windows\assembly\Desktop.ini s2007.exe
File opened for modification C:\Windows\assembly\Desktop.ini s2007.exe

pid	process
3216	s2007.exe

description	ioc	process
File created	C:\Windows\assembly\Desktop.ini	s2007.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	s2007.exe

Drops file in Windows directory 3 IoCs

Processes:

s2007.exe

description	ioc	process
File opened for modification	C:\Windows\assembly	s2007.exe
File created	C:\Windows\assembly\Desktop.ini	s2007.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	s2007.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

694553aaa3a0c96ffa4892293a11a467_JaffaCakes118.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	694553aaa3a0c96ffa4892293a11a467_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	694553aaa3a0c96ffa4892293a11a467_JaffaCakes118.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

s2007.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\91C6D6EE3E8AC86384E548C299295C756C817B81	s2007.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\91C6D6EE3E8AC86384E548C299295C756C817B81\Blob = 0400000001000000100000008ccadc0b22cef5be72ac411a11a8d8120f000000010000001400000085fef11b4f47fe3952f98301c9f98976fefee0ce7f000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030109000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030153000000010000002500000030233021060b6086480186f8450107300130123010060a2b0601040182373c0101030200c06200000001000000200000008d722f81a9c113c0791df136a2966db26c950a971db46b4199f4ea54b78bfb9f1400000001000000140000007b5b45cfafcecb7afd31921a6ab6f346eb5748501d00000001000000100000005b3b67000eeb80022e42605b6b3b72400b000000010000000e00000074006800610077007400650000007e000000010000000800000000c0032f2df8d60168000000010000000000000003000000010000001400000091c6d6ee3e8ac86384e548c299295c756c817b81190000000100000010000000dc73f9b71e16d51d26527d32b11a6a3d2000000001000000240400003082042030820308a0030201020210344ed55720d5edec49f42fce37db2b6d300d06092a864886f70d01010505003081a9310b300906035504061302555331153013060355040a130c7468617774652c20496e632e31283026060355040b131f43657274696669636174696f6e205365727669636573204469766973696f6e31383036060355040b132f2863292032303036207468617774652c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79311f301d06035504031316746861777465205072696d61727920526f6f74204341301e170d3036313131373030303030305a170d3336303731363233353935395a3081a9310b300906035504061302555331153013060355040a130c7468617774652c20496e632e31283026060355040b131f43657274696669636174696f6e205365727669636573204469766973696f6e31383036060355040b132f2863292032303036207468617774652c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79311f301d06035504031316746861777465205072696d61727920526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100aca0f0fb8059d49cc7a4cf9da159730910450c0d2c6e68f16c5b4868495937fc0b3319c2777fcc102d95341ce6eb4d09a71cd2b8c9973602b789d4245f06c0cc4494948d02626feb5add118d289a5c8490107a0dbd74662f6a38a0e2d55444eb1d079f07ba6feee9fd4e0b29f53e84a001f19cabf81c7e89a4e8a1d871650da3517beebcd222600db95b9ddfbafc515b0baf98b2e92ee904e86287de2bc8d74ec14c641eddcf8758ba4a4fca68071d1c9d4ac6d52f91cc7c71721cc5c067eb32fdc9925c94da85c09bbf537d2b09f48c9d911f976a52cbde0936a477d87b875044d53e6e2969fb3949261e09a5807b402debe82785c9fe61fd7ee67c971dd59d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e041604147b5b45cfafcecb7afd31921a6ab6f346eb574850300d06092a864886f70d010105050003820101007911c04bb391b6fcf0e967d40d6e45be55e893d2ce033fedda25b01d57cb1e3a76a04cec5076e864720ca4a9f1b88bd6d68784bb32e54111c077d9b3609deb1bd5d16e4444a9a601ec55621d77b85c8e48497c9c3b5711acad73378e2f785c906847d96060e6fc073d222017c4f716e9c4d872f9c8737cdf162f15a93efd6a27b6a1eb5aba981fd5e34d640a9d13c861baf5391c87bab8bd7b227ff6feac4079e5ac106f3d8f1b79768bc437b3211884e53600eb632099b9e9fe3304bb41c8c102f94463209e81ce42d3d63f2c76d3639c59dd8fa6e10ea02e41f72e9547cfbcfd33f3f60b617e7e912b8147c22730eea7105d378f5c392be404f07b8d568c68	s2007.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\91C6D6EE3E8AC86384E548C299295C756C817B81\Blob = 5c000000010000000400000000080000190000000100000010000000dc73f9b71e16d51d26527d32b11a6a3d03000000010000001400000091c6d6ee3e8ac86384e548c299295c756c817b816800000001000000000000007e000000010000000800000000c0032f2df8d6010b000000010000000e00000074006800610077007400650000001d00000001000000100000005b3b67000eeb80022e42605b6b3b72401400000001000000140000007b5b45cfafcecb7afd31921a6ab6f346eb5748506200000001000000200000008d722f81a9c113c0791df136a2966db26c950a971db46b4199f4ea54b78bfb9f53000000010000002500000030233021060b6086480186f8450107300130123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b060105050703017f000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b060105050703010f000000010000001400000085fef11b4f47fe3952f98301c9f98976fefee0ce0400000001000000100000008ccadc0b22cef5be72ac411a11a8d8122000000001000000240400003082042030820308a0030201020210344ed55720d5edec49f42fce37db2b6d300d06092a864886f70d01010505003081a9310b300906035504061302555331153013060355040a130c7468617774652c20496e632e31283026060355040b131f43657274696669636174696f6e205365727669636573204469766973696f6e31383036060355040b132f2863292032303036207468617774652c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79311f301d06035504031316746861777465205072696d61727920526f6f74204341301e170d3036313131373030303030305a170d3336303731363233353935395a3081a9310b300906035504061302555331153013060355040a130c7468617774652c20496e632e31283026060355040b131f43657274696669636174696f6e205365727669636573204469766973696f6e31383036060355040b132f2863292032303036207468617774652c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79311f301d06035504031316746861777465205072696d61727920526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100aca0f0fb8059d49cc7a4cf9da159730910450c0d2c6e68f16c5b4868495937fc0b3319c2777fcc102d95341ce6eb4d09a71cd2b8c9973602b789d4245f06c0cc4494948d02626feb5add118d289a5c8490107a0dbd74662f6a38a0e2d55444eb1d079f07ba6feee9fd4e0b29f53e84a001f19cabf81c7e89a4e8a1d871650da3517beebcd222600db95b9ddfbafc515b0baf98b2e92ee904e86287de2bc8d74ec14c641eddcf8758ba4a4fca68071d1c9d4ac6d52f91cc7c71721cc5c067eb32fdc9925c94da85c09bbf537d2b09f48c9d911f976a52cbde0936a477d87b875044d53e6e2969fb3949261e09a5807b402debe82785c9fe61fd7ee67c971dd59d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e041604147b5b45cfafcecb7afd31921a6ab6f346eb574850300d06092a864886f70d010105050003820101007911c04bb391b6fcf0e967d40d6e45be55e893d2ce033fedda25b01d57cb1e3a76a04cec5076e864720ca4a9f1b88bd6d68784bb32e54111c077d9b3609deb1bd5d16e4444a9a601ec55621d77b85c8e48497c9c3b5711acad73378e2f785c906847d96060e6fc073d222017c4f716e9c4d872f9c8737cdf162f15a93efd6a27b6a1eb5aba981fd5e34d640a9d13c861baf5391c87bab8bd7b227ff6feac4079e5ac106f3d8f1b79768bc437b3211884e53600eb632099b9e9fe3304bb41c8c102f94463209e81ce42d3d63f2c76d3639c59dd8fa6e10ea02e41f72e9547cfbcfd33f3f60b617e7e912b8147c22730eea7105d378f5c392be404f07b8d568c68	s2007.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

694553aaa3a0c96ffa4892293a11a467_JaffaCakes118.exes2007.exe

pid	process
4140	694553aaa3a0c96ffa4892293a11a467_JaffaCakes118.exe
4140	694553aaa3a0c96ffa4892293a11a467_JaffaCakes118.exe
3216	s2007.exe
3216	s2007.exe
3216	s2007.exe
3216	s2007.exe
3216	s2007.exe
3216	s2007.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

s2007.exe

description pid process

Token: SeDebugPrivilege 3216 s2007.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

s2007.exe

pid process

3216 s2007.exe
3216 s2007.exe

description	pid	process
Token: SeDebugPrivilege	3216	s2007.exe

pid	process
3216	s2007.exe
3216	s2007.exe

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

694553aaa3a0c96ffa4892293a11a467_JaffaCakes118.exe

description	pid	process	target process
PID 4140 wrote to memory of 3216	4140	694553aaa3a0c96ffa4892293a11a467_JaffaCakes118.exe	s2007.exe
PID 4140 wrote to memory of 3216	4140	694553aaa3a0c96ffa4892293a11a467_JaffaCakes118.exe	s2007.exe

C:\Users\Admin\AppData\Local\Temp\694553aaa3a0c96ffa4892293a11a467_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\694553aaa3a0c96ffa4892293a11a467_JaffaCakes118.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks computer location settings
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4140

C:\Users\Admin\AppData\Local\Temp\n2007\s2007.exe
"C:\Users\Admin\AppData\Local\Temp\n2007\s2007.exe" d2320bdfd2fe2805dd9a9a3bUL40KJSYF9Y6Xp6mC06Y4leQGvvRF6kSxeVZf7RP0+DcLErvuKv+pWE9idtePc4rweA1X9LkVaJ2HUqoli1MmMa1FTPO2AlJ856H+i8s+3z6FNRKoF/YjMui/vGEgchfYeG+QJMNQWYtj6e+PDvXfxv0dcYS0SDRxOTWOqVmgSUtN51Ei1RhyhpHKePsZe/O2tFr920pKfvF5rY= /v "C:\Users\Admin\AppData\Local\Temp\694553aaa3a0c96ffa4892293a11a467_JaffaCakes118.exe"
2⤵
- Executes dropped EXE
- Drops desktop.ini file(s)
- Drops file in Windows directory
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3216

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3716 --field-trial-handle=2252,i,16504368816373493055,9578615028378602855,262144 --variations-seed-version /prefetch:8
1⤵
PID:624

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Virtualization/Sandbox Evasion

1

T1497

Credential Access

Discovery

Query Registry

3

T1012

System Information Discovery

3

T1082

Virtualization/Sandbox Evasion

1

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\n2007\s2007.exe

Filesize
350KB

MD5
4316f8dd279ce879833a07ee5083979e

SHA1
4977e56fd1ae2cbec43e715ff29890be8a415ddb

SHA256
72adc6a10a81e294ee987eb1dcd9fbe206d77c103ee517dfce00493b38162a63

SHA512
dd40d9c2ccc7a4c77617a5e0976a442cb4480ca0898c81463812466785b81ac1ccd918f107278259a4a515cdf881d35a7d5359d1678791343319ae9841349646

Download Submit
memory/3216-12-0x00007FFC4ED55000-0x00007FFC4ED56000-memory.dmp

Filesize
4KB

Download
memory/3216-13-0x00007FFC4EAA0000-0x00007FFC4F441000-memory.dmp

Filesize
9.6MB

Download
memory/3216-27-0x000000001BB00000-0x000000001BB10000-memory.dmp

Filesize
64KB

Download
memory/3216-30-0x000000001C310000-0x000000001C7DE000-memory.dmp

Filesize
4.8MB

Download
memory/3216-31-0x000000001C7E0000-0x000000001C87C000-memory.dmp

Filesize
624KB

Download
memory/3216-32-0x00007FFC4EAA0000-0x00007FFC4F441000-memory.dmp

Filesize
9.6MB

Download
memory/3216-33-0x000000001C990000-0x000000001C9F2000-memory.dmp

Filesize
392KB

Download
memory/3216-34-0x00007FFC4EAA0000-0x00007FFC4F441000-memory.dmp

Filesize
9.6MB

Download
memory/3216-35-0x00007FFC4ED55000-0x00007FFC4ED56000-memory.dmp

Filesize
4KB

Download
memory/3216-36-0x00007FFC4EAA0000-0x00007FFC4F441000-memory.dmp

Filesize
9.6MB

Download
memory/3216-37-0x00007FFC4EAA0000-0x00007FFC4F441000-memory.dmp

Filesize
9.6MB

Download
memory/3216-38-0x000000001BB20000-0x000000001BB28000-memory.dmp

Filesize
32KB

Download
memory/3216-39-0x00007FFC4EAA0000-0x00007FFC4F441000-memory.dmp

Filesize
9.6MB

Download
memory/3216-40-0x00007FFC4EAA0000-0x00007FFC4F441000-memory.dmp

Filesize
9.6MB

Download
memory/3216-41-0x00007FFC4EAA0000-0x00007FFC4F441000-memory.dmp

Filesize
9.6MB

Download
memory/3216-42-0x00007FFC4EAA0000-0x00007FFC4F441000-memory.dmp

Filesize
9.6MB

Download
memory/3216-43-0x00007FFC4EAA0000-0x00007FFC4F441000-memory.dmp

Filesize
9.6MB

Download
memory/3216-44-0x0000000020210000-0x000000002034C000-memory.dmp

Filesize
1.2MB

Download
memory/3216-45-0x0000000020860000-0x0000000020D6E000-memory.dmp

Filesize
5.1MB

Download
memory/3216-46-0x00007FFC4EAA0000-0x00007FFC4F441000-memory.dmp

Filesize
9.6MB

Download
memory/3216-47-0x00007FFC4EAA0000-0x00007FFC4F441000-memory.dmp

Filesize
9.6MB

Download
memory/3216-48-0x00007FFC4EAA0000-0x00007FFC4F441000-memory.dmp

Filesize
9.6MB

Download
memory/3216-49-0x00007FFC4EAA0000-0x00007FFC4F441000-memory.dmp

Filesize
9.6MB

Download
memory/3216-51-0x00007FFC4EAA0000-0x00007FFC4F441000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads