Analysis
-
max time kernel
141s -
max time network
124s -
platform
windows7_x64 -
resource
win7-20240419-en -
resource tags
arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system -
submitted
25/05/2024, 22:26
Static task
static1
Behavioral task
behavioral1
Sample
73724d3a89e86bd39f6085b09651156d_JaffaCakes118.exe
Resource
win7-20240419-en
Behavioral task
behavioral2
Sample
73724d3a89e86bd39f6085b09651156d_JaffaCakes118.exe
Resource
win10v2004-20240508-en
General
-
Target
73724d3a89e86bd39f6085b09651156d_JaffaCakes118.exe
-
Size
1.2MB
-
MD5
73724d3a89e86bd39f6085b09651156d
-
SHA1
c4772a34bbd4616f57938d6dffed893fda31132f
-
SHA256
41088ef88942366234d3df66d21a16c337922e10f5e5b6103a77d8a0609d86d6
-
SHA512
4f8903ad2667518abdab658a93a99aab3056bf0f57d1eca4364c7a4706e3cfd6c02af7890ddde0d9adfb0015fc5c506d82ae5b8241257770652d1e70ca2b56da
-
SSDEEP
24576:R7oHpP4V1lY9bh4H5Cj7Hj/LsFxNsLrIi8m5Sau4HlofIRfg0k:R7861iU5C/jIEB8wSelRfzk
Malware Config
Signatures
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 73724d3a89e86bd39f6085b09651156d_JaffaCakes118.exe -
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 73724d3a89e86bd39f6085b09651156d_JaffaCakes118.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 73724d3a89e86bd39f6085b09651156d_JaffaCakes118.exe -
Identifies Wine through registry keys 2 TTPs 1 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Wine 73724d3a89e86bd39f6085b09651156d_JaffaCakes118.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
pid Process 2248 73724d3a89e86bd39f6085b09651156d_JaffaCakes118.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 2704 2248 WerFault.exe 27 -
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid Process 2248 73724d3a89e86bd39f6085b09651156d_JaffaCakes118.exe -
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target PID 2248 wrote to memory of 2704 2248 73724d3a89e86bd39f6085b09651156d_JaffaCakes118.exe 28 PID 2248 wrote to memory of 2704 2248 73724d3a89e86bd39f6085b09651156d_JaffaCakes118.exe 28 PID 2248 wrote to memory of 2704 2248 73724d3a89e86bd39f6085b09651156d_JaffaCakes118.exe 28 PID 2248 wrote to memory of 2704 2248 73724d3a89e86bd39f6085b09651156d_JaffaCakes118.exe 28
Processes
-
C:\Users\Admin\AppData\Local\Temp\73724d3a89e86bd39f6085b09651156d_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\73724d3a89e86bd39f6085b09651156d_JaffaCakes118.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2248 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2248 -s 9402⤵
- Program crash
PID:2704
-