Analysis

  • max time kernel
    141s
  • max time network
    124s
  • platform
    windows7_x64
  • resource
    win7-20240419-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240419-en, locale:en-us, os:windows7-x64, system
  • submitted
    25/05/2024, 22:26

General

  • Target

    73724d3a89e86bd39f6085b09651156d_JaffaCakes118.exe

  • Size

    1.2MB

  • MD5

    73724d3a89e86bd39f6085b09651156d

  • SHA1

    c4772a34bbd4616f57938d6dffed893fda31132f

  • SHA256

    41088ef88942366234d3df66d21a16c337922e10f5e5b6103a77d8a0609d86d6

  • SHA512

    4f8903ad2667518abdab658a93a99aab3056bf0f57d1eca4364c7a4706e3cfd6c02af7890ddde0d9adfb0015fc5c506d82ae5b8241257770652d1e70ca2b56da

  • SSDEEP

    24576:R7oHpP4V1lY9bh4H5Cj7Hj/LsFxNsLrIi8m5Sau4HlofIRfg0k:R7861iU5C/jIEB8wSelRfzk

Score
9/10

Malware Config

Signatures

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Identifies Wine through registry keys 2 TTPs 1 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\73724d3a89e86bd39f6085b09651156d_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\73724d3a89e86bd39f6085b09651156d_JaffaCakes118.exe"
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Identifies Wine through registry keys
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2248
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2248 -s 940
      • Program crash
      PID:2704

Network

MITRE ATT&CK Enterprise v15

Downloads

  • memory/2248-0-0x00000000007F0000-0x0000000000B38000-memory.dmp

    Filesize

    3.3MB

  • memory/2248-1-0x0000000077930000-0x0000000077932000-memory.dmp

    Filesize

    8KB

  • memory/2248-2-0x00000000007F1000-0x00000000007FC000-memory.dmp

    Filesize

    44KB

  • memory/2248-3-0x00000000007F0000-0x0000000000B38000-memory.dmp

    Filesize

    3.3MB

  • memory/2248-4-0x00000000007F0000-0x0000000000B38000-memory.dmp

    Filesize

    3.3MB