Analysis

  • max time kernel
    129s
  • max time network
    98s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags
    arch:x64 arch:x86 image:win10v2004-20240508-en locale:en-us os:windows10-2004-x64 system
  • submitted
    25/05/2024, 22:26

General

  • Target

    73724d3a89e86bd39f6085b09651156d_JaffaCakes118.exe

  • Size

    1.2MB

  • MD5

    73724d3a89e86bd39f6085b09651156d

  • SHA1

    c4772a34bbd4616f57938d6dffed893fda31132f

  • SHA256

    41088ef88942366234d3df66d21a16c337922e10f5e5b6103a77d8a0609d86d6

  • SHA512

    4f8903ad2667518abdab658a93a99aab3056bf0f57d1eca4364c7a4706e3cfd6c02af7890ddde0d9adfb0015fc5c506d82ae5b8241257770652d1e70ca2b56da

  • SSDEEP

    24576:R7oHpP4V1lY9bh4H5Cj7Hj/LsFxNsLrIi8m5Sau4HlofIRfg0k:R7861iU5C/jIEB8wSelRfzk

Score
9/10

Malware Config

Signatures

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Identifies Wine through registry keys 2 TTPs 1 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\73724d3a89e86bd39f6085b09651156d_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\73724d3a89e86bd39f6085b09651156d_JaffaCakes118.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Identifies Wine through registry keys
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious behavior: EnumeratesProcesses
    PID:1712
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1712 -s 1432
      2⤵
      • Program crash
      PID:4512
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1712 -ip 1712
    1⤵
    PID:3104

Network

MITRE ATT&CK Enterprise v15

Downloads

  • memory/1712-0-0x00000000007F0000-0x0000000000B38000-memory.dmp

    Filesize

    3.3MB

  • memory/1712-1-0x0000000077434000-0x0000000077436000-memory.dmp

    Filesize

    8KB

  • memory/1712-2-0x00000000007F1000-0x00000000007FC000-memory.dmp

    Filesize

    44KB

  • memory/1712-3-0x00000000007F0000-0x0000000000B38000-memory.dmp

    Filesize

    3.3MB

  • memory/1712-4-0x00000000007F0000-0x0000000000B38000-memory.dmp

    Filesize

    3.3MB

  • memory/1712-5-0x00000000007F0000-0x0000000000B38000-memory.dmp

    Filesize

    3.3MB

  • memory/1712-6-0x00000000007F0000-0x0000000000B38000-memory.dmp

    Filesize

    3.3MB