Analysis

  • max time kernel
    94s
  • max time network
    124s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    25/05/2024, 22:37

General

  • Target

    7378c9c5812bf0bac8cba6c9aecd19c0_JaffaCakes118.exe

  • Size

    675KB

  • MD5

    7378c9c5812bf0bac8cba6c9aecd19c0

  • SHA1

    56516d56c328e8377ca6bf8b68fdec90a57a8a71

  • SHA256

    238a3f89161400f08e1136a73c49746b44f2f681f05a9988af0c4fa6203f863e

  • SHA512

    fa62a9dd2c6c865c658b401f3adc15f1b03a10e4f3fd1dbac7a993b3cda52334ee23b9732b721e883e753923580f4c66669c084269b53aa45ebb8d20465cca84

  • SSDEEP

    12288:ijTPlGaJY8jGOIf0B4wGPWlnTXSIYWkGiIM6P4IuViSZp+o+GI3TTulejKV3fF:QTPlGoyf0B4Z+dTixJIMV/+9TTu4uV3N

Score
9/10

Malware Config

Signatures

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Drops desktop.ini file(s) 2 IoCs
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Enumerates system info in registry 2 TTPs 2 IoCs
  • Modifies system certificate store 2 TTPs 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\7378c9c5812bf0bac8cba6c9aecd19c0_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\7378c9c5812bf0bac8cba6c9aecd19c0_JaffaCakes118.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks computer location settings
    • Enumerates system info in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:3964
    • C:\Users\Admin\AppData\Local\Temp\n6909\s6909.exe
      "C:\Users\Admin\AppData\Local\Temp\n6909\s6909.exe" 1d928c273023a870cec9b293cCUiYHwOhvHOGGGlLJv7q9aGg/fUtL0T2Ilkw/CPfbmfI+8CQNBmMm6BtnI5xGRJkAci1JOTkkJ54N1naLyCMGtLfN2Mm1OqceA5xuWT/rRYoRSc6gSPer1hE17U619Gh5U8R9nsj/1dEJ5sUpH9RutgZb780u62VKLrFDEoJw== /v "C:\Users\Admin\AppData\Local\Temp\7378c9c5812bf0bac8cba6c9aecd19c0_JaffaCakes118.exe"
      2⤵
      • Executes dropped EXE
      • Drops desktop.ini file(s)
      • Drops file in Windows directory
      • Modifies system certificate store
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:3452

Network

        MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\n6909\s6909.exe
    Filesize: 350KB
    MD5: da834fff62c4d3e86baa52714cf2d635
    SHA1: 4b35992bbd61e75791ec55bf3b47921be26b3031
    SHA256: 6079e9ad58853c80733363903df046a8008bc8b972b1c52c7eff99b5ed6ad681
    SHA512: 1227d5300237915a4382576fb19bc9ceb304a7ab8455d850154e6b7b8a92356a107a39180f866ad617da9a90745224ae6a8d1f602992c59353d2ad2c267c6526

  • memory/3452-12-0x00007FF8B2355000-0x00007FF8B2356000-memory.dmp
    Filesize: 4KB
  • memory/3452-13-0x00007FF8B20A0000-0x00007FF8B2A41000-memory.dmp
    Filesize: 9.6MB
  • memory/3452-22-0x0000000001120000-0x0000000001130000-memory.dmp
    Filesize: 64KB
  • memory/3452-25-0x000000001C4F0000-0x000000001C9BE000-memory.dmp
    Filesize: 4.8MB
  • memory/3452-26-0x000000001BEE0000-0x000000001BF7C000-memory.dmp
    Filesize: 624KB
  • memory/3452-27-0x00007FF8B20A0000-0x00007FF8B2A41000-memory.dmp
    Filesize: 9.6MB
  • memory/3452-28-0x000000001CBC0000-0x000000001CC22000-memory.dmp
    Filesize: 392KB
  • memory/3452-29-0x00007FF8B20A0000-0x00007FF8B2A41000-memory.dmp
    Filesize: 9.6MB
  • memory/3452-30-0x00007FF8B20A0000-0x00007FF8B2A41000-memory.dmp
    Filesize: 9.6MB
  • memory/3452-31-0x0000000001140000-0x0000000001148000-memory.dmp
    Filesize: 32KB
  • memory/3452-32-0x00007FF8B20A0000-0x00007FF8B2A41000-memory.dmp
    Filesize: 9.6MB
  • memory/3452-33-0x00007FF8B20A0000-0x00007FF8B2A41000-memory.dmp
    Filesize: 9.6MB
  • memory/3452-34-0x00007FF8B20A0000-0x00007FF8B2A41000-memory.dmp
    Filesize: 9.6MB
  • memory/3452-35-0x00007FF8B20A0000-0x00007FF8B2A41000-memory.dmp
    Filesize: 9.6MB
  • memory/3452-36-0x0000000020420000-0x000000002055C000-memory.dmp
    Filesize: 1.2MB
  • memory/3452-37-0x0000000020A70000-0x0000000020F7E000-memory.dmp
    Filesize: 5.1MB
  • memory/3452-38-0x00007FF8B20A0000-0x00007FF8B2A41000-memory.dmp
    Filesize: 9.6MB
  • memory/3452-39-0x00007FF8B20A0000-0x00007FF8B2A41000-memory.dmp
    Filesize: 9.6MB
  • memory/3452-41-0x00007FF8B20A0000-0x00007FF8B2A41000-memory.dmp
    Filesize: 9.6MB