Analysis

  • max time kernel
    122s
  • max time network
    124s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
  • submitted
    26/05/2024, 10:09

General

  • Target
    7523097d99af3f83ede720c3c53ed3ae_JaffaCakes118.exe
  • Size
    2.3MB
  • MD5
    7523097d99af3f83ede720c3c53ed3ae
  • SHA1
    b8b1eb24329d2dacd6a8e4cb38cf9487e2b4052b
  • SHA256
    58f516bca2180b9c4997a83fc135fb69acc4915f262633d4791bda7f601d351b
  • SHA512
    6ebb7abe068cdb326f85d1d19af079ec9acfd488d8323a10d9b946da2acd8b43e7a35fe5b8a747f1726b22bb41951c23804b929e6cba6618c0dfcea53688d3c2
  • SSDEEP
    49152:dTimGRSG0RM9+HSrSgzv3vXrzUnRQh7R0MWRTlw9HRGU:Ri42EyrSEv3v/xN0MWgxn

Malware Config

Signatures

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Deletes itself 1 IoCs
  • Identifies Wine through registry keys 2 TTPs 1 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials and similar sensitive information.

  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Modifies system certificate store 2 TTPs 4 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\7523097d99af3f83ede720c3c53ed3ae_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\7523097d99af3f83ede720c3c53ed3ae_JaffaCakes118.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Identifies Wine through registry keys
    • Checks whether UAC is enabled
    • Writes to the Master Boot Record (MBR)
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Modifies system certificate store
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2928
    • C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /C ping 127.0.0.1 -n 3 > nul &del "C:\Users\Admin\AppData\Local\Temp\7523097d99af3f83ede720c3c53ed3ae_JaffaCakes118.exe"
      2⤵
      • Deletes itself
      • Suspicious use of WriteProcessMemory
      PID:2848
      • C:\Windows\SysWOW64\PING.EXE
        ping 127.0.0.1 -n 3
        3⤵
        • Runs ping.exe
        PID:1348

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\Cab8B03.tmp
    Filesize: 68KB
    MD5: 29f65ba8e88c063813cc50a4ea544e93
    SHA1: 05a7040d5c127e68c25d81cc51271ffb8bef3568
    SHA256: 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
    SHA512: e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

  • C:\Users\Admin\AppData\Local\Temp\Tar9755.tmp
    Filesize: 177KB
    MD5: 435a9ac180383f9fa094131b173a2f7b
    SHA1: 76944ea657a9db94f9a4bef38f88c46ed4166983
    SHA256: 67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34
    SHA512: 1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

  • C:\Users\Admin\AppData\Local\Temp\tmpA6E0.tmp
    Filesize: 140KB
    MD5: dfedb72694a88fbddf2c758fdb57d971
    SHA1: 2487723361513e7883330c4f2bcaaf8b2bc13713
    SHA256: 722c47194263b07adaec951eb4a0d82addb080d22831406d23ba12682cabccad
    SHA512: dbeca37b3e5017d81fd717fe76bb2a84d0d03d6544911bf30646b85b16a058ffd690fa866e169a9228b21fc0dcbe3f4419383cb7080279e3963133d17cd9f49e

  • C:\Users\Admin\AppData\Local\Temp\tmpA6E1.tmp
    Filesize: 46KB
    MD5: 02d2c46697e3714e49f46b680b9a6b83
    SHA1: 84f98b56d49f01e9b6b76a4e21accf64fd319140
    SHA256: 522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9
    SHA512: 60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

  • C:\Users\Admin\AppData\Local\Temp\tmpA6F7.tmp
    Filesize: 92KB
    MD5: 5f914a013176785e26d70d07234c605c
    SHA1: 5336e9ed6aeb682b46a0472f4f80ec24c4504210
    SHA256: 72b56bbce7e5e07702bf46a002c75cb3a8994fd390b190b989628d387d21975b
    SHA512: 103eff502bec0df1a36bd19a97ca1d10cc34da2183480fe146434ec916020011c8af003b66ab5f6f4886e95b21749be8d8c3c3ebf3ae1b2e5c6db216e8b4e1b2

  • memory/2928-0-0x00000000010C0000-0x0000000001604000-memory.dmp
    Filesize: 5.3MB

  • memory/2928-2-0x00000000010C0000-0x0000000001604000-memory.dmp
    Filesize: 5.3MB

  • memory/2928-3-0x00000000010C0000-0x0000000001604000-memory.dmp
    Filesize: 5.3MB

  • memory/2928-205-0x00000000010C0000-0x0000000001604000-memory.dmp
    Filesize: 5.3MB