402170b5a018256276d057765ac021a13ab87e0b57263b3b07248c59b65e8391

Analysis

max time kernel
92s
max time network
125s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
27-05-2024 17:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

79fa078afb0fd4468e305994192335e7_JaffaCakes118.exe
Size

4.0MB
MD5

79fa078afb0fd4468e305994192335e7
SHA1

2790f42f7ca60681a96acdec5d18b39a101469f7
SHA256

402170b5a018256276d057765ac021a13ab87e0b57263b3b07248c59b65e8391
SHA512

6b11809cdbbf873f5090652fb2d85c4d350f942d9f151cd6c1bf823f402b02bc0e9036e20436c74764da97cbce5bf9eee9d5d12397736c748c8105dce9604d65
SSDEEP

98304:KV8rEYkt2MQBsbl3bSt6fLQj8rGFExU+TNK4g9lnt2F/tnS9PXDozuTgszDKqF+P:KirEfvQWDbS+jg93PzpO6BZjeK+E4Z6w

Score

9^/10

evasion

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

79fa078afb0fd4468e305994192335e7_JaffaCakes118.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 79fa078afb0fd4468e305994192335e7_JaffaCakes118.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	79fa078afb0fd4468e305994192335e7_JaffaCakes118.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

79fa078afb0fd4468e305994192335e7_JaffaCakes118.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	79fa078afb0fd4468e305994192335e7_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	79fa078afb0fd4468e305994192335e7_JaffaCakes118.exe

Identifies Wine through registry keys 2 TTPs 1 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

79fa078afb0fd4468e305994192335e7_JaffaCakes118.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Software\Wine	79fa078afb0fd4468e305994192335e7_JaffaCakes118.exe

Loads dropped DLL 1 IoCs

Processes:

79fa078afb0fd4468e305994192335e7_JaffaCakes118.exe

pid process

3436 79fa078afb0fd4468e305994192335e7_JaffaCakes118.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

79fa078afb0fd4468e305994192335e7_JaffaCakes118.exe

pid process

3436 79fa078afb0fd4468e305994192335e7_JaffaCakes118.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

79fa078afb0fd4468e305994192335e7_JaffaCakes118.exe

pid process

3436 79fa078afb0fd4468e305994192335e7_JaffaCakes118.exe
3436 79fa078afb0fd4468e305994192335e7_JaffaCakes118.exe

pid	process
3436	79fa078afb0fd4468e305994192335e7_JaffaCakes118.exe

pid	process
3436	79fa078afb0fd4468e305994192335e7_JaffaCakes118.exe

pid	process
3436	79fa078afb0fd4468e305994192335e7_JaffaCakes118.exe
3436	79fa078afb0fd4468e305994192335e7_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\79fa078afb0fd4468e305994192335e7_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\79fa078afb0fd4468e305994192335e7_JaffaCakes118.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:3436

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\c681e5a6-656a-4792-9a78-f32da73fd7bf\AgileDotNetRT.dll
Filesize
1.1MB

MD5
872c979a2bdf0efc9bc59777ed160ca8

SHA1
c33ef0d097d40cfadaa3a02e1fed714b1d3b13f0

SHA256
817dad0b81bdda52e7ed2d398ee5b4358b345d48a9698d38044b64de59b51a2a

SHA512
33bcb0ed5358cf717e0ad719cc54d57b31c62e96eefaf82d15f0fbbffa62a3753aff214fcdd38d149213a24aebb086cf48dd37038c1ad86dd1d3bfceafd5b877

Download Submit
memory/3436-0-0x0000000074C52000-0x0000000074C53000-memory.dmp

Filesize
4KB

Download
memory/3436-1-0x0000000074C50000-0x0000000075201000-memory.dmp

Filesize
5.7MB

Download
memory/3436-2-0x0000000074C50000-0x0000000075201000-memory.dmp

Filesize
5.7MB

Download
memory/3436-10-0x0000000072E80000-0x0000000073184000-memory.dmp

Filesize
3.0MB

Download
memory/3436-12-0x0000000074C50000-0x0000000075201000-memory.dmp

Filesize
5.7MB

Download
memory/3436-13-0x0000000073970000-0x00000000739CB000-memory.dmp

Filesize
364KB

Download
memory/3436-14-0x0000000074C50000-0x0000000075201000-memory.dmp

Filesize
5.7MB

Download
memory/3436-16-0x0000000072E80000-0x0000000073184000-memory.dmp

Filesize
3.0MB

Download
memory/3436-17-0x0000000074C50000-0x0000000075201000-memory.dmp

Filesize
5.7MB

Download