57a17610fd55789182c76732559d239a0d4f08804b822a82bec30d03841db2c1

Analysis

max time kernel
118s
max time network
122s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
29/05/2024, 22:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

82286b25e730481190cc5f04f031aef7_JaffaCakes118.exe
Size

2.1MB
MD5

82286b25e730481190cc5f04f031aef7
SHA1

524b78c4688e8f0cb8de9c24544fcfd9d2bcd125
SHA256

57a17610fd55789182c76732559d239a0d4f08804b822a82bec30d03841db2c1
SHA512

5b8c2461a89d54e106d9d2ad6dc47ef0b7eb62ed6c4dbc954747650ba88a6e5264c04e2858eca4d4f9932f60bebf78c05d65f6d516163e71b47278f487dc54d1
SSDEEP

49152:ldd3sWWErnngnnnKnanzO0q1cDuCOdA79DConDB393mOsT+l3SikUKVD:DWriPdA5DC+DB39W5Xi8VD

Score

9^/10

evasion spyware stealer

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	82286b25e730481190cc5f04f031aef7_JaffaCakes118.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	82286b25e730481190cc5f04f031aef7_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	82286b25e730481190cc5f04f031aef7_JaffaCakes118.exe

Deletes itself 1 IoCs

pid	Process
2772	cmd.exe

Identifies Wine through registry keys 2 TTPs 1 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Wine	82286b25e730481190cc5f04f031aef7_JaffaCakes118.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
3	ip-api.com

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
2972	82286b25e730481190cc5f04f031aef7_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Delays execution with timeout.exe 2 IoCs

evasion

pid	Process
2520	timeout.exe
916	timeout.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2972	82286b25e730481190cc5f04f031aef7_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2972 wrote to memory of 2772	2972	82286b25e730481190cc5f04f031aef7_JaffaCakes118.exe	29
PID 2972 wrote to memory of 2772	2972	82286b25e730481190cc5f04f031aef7_JaffaCakes118.exe	29
PID 2972 wrote to memory of 2772	2972	82286b25e730481190cc5f04f031aef7_JaffaCakes118.exe	29
PID 2972 wrote to memory of 2772	2972	82286b25e730481190cc5f04f031aef7_JaffaCakes118.exe	29
PID 2972 wrote to memory of 2772	2972	82286b25e730481190cc5f04f031aef7_JaffaCakes118.exe	29
PID 2972 wrote to memory of 2772	2972	82286b25e730481190cc5f04f031aef7_JaffaCakes118.exe	29
PID 2972 wrote to memory of 2772	2972	82286b25e730481190cc5f04f031aef7_JaffaCakes118.exe	29
PID 2772 wrote to memory of 2520	2772	cmd.exe	31
PID 2772 wrote to memory of 2520	2772	cmd.exe	31
PID 2772 wrote to memory of 2520	2772	cmd.exe	31
PID 2772 wrote to memory of 2520	2772	cmd.exe	31
PID 2772 wrote to memory of 2520	2772	cmd.exe	31
PID 2772 wrote to memory of 2520	2772	cmd.exe	31
PID 2772 wrote to memory of 2520	2772	cmd.exe	31
PID 2972 wrote to memory of 2516	2972	82286b25e730481190cc5f04f031aef7_JaffaCakes118.exe	32
PID 2972 wrote to memory of 2516	2972	82286b25e730481190cc5f04f031aef7_JaffaCakes118.exe	32
PID 2972 wrote to memory of 2516	2972	82286b25e730481190cc5f04f031aef7_JaffaCakes118.exe	32
PID 2972 wrote to memory of 2516	2972	82286b25e730481190cc5f04f031aef7_JaffaCakes118.exe	32
PID 2972 wrote to memory of 2516	2972	82286b25e730481190cc5f04f031aef7_JaffaCakes118.exe	32
PID 2972 wrote to memory of 2516	2972	82286b25e730481190cc5f04f031aef7_JaffaCakes118.exe	32
PID 2972 wrote to memory of 2516	2972	82286b25e730481190cc5f04f031aef7_JaffaCakes118.exe	32
PID 2516 wrote to memory of 916	2516	cmd.exe	34
PID 2516 wrote to memory of 916	2516	cmd.exe	34
PID 2516 wrote to memory of 916	2516	cmd.exe	34
PID 2516 wrote to memory of 916	2516	cmd.exe	34
PID 2516 wrote to memory of 916	2516	cmd.exe	34
PID 2516 wrote to memory of 916	2516	cmd.exe	34
PID 2516 wrote to memory of 916	2516	cmd.exe	34

C:\Users\Admin\AppData\Local\Temp\82286b25e730481190cc5f04f031aef7_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\82286b25e730481190cc5f04f031aef7_JaffaCakes118.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2972
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c rd /s /q C:\ProgramData\sgfaulxjuqvhd & timeout 2 & del /f /q "C:\Users\Admin\AppData\Local\Temp\82286b25e730481190cc5f04f031aef7_JaffaCakes118.exe"
  2⤵
  - Deletes itself
  - Suspicious use of WriteProcessMemory
  PID:2772
- - C:\Windows\SysWOW64\timeout.exe
    timeout 2
    3⤵
    - Delays execution with timeout.exe
    PID:2520
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c rd /s /q C:\ProgramData\sgfaulxjuqvhd & timeout 2 & del /f /q "C:\Users\Admin\AppData\Local\Temp\82286b25e730481190cc5f04f031aef7_JaffaCakes118.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2516
- - C:\Windows\SysWOW64\timeout.exe
    timeout 2
    3⤵
    - Delays execution with timeout.exe
    PID:916

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\sgfaulxjuqvhd\46173476.txt

Filesize
45B

MD5
843f29ac887fed49f84b63fffac9f2dc

SHA1
2eb686fb2569f721e428c0be87854397094f91f5

SHA256
18e9a4ad21ab3d0b64b942c05b0ebd99f8935545373a69d9ce5063cba2a6cf8c

SHA512
03a4ec0512d09b9cdfd96608c8112958f4e87f1f915c34a545eea049dcb19b948f8d51673eec7528771076a219480304d5a720e04053d8ba3a8eed5a09e030ef

Download Submit
C:\ProgramData\sgfaulxjuqvhd\8372422.txt

Filesize
156B

MD5
b5089e0c5a3d5377e9bd19c0557ef04e

SHA1
9402e326be3d240e234c06892b15c24e93c93eb8

SHA256
d77789b2c49759c882f4fdd6f53e665b0d012f8f0949d0150eaba47fbf2a0eb5

SHA512
942349ccb99854f274ef1e20b623660588e15bd0d25bfc817fe9b2d010db656af340652e0e67b41edbf0cf259d55ab880d6b50acb1d7e8ab394f1393f7956c13

Download Submit
C:\ProgramData\sgfaulxjuqvhd\Files\_INFOR~1.TXT

Filesize
111B

MD5
e20f2fab5bac8770e682fe9635506f73

SHA1
61aaa3e1e778d5c78617db759343bc23d84d8810

SHA256
1464bf3a21ec070fe0ec98fa1258c1a85187db1ba6368bb26d2b5484c98bf477

SHA512
328d0647d9aeb22f164669286d76e5f71901a98a11339e8d46242eba41017ac384a5c4f429f0357ed6ce571be030c3f9acd1729012c077d8ce7ebd0e5018b56b

Download Submit
C:\ProgramData\sgfaulxjuqvhd\GB_202~1.ZIP

Filesize
257B

MD5
24002180d99a17f4f4403708c76f741f

SHA1
5ab22fc2e34249c28984b73fce5f835c81961b76

SHA256
58784a9b7e6d8541dab066997b49920803b220b11d74e12b5f3a6edd4c2575d9

SHA512
c6bef9a472d95a115bc5b905da6a8b11b545ccd5a4512917803e859b35e9314bdfa82567520fe50665065c9a67933ebf3786129465fcf1ab46021c778338e9d2

Download Submit
memory/2972-1-0x0000000001030000-0x0000000001508000-memory.dmp

Filesize
4.8MB

Download
memory/2972-0-0x00000000001B0000-0x0000000000688000-memory.dmp

Filesize
4.8MB

Download
memory/2972-2-0x0000000077400000-0x0000000077402000-memory.dmp

Filesize
8KB

Download
memory/2972-3-0x00000000001B1000-0x00000000001C9000-memory.dmp

Filesize
96KB

Download
memory/2972-27-0x00000000001B0000-0x0000000000688000-memory.dmp

Filesize
4.8MB

Download