Analysis

  • max time kernel
    135s
  • max time network
    127s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    05/06/2024, 07:49

General

  • Target: 9786cf1f32b8889fb82767e9ad866f52_JaffaCakes118.exe
  • Size: 628KB
  • MD5: 9786cf1f32b8889fb82767e9ad866f52
  • SHA1: 8e55cd12f41efc9a9fb341aa25811a5decda2d1c
  • SHA256: 23a3f8d5fd270f2bc1b265679881ac81b318a66e2d4bab33a17b93a8aeeb86ea
  • SHA512: b9cea70b34125051b75377b8b85eb899bdc54df7d32933774ee01f593e6607ee769e28289f94de5b9fed0a5c86872eb89ec36139fd2e05640da6d0f7c2ce59d5
  • SSDEEP: 12288:eL4MO+THTJZVyWW9Xl6nHZDQQXiPYURmjDAOu7Q944dc69:o4MO+Vx+M1OPoO7tGc69

Score
9/10

Malware Config

Signatures

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Drops desktop.ini file(s) 2 IoCs
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Enumerates system info in registry 2 TTPs 2 IoCs
  • Modifies system certificate store 2 TTPs 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\9786cf1f32b8889fb82767e9ad866f52_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\9786cf1f32b8889fb82767e9ad866f52_JaffaCakes118.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks computer location settings
    • Enumerates system info in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:4732
    • C:\Users\Admin\AppData\Local\Temp\n7429\s7429.exe
      "C:\Users\Admin\AppData\Local\Temp\n7429\s7429.exe" 896359ed95e1266e5733ae9ddP0ZfDA/xAabe4kFMy1jkSYzqeGAuS+530XCA9erplWMPAg/KTH8AjWkJxQuX16l+N07QaQCXWfFlFLImrkxvm5ld3qbAECe7+c5kwgK95P7kU6eT8k3qbrBBArwqg3A7VFUc2suAGq7I0vA9FwcbvLp1/HFOuQAwvBsEY9Y /v "C:\Users\Admin\AppData\Local\Temp\9786cf1f32b8889fb82767e9ad866f52_JaffaCakes118.exe"
      2⤵
      • Executes dropped EXE
      • Drops desktop.ini file(s)
      • Drops file in Windows directory
      • Modifies system certificate store
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:2920
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4020,i,1809100026287847100,9768898026582633513,262144 --variations-seed-version --mojo-platform-channel-handle=4012 /prefetch:8
    1⤵
      PID:4360

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\n7429\s7429.exe
    Filesize: 350KB
    MD5: 39b961520af5ab4b1420140e76e0fd2f
    SHA1: 96c6c87fd9b46625e1f364d833a8231d463f0fd5
    SHA256: 0533cd8f934b9763d09a1e164ac02b67d6df34eb7584f783adaf7a777ce48cea
    SHA512: 69d86ce653e8f5ab7c9c45e9e05dd5a12b31d739fef0881e63c917fe0ccbe9177b59e92b33dd3774d53bdd1837abb571bea43fd1297ecf4359b607716454668a
  • memory/2920-12-0x00007FF967A70000-0x00007FF967D39000-memory.dmp (Filesize: 2.8MB)
  • memory/2920-13-0x00007FF967A70000-0x00007FF967D39000-memory.dmp (Filesize: 2.8MB)
  • memory/2920-14-0x00007FF967A70000-0x00007FF967D39000-memory.dmp (Filesize: 2.8MB)
  • memory/2920-28-0x000000001C2C0000-0x000000001C2D0000-memory.dmp (Filesize: 64KB)
  • memory/2920-31-0x000000001CD10000-0x000000001D1DE000-memory.dmp (Filesize: 4.8MB)
  • memory/2920-32-0x000000001D1E0000-0x000000001D27C000-memory.dmp (Filesize: 624KB)
  • memory/2920-33-0x00007FF967A70000-0x00007FF967D39000-memory.dmp (Filesize: 2.8MB)
  • memory/2920-34-0x000000001D350000-0x000000001D3B2000-memory.dmp (Filesize: 392KB)
  • memory/2920-35-0x00007FF967A70000-0x00007FF967D39000-memory.dmp (Filesize: 2.8MB)
  • memory/2920-36-0x000000001C2E0000-0x000000001C2E8000-memory.dmp (Filesize: 32KB)
  • memory/2920-37-0x00007FF967A70000-0x00007FF967D39000-memory.dmp (Filesize: 2.8MB)
  • memory/2920-38-0x00007FF967A70000-0x00007FF967D39000-memory.dmp (Filesize: 2.8MB)
  • memory/2920-39-0x00007FF967A70000-0x00007FF967D39000-memory.dmp (Filesize: 2.8MB)
  • memory/2920-40-0x000000001E8C0000-0x000000001E9FC000-memory.dmp (Filesize: 1.2MB)
  • memory/2920-41-0x0000000020EA0000-0x00000000213AE000-memory.dmp (Filesize: 5.1MB)
  • memory/2920-42-0x00007FF967A70000-0x00007FF967D39000-memory.dmp (Filesize: 2.8MB)
  • memory/2920-44-0x00007FF967A70000-0x00007FF967D39000-memory.dmp (Filesize: 2.8MB)