978cd9073207975e6dd535e34b59014de4eb4db0d54fd67d2d8a355e5df7458b

General

Target

9e89ec8a6d7a50e4f9a68a7ed90f0eea_JaffaCakes118.exe
Size

3.3MB
MD5

9e89ec8a6d7a50e4f9a68a7ed90f0eea
SHA1

286fafe21eb3232d42ac63f4220dbc1c281944c2
SHA256

978cd9073207975e6dd535e34b59014de4eb4db0d54fd67d2d8a355e5df7458b
SHA512

67f782c6b7c946d5dfcfb06dc1bd262d4f491aa092b2d0fabeda2dadebbbf96b22e7152ad93242943d27ec79ca5cd62ddb21a18f926a6d7b419704641c5c5b3b
SSDEEP

98304:xQMV6QGLZdQfePhCko9qE4S473zOEcEe0e:xZ4QGF4Bz473y

Score

10^/10

evasion themida trojan

Malware Config

Signatures

UAC bypass 3 TTPs 3 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	9e89ec8a6d7a50e4f9a68a7ed90f0eea_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	9e89ec8a6d7a50e4f9a68a7ed90f0eea_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	9e89ec8a6d7a50e4f9a68a7ed90f0eea_JaffaCakes118.exe

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	9e89ec8a6d7a50e4f9a68a7ed90f0eea_JaffaCakes118.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	9e89ec8a6d7a50e4f9a68a7ed90f0eea_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	9e89ec8a6d7a50e4f9a68a7ed90f0eea_JaffaCakes118.exe

Themida packer 1 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral1/memory/2456-40-0x00000000025E0000-0x0000000002E9E000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	9e89ec8a6d7a50e4f9a68a7ed90f0eea_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	9e89ec8a6d7a50e4f9a68a7ed90f0eea_JaffaCakes118.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	checkip.dyndns.org

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
1568	9e89ec8a6d7a50e4f9a68a7ed90f0eea_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1568	9e89ec8a6d7a50e4f9a68a7ed90f0eea_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1568 wrote to memory of 2456	1568	9e89ec8a6d7a50e4f9a68a7ed90f0eea_JaffaCakes118.exe	28
PID 1568 wrote to memory of 2456	1568	9e89ec8a6d7a50e4f9a68a7ed90f0eea_JaffaCakes118.exe	28
PID 1568 wrote to memory of 2456	1568	9e89ec8a6d7a50e4f9a68a7ed90f0eea_JaffaCakes118.exe	28
PID 1568 wrote to memory of 2456	1568	9e89ec8a6d7a50e4f9a68a7ed90f0eea_JaffaCakes118.exe	28

System policy modification 1 TTPs 4 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSmartScreen = "0"	9e89ec8a6d7a50e4f9a68a7ed90f0eea_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	9e89ec8a6d7a50e4f9a68a7ed90f0eea_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	9e89ec8a6d7a50e4f9a68a7ed90f0eea_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	9e89ec8a6d7a50e4f9a68a7ed90f0eea_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\9e89ec8a6d7a50e4f9a68a7ed90f0eea_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\9e89ec8a6d7a50e4f9a68a7ed90f0eea_JaffaCakes118.exe"
1⤵
- UAC bypass
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1568
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
  dw20.exe -x -s 1316
  2⤵
  PID:2456

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Abuse Elevation Control Mechanism

1

T1548

Bypass User Account Control

1

T1548.002

Defense Evasion

Abuse Elevation Control Mechanism

1

T1548

Bypass User Account Control

1

T1548.002

Impair Defenses

1

T1562

Disable or Modify Tools

Modify Registry

Virtualization/Sandbox Evasion

1

T1497

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Virtualization/Sandbox Evasion

1

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1568-1-0x0000000075CD4000-0x0000000075CD5000-memory.dmp

Filesize
4KB

Download
memory/1568-0-0x0000000000940000-0x00000000011FE000-memory.dmp

Filesize
8.7MB

Download
memory/1568-3-0x0000000075CC0000-0x0000000075DD0000-memory.dmp

Filesize
1.1MB

Download
memory/1568-6-0x0000000075CC0000-0x0000000075DD0000-memory.dmp

Filesize
1.1MB

Download
memory/1568-5-0x0000000075CC0000-0x0000000075DD0000-memory.dmp

Filesize
1.1MB

Download
memory/1568-4-0x0000000075CC0000-0x0000000075DD0000-memory.dmp

Filesize
1.1MB

Download
memory/1568-10-0x0000000075CC0000-0x0000000075DD0000-memory.dmp

Filesize
1.1MB

Download
memory/1568-20-0x0000000075CC0000-0x0000000075DD0000-memory.dmp

Filesize
1.1MB

Download
memory/1568-19-0x0000000075CC0000-0x0000000075DD0000-memory.dmp

Filesize
1.1MB

Download
memory/1568-18-0x0000000075CC0000-0x0000000075DD0000-memory.dmp

Filesize
1.1MB

Download
memory/1568-24-0x0000000075CC0000-0x0000000075DD0000-memory.dmp

Filesize
1.1MB

Download
memory/1568-25-0x0000000075CC0000-0x0000000075DD0000-memory.dmp

Filesize
1.1MB

Download
memory/1568-23-0x0000000075CC0000-0x0000000075DD0000-memory.dmp

Filesize
1.1MB

Download
memory/1568-22-0x0000000075CC0000-0x0000000075DD0000-memory.dmp

Filesize
1.1MB

Download
memory/1568-21-0x0000000075CC0000-0x0000000075DD0000-memory.dmp

Filesize
1.1MB

Download
memory/1568-17-0x0000000075CC0000-0x0000000075DD0000-memory.dmp

Filesize
1.1MB

Download
memory/1568-16-0x0000000075CC0000-0x0000000075DD0000-memory.dmp

Filesize
1.1MB

Download
memory/1568-15-0x0000000075CC0000-0x0000000075DD0000-memory.dmp

Filesize
1.1MB

Download
memory/1568-14-0x0000000075CC0000-0x0000000075DD0000-memory.dmp

Filesize
1.1MB

Download
memory/1568-13-0x0000000075CC0000-0x0000000075DD0000-memory.dmp

Filesize
1.1MB

Download
memory/1568-12-0x0000000075CC0000-0x0000000075DD0000-memory.dmp

Filesize
1.1MB

Download
memory/1568-11-0x0000000075CC0000-0x0000000075DD0000-memory.dmp

Filesize
1.1MB

Download
memory/1568-9-0x0000000075CC0000-0x0000000075DD0000-memory.dmp

Filesize
1.1MB

Download
memory/1568-8-0x0000000075CC0000-0x0000000075DD0000-memory.dmp

Filesize
1.1MB

Download
memory/1568-7-0x0000000075CC0000-0x0000000075DD0000-memory.dmp

Filesize
1.1MB

Download
memory/1568-2-0x0000000075CC0000-0x0000000075DD0000-memory.dmp

Filesize
1.1MB

Download
memory/1568-29-0x0000000075CC0000-0x0000000075DD0000-memory.dmp

Filesize
1.1MB

Download
memory/1568-30-0x0000000000940000-0x00000000011FE000-memory.dmp

Filesize
8.7MB

Download
memory/1568-31-0x0000000075CC0000-0x0000000075DD0000-memory.dmp

Filesize
1.1MB

Download
memory/1568-33-0x0000000075CD4000-0x0000000075CD5000-memory.dmp

Filesize
4KB

Download
memory/2456-40-0x00000000025E0000-0x0000000002E9E000-memory.dmp

Filesize
8.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads