Analysis
-
max time kernel
138s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20231129-en -
resource tags
arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system -
submitted
12-06-2024 18:28
Static task
static1
Behavioral task
behavioral1
Sample
a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe
Resource
win7-20231129-en
General
-
Target
a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe
-
Size
5.3MB
-
MD5
a1be3cbefb845eac49a0cad049876a73
-
SHA1
68f8f9ed528a21ca796fe3fa228b8e0ad1141218
-
SHA256
4a0d89026fc07bec802a4be7341353f3945685075c3e4023b3403c3d7c51e8cd
-
SHA512
c5238ff3595869b8fdf4a8194bf4e9f6ea7ae3e96ea802d368d6d44d89512fe04457b5c9da390b66ec4435cfbc40167c1b3f04c710322ea3611cf0b5b33f904e
-
SSDEEP
98304:3AUjbsU6qkD4dQd2IpZB19TzKT4PU7MwT4PU7MBoGM/YhG+:QG4d2i1M/IG+
Malware Config
Signatures
-
Checks for common network interception software 1 TTPs
Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.
-
Enumerates VirtualBox registry keys 2 TTPs 10 IoCs
Processes:
a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exea1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exedescription ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxVideo a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxGuest a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxMouse a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxVideo a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxService a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxSF a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxService a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxSF a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxGuest a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxMouse a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe -
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 6 IoCs
Processes:
a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exea1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exedescription ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\RSDT\VBOX__ a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\FADT\VBOX__ a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\RSDT\VBOX__ a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\FADT\VBOX__ a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe -
Looks for VirtualBox Guest Additions in registry 2 TTPs 2 IoCs
Processes:
a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exea1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exedescription ioc Process Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Oracle\VirtualBox Guest Additions a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Oracle\VirtualBox Guest Additions a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe -
Looks for VMWare Tools registry key 2 TTPs 1 IoCs
Processes:
a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exedescription ioc Process Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\VMware, Inc.\VMware Tools a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe -
Checks BIOS information in registry 2 TTPs 4 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exea1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exedescription ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe -
Executes dropped EXE 2 IoCs
Processes:
a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exea1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exepid Process 2104 a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe 1740 a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe -
Loads dropped DLL 11 IoCs
Processes:
a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exea1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exepid Process 2956 a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe 2956 a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe 2956 a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe 2956 a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe 2956 a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe 2956 a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe 2956 a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe 2956 a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe 2956 a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe 1740 a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe 1740 a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Checks system information in the registry 2 TTPs 2 IoCs
System information is often read in order to detect sandboxing environments.
Processes:
a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exea1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exedescription ioc Process Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe -
Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 2 IoCs
Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.
Processes:
a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exea1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exedescription ioc Process File opened (read-only) \??\VBoxMiniRdrDN a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe File opened (read-only) \??\VBoxMiniRdrDN a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe -
Drops file in Windows directory 1 IoCs
Processes:
a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exedescription ioc Process File created C:\Windows\fonts\pns.ttf a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks SCSI registry key(s) 3 TTPs 2 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exedescription ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_VMware_&Prod_VMware_Virtual_S&Rev_1.0 a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_VMware_&Prod_VMware_Virtual_S a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe -
Processes:
a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exedescription ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 0f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d090000000100000068000000306606082b0601050507030106082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030806082b06010505070309060a2b0601040182370a030406082b0601050507030606082b0601050507030706082b060105050802025300000001000000230000003021301f06092b06010401a032010130123010060a2b0601040182373c0101030200c00b000000010000001600000047006c006f00620061006c005300690067006e000000140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b1d00000001000000100000006ee7f3b060d10e90a31ba3471b999236030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0 a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 190000000100000010000000a823b4a20180beb460cab955c24d7e21030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c1d00000001000000100000006ee7f3b060d10e90a31ba3471b999236140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b0b000000010000001600000047006c006f00620061006c005300690067006e0000005300000001000000230000003021301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0090000000100000068000000306606082b0601050507030106082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030806082b06010505070309060a2b0601040182370a030406082b0601050507030606082b0601050507030706082b060105050802020f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0 a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 0400000001000000100000003e455215095192e1b75d379fb187298a0f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d090000000100000068000000306606082b0601050507030106082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030806082b06010505070309060a2b0601040182370a030406082b0601050507030606082b0601050507030706082b060105050802025300000001000000230000003021301f06092b06010401a032010130123010060a2b0601040182373c0101030200c00b000000010000001600000047006c006f00620061006c005300690067006e000000140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b1d00000001000000100000006ee7f3b060d10e90a31ba3471b999236030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c190000000100000010000000a823b4a20180beb460cab955c24d7e21200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0 a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827 a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe -
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes:
a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exea1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exepid Process 2956 a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe 2956 a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe 1740 a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe 1740 a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe -
Suspicious behavior: RenamesItself 2 IoCs
Processes:
a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exea1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exepid Process 2956 a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe 1740 a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe -
Suspicious use of AdjustPrivilegeToken 6 IoCs
Processes:
a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exea1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exedescription pid Process Token: SeTakeOwnershipPrivilege 2956 a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe Token: SeRestorePrivilege 2956 a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe Token: SeDebugPrivilege 2956 a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe Token: SeTakeOwnershipPrivilege 1740 a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe Token: SeRestorePrivilege 1740 a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe Token: SeDebugPrivilege 1740 a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe -
Suspicious use of WriteProcessMemory 8 IoCs
Processes:
a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exedescription pid Process procid_target PID 2956 wrote to memory of 2104 2956 a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe 29 PID 2956 wrote to memory of 2104 2956 a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe 29 PID 2956 wrote to memory of 2104 2956 a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe 29 PID 2956 wrote to memory of 2104 2956 a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe 29 PID 2956 wrote to memory of 1740 2956 a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe 30 PID 2956 wrote to memory of 1740 2956 a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe 30 PID 2956 wrote to memory of 1740 2956 a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe 30 PID 2956 wrote to memory of 1740 2956 a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe 30
Processes
-
C:\Users\Admin\AppData\Local\Temp\a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe"1⤵
- Enumerates VirtualBox registry keys
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Loads dropped DLL
- Checks system information in the registry
- Checks for VirtualBox DLLs, possible anti-VM trick
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2956 -
C:\Users\Admin\AppData\Local\Temp\a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe" /test2⤵
- Executes dropped EXE
PID:2104
-
-
C:\Users\Admin\AppData\Local\Temp\a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe" /restart /util2⤵
- Enumerates VirtualBox registry keys
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Looks for VirtualBox Guest Additions in registry
- Checks BIOS information in registry
- Executes dropped EXE
- Loads dropped DLL
- Checks system information in the registry
- Checks for VirtualBox DLLs, possible anti-VM trick
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
PID:1740
-
Network
MITRE ATT&CK Enterprise v15
Defense Evasion
Modify Registry
1Subvert Trust Controls
1Install Root Certificate
1Virtualization/Sandbox Evasion
4Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD55ad4011ed312ded0730c6e6c3b6e8ec0
SHA1585b6955d977987f79cb26108681b79139b3804f
SHA256a6c5fc3ef8e7518266a9e37da7bc77100c9bc29bb156646da8823ec46601ed63
SHA5122765594f8250dbaf48d93432b7f72646f68b12af354f165a48a6b74386bee2bbacaf9e7850e35347db144d83b7bc9d71620cb7ead8a9c389f6f4e6ad83f8d772
-
Filesize
445B
MD5bfda7ae0084bf200cca8abb94c0e46a2
SHA1d8bcefd54c862290862f6d06edaef226c8fd7911
SHA256392d65add004805bbe7346e85f8f802dcfddcfe6302e047ccee1b02881d8a136
SHA512f36d2266bc23d8979bac56d99d3aa2e59b386ec6df3758396831c48efdd829247460e6fb685f5139dac5ea98d42b34195f1f62e8cedfa5dc797ac24a8882e1af
-
Filesize
5.9MB
MD5d7ebb78bf1f0e4a8278b2d63013b1134
SHA1498b315dcba9bf4403d6748be61453d5d8991b61
SHA256c5a685088c44b1fbd01f49587af753b6a0f8f793de8d3b3d7e170574fef27ba8
SHA512ead20a19b5262ce34f13bae9c9d1082ce5bf740759ea82042d83600094e38de7aea87d7533fdd7660369ec5bb8549e107aff562fa477711515eb9c15c9c93312
-
Filesize
49KB
MD5abee4387ab69da821ed9397cc651597d
SHA15d14f4afdbe15448bf884b528ffffab874f920a7
SHA256ac1dfd38d2fa61e28211e196cd3d754f6ccfb220e8c1beba52e54825cf615e22
SHA512e014294cb60b66bd259f4a6ce262fc9eca30a30e7674dae178dbac6132ba464120e5d1076ee81c1210a2f42f819d94373733172cef9fda77c9effb4eed53a904
-
Filesize
1KB
MD5878065c613c8c619e684dcf2fdef55bb
SHA133f3c592603b472e817f7ffdbbe201ce4e10a4b5
SHA25602d9447bea51c58af833a9d3f1fb4439765dbc5d941ec2ff2145059c24baf998
SHA51270828d9f36a5e481566da00cf4c688b2586798637141edc08348e007061791700ca3e6c81de085bb2f82f2ae96373a05662cef49e61bf8a368e18c508d53e1de
-
Filesize
5.3MB
MD5a1be3cbefb845eac49a0cad049876a73
SHA168f8f9ed528a21ca796fe3fa228b8e0ad1141218
SHA2564a0d89026fc07bec802a4be7341353f3945685075c3e4023b3403c3d7c51e8cd
SHA512c5238ff3595869b8fdf4a8194bf4e9f6ea7ae3e96ea802d368d6d44d89512fe04457b5c9da390b66ec4435cfbc40167c1b3f04c710322ea3611cf0b5b33f904e