Analysis

  • max time kernel
    138s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags
    arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
  • submitted
    12-06-2024 18:28

General

  • Target
    a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe
  • Size
    5.3MB
  • MD5
    a1be3cbefb845eac49a0cad049876a73
  • SHA1
    68f8f9ed528a21ca796fe3fa228b8e0ad1141218
  • SHA256
    4a0d89026fc07bec802a4be7341353f3945685075c3e4023b3403c3d7c51e8cd
  • SHA512
    c5238ff3595869b8fdf4a8194bf4e9f6ea7ae3e96ea802d368d6d44d89512fe04457b5c9da390b66ec4435cfbc40167c1b3f04c710322ea3611cf0b5b33f904e
  • SSDEEP
    98304:3AUjbsU6qkD4dQd2IpZB19TzKT4PU7MwT4PU7MBoGM/YhG+:QG4d2i1M/IG+

Malware Config

Signatures

  • Checks for common network interception software 1 TTPs

    Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.

  • Enumerates VirtualBox registry keys 2 TTPs 10 IoCs
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 6 IoCs
  • Looks for VirtualBox Guest Additions in registry 2 TTPs 2 IoCs
  • Looks for VMWare Tools registry key 2 TTPs 1 IoCs
  • Checks BIOS information in registry 2 TTPs 4 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 11 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Checks system information in the registry 2 TTPs 2 IoCs

    System information is often read in order to detect sandboxing environments.

  • Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 2 IoCs

    Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 2 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies system certificate store 2 TTPs 6 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious behavior: RenamesItself 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe"
    1⤵
    • Enumerates VirtualBox registry keys
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Looks for VirtualBox Guest Additions in registry
    • Looks for VMWare Tools registry key
    • Checks BIOS information in registry
    • Loads dropped DLL
    • Checks system information in the registry
    • Checks for VirtualBox DLLs, possible anti-VM trick
    • Drops file in Windows directory
    • Checks SCSI registry key(s)
    • Modifies system certificate store
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: RenamesItself
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2956
    • C:\Users\Admin\AppData\Local\Temp\a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe" /test
      2⤵
      • Executes dropped EXE
      PID:2104
    • C:\Users\Admin\AppData\Local\Temp\a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe" /restart /util
      2⤵
      • Enumerates VirtualBox registry keys
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Looks for VirtualBox Guest Additions in registry
      • Checks BIOS information in registry
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks system information in the registry
      • Checks for VirtualBox DLLs, possible anti-VM trick
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: RenamesItself
      • Suspicious use of AdjustPrivilegeToken
      PID:1740

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Чистилка\Чистилка Uninstall.lnk
    Filesize: 1KB
    MD5: 5ad4011ed312ded0730c6e6c3b6e8ec0
    SHA1: 585b6955d977987f79cb26108681b79139b3804f
    SHA256: a6c5fc3ef8e7518266a9e37da7bc77100c9bc29bb156646da8823ec46601ed63
    SHA512: 2765594f8250dbaf48d93432b7f72646f68b12af354f165a48a6b74386bee2bbacaf9e7850e35347db144d83b7bc9d71620cb7ead8a9c389f6f4e6ad83f8d772

  • C:\ProgramData\Чистилка\settings.json
    Filesize: 445B
    MD5: bfda7ae0084bf200cca8abb94c0e46a2
    SHA1: d8bcefd54c862290862f6d06edaef226c8fd7911
    SHA256: 392d65add004805bbe7346e85f8f802dcfddcfe6302e047ccee1b02881d8a136
    SHA512: f36d2266bc23d8979bac56d99d3aa2e59b386ec6df3758396831c48efdd829247460e6fb685f5139dac5ea98d42b34195f1f62e8cedfa5dc797ac24a8882e1af

  • C:\Users\Admin\AppData\Local\Temp\a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe
    Filesize: 5.9MB
    MD5: d7ebb78bf1f0e4a8278b2d63013b1134
    SHA1: 498b315dcba9bf4403d6748be61453d5d8991b61
    SHA256: c5a685088c44b1fbd01f49587af753b6a0f8f793de8d3b3d7e170574fef27ba8
    SHA512: ead20a19b5262ce34f13bae9c9d1082ce5bf740759ea82042d83600094e38de7aea87d7533fdd7660369ec5bb8549e107aff562fa477711515eb9c15c9c93312

  • C:\Users\Admin\AppData\Local\Temp\clnEC3.tmp
    Filesize: 49KB
    MD5: abee4387ab69da821ed9397cc651597d
    SHA1: 5d14f4afdbe15448bf884b528ffffab874f920a7
    SHA256: ac1dfd38d2fa61e28211e196cd3d754f6ccfb220e8c1beba52e54825cf615e22
    SHA512: e014294cb60b66bd259f4a6ce262fc9eca30a30e7674dae178dbac6132ba464120e5d1076ee81c1210a2f42f819d94373733172cef9fda77c9effb4eed53a904

  • C:\Users\Public\Desktop\Чистилка.lnk
    Filesize: 1KB
    MD5: 878065c613c8c619e684dcf2fdef55bb
    SHA1: 33f3c592603b472e817f7ffdbbe201ce4e10a4b5
    SHA256: 02d9447bea51c58af833a9d3f1fb4439765dbc5d941ec2ff2145059c24baf998
    SHA512: 70828d9f36a5e481566da00cf4c688b2586798637141edc08348e007061791700ca3e6c81de085bb2f82f2ae96373a05662cef49e61bf8a368e18c508d53e1de

  • \ProgramData\Чистилка\Чистилка.exe
    Filesize: 5.3MB
    MD5: a1be3cbefb845eac49a0cad049876a73
    SHA1: 68f8f9ed528a21ca796fe3fa228b8e0ad1141218
    SHA256: 4a0d89026fc07bec802a4be7341353f3945685075c3e4023b3403c3d7c51e8cd
    SHA512: c5238ff3595869b8fdf4a8194bf4e9f6ea7ae3e96ea802d368d6d44d89512fe04457b5c9da390b66ec4435cfbc40167c1b3f04c710322ea3611cf0b5b33f904e

  • memory/2956-49-0x00000000003D0000-0x00000000003D1000-memory.dmp
    Filesize: 4KB

  • memory/2956-66-0x0000000000A40000-0x0000000000F9B000-memory.dmp
    Filesize: 5.4MB