Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240611-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    12-06-2024 18:28

General

  • Target

    a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe

  • Size

    5.3MB

  • MD5

    a1be3cbefb845eac49a0cad049876a73

  • SHA1

    68f8f9ed528a21ca796fe3fa228b8e0ad1141218

  • SHA256

    4a0d89026fc07bec802a4be7341353f3945685075c3e4023b3403c3d7c51e8cd

  • SHA512

    c5238ff3595869b8fdf4a8194bf4e9f6ea7ae3e96ea802d368d6d44d89512fe04457b5c9da390b66ec4435cfbc40167c1b3f04c710322ea3611cf0b5b33f904e

  • SSDEEP

    98304:3AUjbsU6qkD4dQd2IpZB19TzKT4PU7MwT4PU7MBoGM/YhG+:QG4d2i1M/IG+

Malware Config

Signatures

  • Checks for common network interception software 1 TTPs

    Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.

  • Enumerates VirtualBox registry keys 2 TTPs 10 IoCs
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 6 IoCs
  • Looks for VirtualBox Guest Additions in registry 2 TTPs 2 IoCs
  • Looks for VMWare Tools registry key 2 TTPs 1 IoCs
  • Checks BIOS information in registry 2 TTPs 4 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials, cookies and other sensitive profile data.

  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Checks system information in the registry 2 TTPs 2 IoCs

    System information is often read in order to detect sandboxing environments.

  • Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 2 IoCs

    Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 2 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious behavior: RenamesItself 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs
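The registry-based anti-analysis signatures above all reduce to lookups of a small set of well-known key paths. The following is an added example for this page, not the sandbox's own signature code and not derived from the sample: it classifies registry-access events from a Procmon-style CSV trace into those signature categories, normalising the different hive spellings (HKEY_LOCAL_MACHINE, \REGISTRY\MACHINE) a trace may contain, and separately reports the anti-VM lookups that succeeded, since a successful lookup is what gives the VM away. The trace lines are constructed (the PIDs mirror the process tree in this report), and the key list is the commonly documented set, which you should treat as an assumption to extend for your own analysis image.

```python
"""Classify registry accesses from a Procmon-style CSV trace into the
anti-analysis signature categories used by the report above.

Added example for this page; not the sandbox's own signature code.
The key paths are the commonly documented locations these checks target
and should be treated as an assumption to extend for your own image."""
import csv
import io
import re
from collections import defaultdict

# Sandbox-style signature name -> regexes over a normalised key path.
SIGNATURES = {
    "Identifies VirtualBox via ACPI registry values": [
        r"^HKLM\\HARDWARE\\ACPI\\(DSDT|FADT|RSDT)\\VBOX__",
    ],
    "Looks for VirtualBox Guest Additions in registry": [
        r"^HKLM\\SOFTWARE\\Oracle\\VirtualBox Guest Additions",
    ],
    "Looks for VMWare Tools registry key": [
        r"^HKLM\\SOFTWARE\\VMware, Inc\.\\VMware Tools",
    ],
    "Checks BIOS information in registry": [
        r"^HKLM\\HARDWARE\\DESCRIPTION\\System\\"
        r"(SystemBiosVersion|VideoBiosVersion|SystemBiosDate)$",
    ],
    "Checks system information in the registry": [
        r"^HKLM\\SYSTEM\\CurrentControlSet\\Control\\SystemInformation\\"
        r"(SystemManufacturer|SystemProductName)$",
    ],
    "Checks SCSI registry key(s)": [
        r"^HKLM\\HARDWARE\\DEVICEMAP\\Scsi\\Scsi Port \d+\\Scsi Bus \d+\\"
        r"Target Id \d+\\Logical Unit Id \d+\\Identifier$",
    ],
    "Checks installed software on the system": [
        r"^HKLM\\SOFTWARE\\(WOW6432Node\\)?Microsoft\\Windows\\CurrentVersion\\Uninstall\\",
    ],
    "Checks for common network interception software": [
        r"\\Uninstall\\[^\\]*(Wireshark|Fiddler)",
    ],
}
COMPILED = {name: [re.compile(p, re.IGNORECASE) for p in pats]
            for name, pats in SIGNATURES.items()}

# Long hive names and native NT object paths as they appear in traces.
HIVES = [
    ("HKEY_LOCAL_MACHINE", "HKLM"), ("HKEY_CURRENT_USER", "HKCU"),
    ("HKEY_CLASSES_ROOT", "HKCR"), ("HKEY_USERS", "HKU"),
    (r"\REGISTRY\MACHINE", "HKLM"), (r"\REGISTRY\USER", "HKU"),
]


def normalise(path):
    """Rewrite any hive spelling to the short HKLM/HKCU/... form."""
    upper = path.upper()
    for long, short in HIVES:
        if upper.startswith(long):
            return short + path[len(long):]
    return path


def classify(trace_text):
    """Return {signature name: [(pid, operation, path, result), ...]}."""
    hits = defaultdict(list)
    for row in csv.DictReader(io.StringIO(trace_text)):
        path = normalise(row["Path"])
        for name, patterns in COMPILED.items():
            if any(p.search(path) for p in patterns):
                hits[name].append((int(row["PID"]), row["Operation"], path, row["Result"]))
    return dict(hits)


def summarise_by_pid(hits):
    """Per-process view, like the per-process bullets in the report."""
    by_pid = defaultdict(set)
    for name, events in hits.items():
        for pid, _op, _path, _result in events:
            by_pid[pid].add(name)
    return {pid: sorted(names) for pid, names in by_pid.items()}


def vm_markers_found(hits):
    """Anti-VM lookups that SUCCEEDED: these are what reveal the VM to the sample."""
    vm_sigs = [n for n in hits if "VirtualBox" in n or "VMWare" in n]
    return [(pid, path) for n in vm_sigs for pid, _op, path, res in hits[n]
            if res.upper() == "SUCCESS"]


# Constructed trace in Procmon CSV export layout (not captured from the sample).
TRACE = r'''"Time of Day","Process Name","PID","Operation","Path","Result"
"18:28:41.0","a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe","2416","RegOpenKey","HKLM\HARDWARE\ACPI\DSDT\VBOX__","NAME NOT FOUND"
"18:28:41.0","a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe","2416","RegOpenKey","HKLM\HARDWARE\ACPI\FADT\VBOX__","NAME NOT FOUND"
"18:28:41.0","a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe","2416","RegOpenKey","HKLM\SOFTWARE\Oracle\VirtualBox Guest Additions","NAME NOT FOUND"
"18:28:41.0","a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe","2416","RegOpenKey","HKLM\SOFTWARE\VMware, Inc.\VMware Tools","NAME NOT FOUND"
"18:28:41.1","a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe","2416","RegQueryValue","HKLM\HARDWARE\DESCRIPTION\System\SystemBiosVersion","SUCCESS"
"18:28:41.1","a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe","2416","RegQueryValue","HKLM\HARDWARE\DESCRIPTION\System\VideoBiosVersion","SUCCESS"
"18:28:41.1","a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe","2416","RegQueryValue","HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation\SystemManufacturer","SUCCESS"
"18:28:41.1","a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe","2416","RegQueryValue","HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0\Identifier","SUCCESS"
"18:28:41.2","a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe","2416","RegOpenKey","HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Wireshark","NAME NOT FOUND"
"18:28:41.2","a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe","2416","RegOpenKey","HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip","SUCCESS"
"18:28:41.2","a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe","2416","RegOpenKey","HKCU\Software\Microsoft\Windows\CurrentVersion\Run","SUCCESS"
"18:28:43.5","a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe","4148","RegOpenKey","\REGISTRY\MACHINE\HARDWARE\ACPI\RSDT\VBOX__","NAME NOT FOUND"
"18:28:43.5","a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe","4148","RegOpenKey","HKEY_LOCAL_MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions","SUCCESS"
'''

if __name__ == "__main__":
    hits = classify(TRACE)
    for pid, names in sorted(summarise_by_pid(hits).items()):
        print(f"PID {pid}:", *names, sep="\n  ")
    print("VM markers exposed to the sample:", vm_markers_found(hits))
```

The benign HKCU\...\Run lookup in the trace is deliberately left unmatched so the classifier is not simply flagging every registry open; the per-PID summary reproduces the shape of the per-process bullets in the Processes section, and `vm_markers_found` is the check to run against your own sandbox image: any path it returns is one a sample using these lookups will find.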

Processes

  • C:\Users\Admin\AppData\Local\Temp\a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe"
    1⤵
    • Enumerates VirtualBox registry keys
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Looks for VirtualBox Guest Additions in registry
    • Looks for VMWare Tools registry key
    • Checks BIOS information in registry
    • Checks system information in the registry
    • Checks for VirtualBox DLLs, possible anti-VM trick
    • Drops file in Windows directory
    • Checks SCSI registry key(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: RenamesItself
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2416
    • C:\Users\Admin\AppData\Local\Temp\a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe" /test
      2⤵
      • Executes dropped EXE
      PID:2792
    • C:\Users\Admin\AppData\Local\Temp\a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe" /restart /util
      2⤵
      • Enumerates VirtualBox registry keys
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Looks for VirtualBox Guest Additions in registry
      • Checks BIOS information in registry
      • Executes dropped EXE
      • Checks system information in the registry
      • Checks for VirtualBox DLLs, possible anti-VM trick
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: RenamesItself
      • Suspicious use of AdjustPrivilegeToken
      PID:4148

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Чистилка\Чистилка Uninstall.lnk

    Filesize

    1KB

    MD5

    02a123f9c35fd77b52145ec8686b5b19

    SHA1

    f09e4058be4e1b07b6317e8219a38ba9a8ed2acc

    SHA256

    585ab48e10fc363d6e10310796c60438232dafb645834774d7c49e707001b3d8

    SHA512

    008b74e359392263067bd0475b264d7490c7c5946890e1ad83753e57c2cd82a7a380a3bc642eed1e42f2efb9bc5cb8dfe6e77bdac99bc643f58a298b9db99fb3

  • C:\ProgramData\Чистилка\settings.json

    Filesize

    445B

    MD5

    bfda7ae0084bf200cca8abb94c0e46a2

    SHA1

    d8bcefd54c862290862f6d06edaef226c8fd7911

    SHA256

    392d65add004805bbe7346e85f8f802dcfddcfe6302e047ccee1b02881d8a136

    SHA512

    f36d2266bc23d8979bac56d99d3aa2e59b386ec6df3758396831c48efdd829247460e6fb685f5139dac5ea98d42b34195f1f62e8cedfa5dc797ac24a8882e1af

  • C:\ProgramData\Чистилка\Чистилка.exe

    Filesize

    5.3MB

    MD5

    a1be3cbefb845eac49a0cad049876a73

    SHA1

    68f8f9ed528a21ca796fe3fa228b8e0ad1141218

    SHA256

    4a0d89026fc07bec802a4be7341353f3945685075c3e4023b3403c3d7c51e8cd

    SHA512

    c5238ff3595869b8fdf4a8194bf4e9f6ea7ae3e96ea802d368d6d44d89512fe04457b5c9da390b66ec4435cfbc40167c1b3f04c710322ea3611cf0b5b33f904e

  • C:\Users\Admin\AppData\Local\Temp\a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe

    Filesize

    5.9MB

    MD5

    d7ebb78bf1f0e4a8278b2d63013b1134

    SHA1

    498b315dcba9bf4403d6748be61453d5d8991b61

    SHA256

    c5a685088c44b1fbd01f49587af753b6a0f8f793de8d3b3d7e170574fef27ba8

    SHA512

    ead20a19b5262ce34f13bae9c9d1082ce5bf740759ea82042d83600094e38de7aea87d7533fdd7660369ec5bb8549e107aff562fa477711515eb9c15c9c93312

  • C:\Users\Admin\AppData\Local\Temp\cln36EF.tmp

    Filesize

    49KB

    MD5

    abee4387ab69da821ed9397cc651597d

    SHA1

    5d14f4afdbe15448bf884b528ffffab874f920a7

    SHA256

    ac1dfd38d2fa61e28211e196cd3d754f6ccfb220e8c1beba52e54825cf615e22

    SHA512

    e014294cb60b66bd259f4a6ce262fc9eca30a30e7674dae178dbac6132ba464120e5d1076ee81c1210a2f42f819d94373733172cef9fda77c9effb4eed53a904

  • C:\Users\Public\Desktop\Чистилка.lnk

    Filesize

    1KB

    MD5

    77106b36ec3d6c7ee4f5b69c1110169b

    SHA1

    bb6495448f765e40fd157a47d8774bf579677e22

    SHA256

    817f836d1023d2d7b926858bc3d3b1b5013143c106c8e511c317825d0f914a5e

    SHA512

    57ac6d511a8c3c2cb722fae7cb2f7476ef23870c0ff065b86eb4137d1dba6fba6fe159a7e09b84578b80faaf9a4a9bd83776b947578a7f48335a2ee154b71d2a

  • C:\WINDOWS\FONTS\PNS.TTF

    Filesize

    127KB

    MD5

    df8c626474a73ab7a8b511655597c7c4

    SHA1

    5de28f387ea88553d195d1978286d43c33231969

    SHA256

    723091ba5a1b8e65164075516d69c00c71225c6dde61ffc32dd4047803ab42b5

    SHA512

    c8f7d1577cb70610c40b96c835faca6b916c4924b5061351c8a67287567556b2014efb7c73cdcc4fb6533829541cd0264b8a9e428d3c572e29c06b0d96633d59

  • memory/2416-43-0x00000000009E0000-0x0000000000F3B000-memory.dmp

    Filesize

    5.4MB