Analysis
- max time kernel: 149s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20240611-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 12-06-2024 18:28

Static task: static1
Behavioral task: behavioral1
- Sample: a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe
- Resource: win7-20231129-en

General
- Target: a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe
- Size: 5.3MB
- MD5: a1be3cbefb845eac49a0cad049876a73
- SHA1: 68f8f9ed528a21ca796fe3fa228b8e0ad1141218
- SHA256: 4a0d89026fc07bec802a4be7341353f3945685075c3e4023b3403c3d7c51e8cd
- SHA512: c5238ff3595869b8fdf4a8194bf4e9f6ea7ae3e96ea802d368d6d44d89512fe04457b5c9da390b66ec4435cfbc40167c1b3f04c710322ea3611cf0b5b33f904e
- SSDEEP: 98304:3AUjbsU6qkD4dQd2IpZB19TzKT4PU7MwT4PU7MBoGM/YhG+:QG4d2i1M/IG+
Malware Config
Signatures

- Checks for common network interception software (1 TTPs)
  Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.

- Enumerates VirtualBox registry keys (2 TTPs, 10 IoCs)
  Processes: a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe, a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe
  - Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxService (a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe)
  - Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxSF (a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe)
  - Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxVideo (a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe)
  - Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxGuest (a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe)
  - Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxMouse (a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe)
  - Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxService (a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe)
  - Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxGuest (a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe)
  - Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxMouse (a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe)
  - Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxSF (a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe)
  - Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxVideo (a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe)

- Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 6 IoCs)
  Processes: a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe, a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe
  - Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\FADT\VBOX__ (a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe)
  - Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\RSDT\VBOX__ (a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe)
  - Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ (a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe)
  - Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\FADT\VBOX__ (a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe)
  - Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\RSDT\VBOX__ (a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe)
  - Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ (a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe)

- Looks for VirtualBox Guest Additions in registry (2 TTPs, 2 IoCs)
  Processes: a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe, a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe
  - Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Oracle\VirtualBox Guest Additions (a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe)
  - Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Oracle\VirtualBox Guest Additions (a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe)

- Looks for VMWare Tools registry key (2 TTPs, 1 IoCs)
  Processes: a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe
  - Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\VMware, Inc.\VMware Tools (a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe)

- Checks BIOS information in registry (2 TTPs, 4 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  Processes: a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe, a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe
  - Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe)
  - Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe)
  - Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe)
  - Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe)

- Executes dropped EXE (2 IoCs)
  Processes: a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe, a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe
  - PID 2792: a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe
  - PID 4148: a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe

- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

- Checks installed software on the system (1 TTPs)
  Looks up Uninstall key entries in the registry to enumerate software on the system.

- Checks system information in the registry (2 TTPs, 2 IoCs)
  System information is often read in order to detect sandboxing environments.
  Processes: a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe, a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe
  - Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName (a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe)
  - Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName (a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe)

- Checks for VirtualBox DLLs, possible anti-VM trick (1 TTPs, 2 IoCs)
  Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.
  Processes: a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe, a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe
  - File opened (read-only) \??\VBoxMiniRdrDN (a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe)
  - File opened (read-only) \??\VBoxMiniRdrDN (a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe)

- Drops file in Windows directory (1 IoCs)
  Processes: a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe
  - File created C:\Windows\fonts\pns.ttf (a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe)

- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

- Checks SCSI registry key(s) (3 TTPs, 2 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  Processes: a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe
  - Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_VMware_&Prod_VMware_Virtual_S&Rev_1.0 (a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe)
  - Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_VMware_&Prod_VMware_Virtual_S (a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe)

- Suspicious behavior: EnumeratesProcesses (8 IoCs)
  Processes: a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe, a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe
  - PID 2416: a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe
  - PID 2416: a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe
  - PID 2416: a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe
  - PID 2416: a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe
  - PID 4148: a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe
  - PID 4148: a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe
  - PID 4148: a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe
  - PID 4148: a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe

- Suspicious behavior: RenamesItself (2 IoCs)
  Processes: a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe, a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe
  - PID 2416: a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe
  - PID 4148: a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe

- Suspicious use of AdjustPrivilegeToken (6 IoCs)
  Processes: a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe, a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe
  - Token: SeTakeOwnershipPrivilege, PID 2416 (a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe)
  - Token: SeRestorePrivilege, PID 2416 (a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe)
  - Token: SeDebugPrivilege, PID 2416 (a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe)
  - Token: SeTakeOwnershipPrivilege, PID 4148 (a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe)
  - Token: SeRestorePrivilege, PID 4148 (a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe)
  - Token: SeDebugPrivilege, PID 4148 (a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe)

- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes: a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe
  (columns: description, pid, Process, procid_target)
  - PID 2416 wrote to memory of 2792 | 2416 | a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe | 85
  - PID 2416 wrote to memory of 2792 | 2416 | a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe | 85
  - PID 2416 wrote to memory of 2792 | 2416 | a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe | 85
  - PID 2416 wrote to memory of 4148 | 2416 | a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe | 86
  - PID 2416 wrote to memory of 4148 | 2416 | a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe | 86
  - PID 2416 wrote to memory of 4148 | 2416 | a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe | 86
Processes

- C:\Users\Admin\AppData\Local\Temp\a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe (PID 2416, depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe"
  - Enumerates VirtualBox registry keys
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Looks for VirtualBox Guest Additions in registry
  - Looks for VMWare Tools registry key
  - Checks BIOS information in registry
  - Checks system information in the registry
  - Checks for VirtualBox DLLs, possible anti-VM trick
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: RenamesItself
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  - C:\Users\Admin\AppData\Local\Temp\a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe (PID 2792, depth 2, child of 2416)
    Command line: "C:\Users\Admin\AppData\Local\Temp\a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe" /test
    - Executes dropped EXE

  - C:\Users\Admin\AppData\Local\Temp\a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe (PID 4148, depth 2, child of 2416)
    Command line: "C:\Users\Admin\AppData\Local\Temp\a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe" /restart /util
    - Enumerates VirtualBox registry keys
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Looks for VirtualBox Guest Additions in registry
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Checks system information in the registry
    - Checks for VirtualBox DLLs, possible anti-VM trick
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: RenamesItself
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads