11947ea7c46e2a1084d7a7b1bad0acb181c631047398648f8d12e12589fb726b

General

Target

a21ec611f26a64591e145f37beeb0be4_JaffaCakes118.exe
Size

3.7MB
MD5

a21ec611f26a64591e145f37beeb0be4
SHA1

363aebfb872485864f16ad3680035f583e16bc31
SHA256

11947ea7c46e2a1084d7a7b1bad0acb181c631047398648f8d12e12589fb726b
SHA512

f584abf6941fdb8caf52efa2e43f9024db6c5ae30a10259470e6843a95fc65e18cbb7b3235ea6f2ce9c2a6e9a4f73fd558b79ef566c73b39d1c7eed400b60f20
SSDEEP

98304:mXFl9S5MBAq6w8qge/6KbZiYHRmFIDJAu:mf0g6PqD6gsxu

Score

9^/10

evasion upx

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	a21ec611f26a64591e145f37beeb0be4_JaffaCakes118.exe

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x00290000000143b9-13.dat	acprotect

Loads dropped DLL 1 IoCs

pid	Process
2980	a21ec611f26a64591e145f37beeb0be4_JaffaCakes118.exe

UPX packed file 16 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x00290000000143b9-13.dat	upx
behavioral1/memory/2980-17-0x0000000010000000-0x0000000010269000-memory.dmp	upx
behavioral1/memory/2980-19-0x0000000010000000-0x0000000010269000-memory.dmp	upx
behavioral1/memory/2980-21-0x0000000010000000-0x0000000010269000-memory.dmp	upx
behavioral1/memory/2980-22-0x0000000010000000-0x0000000010269000-memory.dmp	upx
behavioral1/memory/2980-23-0x0000000010000000-0x0000000010269000-memory.dmp	upx
behavioral1/memory/2980-24-0x0000000010000000-0x0000000010269000-memory.dmp	upx
behavioral1/memory/2980-25-0x0000000010000000-0x0000000010269000-memory.dmp	upx
behavioral1/memory/2980-26-0x0000000010000000-0x0000000010269000-memory.dmp	upx
behavioral1/memory/2980-27-0x0000000010000000-0x0000000010269000-memory.dmp	upx
behavioral1/memory/2980-28-0x0000000010000000-0x0000000010269000-memory.dmp	upx
behavioral1/memory/2980-29-0x0000000010000000-0x0000000010269000-memory.dmp	upx
behavioral1/memory/2980-30-0x0000000010000000-0x0000000010269000-memory.dmp	upx
behavioral1/memory/2980-31-0x0000000010000000-0x0000000010269000-memory.dmp	upx
behavioral1/memory/2980-32-0x0000000010000000-0x0000000010269000-memory.dmp	upx
behavioral1/memory/2980-33-0x0000000010000000-0x0000000010269000-memory.dmp	upx

Checks for any installed AV software in registry 1 TTPs 2 IoCs

Security Software Discovery

T1518.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Avira\AntiVir Desktop	a21ec611f26a64591e145f37beeb0be4_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Avira\AntiVir Desktop	a21ec611f26a64591e145f37beeb0be4_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2980	a21ec611f26a64591e145f37beeb0be4_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\a21ec611f26a64591e145f37beeb0be4_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a21ec611f26a64591e145f37beeb0be4_JaffaCakes118.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Loads dropped DLL
- Checks for any installed AV software in registry
- Suspicious behavior: EnumeratesProcesses
PID:2980

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

1

T1497

Credential Access

Discovery

Query Registry

1

T1012

Software Discovery

1

T1518

Security Software Discovery

1

T1518.001

Virtualization/Sandbox Evasion

1

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\TsZjFAwXnS.tmp\htmlayout.dll

Filesize
943KB

MD5
dd305582564b7973909265167faacce4

SHA1
02a8db6c70f328bbad69177d843553405f88fa0f

SHA256
58968138a0c8e6f7ab324a50906e29ef2980ccd5b844758fbf64176ea563a42c

SHA512
6cac3596c9d254c0d1f86be64affe801a7e887db8936c214431d0504ed19054ea94f747159e1c99e7bb60ad9ce88d1b48e5643fd92788585496eef785d6612cd

Download Submit
memory/2980-21-0x0000000010000000-0x0000000010269000-memory.dmp

Filesize
2.4MB

Download
memory/2980-17-0x0000000010000000-0x0000000010269000-memory.dmp

Filesize
2.4MB

Download
memory/2980-4-0x0000000077E10000-0x0000000077E11000-memory.dmp

Filesize
4KB

Download
memory/2980-8-0x0000000075E30000-0x0000000075E31000-memory.dmp

Filesize
4KB

Download
memory/2980-10-0x0000000000400000-0x0000000000B9B000-memory.dmp

Filesize
7.6MB

Download
memory/2980-1-0x0000000077E10000-0x0000000077E11000-memory.dmp

Filesize
4KB

Download
memory/2980-0-0x0000000000400000-0x0000000000B9B000-memory.dmp

Filesize
7.6MB

Download
memory/2980-16-0x0000000000BA0000-0x0000000000C1B000-memory.dmp

Filesize
492KB

Download
memory/2980-18-0x0000000000400000-0x0000000000B9B000-memory.dmp

Filesize
7.6MB

Download
memory/2980-19-0x0000000010000000-0x0000000010269000-memory.dmp

Filesize
2.4MB

Download
memory/2980-3-0x0000000000401000-0x00000000004F4000-memory.dmp

Filesize
972KB

Download
memory/2980-20-0x0000000000400000-0x0000000000B9B000-memory.dmp

Filesize
7.6MB

Download
memory/2980-26-0x0000000010000000-0x0000000010269000-memory.dmp

Filesize
2.4MB

Download
memory/2980-23-0x0000000010000000-0x0000000010269000-memory.dmp

Filesize
2.4MB

Download
memory/2980-24-0x0000000010000000-0x0000000010269000-memory.dmp

Filesize
2.4MB

Download
memory/2980-25-0x0000000010000000-0x0000000010269000-memory.dmp

Filesize
2.4MB

Download
memory/2980-22-0x0000000010000000-0x0000000010269000-memory.dmp

Filesize
2.4MB

Download
memory/2980-27-0x0000000010000000-0x0000000010269000-memory.dmp

Filesize
2.4MB

Download
memory/2980-28-0x0000000010000000-0x0000000010269000-memory.dmp

Filesize
2.4MB

Download
memory/2980-29-0x0000000010000000-0x0000000010269000-memory.dmp

Filesize
2.4MB

Download
memory/2980-30-0x0000000010000000-0x0000000010269000-memory.dmp

Filesize
2.4MB

Download
memory/2980-31-0x0000000010000000-0x0000000010269000-memory.dmp

Filesize
2.4MB

Download
memory/2980-32-0x0000000010000000-0x0000000010269000-memory.dmp

Filesize
2.4MB

Download
memory/2980-33-0x0000000010000000-0x0000000010269000-memory.dmp

Filesize
2.4MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads