Analysis

  • max time kernel
    146s
  • max time network
    154s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
  • submitted
    12-06-2024 20:54

General

  • Target

    a251ab42e6336d564b858cdeefc2678b_JaffaCakes118.exe

  • Size

    4.4MB

  • MD5

    a251ab42e6336d564b858cdeefc2678b

  • SHA1

    660beae5f5312471029cc1393f1477408cbf6697

  • SHA256

    fd12ad7d9ac7ea5d0719ee1e9c1693e8aa55777ab695e87e1286474bad5b476b

  • SHA512

    ce9f82087e3e0625afc44e586f53c4363208c871314c93978699f256bcd835b492d3ff19cc7fbfe43c9f7b2533cfb123d1769e9090bb9c3068f3e5addaf13094

  • SSDEEP

    98304:tNwEf0x018aUP9GndDTFLx4FejNMaDje4Cq67QfguIPPt9oEW:tNwE8wUEn9T9mejXFM7QYZtlW

Malware Config

Signatures

  • Ramnit

    Ramnit is a versatile family that holds viruses, worms, and Trojans.

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Executes dropped EXE 1 IoCs
  • Identifies Wine through registry keys 2 TTPs 1 IoCs

    Wine is a compatibility layer capable of running Windows applications, and it can be used as a sandboxing environment.

  • Loads dropped DLL 2 IoCs
  • UPX packed file 3 IoCs

    Detects executables packed with the UPX open-source packer or a modified variant of it.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 52 IoCs
  • Suspicious behavior: EnumeratesProcesses 9 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a251ab42e6336d564b858cdeefc2678b_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\a251ab42e6336d564b858cdeefc2678b_JaffaCakes118.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Identifies Wine through registry keys
    • Loads dropped DLL
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:836
    • C:\Users\Admin\AppData\Local\Temp\a251ab42e6336d564b858cdeefc2678b_JaffaCakes118mgr.exe
      C:\Users\Admin\AppData\Local\Temp\a251ab42e6336d564b858cdeefc2678b_JaffaCakes118mgr.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2792
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe"
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2372
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2372 CREDAT:275457 /prefetch:2
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:2904
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe"
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2356
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2356 CREDAT:275457 /prefetch:2
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:2772

Network

MITRE ATT&CK Matrix (ATT&CK v13)

  • Defense Evasion
    • Virtualization/Sandbox Evasion (T1497): 2
    • Modify Registry (T1112): 1
  • Discovery
    • Query Registry (T1012): 3
    • Virtualization/Sandbox Evasion (T1497): 2
    • System Information Discovery (T1082): 1

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{EA518271-28FD-11EF-8D12-66A5A0AB388F}.dat
    Filesize

    3KB

    MD5

    323e0f4aa557e1ed7749fb9b74c19306

    SHA1

    1d069b9efad8cd0dd5361686a91864b63be7e5d4

    SHA256

    ce549943395689af5ad7c0aab562f3aeb03c1f4a84ca6319604a8b232c0054f4

    SHA512

    c78d3bd1feacac931e17b496aaa58df6afed386ced52253e39933c985425e983ff731cd529fa2c0d20e71c509cbc42916a6a109fed54d31b6ff77f19d1689fbd

  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{EA51A981-28FD-11EF-8D12-66A5A0AB388F}.dat
    Filesize

    3KB

    MD5

    364735d5ef7837292e4fe03255c53759

    SHA1

    31f2557d8fd5053513b9b4483bcccb129cad06f0

    SHA256

    a06e5ecea1362421876444d82fc9506c8a1c7f19f937ca65ff08f2944c252081

    SHA512

    0c7d7f27c9e0d119fe885ef8c326ad6a2c13c91196a5e39064fc7c4914df6d2a0eab9e726ab96f317bc1187a8483fbda4a5f0106734f55e1ac09c6892bed72f4

  • \Users\Admin\AppData\Local\Temp\a251ab42e6336d564b858cdeefc2678b_JaffaCakes118mgr.exe
    Filesize

    106KB

    MD5

    7dc51d67dba12402674baf7e67bfc89d

    SHA1

    94b2e12ec5f4258bf8727d53276331457a558edb

    SHA256

    ebaf815f84fd4fb931265e7c92119d2ad540620dfe9f8883a4f08b6796318f87

    SHA512

    5d76770e6fab626f6b7de2126ef8af39bb2e49162dc0c14d06a074653a68ecb6bc381d930ce974ebc2f8c4dfcfa7502f8699a426cd837230d497165ddbf6c901

  • memory/836-10-0x0000000000400000-0x0000000000E9A000-memory.dmp
    Filesize

    10.6MB

  • memory/836-14-0x0000000000220000-0x0000000000282000-memory.dmp
    Filesize

    392KB

  • memory/836-11-0x0000000000220000-0x0000000000282000-memory.dmp
    Filesize

    392KB

  • memory/836-15-0x0000000000400000-0x0000000000E9A000-memory.dmp
    Filesize

    10.6MB

  • memory/836-26-0x0000000000400000-0x0000000000E9A000-memory.dmp
    Filesize

    10.6MB

  • memory/2792-13-0x0000000000220000-0x0000000000221000-memory.dmp
    Filesize

    4KB

  • memory/2792-12-0x0000000000400000-0x0000000000462000-memory.dmp
    Filesize

    392KB

  • memory/2792-9-0x00000000002C0000-0x00000000002C1000-memory.dmp
    Filesize

    4KB

  • memory/2792-8-0x0000000000260000-0x0000000000261000-memory.dmp
    Filesize

    4KB

  • memory/2792-22-0x0000000000400000-0x0000000000462000-memory.dmp
    Filesize

    392KB