Analysis

  • max time kernel
    142s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    13-06-2024 15:36

General

  • Target

    a649da1e2fb17d5d7740d6175e5f618a_JaffaCakes118.exe

  • Size

    512KB

  • MD5

    a649da1e2fb17d5d7740d6175e5f618a

  • SHA1

    b6e3b370f30e579ab745bb338c083816876c4b00

  • SHA256

    1169d3880ddbb14dc5ba51cc58bc1ce704cfffaf6ebcb61d06fa90a4ecbdcf9d

  • SHA512

    5bbd85b9c0ad0fe8d58ce820c35627794ec6d2117829f349a974f49fb0331da5019447d7bcbeb6972cae73d7a30785aad652ecbde5daef5f750ab75fa5edb422

  • SSDEEP

    12288:0+h9St2Ma70zIIc91Dwws4zruXic2O/3E47:0+h9OY70z+warul3E47

Score
9/10

Malware Config

Signatures

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Drops desktop.ini file(s) 2 IoCs
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Enumerates system info in registry 2 TTPs 2 IoCs
  • Modifies system certificate store 2 TTPs 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a649da1e2fb17d5d7740d6175e5f618a_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\a649da1e2fb17d5d7740d6175e5f618a_JaffaCakes118.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks computer location settings
    • Enumerates system info in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:5116
    • C:\Users\Admin\AppData\Local\Temp\n9652\s9652.exe
      "C:\Users\Admin\AppData\Local\Temp\n9652\s9652.exe" 0db47b863ce824d5cb965393QFevqGZ6ruaaLSgDXCyLuUDEqp3E/oB6+N9wzTWVbfWFD9QgWIQVYCP+XYlVf/XUdxOCxBv52IVlsIaad6lSdXvxIAMe39ZV0KU5n+n3z0JUf+Q+mBYNwd9K/0x1JaQUCYu/VblLz2eukx9S5Sudu/w= /v "C:\Users\Admin\AppData\Local\Temp\a649da1e2fb17d5d7740d6175e5f618a_JaffaCakes118.exe"
      2⤵
      • Executes dropped EXE
      • Drops desktop.ini file(s)
      • Drops file in Windows directory
      • Modifies system certificate store
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:1972
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3976 --field-trial-handle=2900,i,14549994492153927475,12895178890800740987,262144 --variations-seed-version /prefetch:8
    1⤵
      PID:2304

Network

MITRE ATT&CK Matrix ATT&CK v13

  • Defense Evasion
    • Virtualization/Sandbox Evasion (T1497): 1
    • Subvert Trust Controls (T1553): 1
    • Install Root Certificate (T1553.004): 1
    • Modify Registry (T1112): 1
  • Discovery
    • Query Registry (T1012): 3
    • Virtualization/Sandbox Evasion (T1497): 1
    • System Information Discovery (T1082): 3

Downloads

  • C:\Users\Admin\AppData\Local\Temp\n9652\s9652.exe
    Filesize

    230KB

    MD5

    abaf13cb23de482dc944ab5b51ca3aac

    SHA1

    76837356db96dd56b647aba60f1adbbdc7b200fe

    SHA256

    b02fad5ac5234401505e1682c86f526951e8ded726687088c30987321f7c105e

    SHA512

    cc2aac30490511e49e1268f5df9139d176a3b849e663ad3b739e2f1cb50a6e084c465772ded5f694d5ec6f19ac40a57e5e64f7c47515f212476c20cbe9d6bce3

  • memory/1972-12-0x00007FFE8AEF5000-0x00007FFE8AEF6000-memory.dmp
    Filesize

    4KB

  • memory/1972-13-0x00007FFE8AC40000-0x00007FFE8B5E1000-memory.dmp
    Filesize

    9.6MB

  • memory/1972-14-0x00007FFE8AC40000-0x00007FFE8B5E1000-memory.dmp
    Filesize

    9.6MB

  • memory/1972-28-0x0000000000D10000-0x0000000000D22000-memory.dmp
    Filesize

    72KB

  • memory/1972-31-0x000000001C170000-0x000000001C63E000-memory.dmp
    Filesize

    4.8MB

  • memory/1972-32-0x000000001C6E0000-0x000000001C77C000-memory.dmp
    Filesize

    624KB

  • memory/1972-33-0x000000001C840000-0x000000001C8A2000-memory.dmp
    Filesize

    392KB

  • memory/1972-34-0x00007FFE8AC40000-0x00007FFE8B5E1000-memory.dmp
    Filesize

    9.6MB

  • memory/1972-35-0x000000001B3E0000-0x000000001B3E8000-memory.dmp
    Filesize

    32KB

  • memory/1972-36-0x00007FFE8AC40000-0x00007FFE8B5E1000-memory.dmp
    Filesize

    9.6MB

  • memory/1972-37-0x00007FFE8AC40000-0x00007FFE8B5E1000-memory.dmp
    Filesize

    9.6MB

  • memory/1972-38-0x00007FFE8AC40000-0x00007FFE8B5E1000-memory.dmp
    Filesize

    9.6MB

  • memory/1972-39-0x00007FFE8AC40000-0x00007FFE8B5E1000-memory.dmp
    Filesize

    9.6MB

  • memory/1972-40-0x00000000202B0000-0x00000000207BE000-memory.dmp
    Filesize

    5.1MB

  • memory/1972-41-0x0000000020A00000-0x0000000020B3C000-memory.dmp
    Filesize

    1.2MB

  • memory/1972-42-0x00007FFE8AEF5000-0x00007FFE8AEF6000-memory.dmp
    Filesize

    4KB

  • memory/1972-43-0x00007FFE8AC40000-0x00007FFE8B5E1000-memory.dmp
    Filesize

    9.6MB

  • memory/1972-45-0x00007FFE8AC40000-0x00007FFE8B5E1000-memory.dmp
    Filesize

    9.6MB