Analysis

  • max time kernel
    147s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    13-06-2024 16:55

General

  • Target

    a69c08c8410c82899f7e285b11a91325_JaffaCakes118.exe

  • Size

    678KB

  • MD5

    a69c08c8410c82899f7e285b11a91325

  • SHA1

    8df6f573a6be6df3fbdd18ded4fd88a760aa1aa5

  • SHA256

    06dde00d3a78dbf20b530b758506fea89687217ffc305a81ada225b2f916cd5f

  • SHA512

    660008b1128d705d71f8352f14268438980bde2940484fb306da7e65e3a83c45fa7de56c7f5600540773d82ecd2f25877d6540952731d72257411113e60e1da3

  • SSDEEP

    12288:60/Xl+YXrSTnkgLidjE7ZpJs0WquD13CrBBoa2PP1ZQU6s4:3/Xl+u6208yrDB2PtKU6s4

Score
9/10

Malware Config

Signatures

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Drops desktop.ini file(s) 2 IoCs
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Enumerates system info in registry 2 TTPs 2 IoCs
  • Modifies system certificate store 2 TTPs 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a69c08c8410c82899f7e285b11a91325_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\a69c08c8410c82899f7e285b11a91325_JaffaCakes118.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks computer location settings
    • Enumerates system info in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2056
    • C:\Users\Admin\AppData\Local\Temp\n2409\s2409.exe
      "C:\Users\Admin\AppData\Local\Temp\n2409\s2409.exe" 68cf267e5b977092c3414111OYKAS4DTMTtlkMrOZTBau2ehjSJFK+2NYRjD79O/vyNMymc12eXSZArvtQCQ4oJ1rMQLAfmkP5W6MOXg9fLT1uVkSuwtsNLnIVTNWJO8VJ5OPxeASC0nFjbX/4WWJmolN8m+rb+ypJ8se+3Mj6C9s6KQZ6MDsWyXLKMDHUSsu3w= /v "C:\Users\Admin\AppData\Local\Temp\a69c08c8410c82899f7e285b11a91325_JaffaCakes118.exe"
      2⤵
      • Executes dropped EXE
      • Drops desktop.ini file(s)
      • Drops file in Windows directory
      • Modifies system certificate store
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:548
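Added example, not part of the sandbox report: a small Python triage that turns the behaviours listed under Signatures and in the process tree into detection rules and runs them over Sysmon-style events. The registry locations in the rules (the VirtualBox ACPI table keys, the Geo\Nation country-code value, the machine ROOT certificate store, the Windows NT\CurrentVersion key) are the usual homes of these checks and are assumptions of this example; the report names the behaviour, not the key. The event records are constructed from the process tree above, with the child's long first argument shortened to a placeholder and the certificate thumbprint replaced by zeros.

```python
"""Map the behaviours flagged in the report to detection rules and run them over
Sysmon-style events. Registry paths below are assumptions (well-known locations),
not values taken from the report."""
import re
from dataclasses import dataclass

# (rule name, ATT&CK id as used in the report's matrix, path regex)
REGISTRY_RULES = [
    # "Identifies VirtualBox via ACPI registry values": VirtualBox exposes its
    # ACPI tables under these keys (assumed location).
    ("anti_vm_virtualbox_acpi", "T1497",
     re.compile(r"\\HARDWARE\\ACPI\\(DSDT|FADT|RSDT)\\VBOX__", re.I)),
    # "Checks computer location settings": configured country code (assumed location).
    ("geofence_country_code", "T1012",
     re.compile(r"\\Control Panel\\International\\Geo\\Nation$", re.I)),
    # "Enumerates system info in registry": OS version key (assumed location).
    ("system_info_currentversion", "T1082",
     re.compile(r"\\Microsoft\\Windows NT\\CurrentVersion$", re.I)),
    # "Modifies system certificate store": a write under the machine ROOT store,
    # keyed by certificate thumbprint (assumed location).
    ("root_cert_store_write", "T1553.004",
     re.compile(r"\\SystemCertificates\\ROOT\\Certificates\\[0-9A-F]{40}", re.I)),
]

# "Executes dropped EXE": the layout seen in the process tree, %TEMP%\n<digits>\s<digits>.exe
DROPPED_EXE = re.compile(r"\\AppData\\Local\\Temp\\n\d+\\s\d+\.exe$", re.I)


@dataclass(frozen=True)
class Finding:
    pid: int
    rule: str
    technique: str   # "-" where the report's matrix lists no technique id for the behaviour
    evidence: str


def triage(events):
    """Return one Finding per event that matches a rule.

    Each event is a dict with "type" == "registry" (keys: pid, path) or
    "type" == "process" (keys: pid, ppid, image, cmdline).
    """
    processes = {e["pid"]: e for e in events if e["type"] == "process"}
    findings = []
    for e in events:
        if e["type"] == "registry":
            for rule, tid, rx in REGISTRY_RULES:
                if rx.search(e["path"]):
                    findings.append(Finding(e["pid"], rule, tid, e["path"]))
        elif e["type"] == "process" and DROPPED_EXE.search(e["image"]):
            parent = processes.get(e["ppid"])
            # The dropper passes its own path to the child after "/v"; require that
            # link so a lone file in a Temp\n*\ folder does not fire on its own.
            if parent and f'/v "{parent["image"]}"' in e["cmdline"]:
                findings.append(Finding(e["pid"], "dropped_exe_with_parent_path", "-",
                                        e["cmdline"]))
    return findings


def techniques_by_pid(findings):
    """Collapse findings into {pid: sorted technique ids}, dropping the "-" entries."""
    out = {}
    for f in findings:
        if f.technique != "-":
            out.setdefault(f.pid, set()).add(f.technique)
    return {pid: sorted(t) for pid, t in out.items()}


# Constructed events modelled on the process tree above (not a real Sysmon export).
PARENT = r"C:\Users\Admin\AppData\Local\Temp\a69c08c8410c82899f7e285b11a91325_JaffaCakes118.exe"
CHILD = r"C:\Users\Admin\AppData\Local\Temp\n2409\s2409.exe"
SAMPLE_EVENTS = [
    {"type": "process", "pid": 2056, "ppid": 1000, "image": PARENT, "cmdline": f'"{PARENT}"'},
    {"type": "registry", "pid": 2056, "path": r"HKLM\HARDWARE\ACPI\DSDT\VBOX__"},
    {"type": "registry", "pid": 2056, "path": r"HKCU\Control Panel\International\Geo\Nation"},
    {"type": "registry", "pid": 2056, "path": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion"},
    # Ordinary shell key: matches no rule and must not produce a finding.
    {"type": "registry", "pid": 2056, "path": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer"},
    {"type": "process", "pid": 548, "ppid": 2056, "image": CHILD,
     "cmdline": f'"{CHILD}" <arg> /v "{PARENT}"'},
    {"type": "registry", "pid": 548,
     "path": r"HKLM\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates" + "\\" + "0" * 40},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"pid {f.pid:>5}  {f.rule:<30} {f.technique:<10} {f.evidence}")
    print(techniques_by_pid(triage(SAMPLE_EVENTS)))
```

The parent-path check on the dropped executable is the part worth keeping when porting this to real telemetry: the Temp\n2409\s2409.exe naming alone is a weak pattern, but a child in that layout whose command line carries the path of its own parent after `/v` reproduces exactly the relationship shown in the process tree.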

Network

MITRE ATT&CK Matrix (ATT&CK v13)

  • Defense Evasion
    • Virtualization/Sandbox Evasion (T1497): 1
    • Subvert Trust Controls (T1553): 1
    • Install Root Certificate (T1553.004): 1
    • Modify Registry (T1112): 1
  • Discovery
    • Query Registry (T1012): 3
    • Virtualization/Sandbox Evasion (T1497): 1
    • System Information Discovery (T1082): 3


Downloads

  • C:\Users\Admin\AppData\Local\Temp\n2409\s2409.exe
    Filesize

    350KB

    MD5

    3704d702fab17912fe846d0cbcc6e1ee

    SHA1

    80a8eb023387c1503296d2a69e6490745fee6c9a

    SHA256

    6d947c5db567f39d74552b385a91bf3e5b1766062240e0c50e296a1d561c5197

    SHA512

    bcaf82f3b28bbe23fcde975c9ad6bc5c3849f962410bf74e873544cb3600f6537db3772538a92a965023c1e8b43e57e4b7988090cbffc1932587d7de816162f4

  • Memory dumps (PID 548), with the size of each dumped region

    memory/548-12-0x00007FFF10DE5000-0x00007FFF10DE6000-memory.dmp   4KB
    memory/548-13-0x00007FFF10B30000-0x00007FFF114D1000-memory.dmp   9.6MB
    memory/548-14-0x000000001B580000-0x000000001B590000-memory.dmp   64KB
    memory/548-17-0x000000001BFB0000-0x000000001C47E000-memory.dmp   4.8MB
    memory/548-18-0x000000001C520000-0x000000001C5BC000-memory.dmp   624KB
    memory/548-19-0x00007FFF10B30000-0x00007FFF114D1000-memory.dmp   9.6MB
    memory/548-20-0x000000001C710000-0x000000001C772000-memory.dmp   392KB
    memory/548-21-0x00007FFF10B30000-0x00007FFF114D1000-memory.dmp   9.6MB
    memory/548-22-0x00007FFF10B30000-0x00007FFF114D1000-memory.dmp   9.6MB
    memory/548-23-0x000000001BA80000-0x000000001BA88000-memory.dmp   32KB
    memory/548-24-0x00007FFF10DE5000-0x00007FFF10DE6000-memory.dmp   4KB
    memory/548-25-0x00007FFF10B30000-0x00007FFF114D1000-memory.dmp   9.6MB
    memory/548-26-0x00007FFF10B30000-0x00007FFF114D1000-memory.dmp   9.6MB
    memory/548-27-0x00007FFF10B30000-0x00007FFF114D1000-memory.dmp   9.6MB
    memory/548-28-0x00007FFF10B30000-0x00007FFF114D1000-memory.dmp   9.6MB
    memory/548-29-0x00007FFF10B30000-0x00007FFF114D1000-memory.dmp   9.6MB
    memory/548-30-0x00007FFF10B30000-0x00007FFF114D1000-memory.dmp   9.6MB
    memory/548-31-0x00007FFF10B30000-0x00007FFF114D1000-memory.dmp   9.6MB
    memory/548-32-0x0000000020480000-0x000000002098E000-memory.dmp   5.1MB
    memory/548-33-0x00007FFF10B30000-0x00007FFF114D1000-memory.dmp   9.6MB
    memory/548-35-0x00007FFF10B30000-0x00007FFF114D1000-memory.dmp   9.6MB