210cf3ba9e52edfaf1248c8fd44d5959ab017ecb22c05d3d6b1dbf61d993b7e2

Analysis

max time kernel
149s
max time network
93s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
25/06/2024, 12:03

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

0dff8d06630745d30d091d7363a2c500_JaffaCakes118.exe
Size

896KB
MD5

0dff8d06630745d30d091d7363a2c500
SHA1

e10092296f697a2d9e7ac5cae87e9bee43508da8
SHA256

210cf3ba9e52edfaf1248c8fd44d5959ab017ecb22c05d3d6b1dbf61d993b7e2
SHA512

f3befef9a07ee5405f14d4adc30a5e8b704123e7f5d0a686292a361a922974a394f95b677c1dd063372883c93ca94724ffbc8b20f6443ce9fbbe1ab164d9b4fd
SSDEEP

12288:YESoNJs4ys8+k+aiptW5v9edN1gFAbdYLRlOmGH9fjAX/k+:YCs4yD5+qI+LR4JH9fj6

Score

7^/10

Malware Config

Signatures

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	0dff8d06630745d30d091d7363a2c500_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	0dff8d06630745d30d091d7363a2c500_JaffaCakes118.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\windows\firewxsp2.log	0dff8d06630745d30d091d7363a2c500_JaffaCakes118.exe

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C855C0FB-69D6-4DD3-104F-A2AE88A136BF}	0dff8d06630745d30d091d7363a2c500_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C855C0FB-69D6-4DD3-104F-A2AE88A136BF}\ = "Media Clip"	0dff8d06630745d30d091d7363a2c500_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C855C0FB-69D6-4DD3-104F-A2AE88A136BF}\NotInsertable	0dff8d06630745d30d091d7363a2c500_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C855C0FB-69D6-4DD3-104F-A2AE88A136BF}\TreatAs	0dff8d06630745d30d091d7363a2c500_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C855C0FB-69D6-4DD3-104F-A2AE88A136BF}\TreatAs\ = "{F20DA720-C02F-11CE-927B-0800095AE340}"	0dff8d06630745d30d091d7363a2c500_JaffaCakes118.exe

NTFS ADS 2 IoCs

description	ioc	Process
File created	C:\ProgramData\TEMP:BEEA8369	0dff8d06630745d30d091d7363a2c500_JaffaCakes118.exe
File opened for modification	C:\ProgramData\TEMP:BEEA8369	0dff8d06630745d30d091d7363a2c500_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	432	0dff8d06630745d30d091d7363a2c500_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	432	0dff8d06630745d30d091d7363a2c500_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\0dff8d06630745d30d091d7363a2c500_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0dff8d06630745d30d091d7363a2c500_JaffaCakes118.exe"
1⤵
- Checks BIOS information in registry
- Drops file in Windows directory
- Modifies registry class
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
PID:432

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/432-0-0x0000000000400000-0x0000000000569000-memory.dmp

Filesize
1.4MB

Download
memory/432-2-0x0000000002150000-0x00000000021E4000-memory.dmp

Filesize
592KB

Download
memory/432-7-0x0000000002150000-0x00000000021E4000-memory.dmp

Filesize
592KB

Download
memory/432-10-0x0000000000400000-0x0000000000569000-memory.dmp

Filesize
1.4MB

Download
memory/432-11-0x0000000000400000-0x0000000000569000-memory.dmp

Filesize
1.4MB

Download
memory/432-14-0x0000000002150000-0x00000000021E4000-memory.dmp

Filesize
592KB

Download
memory/432-13-0x0000000000400000-0x0000000000569000-memory.dmp

Filesize
1.4MB

Download
memory/432-12-0x0000000000400000-0x0000000000569000-memory.dmp

Filesize
1.4MB

Download
memory/432-16-0x0000000000910000-0x0000000000911000-memory.dmp

Filesize
4KB

Download
memory/432-17-0x0000000002150000-0x00000000021E4000-memory.dmp

Filesize
592KB

Download
memory/432-19-0x0000000000400000-0x0000000000569000-memory.dmp

Filesize
1.4MB

Download
memory/432-21-0x0000000002150000-0x00000000021E4000-memory.dmp

Filesize
592KB

Download