2f14749bbc71b10119d94ff07afd6babe8eb27abaad7b9266c08f98efcbf9de4

Analysis

max time kernel
12s
max time network
4s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
28/06/2024, 14:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1a7257d99c2c0abb969bb9415659ad0c_JaffaCakes118.exe
Size

1.1MB
MD5

1a7257d99c2c0abb969bb9415659ad0c
SHA1

de3e1bad4ffc6078baa689f928aa77d8f813b1a6
SHA256

2f14749bbc71b10119d94ff07afd6babe8eb27abaad7b9266c08f98efcbf9de4
SHA512

d6b9d73298430e6dfc5ec6db29e6c165484abd194392dddbe0e8007434723619a07791bb17399792d162cf40d0fa99156ad80c8850a2d086235dbfb44488a51f
SSDEEP

24576:FNLR/4KyTpixLNPHqtURjZnli5kaKuOB9hiDeORvC5XKMz:rLR/4Ky6L1qtURjZlakPiDeO14X9

Score

7^/10

Malware Config

Signatures

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	1a7257d99c2c0abb969bb9415659ad0c_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	1a7257d99c2c0abb969bb9415659ad0c_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 17 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FD3B8E17-3185-615E-C9E0-E1CF2693BD9D}\Implemented Categories\{0DE86A54-2BAA-11CF-A229-00AA003D7352}	1a7257d99c2c0abb969bb9415659ad0c_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FD3B8E17-3185-615E-C9E0-E1CF2693BD9D}\TypeLib\ = "{9B085638-018E-11D3-9D8E-00C04F72D980}"	1a7257d99c2c0abb969bb9415659ad0c_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FD3B8E17-3185-615E-C9E0-E1CF2693BD9D}	1a7257d99c2c0abb969bb9415659ad0c_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FD3B8E17-3185-615E-C9E0-E1CF2693BD9D}\ = "BDA Tuning Model MPEG2 Tune Request"	1a7257d99c2c0abb969bb9415659ad0c_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FD3B8E17-3185-615E-C9E0-E1CF2693BD9D}\Implemented Categories	1a7257d99c2c0abb969bb9415659ad0c_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FD3B8E17-3185-615E-C9E0-E1CF2693BD9D}\Implemented Categories\{0DE86A57-2BAA-11CF-A229-00AA003D7352}	1a7257d99c2c0abb969bb9415659ad0c_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FD3B8E17-3185-615E-C9E0-E1CF2693BD9D}\InprocServer32	1a7257d99c2c0abb969bb9415659ad0c_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FD3B8E17-3185-615E-C9E0-E1CF2693BD9D}\InprocServer32\ = "C:\\Windows\\SysWOW64\\msvidctl.dll"	1a7257d99c2c0abb969bb9415659ad0c_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FD3B8E17-3185-615E-C9E0-E1CF2693BD9D}\TypeLib	1a7257d99c2c0abb969bb9415659ad0c_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FD3B8E17-3185-615E-C9E0-E1CF2693BD9D}\Version\ = "1.0"	1a7257d99c2c0abb969bb9415659ad0c_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FD3B8E17-3185-615E-C9E0-E1CF2693BD9D}\InprocServer32\ThreadingModel = "Both"	1a7257d99c2c0abb969bb9415659ad0c_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FD3B8E17-3185-615E-C9E0-E1CF2693BD9D}\ProgID	1a7257d99c2c0abb969bb9415659ad0c_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FD3B8E17-3185-615E-C9E0-E1CF2693BD9D}\ProgID\ = "BDATuner.MPEG2TuneRequest.1"	1a7257d99c2c0abb969bb9415659ad0c_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FD3B8E17-3185-615E-C9E0-E1CF2693BD9D}\Programmable	1a7257d99c2c0abb969bb9415659ad0c_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FD3B8E17-3185-615E-C9E0-E1CF2693BD9D}\Version	1a7257d99c2c0abb969bb9415659ad0c_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FD3B8E17-3185-615E-C9E0-E1CF2693BD9D}\VersionIndependentProgID	1a7257d99c2c0abb969bb9415659ad0c_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FD3B8E17-3185-615E-C9E0-E1CF2693BD9D}\VersionIndependentProgID\ = "BDATuner.MPEG2TuneRequest"	1a7257d99c2c0abb969bb9415659ad0c_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2204	1a7257d99c2c0abb969bb9415659ad0c_JaffaCakes118.exe
2204	1a7257d99c2c0abb969bb9415659ad0c_JaffaCakes118.exe
2204	1a7257d99c2c0abb969bb9415659ad0c_JaffaCakes118.exe
2204	1a7257d99c2c0abb969bb9415659ad0c_JaffaCakes118.exe
2204	1a7257d99c2c0abb969bb9415659ad0c_JaffaCakes118.exe
2204	1a7257d99c2c0abb969bb9415659ad0c_JaffaCakes118.exe
2204	1a7257d99c2c0abb969bb9415659ad0c_JaffaCakes118.exe
2204	1a7257d99c2c0abb969bb9415659ad0c_JaffaCakes118.exe
2204	1a7257d99c2c0abb969bb9415659ad0c_JaffaCakes118.exe
2204	1a7257d99c2c0abb969bb9415659ad0c_JaffaCakes118.exe
2204	1a7257d99c2c0abb969bb9415659ad0c_JaffaCakes118.exe
2204	1a7257d99c2c0abb969bb9415659ad0c_JaffaCakes118.exe
2204	1a7257d99c2c0abb969bb9415659ad0c_JaffaCakes118.exe
2204	1a7257d99c2c0abb969bb9415659ad0c_JaffaCakes118.exe
2204	1a7257d99c2c0abb969bb9415659ad0c_JaffaCakes118.exe
2204	1a7257d99c2c0abb969bb9415659ad0c_JaffaCakes118.exe
2204	1a7257d99c2c0abb969bb9415659ad0c_JaffaCakes118.exe
2204	1a7257d99c2c0abb969bb9415659ad0c_JaffaCakes118.exe
2204	1a7257d99c2c0abb969bb9415659ad0c_JaffaCakes118.exe
2204	1a7257d99c2c0abb969bb9415659ad0c_JaffaCakes118.exe
2204	1a7257d99c2c0abb969bb9415659ad0c_JaffaCakes118.exe
2204	1a7257d99c2c0abb969bb9415659ad0c_JaffaCakes118.exe
2204	1a7257d99c2c0abb969bb9415659ad0c_JaffaCakes118.exe
2204	1a7257d99c2c0abb969bb9415659ad0c_JaffaCakes118.exe
2204	1a7257d99c2c0abb969bb9415659ad0c_JaffaCakes118.exe
2204	1a7257d99c2c0abb969bb9415659ad0c_JaffaCakes118.exe
2204	1a7257d99c2c0abb969bb9415659ad0c_JaffaCakes118.exe
2204	1a7257d99c2c0abb969bb9415659ad0c_JaffaCakes118.exe
2204	1a7257d99c2c0abb969bb9415659ad0c_JaffaCakes118.exe
2204	1a7257d99c2c0abb969bb9415659ad0c_JaffaCakes118.exe
2204	1a7257d99c2c0abb969bb9415659ad0c_JaffaCakes118.exe
2204	1a7257d99c2c0abb969bb9415659ad0c_JaffaCakes118.exe
2204	1a7257d99c2c0abb969bb9415659ad0c_JaffaCakes118.exe
2204	1a7257d99c2c0abb969bb9415659ad0c_JaffaCakes118.exe
2204	1a7257d99c2c0abb969bb9415659ad0c_JaffaCakes118.exe
2204	1a7257d99c2c0abb969bb9415659ad0c_JaffaCakes118.exe
2204	1a7257d99c2c0abb969bb9415659ad0c_JaffaCakes118.exe
2204	1a7257d99c2c0abb969bb9415659ad0c_JaffaCakes118.exe
2204	1a7257d99c2c0abb969bb9415659ad0c_JaffaCakes118.exe
2204	1a7257d99c2c0abb969bb9415659ad0c_JaffaCakes118.exe
2204	1a7257d99c2c0abb969bb9415659ad0c_JaffaCakes118.exe
2204	1a7257d99c2c0abb969bb9415659ad0c_JaffaCakes118.exe
2204	1a7257d99c2c0abb969bb9415659ad0c_JaffaCakes118.exe
2204	1a7257d99c2c0abb969bb9415659ad0c_JaffaCakes118.exe
2204	1a7257d99c2c0abb969bb9415659ad0c_JaffaCakes118.exe
2204	1a7257d99c2c0abb969bb9415659ad0c_JaffaCakes118.exe
2204	1a7257d99c2c0abb969bb9415659ad0c_JaffaCakes118.exe
2204	1a7257d99c2c0abb969bb9415659ad0c_JaffaCakes118.exe
2204	1a7257d99c2c0abb969bb9415659ad0c_JaffaCakes118.exe
2204	1a7257d99c2c0abb969bb9415659ad0c_JaffaCakes118.exe
2204	1a7257d99c2c0abb969bb9415659ad0c_JaffaCakes118.exe
2204	1a7257d99c2c0abb969bb9415659ad0c_JaffaCakes118.exe
2204	1a7257d99c2c0abb969bb9415659ad0c_JaffaCakes118.exe
2204	1a7257d99c2c0abb969bb9415659ad0c_JaffaCakes118.exe
2204	1a7257d99c2c0abb969bb9415659ad0c_JaffaCakes118.exe
2204	1a7257d99c2c0abb969bb9415659ad0c_JaffaCakes118.exe
2204	1a7257d99c2c0abb969bb9415659ad0c_JaffaCakes118.exe
2204	1a7257d99c2c0abb969bb9415659ad0c_JaffaCakes118.exe
2204	1a7257d99c2c0abb969bb9415659ad0c_JaffaCakes118.exe
2204	1a7257d99c2c0abb969bb9415659ad0c_JaffaCakes118.exe
2204	1a7257d99c2c0abb969bb9415659ad0c_JaffaCakes118.exe
2204	1a7257d99c2c0abb969bb9415659ad0c_JaffaCakes118.exe
2204	1a7257d99c2c0abb969bb9415659ad0c_JaffaCakes118.exe
2204	1a7257d99c2c0abb969bb9415659ad0c_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: 33	2204	1a7257d99c2c0abb969bb9415659ad0c_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2204	1a7257d99c2c0abb969bb9415659ad0c_JaffaCakes118.exe
Token: 33	2204	1a7257d99c2c0abb969bb9415659ad0c_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2204	1a7257d99c2c0abb969bb9415659ad0c_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2204	1a7257d99c2c0abb969bb9415659ad0c_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 46 IoCs

description	pid	Process	procid_target
PID 2176 wrote to memory of 2204	2176	1a7257d99c2c0abb969bb9415659ad0c_JaffaCakes118.exe	28
PID 2176 wrote to memory of 2204	2176	1a7257d99c2c0abb969bb9415659ad0c_JaffaCakes118.exe	28
PID 2176 wrote to memory of 2204	2176	1a7257d99c2c0abb969bb9415659ad0c_JaffaCakes118.exe	28
PID 2176 wrote to memory of 2204	2176	1a7257d99c2c0abb969bb9415659ad0c_JaffaCakes118.exe	28
PID 2176 wrote to memory of 2204	2176	1a7257d99c2c0abb969bb9415659ad0c_JaffaCakes118.exe	28
PID 2176 wrote to memory of 2204	2176	1a7257d99c2c0abb969bb9415659ad0c_JaffaCakes118.exe	28
PID 2176 wrote to memory of 2204	2176	1a7257d99c2c0abb969bb9415659ad0c_JaffaCakes118.exe	28
PID 2176 wrote to memory of 2204	2176	1a7257d99c2c0abb969bb9415659ad0c_JaffaCakes118.exe	28
PID 2176 wrote to memory of 2204	2176	1a7257d99c2c0abb969bb9415659ad0c_JaffaCakes118.exe	28
PID 2176 wrote to memory of 2204	2176	1a7257d99c2c0abb969bb9415659ad0c_JaffaCakes118.exe	28
PID 2176 wrote to memory of 2204	2176	1a7257d99c2c0abb969bb9415659ad0c_JaffaCakes118.exe	28
PID 2176 wrote to memory of 2204	2176	1a7257d99c2c0abb969bb9415659ad0c_JaffaCakes118.exe	28
PID 2176 wrote to memory of 2204	2176	1a7257d99c2c0abb969bb9415659ad0c_JaffaCakes118.exe	28
PID 2176 wrote to memory of 2204	2176	1a7257d99c2c0abb969bb9415659ad0c_JaffaCakes118.exe	28
PID 2176 wrote to memory of 2204	2176	1a7257d99c2c0abb969bb9415659ad0c_JaffaCakes118.exe	28
PID 2176 wrote to memory of 2204	2176	1a7257d99c2c0abb969bb9415659ad0c_JaffaCakes118.exe	28
PID 2176 wrote to memory of 2204	2176	1a7257d99c2c0abb969bb9415659ad0c_JaffaCakes118.exe	28
PID 2176 wrote to memory of 2204	2176	1a7257d99c2c0abb969bb9415659ad0c_JaffaCakes118.exe	28
PID 2176 wrote to memory of 2204	2176	1a7257d99c2c0abb969bb9415659ad0c_JaffaCakes118.exe	28
PID 2176 wrote to memory of 2204	2176	1a7257d99c2c0abb969bb9415659ad0c_JaffaCakes118.exe	28
PID 2176 wrote to memory of 2204	2176	1a7257d99c2c0abb969bb9415659ad0c_JaffaCakes118.exe	28
PID 2176 wrote to memory of 2204	2176	1a7257d99c2c0abb969bb9415659ad0c_JaffaCakes118.exe	28
PID 2176 wrote to memory of 2204	2176	1a7257d99c2c0abb969bb9415659ad0c_JaffaCakes118.exe	28
PID 2176 wrote to memory of 2204	2176	1a7257d99c2c0abb969bb9415659ad0c_JaffaCakes118.exe	28
PID 2176 wrote to memory of 2204	2176	1a7257d99c2c0abb969bb9415659ad0c_JaffaCakes118.exe	28
PID 2176 wrote to memory of 2204	2176	1a7257d99c2c0abb969bb9415659ad0c_JaffaCakes118.exe	28
PID 2176 wrote to memory of 2204	2176	1a7257d99c2c0abb969bb9415659ad0c_JaffaCakes118.exe	28
PID 2176 wrote to memory of 2204	2176	1a7257d99c2c0abb969bb9415659ad0c_JaffaCakes118.exe	28
PID 2176 wrote to memory of 2204	2176	1a7257d99c2c0abb969bb9415659ad0c_JaffaCakes118.exe	28
PID 2176 wrote to memory of 2204	2176	1a7257d99c2c0abb969bb9415659ad0c_JaffaCakes118.exe	28
PID 2176 wrote to memory of 2204	2176	1a7257d99c2c0abb969bb9415659ad0c_JaffaCakes118.exe	28
PID 2176 wrote to memory of 2204	2176	1a7257d99c2c0abb969bb9415659ad0c_JaffaCakes118.exe	28
PID 2176 wrote to memory of 2204	2176	1a7257d99c2c0abb969bb9415659ad0c_JaffaCakes118.exe	28
PID 2176 wrote to memory of 2204	2176	1a7257d99c2c0abb969bb9415659ad0c_JaffaCakes118.exe	28
PID 2176 wrote to memory of 2204	2176	1a7257d99c2c0abb969bb9415659ad0c_JaffaCakes118.exe	28
PID 2176 wrote to memory of 2204	2176	1a7257d99c2c0abb969bb9415659ad0c_JaffaCakes118.exe	28
PID 2176 wrote to memory of 2204	2176	1a7257d99c2c0abb969bb9415659ad0c_JaffaCakes118.exe	28
PID 2176 wrote to memory of 2204	2176	1a7257d99c2c0abb969bb9415659ad0c_JaffaCakes118.exe	28
PID 2176 wrote to memory of 2204	2176	1a7257d99c2c0abb969bb9415659ad0c_JaffaCakes118.exe	28
PID 2176 wrote to memory of 2204	2176	1a7257d99c2c0abb969bb9415659ad0c_JaffaCakes118.exe	28
PID 2176 wrote to memory of 2204	2176	1a7257d99c2c0abb969bb9415659ad0c_JaffaCakes118.exe	28
PID 2176 wrote to memory of 2204	2176	1a7257d99c2c0abb969bb9415659ad0c_JaffaCakes118.exe	28
PID 2176 wrote to memory of 2204	2176	1a7257d99c2c0abb969bb9415659ad0c_JaffaCakes118.exe	28
PID 2176 wrote to memory of 2204	2176	1a7257d99c2c0abb969bb9415659ad0c_JaffaCakes118.exe	28
PID 2176 wrote to memory of 2204	2176	1a7257d99c2c0abb969bb9415659ad0c_JaffaCakes118.exe	28
PID 2176 wrote to memory of 2204	2176	1a7257d99c2c0abb969bb9415659ad0c_JaffaCakes118.exe	28

C:\Users\Admin\AppData\Local\Temp\1a7257d99c2c0abb969bb9415659ad0c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1a7257d99c2c0abb969bb9415659ad0c_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2176
- C:\Users\Admin\AppData\Local\Temp\1a7257d99c2c0abb969bb9415659ad0c_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\1a7257d99c2c0abb969bb9415659ad0c_JaffaCakes118.exe"
  2⤵
  - Checks BIOS information in registry
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2204
- - C:\Users\Admin\AppData\Local\Temp\Exporer32.exe
    "C:\Users\Admin\AppData\Local\Temp\Exporer32.exe"
    3⤵
    PID:2624

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\Exporer32.exe

Filesize
480KB

MD5
8944c2efadab46a6c7ec0d7494cda302

SHA1
eac931d614417e82f1800ea8422548e28bc07630

SHA256
ffb7af974dfd9f61bf7e7c4be032fff95abf9c821632d0d417c91eac3645f2eb

SHA512
e6222f1110418216ccdb37ec89e23e1ca6fed70ec1a4ba11f92b23c01efd2bd27f0c99796dfb2dd3b697ce0dc98bb72f96502bc6eb82e0552334a5a8b0c3738a

Download Submit
memory/2176-0-0x0000000000400000-0x00000000004E5000-memory.dmp

Filesize
916KB

Download
memory/2176-1-0x00000000004F0000-0x00000000005D5000-memory.dmp

Filesize
916KB

Download
memory/2176-16-0x0000000000400000-0x00000000004E5000-memory.dmp

Filesize
916KB

Download
memory/2204-10-0x0000000000400000-0x00000000004E5000-memory.dmp

Filesize
916KB

Download
memory/2204-9-0x0000000000400000-0x00000000004E5000-memory.dmp

Filesize
916KB

Download
memory/2204-4-0x0000000001F40000-0x0000000001FD4000-memory.dmp

Filesize
592KB

Download
memory/2204-13-0x0000000001F40000-0x0000000001FD4000-memory.dmp

Filesize
592KB

Download
memory/2204-12-0x0000000000400000-0x00000000004E5000-memory.dmp

Filesize
916KB

Download
memory/2204-11-0x0000000000400000-0x00000000004E5000-memory.dmp

Filesize
916KB

Download
memory/2204-3-0x0000000000464000-0x0000000000465000-memory.dmp

Filesize
4KB

Download
memory/2204-17-0x0000000001F40000-0x0000000001FD4000-memory.dmp

Filesize
592KB

Download
memory/2204-2-0x0000000000400000-0x00000000004E5000-memory.dmp

Filesize
916KB

Download