Malware Analysis Report

2024-08-06 17:42

Sample ID 240703-2pam5s1gqe
Target 23b6b882d68a042d49fd329beaab7d55_JaffaCakes118
SHA256 6f847d1cdf730f0e78a1a2101f3d2a3546bb02417d1290cdc84b6b20408fd3d4
Tags
cybergate test bootkit evasion persistence stealer trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

6f847d1cdf730f0e78a1a2101f3d2a3546bb02417d1290cdc84b6b20408fd3d4

Threat Level: Known bad

The file 23b6b882d68a042d49fd329beaab7d55_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

cybergate test bootkit evasion persistence stealer trojan upx

CyberGate, Rebhip

UPX packed file

Checks BIOS information in registry

Identifies Wine through registry keys

Writes to the Master Boot Record (MBR)

Checks whether UAC is enabled

Program crash

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK Matrix V13

Initial Access
TA0001
Execution
TA0002
Persistence
TA0003
Pre-OS Boot
T1542
Bootkit
T1542.003
Privilege Escalation
TA0004
Defense Evasion
TA0005
Virtualization/Sandbox Evasion
T1497
Pre-OS Boot
T1542
Bootkit
T1542.003
Credential Access
TA0006
Discovery
TA0007
Query Registry
T1012
System Information Discovery
T1082
Virtualization/Sandbox Evasion
T1497
Lateral Movement
TA0008
Collection
TA0009
Exfiltration
TA0010
Command and Control
TA0011
Impact
TA0040
Resource Development
TA0042
Reconnaissance
TA0043

Analysis: static1

Detonation Overview

Reported

2024-07-03 22:44

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-03 22:44

Reported

2024-07-03 22:48

Platform

win7-20240220-en

Max time kernel

148s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\23b6b882d68a042d49fd329beaab7d55_JaffaCakes118.exe"

Signatures

CyberGate, Rebhip

trojan stealer cybergate

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\23b6b882d68a042d49fd329beaab7d55_JaffaCakes118.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\23b6b882d68a042d49fd329beaab7d55_JaffaCakes118.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\23b6b882d68a042d49fd329beaab7d55_JaffaCakes118.exe N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Local\Temp\23b6b882d68a042d49fd329beaab7d55_JaffaCakes118.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\23b6b882d68a042d49fd329beaab7d55_JaffaCakes118.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\23b6b882d68a042d49fd329beaab7d55_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\23b6b882d68a042d49fd329beaab7d55_JaffaCakes118.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2192 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\23b6b882d68a042d49fd329beaab7d55_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\23b6b882d68a042d49fd329beaab7d55_JaffaCakes118.exe
PID 2192 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\23b6b882d68a042d49fd329beaab7d55_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\23b6b882d68a042d49fd329beaab7d55_JaffaCakes118.exe
PID 2192 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\23b6b882d68a042d49fd329beaab7d55_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\23b6b882d68a042d49fd329beaab7d55_JaffaCakes118.exe
PID 2192 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\23b6b882d68a042d49fd329beaab7d55_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\23b6b882d68a042d49fd329beaab7d55_JaffaCakes118.exe
PID 2192 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\23b6b882d68a042d49fd329beaab7d55_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\23b6b882d68a042d49fd329beaab7d55_JaffaCakes118.exe
PID 2192 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\23b6b882d68a042d49fd329beaab7d55_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\23b6b882d68a042d49fd329beaab7d55_JaffaCakes118.exe
PID 2192 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\23b6b882d68a042d49fd329beaab7d55_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\23b6b882d68a042d49fd329beaab7d55_JaffaCakes118.exe
PID 2192 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\23b6b882d68a042d49fd329beaab7d55_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\23b6b882d68a042d49fd329beaab7d55_JaffaCakes118.exe
PID 2192 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\23b6b882d68a042d49fd329beaab7d55_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\23b6b882d68a042d49fd329beaab7d55_JaffaCakes118.exe
PID 2192 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\23b6b882d68a042d49fd329beaab7d55_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\23b6b882d68a042d49fd329beaab7d55_JaffaCakes118.exe
PID 2192 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\23b6b882d68a042d49fd329beaab7d55_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\23b6b882d68a042d49fd329beaab7d55_JaffaCakes118.exe
PID 2192 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\23b6b882d68a042d49fd329beaab7d55_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\23b6b882d68a042d49fd329beaab7d55_JaffaCakes118.exe
PID 2192 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\23b6b882d68a042d49fd329beaab7d55_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\23b6b882d68a042d49fd329beaab7d55_JaffaCakes118.exe
PID 2192 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\23b6b882d68a042d49fd329beaab7d55_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\23b6b882d68a042d49fd329beaab7d55_JaffaCakes118.exe
PID 2192 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\23b6b882d68a042d49fd329beaab7d55_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\23b6b882d68a042d49fd329beaab7d55_JaffaCakes118.exe
PID 2192 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\23b6b882d68a042d49fd329beaab7d55_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\23b6b882d68a042d49fd329beaab7d55_JaffaCakes118.exe
PID 2192 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\23b6b882d68a042d49fd329beaab7d55_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\23b6b882d68a042d49fd329beaab7d55_JaffaCakes118.exe
PID 2192 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\23b6b882d68a042d49fd329beaab7d55_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\23b6b882d68a042d49fd329beaab7d55_JaffaCakes118.exe
PID 2192 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\23b6b882d68a042d49fd329beaab7d55_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\23b6b882d68a042d49fd329beaab7d55_JaffaCakes118.exe
PID 2192 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\23b6b882d68a042d49fd329beaab7d55_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\23b6b882d68a042d49fd329beaab7d55_JaffaCakes118.exe
PID 2192 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\23b6b882d68a042d49fd329beaab7d55_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\23b6b882d68a042d49fd329beaab7d55_JaffaCakes118.exe
PID 2192 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\23b6b882d68a042d49fd329beaab7d55_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\23b6b882d68a042d49fd329beaab7d55_JaffaCakes118.exe
PID 2192 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\23b6b882d68a042d49fd329beaab7d55_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\23b6b882d68a042d49fd329beaab7d55_JaffaCakes118.exe
PID 2192 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\23b6b882d68a042d49fd329beaab7d55_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\23b6b882d68a042d49fd329beaab7d55_JaffaCakes118.exe
PID 2192 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\23b6b882d68a042d49fd329beaab7d55_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\23b6b882d68a042d49fd329beaab7d55_JaffaCakes118.exe
PID 2192 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\23b6b882d68a042d49fd329beaab7d55_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\23b6b882d68a042d49fd329beaab7d55_JaffaCakes118.exe
PID 2192 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\23b6b882d68a042d49fd329beaab7d55_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\23b6b882d68a042d49fd329beaab7d55_JaffaCakes118.exe
PID 2192 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\23b6b882d68a042d49fd329beaab7d55_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\23b6b882d68a042d49fd329beaab7d55_JaffaCakes118.exe
PID 2192 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\23b6b882d68a042d49fd329beaab7d55_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\23b6b882d68a042d49fd329beaab7d55_JaffaCakes118.exe
PID 2192 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\23b6b882d68a042d49fd329beaab7d55_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\23b6b882d68a042d49fd329beaab7d55_JaffaCakes118.exe
PID 2192 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\23b6b882d68a042d49fd329beaab7d55_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\23b6b882d68a042d49fd329beaab7d55_JaffaCakes118.exe
PID 2192 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\23b6b882d68a042d49fd329beaab7d55_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\23b6b882d68a042d49fd329beaab7d55_JaffaCakes118.exe
PID 2192 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\23b6b882d68a042d49fd329beaab7d55_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\23b6b882d68a042d49fd329beaab7d55_JaffaCakes118.exe
PID 2192 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\23b6b882d68a042d49fd329beaab7d55_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\23b6b882d68a042d49fd329beaab7d55_JaffaCakes118.exe
PID 2192 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\23b6b882d68a042d49fd329beaab7d55_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\23b6b882d68a042d49fd329beaab7d55_JaffaCakes118.exe
PID 2192 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\23b6b882d68a042d49fd329beaab7d55_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\23b6b882d68a042d49fd329beaab7d55_JaffaCakes118.exe
PID 2192 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\23b6b882d68a042d49fd329beaab7d55_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\23b6b882d68a042d49fd329beaab7d55_JaffaCakes118.exe
PID 2192 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\23b6b882d68a042d49fd329beaab7d55_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\23b6b882d68a042d49fd329beaab7d55_JaffaCakes118.exe
PID 2192 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\23b6b882d68a042d49fd329beaab7d55_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\23b6b882d68a042d49fd329beaab7d55_JaffaCakes118.exe
PID 2192 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\23b6b882d68a042d49fd329beaab7d55_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\23b6b882d68a042d49fd329beaab7d55_JaffaCakes118.exe
PID 2192 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\23b6b882d68a042d49fd329beaab7d55_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\23b6b882d68a042d49fd329beaab7d55_JaffaCakes118.exe
PID 2192 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\23b6b882d68a042d49fd329beaab7d55_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\23b6b882d68a042d49fd329beaab7d55_JaffaCakes118.exe
PID 2192 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\23b6b882d68a042d49fd329beaab7d55_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\23b6b882d68a042d49fd329beaab7d55_JaffaCakes118.exe
PID 2192 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\23b6b882d68a042d49fd329beaab7d55_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\23b6b882d68a042d49fd329beaab7d55_JaffaCakes118.exe
PID 2192 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\23b6b882d68a042d49fd329beaab7d55_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\23b6b882d68a042d49fd329beaab7d55_JaffaCakes118.exe
PID 2192 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\23b6b882d68a042d49fd329beaab7d55_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\23b6b882d68a042d49fd329beaab7d55_JaffaCakes118.exe
PID 2192 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\23b6b882d68a042d49fd329beaab7d55_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\23b6b882d68a042d49fd329beaab7d55_JaffaCakes118.exe
PID 2192 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\23b6b882d68a042d49fd329beaab7d55_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\23b6b882d68a042d49fd329beaab7d55_JaffaCakes118.exe
PID 2192 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\23b6b882d68a042d49fd329beaab7d55_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\23b6b882d68a042d49fd329beaab7d55_JaffaCakes118.exe
PID 2192 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\23b6b882d68a042d49fd329beaab7d55_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\23b6b882d68a042d49fd329beaab7d55_JaffaCakes118.exe
PID 2192 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\23b6b882d68a042d49fd329beaab7d55_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\23b6b882d68a042d49fd329beaab7d55_JaffaCakes118.exe
PID 2192 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\23b6b882d68a042d49fd329beaab7d55_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\23b6b882d68a042d49fd329beaab7d55_JaffaCakes118.exe
PID 2192 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\23b6b882d68a042d49fd329beaab7d55_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\23b6b882d68a042d49fd329beaab7d55_JaffaCakes118.exe
PID 2192 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\23b6b882d68a042d49fd329beaab7d55_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\23b6b882d68a042d49fd329beaab7d55_JaffaCakes118.exe
PID 2192 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\23b6b882d68a042d49fd329beaab7d55_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\23b6b882d68a042d49fd329beaab7d55_JaffaCakes118.exe
PID 2192 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\23b6b882d68a042d49fd329beaab7d55_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\23b6b882d68a042d49fd329beaab7d55_JaffaCakes118.exe
PID 2192 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\23b6b882d68a042d49fd329beaab7d55_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\23b6b882d68a042d49fd329beaab7d55_JaffaCakes118.exe
PID 2192 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\23b6b882d68a042d49fd329beaab7d55_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\23b6b882d68a042d49fd329beaab7d55_JaffaCakes118.exe
PID 2192 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\23b6b882d68a042d49fd329beaab7d55_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\23b6b882d68a042d49fd329beaab7d55_JaffaCakes118.exe
PID 2192 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\23b6b882d68a042d49fd329beaab7d55_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\23b6b882d68a042d49fd329beaab7d55_JaffaCakes118.exe
PID 2192 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\23b6b882d68a042d49fd329beaab7d55_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\23b6b882d68a042d49fd329beaab7d55_JaffaCakes118.exe
PID 2192 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\23b6b882d68a042d49fd329beaab7d55_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\23b6b882d68a042d49fd329beaab7d55_JaffaCakes118.exe
PID 2192 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\23b6b882d68a042d49fd329beaab7d55_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\23b6b882d68a042d49fd329beaab7d55_JaffaCakes118.exe
PID 2192 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\23b6b882d68a042d49fd329beaab7d55_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\23b6b882d68a042d49fd329beaab7d55_JaffaCakes118.exe

Processes

C:\Users\Admin\AppData\Local\Temp\23b6b882d68a042d49fd329beaab7d55_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\23b6b882d68a042d49fd329beaab7d55_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\23b6b882d68a042d49fd329beaab7d55_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\23b6b882d68a042d49fd329beaab7d55_JaffaCakes118.exe"

Network

Country Destination Domain Proto
N/A 127.0.0.1:2185 tcp
N/A 127.0.0.1:2185 tcp
N/A 127.0.0.1:2185 tcp
N/A 127.0.0.1:2185 tcp
N/A 127.0.0.1:2185 tcp
N/A 127.0.0.1:2185 tcp
N/A 127.0.0.1:2185 tcp
N/A 127.0.0.1:2185 tcp
N/A 127.0.0.1:2185 tcp
N/A 127.0.0.1:2185 tcp
N/A 127.0.0.1:2185 tcp
N/A 127.0.0.1:2185 tcp
N/A 127.0.0.1:2185 tcp
N/A 127.0.0.1:2185 tcp
N/A 127.0.0.1:2185 tcp

Files

memory/2192-0-0x0000000000400000-0x0000000000659000-memory.dmp

memory/2492-9-0x00000000001D0000-0x00000000001D1000-memory.dmp

memory/2492-14-0x0000000000350000-0x0000000000351000-memory.dmp

memory/2492-3-0x00000000001B0000-0x00000000001B1000-memory.dmp

memory/2192-2-0x0000000024010000-0x000000002404E000-memory.dmp

memory/2192-15-0x0000000000401000-0x0000000000414000-memory.dmp

memory/2492-29-0x0000000000400000-0x0000000000659000-memory.dmp

memory/2192-224-0x0000000000401000-0x0000000000414000-memory.dmp

memory/2192-223-0x0000000000400000-0x0000000000659000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt

MD5 e77d668e7aa79faef0f9ccb04c83029c
SHA1 527d776672b42ada1df58ccc4843eb4ed2b534db
SHA256 c5ae33c79a24d87c1066b23c669fe238bfe20cc25db4698eb5aca78f88414f9a
SHA512 6b53f0bd780590f901c75ae4e0dba5ba59388c0738f6fc08b50209297bdf509cb0d731d6c0f482dac1a99a77499f77c3a3c22d7f9178bf0353bc069c37c80bbf

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-03 22:44

Reported

2024-07-03 22:48

Platform

win10v2004-20240508-en

Max time kernel

41s

Max time network

46s

Command Line

"C:\Users\Admin\AppData\Local\Temp\23b6b882d68a042d49fd329beaab7d55_JaffaCakes118.exe"

Signatures

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\23b6b882d68a042d49fd329beaab7d55_JaffaCakes118.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\23b6b882d68a042d49fd329beaab7d55_JaffaCakes118.exe N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\23b6b882d68a042d49fd329beaab7d55_JaffaCakes118.exe

Processes

C:\Users\Admin\AppData\Local\Temp\23b6b882d68a042d49fd329beaab7d55_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\23b6b882d68a042d49fd329beaab7d55_JaffaCakes118.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 1320 -ip 1320

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1320 -s 276

Network

Files

memory/1320-0-0x0000000000400000-0x0000000000659000-memory.dmp

memory/1320-1-0x0000000000400000-0x0000000000659000-memory.dmp