42029d6d93e3501a7f21fa66a03c8bbbc7312961ed1d07882726e5d8978ea3e6

General

Target

22fff196938a30bb39ecc739eedc30d4_JaffaCakes118.exe
Size

1.5MB
MD5

22fff196938a30bb39ecc739eedc30d4
SHA1

a00dc6d0822a231336b522527dda7236f566f7cf
SHA256

42029d6d93e3501a7f21fa66a03c8bbbc7312961ed1d07882726e5d8978ea3e6
SHA512

0ee52b6dc6107508dd650d5c2419ddbeb78b145d95948c9ee672dcd55bcb8e3f791c0203b2e751e544e9e19d0c9abdc7ced8980451dd6ac24077581fe5a48d65
SSDEEP

24576:315Y+wfqKrvJJ2JNoVZcQPB6agExaw+ayWeAC9IqLs/:Wq0Kv1Qp6q0J9rAf+2

Score

7^/10

Malware Config

Signatures

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	22fff196938a30bb39ecc739eedc30d4_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	22fff196938a30bb39ecc739eedc30d4_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

pid	Process
4544	Crack.exe

Modifies registry class 17 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6E4DF3F1-F946-7646-F946-7646F9467646}\System.IsPinnedToNameSpaceTree = "1"	22fff196938a30bb39ecc739eedc30d4_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6E4DF3F1-F946-7646-F946-7646F9467646}\InProcServer32\ = "%systemroot%\\SysWow64\\shell32.dll"	22fff196938a30bb39ecc739eedc30d4_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6E4DF3F1-F946-7646-F946-7646F9467646}\Instance\InitPropertyBag\TargetKnownFolder = "{7d83ee9b-2244-4e70-b1f5-5393042af1e4}"	22fff196938a30bb39ecc739eedc30d4_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6E4DF3F1-F946-7646-F946-7646F9467646}	22fff196938a30bb39ecc739eedc30d4_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6E4DF3F1-F946-7646-F946-7646F9467646}\Instance\InitPropertyBag	22fff196938a30bb39ecc739eedc30d4_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6E4DF3F1-F946-7646-F946-7646F9467646}\ShellFolder\FolderValueFlags = "41"	22fff196938a30bb39ecc739eedc30d4_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6E4DF3F1-F946-7646-F946-7646F9467646}\Instance\CLSID = "{0E5AAE11-A475-4c5b-AB00-C66DE400274E}"	22fff196938a30bb39ecc739eedc30d4_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6E4DF3F1-F946-7646-F946-7646F9467646}\Instance\InitPropertyBag\Attributes = "17"	22fff196938a30bb39ecc739eedc30d4_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6E4DF3F1-F946-7646-F946-7646F9467646}\DescriptionID = "3"	22fff196938a30bb39ecc739eedc30d4_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6E4DF3F1-F946-7646-F946-7646F9467646}\DefaultIcon\ = "%SystemRoot%\\SysWow64\\imageres.dll,-184"	22fff196938a30bb39ecc739eedc30d4_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6E4DF3F1-F946-7646-F946-7646F9467646}\Instance	22fff196938a30bb39ecc739eedc30d4_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6E4DF3F1-F946-7646-F946-7646F9467646}\ShellFolder	22fff196938a30bb39ecc739eedc30d4_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6E4DF3F1-F946-7646-F946-7646F9467646}\ShellFolder\Attributes = "4034920525"	22fff196938a30bb39ecc739eedc30d4_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6E4DF3F1-F946-7646-F946-7646F9467646}\ShellFolder\SortOrderIndex = "0"	22fff196938a30bb39ecc739eedc30d4_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6E4DF3F1-F946-7646-F946-7646F9467646}\DefaultIcon	22fff196938a30bb39ecc739eedc30d4_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6E4DF3F1-F946-7646-F946-7646F9467646}\InProcServer32	22fff196938a30bb39ecc739eedc30d4_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6E4DF3F1-F946-7646-F946-7646F9467646}\InProcServer32\ThreadingModel = "Both"	22fff196938a30bb39ecc739eedc30d4_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	4848	22fff196938a30bb39ecc739eedc30d4_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	4848	22fff196938a30bb39ecc739eedc30d4_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4848 wrote to memory of 4544	4848	22fff196938a30bb39ecc739eedc30d4_JaffaCakes118.exe	86
PID 4848 wrote to memory of 4544	4848	22fff196938a30bb39ecc739eedc30d4_JaffaCakes118.exe	86
PID 4848 wrote to memory of 4544	4848	22fff196938a30bb39ecc739eedc30d4_JaffaCakes118.exe	86

C:\Users\Admin\AppData\Local\Temp\22fff196938a30bb39ecc739eedc30d4_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\22fff196938a30bb39ecc739eedc30d4_JaffaCakes118.exe"
1⤵
- Checks BIOS information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4848
- C:\Users\Admin\AppData\Local\Temp\Crack.exe
  C:\Users\Admin\AppData\Local\Temp\Crack.exe
  2⤵
  - Executes dropped EXE
  PID:4544

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Crack.exe

Filesize
9KB

MD5
c3f30f359c69048f558f10099afc62f2

SHA1
14ba1c37658355341b4c1e3f43d4cdc0936e33da

SHA256
fba1dbd8aff0907dde569e495dae39029532e867603be2086b8dd70869215746

SHA512
232e29a271e68af8c7a6c1e919e00b7cde4424a97372efbc3a2ef80322afc59618d66800aba199db90cc93c33b4fef10d17a9d481762572a494e2bcec0922baa

Download Submit
memory/4544-19-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/4848-0-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/4848-7-0x00000000026A0000-0x00000000026E7000-memory.dmp

Filesize
284KB

Download
memory/4848-2-0x00000000026A0000-0x00000000026E7000-memory.dmp

Filesize
284KB

Download
memory/4848-10-0x00000000026A0000-0x00000000026E7000-memory.dmp

Filesize
284KB

Download
memory/4848-16-0x00000000026A0000-0x00000000026E7000-memory.dmp

Filesize
284KB

Download
memory/4848-18-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/4848-22-0x00000000026A0000-0x00000000026E7000-memory.dmp

Filesize
284KB

Download

Analysis

Sharing