c166b001da3f350bf82b07bd66d5900fb35220778b8c4db388e80a1352183cf4

General

Target

30463df4b729bfab25383b9cff41e90c_JaffaCakes118.exe
Size

1.2MB
MD5

30463df4b729bfab25383b9cff41e90c
SHA1

3c8eb2138a3d256f4198b0bf8ec0f17b1e4f7b5c
SHA256

c166b001da3f350bf82b07bd66d5900fb35220778b8c4db388e80a1352183cf4
SHA512

e91f16a50a890e4a1552f018373ddc268faa26502cd2a7d166deff75ec7f08e0240d808a03506b4ada023b5b1799a38dce1f71ddbf9f71c55bd22f0307aafa1b
SSDEEP

24576:HGuOe3ojhhxFE1wLVzeCJSU/ecV7sD+qfFt74vutFoI9Wl0:HQe3oPsR85VmDt7kuzFa

Score

7^/10

Malware Config

Signatures

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	30463df4b729bfab25383b9cff41e90c_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	30463df4b729bfab25383b9cff41e90c_JaffaCakes118.exe

Modifies registry class 16 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2D0E164C-1C7A-2418-4D8D-1993EA55F31C}\ProgID	30463df4b729bfab25383b9cff41e90c_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2D0E164C-1C7A-2418-4D8D-1993EA55F31C}\Version	30463df4b729bfab25383b9cff41e90c_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2D0E164C-1C7A-2418-4D8D-1993EA55F31C}\InprocServer32\ThreadingModel = "both"	30463df4b729bfab25383b9cff41e90c_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2D0E164C-1C7A-2418-4D8D-1993EA55F31C}\InprocServer32	30463df4b729bfab25383b9cff41e90c_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2D0E164C-1C7A-2418-4D8D-1993EA55F31C}\VersionIndependentProgID\ = "PLA.TraceSession"	30463df4b729bfab25383b9cff41e90c_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2D0E164C-1C7A-2418-4D8D-1993EA55F31C}	30463df4b729bfab25383b9cff41e90c_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2D0E164C-1C7A-2418-4D8D-1993EA55F31C}\LocalServer32	30463df4b729bfab25383b9cff41e90c_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2D0E164C-1C7A-2418-4D8D-1993EA55F31C}\LocalServer32\ = "%SystemRoot%\\SysWow64\\plasrv.exe"	30463df4b729bfab25383b9cff41e90c_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2D0E164C-1C7A-2418-4D8D-1993EA55F31C}\ProgID\ = "PLA.TraceSession.1"	30463df4b729bfab25383b9cff41e90c_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2D0E164C-1C7A-2418-4D8D-1993EA55F31C}\TypeLib\ = "{03837500-098B-11D8-9414-505054503030}"	30463df4b729bfab25383b9cff41e90c_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2D0E164C-1C7A-2418-4D8D-1993EA55F31C}\Version\ = "1.0"	30463df4b729bfab25383b9cff41e90c_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2D0E164C-1C7A-2418-4D8D-1993EA55F31C}\AppID = "{03837503-098b-11d8-9414-505054503030}"	30463df4b729bfab25383b9cff41e90c_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2D0E164C-1C7A-2418-4D8D-1993EA55F31C}\InprocServer32\ = "%SystemRoot%\\SysWow64\\pla.dll"	30463df4b729bfab25383b9cff41e90c_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2D0E164C-1C7A-2418-4D8D-1993EA55F31C}\TypeLib	30463df4b729bfab25383b9cff41e90c_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2D0E164C-1C7A-2418-4D8D-1993EA55F31C}\VersionIndependentProgID	30463df4b729bfab25383b9cff41e90c_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2D0E164C-1C7A-2418-4D8D-1993EA55F31C}\ = "TraceSession"	30463df4b729bfab25383b9cff41e90c_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: 33	2896	30463df4b729bfab25383b9cff41e90c_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2896	30463df4b729bfab25383b9cff41e90c_JaffaCakes118.exe
Token: 33	2896	30463df4b729bfab25383b9cff41e90c_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2896	30463df4b729bfab25383b9cff41e90c_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2876 wrote to memory of 2896	2876	30463df4b729bfab25383b9cff41e90c_JaffaCakes118.exe	30
PID 2876 wrote to memory of 2896	2876	30463df4b729bfab25383b9cff41e90c_JaffaCakes118.exe	30
PID 2876 wrote to memory of 2896	2876	30463df4b729bfab25383b9cff41e90c_JaffaCakes118.exe	30
PID 2876 wrote to memory of 2896	2876	30463df4b729bfab25383b9cff41e90c_JaffaCakes118.exe	30
PID 2876 wrote to memory of 2896	2876	30463df4b729bfab25383b9cff41e90c_JaffaCakes118.exe	30
PID 2876 wrote to memory of 2896	2876	30463df4b729bfab25383b9cff41e90c_JaffaCakes118.exe	30

C:\Users\Admin\AppData\Local\Temp\30463df4b729bfab25383b9cff41e90c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\30463df4b729bfab25383b9cff41e90c_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2876
- C:\Users\Admin\AppData\Local\Temp\30463df4b729bfab25383b9cff41e90c_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\30463df4b729bfab25383b9cff41e90c_JaffaCakes118.exe"
  2⤵
  - Checks BIOS information in registry
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  PID:2896

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\PlayFirst\dinerdashfloonthego\logfile.txt

Filesize
383B

MD5
ef2615d7267e6c2fdad8fce8d7aea66c

SHA1
22013afab2b0079e0c36351d728744e670bfe274

SHA256
bef0eb4cce6f29c582ac88e108178787071aad57dd8b195c228a65aa4c4cfb42

SHA512
dae889ee41c88211e8247be0b3912dee3a0f32e1cf6fdcd51817a0350dce904ad4fbc3ef248ea48f38a263dbfaefc3f97956a74bca1db2311b68d8e29b740762

Download Submit
C:\Users\Admin\AppData\Roaming\PlayFirst\dinerdashfloonthego\logfile.txt

Filesize
865B

MD5
df985de0daa297e1e3269ae1fd738b60

SHA1
6bad584ad3b1533cbf50ca0a6a1b9392d560d079

SHA256
b8b85374089e1129a45419361e24afcfa21efd915d9109d41bcee9b82f50d84d

SHA512
f64888f9ee61dab45a464c44c0062f440abfa1d37c75f29a5dee2ee2786764714be7bae1660c273f17fa81f0ea29cbff47e2a23a0c22390a7bea59154cec2114

Download Submit
C:\Users\Admin\AppData\Roaming\PlayFirst\dinerdashfloonthego\logfile.txt

Filesize
1KB

MD5
d7d51b21d9e472200682899f3955fb37

SHA1
8df386a2710b911639b2efd3ba431fa5017160dc

SHA256
60fe83566acb5d77f4591ac57caff9d2289f5ff1181da0eda628615f88ccd5d1

SHA512
edad136b4b17ec83252482da6fd7e626ea5d0dbbb753d1cd5952b1ffb3a4cc28dc564c484258c869c597a5fa0e9ca787e30553205606b5480e3dedf12d958d8a

Download Submit
C:\Users\Admin\AppData\Roaming\PlayFirst\dinerdashfloonthego\logfile.txt

Filesize
2KB

MD5
13e1d180792277301cf2be6752e3816b

SHA1
2af1f085c87b3cd525850941ac5c08074dc229b6

SHA256
4a125f1c70fffc9791a6321ad846318dea960974330e67b255c2a87737522e2d

SHA512
4fb3f832e9f0b6d8d26e02179e8ca0e401e16c672358d2e84854ed4788533fc58c0388f82afea471c36e613cbf155f4df5d694ce776662c18cd1b7b4fe7340a6

Download Submit
C:\Users\Admin\AppData\Roaming\PlayFirst\dinerdashfloonthego\logfile.txt

Filesize
2KB

MD5
9546b2acaa57bc22969192bb5a9f830a

SHA1
8cc968b6bc9275209bfb49db1210991701ff0eaa

SHA256
55f159528bce08d7725cae16f419f9a8292d6f00f674b5adc27f5d7f60f8c42a

SHA512
a1fc5db8161645e076c15ceaaa2cc2be5da6c1400c5a082bdf842922a522429a57cd8e09ea4c3b37e051338c345cc8723057248bb2e5c521fa3651df1d602a81

Download Submit
memory/2876-1-0x0000000002660000-0x00000000028ED000-memory.dmp

Filesize
2.6MB

Download
memory/2876-83-0x0000000000400000-0x000000000068D000-memory.dmp

Filesize
2.6MB

Download
memory/2876-0-0x0000000000400000-0x000000000068D000-memory.dmp

Filesize
2.6MB

Download
memory/2896-14-0x0000000000400000-0x000000000068D000-memory.dmp

Filesize
2.6MB

Download
memory/2896-15-0x0000000000400000-0x000000000068D000-memory.dmp

Filesize
2.6MB

Download
memory/2896-3-0x0000000000400000-0x000000000068D000-memory.dmp

Filesize
2.6MB

Download
memory/2896-16-0x0000000000260000-0x00000000002B6000-memory.dmp

Filesize
344KB

Download
memory/2896-4-0x0000000000260000-0x00000000002B6000-memory.dmp

Filesize
344KB

Download
memory/2896-2-0x0000000000400000-0x000000000068D000-memory.dmp

Filesize
2.6MB

Download
memory/2896-10-0x0000000000400000-0x000000000068D000-memory.dmp

Filesize
2.6MB

Download
memory/2896-13-0x0000000000400000-0x000000000068D000-memory.dmp

Filesize
2.6MB

Download
memory/2896-54-0x0000000000260000-0x00000000002B6000-memory.dmp

Filesize
344KB

Download
memory/2896-12-0x0000000000400000-0x000000000068D000-memory.dmp

Filesize
2.6MB

Download
memory/2896-80-0x0000000000260000-0x00000000002B6000-memory.dmp

Filesize
344KB

Download
memory/2896-9-0x0000000000400000-0x000000000068D000-memory.dmp

Filesize
2.6MB

Download
memory/2896-82-0x0000000000400000-0x000000000068D000-memory.dmp

Filesize
2.6MB

Download

Analysis

Sharing