c166b001da3f350bf82b07bd66d5900fb35220778b8c4db388e80a1352183cf4

General

Target

30463df4b729bfab25383b9cff41e90c_JaffaCakes118.exe
Size

1.2MB
MD5

30463df4b729bfab25383b9cff41e90c
SHA1

3c8eb2138a3d256f4198b0bf8ec0f17b1e4f7b5c
SHA256

c166b001da3f350bf82b07bd66d5900fb35220778b8c4db388e80a1352183cf4
SHA512

e91f16a50a890e4a1552f018373ddc268faa26502cd2a7d166deff75ec7f08e0240d808a03506b4ada023b5b1799a38dce1f71ddbf9f71c55bd22f0307aafa1b
SSDEEP

24576:HGuOe3ojhhxFE1wLVzeCJSU/ecV7sD+qfFt74vutFoI9Wl0:HQe3oPsR85VmDt7kuzFa

Score

7^/10

Malware Config

Signatures

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	30463df4b729bfab25383b9cff41e90c_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	30463df4b729bfab25383b9cff41e90c_JaffaCakes118.exe

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2D0E164C-1C7A-2418-4D8D-1993EA55F31C}	30463df4b729bfab25383b9cff41e90c_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2D0E164C-1C7A-2418-4D8D-1993EA55F31C}\ = "Registry Data Driven Command"	30463df4b729bfab25383b9cff41e90c_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2D0E164C-1C7A-2418-4D8D-1993EA55F31C}\InProcServer32	30463df4b729bfab25383b9cff41e90c_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2D0E164C-1C7A-2418-4D8D-1993EA55F31C}\InProcServer32\ = "%SystemRoot%\\SysWow64\\windows.storage.dll"	30463df4b729bfab25383b9cff41e90c_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2D0E164C-1C7A-2418-4D8D-1993EA55F31C}\InProcServer32\ThreadingModel = "Apartment"	30463df4b729bfab25383b9cff41e90c_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
516	30463df4b729bfab25383b9cff41e90c_JaffaCakes118.exe
516	30463df4b729bfab25383b9cff41e90c_JaffaCakes118.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
516	30463df4b729bfab25383b9cff41e90c_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: 33	516	30463df4b729bfab25383b9cff41e90c_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	516	30463df4b729bfab25383b9cff41e90c_JaffaCakes118.exe
Token: 33	516	30463df4b729bfab25383b9cff41e90c_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	516	30463df4b729bfab25383b9cff41e90c_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 3952 wrote to memory of 516	3952	30463df4b729bfab25383b9cff41e90c_JaffaCakes118.exe	84
PID 3952 wrote to memory of 516	3952	30463df4b729bfab25383b9cff41e90c_JaffaCakes118.exe	84
PID 3952 wrote to memory of 516	3952	30463df4b729bfab25383b9cff41e90c_JaffaCakes118.exe	84
PID 3952 wrote to memory of 516	3952	30463df4b729bfab25383b9cff41e90c_JaffaCakes118.exe	84
PID 3952 wrote to memory of 516	3952	30463df4b729bfab25383b9cff41e90c_JaffaCakes118.exe	84

C:\Users\Admin\AppData\Local\Temp\30463df4b729bfab25383b9cff41e90c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\30463df4b729bfab25383b9cff41e90c_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3952
- C:\Users\Admin\AppData\Local\Temp\30463df4b729bfab25383b9cff41e90c_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\30463df4b729bfab25383b9cff41e90c_JaffaCakes118.exe"
  2⤵
  - Checks BIOS information in registry
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  PID:516

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\PlayFirst\dinerdashfloonthego\logfile.txt

Filesize
383B

MD5
53056027c95ac77f00d5cb0a05da50cc

SHA1
88a5f4f02a6a3c6ba47e0d8f7ba577d8a8cab048

SHA256
22b8a3d4c8361cddf8b4bd6baa66a3c3656fc261d3d673735e7dc5156aa95052

SHA512
cdadb37f1824a9e775b217d42cf848e42c2b57d0fe60717a05066e54af032f8e6e2537680bd56bc2fb289a34be630f15da5dcb08990f5528bab738aa56db10ce

Download Submit
C:\Users\Admin\AppData\Roaming\PlayFirst\dinerdashfloonthego\logfile.txt

Filesize
1KB

MD5
2b38c048d8bf8282324d9ac69fb126ea

SHA1
d992ae65abd679cd41876ae496b93e8c038e5e5f

SHA256
933fabaa90bc542df0b598754dc327dbbd493ec3c242fea65a5a429adbd384e9

SHA512
a24b637d640d25815fa20887d6c4e982677133aaca658e38859549e79a12ee3f0c9d13ead23deb52d178b60a605a3c4b693a24810a233c7787b9911e626c4e4c

Download Submit
C:\Users\Admin\AppData\Roaming\PlayFirst\dinerdashfloonthego\logfile.txt

Filesize
5KB

MD5
084d63d57d31aa303e74a3e1d430c1db

SHA1
83ae71532d59eae3adfb6578bebe1de69a4c76f4

SHA256
82d913facab349d59bfa8fa6423b55de4741cd59b08757fa2931f3e619e336b9

SHA512
3c4db71d25e9dec26360633a024f090aa75c8566d3e8b40fb82aec7b28892c37c55bdeb082b38019acae28163bca43b189544a0281190cd19a196dbf10a8af41

Download Submit
memory/516-15-0x0000000000400000-0x000000000068D000-memory.dmp

Filesize
2.6MB

Download
memory/516-224-0x00000000023C0000-0x0000000002416000-memory.dmp

Filesize
344KB

Download
memory/516-10-0x0000000000400000-0x000000000068D000-memory.dmp

Filesize
2.6MB

Download
memory/516-13-0x0000000000400000-0x000000000068D000-memory.dmp

Filesize
2.6MB

Download
memory/516-16-0x00000000023C0000-0x0000000002416000-memory.dmp

Filesize
344KB

Download
memory/516-4-0x00000000023C0000-0x0000000002416000-memory.dmp

Filesize
344KB

Download
memory/516-3-0x0000000000400000-0x000000000068D000-memory.dmp

Filesize
2.6MB

Download
memory/516-230-0x00000000023C0000-0x0000000002416000-memory.dmp

Filesize
344KB

Download
memory/516-11-0x0000000000400000-0x000000000068D000-memory.dmp

Filesize
2.6MB

Download
memory/516-14-0x0000000000400000-0x000000000068D000-memory.dmp

Filesize
2.6MB

Download
memory/516-9-0x00000000023C0000-0x0000000002416000-memory.dmp

Filesize
344KB

Download
memory/516-227-0x0000000000400000-0x000000000068D000-memory.dmp

Filesize
2.6MB

Download
memory/3952-0-0x0000000000400000-0x000000000068D000-memory.dmp

Filesize
2.6MB

Download
memory/3952-228-0x0000000000400000-0x000000000068D000-memory.dmp

Filesize
2.6MB

Download

Analysis

Sharing