447e7a59fdcc475e488b8b914537f7bbd35a9bb504d98aa608e7110d048f9a39

General

Target

36960c224046b66cff9a241fbc004ce3_JaffaCakes118.exe
Size

616KB
MD5

36960c224046b66cff9a241fbc004ce3
SHA1

2ec1e1c9331cbeb451a184c79df8146c3a7c31c2
SHA256

447e7a59fdcc475e488b8b914537f7bbd35a9bb504d98aa608e7110d048f9a39
SHA512

337eccd5a7e727e43698af03c6a4fbcc872f0fd794a9b7a376adbaa0489626bc8e1b230c68b04184a52f1dae36acdbae5b53ce1cf33d046246909c554088cf59
SSDEEP

12288:yngP0qvihZ/0jygniOogJV/35C0XPNNH0FujDgt5plQs2MXCX+3rJJKb:LvihZYXlNX1R0FuwLVfLrw

Score

7^/10

Malware Config

Signatures

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	36960c224046b66cff9a241fbc004ce3_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	36960c224046b66cff9a241fbc004ce3_JaffaCakes118.exe

Modifies registry class 9 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A3276B48-53CE-0999-D7C7-E343217A8D0C}\InprocServer32\ThreadingModel = "both"	36960c224046b66cff9a241fbc004ce3_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A3276B48-53CE-0999-D7C7-E343217A8D0C}\ProgID	36960c224046b66cff9a241fbc004ce3_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A3276B48-53CE-0999-D7C7-E343217A8D0C}\VersionIndependentProgID	36960c224046b66cff9a241fbc004ce3_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A3276B48-53CE-0999-D7C7-E343217A8D0C}	36960c224046b66cff9a241fbc004ce3_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A3276B48-53CE-0999-D7C7-E343217A8D0C}\InprocServer32	36960c224046b66cff9a241fbc004ce3_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A3276B48-53CE-0999-D7C7-E343217A8D0C}\InprocServer32\ = "%CommonProgramFiles(x86)%\\System\\ado\\msado15.dll"	36960c224046b66cff9a241fbc004ce3_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A3276B48-53CE-0999-D7C7-E343217A8D0C}\ProgID\ = "ADODB.ErrorLookup.6.0"	36960c224046b66cff9a241fbc004ce3_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A3276B48-53CE-0999-D7C7-E343217A8D0C}\VersionIndependentProgID\ = "ADODB.ErrorLookup"	36960c224046b66cff9a241fbc004ce3_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A3276B48-53CE-0999-D7C7-E343217A8D0C}\ = "ADODB Error Lookup Service"	36960c224046b66cff9a241fbc004ce3_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: 33	2688	36960c224046b66cff9a241fbc004ce3_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2688	36960c224046b66cff9a241fbc004ce3_JaffaCakes118.exe
Token: 33	2688	36960c224046b66cff9a241fbc004ce3_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2688	36960c224046b66cff9a241fbc004ce3_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2680 wrote to memory of 2688	2680	36960c224046b66cff9a241fbc004ce3_JaffaCakes118.exe	30
PID 2680 wrote to memory of 2688	2680	36960c224046b66cff9a241fbc004ce3_JaffaCakes118.exe	30
PID 2680 wrote to memory of 2688	2680	36960c224046b66cff9a241fbc004ce3_JaffaCakes118.exe	30
PID 2680 wrote to memory of 2688	2680	36960c224046b66cff9a241fbc004ce3_JaffaCakes118.exe	30
PID 2680 wrote to memory of 2688	2680	36960c224046b66cff9a241fbc004ce3_JaffaCakes118.exe	30
PID 2680 wrote to memory of 2688	2680	36960c224046b66cff9a241fbc004ce3_JaffaCakes118.exe	30

C:\Users\Admin\AppData\Local\Temp\36960c224046b66cff9a241fbc004ce3_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\36960c224046b66cff9a241fbc004ce3_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2680
- C:\Users\Admin\AppData\Local\Temp\36960c224046b66cff9a241fbc004ce3_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\36960c224046b66cff9a241fbc004ce3_JaffaCakes118.exe"
  2⤵
  - Checks BIOS information in registry
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  PID:2688

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2680-0-0x0000000000400000-0x00000000009DE000-memory.dmp

Filesize
5.9MB

Download
memory/2680-1-0x0000000002A00000-0x0000000002FDE000-memory.dmp

Filesize
5.9MB

Download
memory/2680-12-0x0000000000400000-0x00000000009DE000-memory.dmp

Filesize
5.9MB

Download
memory/2688-2-0x0000000000400000-0x00000000009DE000-memory.dmp

Filesize
5.9MB

Download
memory/2688-3-0x000000000096D000-0x000000000096E000-memory.dmp

Filesize
4KB

Download
memory/2688-4-0x00000000009E0000-0x0000000000A36000-memory.dmp

Filesize
344KB

Download
memory/2688-9-0x0000000000400000-0x00000000009DE000-memory.dmp

Filesize
5.9MB

Download
memory/2688-10-0x0000000000400000-0x00000000009DE000-memory.dmp

Filesize
5.9MB

Download
memory/2688-11-0x0000000000400000-0x00000000009DE000-memory.dmp

Filesize
5.9MB

Download

Analysis

Sharing