0b6d15238b5a7e3d580e24871495019c2186149b3d7dbe2d9bf0668ed50749d0

General

Target

40688d57a661fd9fb32ef00b760777d2_JaffaCakes118.exe
Size

815KB
MD5

40688d57a661fd9fb32ef00b760777d2
SHA1

c6bffc1e1d1416357017d38ff9a2bc04d87ce125
SHA256

0b6d15238b5a7e3d580e24871495019c2186149b3d7dbe2d9bf0668ed50749d0
SHA512

990e1004d488fabf0b0b72172f1bf1f41c6df48277703f363f891ad21bef8de6a9ad8fa69f53c55825d16df68eabcc0896319d2cde7d670c312d252cf5cbf5e5
SSDEEP

12288:IE3YeiDFvZrO2tN/x2Gy7+5dmhMsiHAmZ6QG9WIBwXwprnkFtEI4IAH43PorUPnV:cvI2RryuLjZMWuw0rka4/o4SNid

Score

9^/10

evasion trojan

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	40688d57a661fd9fb32ef00b760777d2_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	znaxxx.exe

Deletes itself 1 IoCs

pid	Process
2628	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2696	znaxxx.exe

Identifies Wine through registry keys 2 TTPs 1 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Wine	40688d57a661fd9fb32ef00b760777d2_JaffaCakes118.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	40688d57a661fd9fb32ef00b760777d2_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	znaxxx.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\znaxxx.exe	40688d57a661fd9fb32ef00b760777d2_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\znaxxx.exe	40688d57a661fd9fb32ef00b760777d2_JaffaCakes118.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
2672	40688d57a661fd9fb32ef00b760777d2_JaffaCakes118.exe
2696	znaxxx.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2672	40688d57a661fd9fb32ef00b760777d2_JaffaCakes118.exe
2696	znaxxx.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2672	40688d57a661fd9fb32ef00b760777d2_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2672 wrote to memory of 2628	2672	40688d57a661fd9fb32ef00b760777d2_JaffaCakes118.exe	31
PID 2672 wrote to memory of 2628	2672	40688d57a661fd9fb32ef00b760777d2_JaffaCakes118.exe	31
PID 2672 wrote to memory of 2628	2672	40688d57a661fd9fb32ef00b760777d2_JaffaCakes118.exe	31
PID 2672 wrote to memory of 2628	2672	40688d57a661fd9fb32ef00b760777d2_JaffaCakes118.exe	31

C:\Users\Admin\AppData\Local\Temp\40688d57a661fd9fb32ef00b760777d2_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\40688d57a661fd9fb32ef00b760777d2_JaffaCakes118.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Identifies Wine through registry keys
- Checks whether UAC is enabled
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2672
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\40688D~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2628

C:\Windows\SysWOW64\znaxxx.exe
C:\Windows\SysWOW64\znaxxx.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:2696

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

2

T1497

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

1

T1082

Virtualization/Sandbox Evasion

2

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\znaxxx.exe

Filesize
815KB

MD5
40688d57a661fd9fb32ef00b760777d2

SHA1
c6bffc1e1d1416357017d38ff9a2bc04d87ce125

SHA256
0b6d15238b5a7e3d580e24871495019c2186149b3d7dbe2d9bf0668ed50749d0

SHA512
990e1004d488fabf0b0b72172f1bf1f41c6df48277703f363f891ad21bef8de6a9ad8fa69f53c55825d16df68eabcc0896319d2cde7d670c312d252cf5cbf5e5

Download Submit
memory/2672-0-0x0000000000400000-0x00000000005C6000-memory.dmp

Filesize
1.8MB

Download
memory/2672-1-0x0000000077A50000-0x0000000077A52000-memory.dmp

Filesize
8KB

Download
memory/2672-3-0x0000000000401000-0x0000000000409000-memory.dmp

Filesize
32KB

Download
memory/2672-4-0x0000000000400000-0x00000000005C6000-memory.dmp

Filesize
1.8MB

Download
memory/2696-14-0x0000000000400000-0x00000000005C6000-memory.dmp

Filesize
1.8MB

Download
memory/2696-18-0x0000000000400000-0x00000000005C6000-memory.dmp

Filesize
1.8MB

Download
memory/2696-8-0x0000000000400000-0x00000000005C6000-memory.dmp

Filesize
1.8MB

Download
memory/2696-10-0x0000000000400000-0x00000000005C6000-memory.dmp

Filesize
1.8MB

Download
memory/2696-11-0x0000000000400000-0x00000000005C6000-memory.dmp

Filesize
1.8MB

Download
memory/2696-12-0x0000000000400000-0x00000000005C6000-memory.dmp

Filesize
1.8MB

Download
memory/2696-13-0x0000000000400000-0x00000000005C6000-memory.dmp

Filesize
1.8MB

Download
memory/2696-6-0x0000000000400000-0x00000000005C6000-memory.dmp

Filesize
1.8MB

Download
memory/2696-15-0x0000000000400000-0x00000000005C6000-memory.dmp

Filesize
1.8MB

Download
memory/2696-16-0x0000000000400000-0x00000000005C6000-memory.dmp

Filesize
1.8MB

Download
memory/2696-17-0x0000000000400000-0x00000000005C6000-memory.dmp

Filesize
1.8MB

Download
memory/2696-7-0x0000000000400000-0x00000000005C6000-memory.dmp

Filesize
1.8MB

Download
memory/2696-19-0x0000000000400000-0x00000000005C6000-memory.dmp

Filesize
1.8MB

Download
memory/2696-20-0x0000000000400000-0x00000000005C6000-memory.dmp

Filesize
1.8MB

Download
memory/2696-21-0x0000000000400000-0x00000000005C6000-memory.dmp

Filesize
1.8MB

Download
memory/2696-22-0x0000000000400000-0x00000000005C6000-memory.dmp

Filesize
1.8MB

Download
memory/2696-23-0x0000000000400000-0x00000000005C6000-memory.dmp

Filesize
1.8MB

Download
memory/2696-24-0x0000000000400000-0x00000000005C6000-memory.dmp

Filesize
1.8MB

Download
memory/2696-25-0x0000000000400000-0x00000000005C6000-memory.dmp

Filesize
1.8MB

Download
memory/2696-26-0x0000000000400000-0x00000000005C6000-memory.dmp

Filesize
1.8MB

Download
memory/2696-27-0x0000000000400000-0x00000000005C6000-memory.dmp

Filesize
1.8MB

Download
memory/2696-28-0x0000000000400000-0x00000000005C6000-memory.dmp

Filesize
1.8MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads