Overview

overview

9

Static

static

3

4347eafdcd...18.exe

windows7-x64

9

4347eafdcd...18.exe

windows10-2004-x64

9

Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
  • submitted
    13-07-2024 20:47

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    4347eafdcd295a05714d41efc28064eb_JaffaCakes118.exe

  • Size

    4.1MB

  • MD5

    4347eafdcd295a05714d41efc28064eb

  • SHA1

    cedee6230ac0c57683f45777226a1ccaff47058e

  • SHA256

    0ef30e4a7e49d74a85b0e3239be5fe98a1654b6da32524cd8e7add3a309bee74

  • SHA512

    92eb3ac48c6309d30a4189a9e5bf23f52f0e5d428593d67110c2bcf0efa224836e19d0927dbf1a00ade224e7b7bb7217ad50258cc47d29f6dfaf8a18f78c3260

  • SSDEEP

    98304:S7EU81K5h3tw0GLlziLpcBKe7cj515qBegECrG:aEU81St2Zzi5bYB/i

Score
9/10
evasion

Malware Config

Signatures

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
    evasion
  • Checks BIOS information in registry 2 TTPs 1 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Identifies Wine through registry keys 2 TTPs 1 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 2 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 5 IoCs
  • Suspicious use of SendNotifyMessage 5 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4347eafdcd295a05714d41efc28064eb_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\4347eafdcd295a05714d41efc28064eb_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1508
    • C:\Users\Admin\AppData\Local\Temp\server.exe
      "C:\Users\Admin\AppData\Local\Temp\server.exe"
      2⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Executes dropped EXE
      • Identifies Wine through registry keys
      PID:4900
    • C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\AppData\Local\Temp\17. Cesar e Alessandro - Eu Amo Meu Pinscher.mp3"
      2⤵
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      PID:368
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\FirewallControlPanel.dll,ShowWarningDialog "C:\Users\Admin\AppData\Local\Temp\4347eafdcd295a05714d41efc28064eb_JaffaCakes118.exe"
    1⤵
    • Modifies registry class
    PID:4180
  • C:\Windows\system32\AUDIODG.EXE
    C:\Windows\system32\AUDIODG.EXE 0x50c 0x4b0
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:4784

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\17. Cesar e Alessandro - Eu Amo Meu Pinscher.mp3
    Filesize

    3.2MB

    MD5

    d13efa485248d8dd8b63599e473b3c93

    SHA1

    1ee550d3f9822a752f7ea44794dceff1a4feec5c

    SHA256

    223b776acd5c48c286d0f0aaa62eb37ae4a95257f5c4c952e2fc437295ceb41b

    SHA512

    c6f582247aedbb917b76c0f4e1984e0ec52d383d5322d03522afdcdc10034ae75973077610dbc2d5b641548f3e880b9357106b5d1a99b5ca9aedd5a07091a583

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\server.exe
    Filesize

    896KB

    MD5

    fda43e7828a682db1aa20937e6b87a66

    SHA1

    8dfad9ba9e3aa22d8147b95bbe813bff93c1c892

    SHA256

    805013b887ab45861137a72d141ed21e7825d803d992bef006036a87f0859c37

    SHA512

    8d7fc765bdeb10fc4c318154d2140ca581cec2fab43bc206cc5a104f539de3f6f2be47428c06132cc52468c30753e32860c3886b0a153fa9722c0316082157e4

    Download Submit

  • memory/368-29-0x00007FFE4DA00000-0x00007FFE4DA17000-memory.dmp

    Filesize

    92KB

    Download

  • memory/368-27-0x00007FFE51AD0000-0x00007FFE51AE7000-memory.dmp

    Filesize

    92KB

    Download

  • memory/368-23-0x00007FF7333D0000-0x00007FF7334C8000-memory.dmp

    Filesize

    992KB

    Download

  • memory/368-30-0x00007FFE4D9E0000-0x00007FFE4D9F1000-memory.dmp

    Filesize

    68KB

    Download

  • memory/368-32-0x00007FFE4D9A0000-0x00007FFE4D9B1000-memory.dmp

    Filesize

    68KB

    Download

  • memory/368-31-0x00007FFE4D9C0000-0x00007FFE4D9DD000-memory.dmp

    Filesize

    116KB

    Download

  • memory/368-33-0x00007FFE3E540000-0x00007FFE3E74B000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/368-34-0x00007FFE4D950000-0x00007FFE4D991000-memory.dmp

    Filesize

    260KB

    Download

  • memory/368-53-0x00007FFE3D490000-0x00007FFE3E540000-memory.dmp

    Filesize

    16.7MB

    Download

  • memory/368-25-0x00007FFE3E940000-0x00007FFE3EBF6000-memory.dmp

    Filesize

    2.7MB

    Download

  • memory/368-28-0x00007FFE4DA20000-0x00007FFE4DA31000-memory.dmp

    Filesize

    68KB

    Download

  • memory/368-24-0x00007FFE4DAE0000-0x00007FFE4DB14000-memory.dmp

    Filesize

    208KB

    Download

  • memory/368-26-0x00007FFE57340000-0x00007FFE57358000-memory.dmp

    Filesize

    96KB

    Download

  • memory/368-40-0x00007FFE4D740000-0x00007FFE4D751000-memory.dmp

    Filesize

    68KB

    Download

  • memory/368-39-0x00007FFE4D760000-0x00007FFE4D771000-memory.dmp

    Filesize

    68KB

    Download

  • memory/368-38-0x00007FFE4D8E0000-0x00007FFE4D8F1000-memory.dmp

    Filesize

    68KB

    Download

  • memory/368-37-0x00007FFE4D900000-0x00007FFE4D918000-memory.dmp

    Filesize

    96KB

    Download

  • memory/368-36-0x00007FFE4D920000-0x00007FFE4D941000-memory.dmp

    Filesize

    132KB

    Download

  • memory/368-35-0x00007FFE3D490000-0x00007FFE3E540000-memory.dmp

    Filesize

    16.7MB

    Download

  • memory/4900-10-0x0000000000400000-0x00000000004DD000-memory.dmp

    Filesize

    884KB

    Download

  • memory/4900-59-0x0000000000400000-0x00000000004DD000-memory.dmp

    Filesize

    884KB

    Download