34bb066c4f4feaa414d2202f4cca89c994e5e3afa237fab3d2b385e4b83875ed

General

Target

4b11a5f7e36b77fc4bd00d6d1b1df5d5_JaffaCakes118.exe
Size

4.2MB
MD5

4b11a5f7e36b77fc4bd00d6d1b1df5d5
SHA1

39582cd5b91872ebb8b49984d66f1addcf56a3d7
SHA256

34bb066c4f4feaa414d2202f4cca89c994e5e3afa237fab3d2b385e4b83875ed
SHA512

f8f790531137d94b6d744eca37ba61c7e5806ac123caced7794e7569a5c6d961f6613c698d2389af7172a2f882c42b85974727705e5e1fa52a68cc3105af96f3
SSDEEP

98304:Z9b2yizTJsi8WYcybN1QuD6pl3GaYynHhnwTFPC2TD52:7iy2JA3HN1B4l2avB6J2

Score

7^/10

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x0008000000015d34-12.dat	acprotect

Checks BIOS information in registry 2 TTPs 6 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	4b11a5f7e36b77fc4bd00d6d1b1df5d5_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	4b11a5f7e36b77fc4bd00d6d1b1df5d5_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	4b11a5f7e36b77fc4bd00d6d1b1df5d5_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	MY IDS NEW CAMFROG.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	MY IDS NEW CAMFROG.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	MY IDS NEW CAMFROG.EXE

Executes dropped EXE 2 IoCs

pid	Process
2752	CAMFROG_BOT_SETUP.EXE
2744	MY IDS NEW CAMFROG.EXE

Loads dropped DLL 7 IoCs

pid	Process
1620	4b11a5f7e36b77fc4bd00d6d1b1df5d5_JaffaCakes118.exe
2752	CAMFROG_BOT_SETUP.EXE
1620	4b11a5f7e36b77fc4bd00d6d1b1df5d5_JaffaCakes118.exe
1620	4b11a5f7e36b77fc4bd00d6d1b1df5d5_JaffaCakes118.exe
1620	4b11a5f7e36b77fc4bd00d6d1b1df5d5_JaffaCakes118.exe
2752	CAMFROG_BOT_SETUP.EXE
2744	MY IDS NEW CAMFROG.EXE

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\CAMFROG_BOT_SETUP.EXE	4b11a5f7e36b77fc4bd00d6d1b1df5d5_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\MY IDS NEW CAMFROG.EXE	4b11a5f7e36b77fc4bd00d6d1b1df5d5_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

NSIS installer 1 IoCs

installer

resource	yara_rule
behavioral1/files/0x00080000000120ff-4.dat	nsis_installer_1

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	4b11a5f7e36b77fc4bd00d6d1b1df5d5_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	4b11a5f7e36b77fc4bd00d6d1b1df5d5_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	MY IDS NEW CAMFROG.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	MY IDS NEW CAMFROG.EXE

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosDate	4b11a5f7e36b77fc4bd00d6d1b1df5d5_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosDate	MY IDS NEW CAMFROG.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2744	MY IDS NEW CAMFROG.EXE
2744	MY IDS NEW CAMFROG.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2752	CAMFROG_BOT_SETUP.EXE

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2752	CAMFROG_BOT_SETUP.EXE

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 1620 wrote to memory of 2752	1620	4b11a5f7e36b77fc4bd00d6d1b1df5d5_JaffaCakes118.exe	30
PID 1620 wrote to memory of 2752	1620	4b11a5f7e36b77fc4bd00d6d1b1df5d5_JaffaCakes118.exe	30
PID 1620 wrote to memory of 2752	1620	4b11a5f7e36b77fc4bd00d6d1b1df5d5_JaffaCakes118.exe	30
PID 1620 wrote to memory of 2752	1620	4b11a5f7e36b77fc4bd00d6d1b1df5d5_JaffaCakes118.exe	30
PID 1620 wrote to memory of 2752	1620	4b11a5f7e36b77fc4bd00d6d1b1df5d5_JaffaCakes118.exe	30
PID 1620 wrote to memory of 2752	1620	4b11a5f7e36b77fc4bd00d6d1b1df5d5_JaffaCakes118.exe	30
PID 1620 wrote to memory of 2752	1620	4b11a5f7e36b77fc4bd00d6d1b1df5d5_JaffaCakes118.exe	30
PID 1620 wrote to memory of 2744	1620	4b11a5f7e36b77fc4bd00d6d1b1df5d5_JaffaCakes118.exe	31
PID 1620 wrote to memory of 2744	1620	4b11a5f7e36b77fc4bd00d6d1b1df5d5_JaffaCakes118.exe	31
PID 1620 wrote to memory of 2744	1620	4b11a5f7e36b77fc4bd00d6d1b1df5d5_JaffaCakes118.exe	31
PID 1620 wrote to memory of 2744	1620	4b11a5f7e36b77fc4bd00d6d1b1df5d5_JaffaCakes118.exe	31
PID 2744 wrote to memory of 1116	2744	MY IDS NEW CAMFROG.EXE	20
PID 2744 wrote to memory of 1116	2744	MY IDS NEW CAMFROG.EXE	20
PID 2744 wrote to memory of 1116	2744	MY IDS NEW CAMFROG.EXE	20
PID 2744 wrote to memory of 1116	2744	MY IDS NEW CAMFROG.EXE	20
PID 2744 wrote to memory of 1116	2744	MY IDS NEW CAMFROG.EXE	20
PID 2744 wrote to memory of 1116	2744	MY IDS NEW CAMFROG.EXE	20

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1116
- C:\Users\Admin\AppData\Local\Temp\4b11a5f7e36b77fc4bd00d6d1b1df5d5_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\4b11a5f7e36b77fc4bd00d6d1b1df5d5_JaffaCakes118.exe"
  2⤵
  - Checks BIOS information in registry
  - Loads dropped DLL
  - Drops file in System32 directory
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious use of WriteProcessMemory
  PID:1620
- - C:\Windows\SysWOW64\CAMFROG_BOT_SETUP.EXE
    "C:\Windows\system32\CAMFROG_BOT_SETUP.EXE"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:2752
- - C:\Windows\SysWOW64\MY IDS NEW CAMFROG.EXE
    "C:\Windows\system32\MY IDS NEW CAMFROG.EXE"
    3⤵
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2744

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

3

T1012

System Information Discovery

4

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nst8356.tmp\ioSpecial.ini

Filesize
700B

MD5
5740a5852ea8553527b428f364703814

SHA1
90b5e50684c17292810caa55665c8ff100cbec4a

SHA256
68fdb7528c886135ae9424d0a3c56134ced7542afec3bad9a7064467b605704b

SHA512
23b2fbb3767826600a008c264fc825bb9cb6adf86aee82ce41e45a8da2b7e76f1e4ad98ad4b539d5d29d06f5075624633031c29527b754076d7944a9692dd698

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst8356.tmp\ioSpecial.ini

Filesize
739B

MD5
5985e3991f2e3b3905946cd12692709f

SHA1
7bbb1fe5245f7a5f567bb01a5d77f3045933a659

SHA256
775dc4b06d6b794dafe3b79093a4beaab8dc8b61d3ef09d88739f26ae042464c

SHA512
a89f07c5c986fbea326a197f8ff3a60a810f7a2b6651ff69022cad18b6e0e43237cd90342581e8b3f2ee71e66ac75b130005a6e0202778d5c85ae3996a39bc6e

Download Submit
C:\Windows\SysWOW64\MY IDS NEW CAMFROG.EXE

Filesize
313KB

MD5
4004952ef9cf6b50df81dab7d0794836

SHA1
cc0a8ead3ad17bb016281a99a025fb87d197221e

SHA256
0f3448817e1e21b9d4fc16af84f87e3ecf2feab84c0942e32df0a35e0ed3fa19

SHA512
0d1195ecd4d05fbc977699cd4bb758ef4cd76d1df7ccce372f6dc746e9bd875919c6ca13618d3e80b096646ce1392cedf9db15064fdd28652cf3e22816e6b9b7

Download Submit
\Users\Admin\AppData\Local\Temp\nst8356.tmp\InstallOptions.dll

Filesize
14KB

MD5
265aa21c1e266da48375da24735edac5

SHA1
fd1a1ad8eb4d2ec164709bea1bc6d49a8a6b9e58

SHA256
d6a1542f6e05f73828e0d4e97235665ec706025d39de321dcb85ab78ad838536

SHA512
a2b4c66639504be4bad19346b5ac75eb992346e583c82071c9b7f23beb7252c61c553d71d3289a4d9735964a5e5907fa12e2d382352d7b5974959a78aaf969b1

Download Submit
\Users\Admin\AppData\Local\Temp\zml81FC.tmp

Filesize
172KB

MD5
685f1cbd4af30a1d0c25f252d399a666

SHA1
6a1b978f5e6150b88c8634146f1406ed97d2f134

SHA256
0e478c95a7a07570a69e6061e7c1da9001bccad9cc454f2ed4da58824a13e0f4

SHA512
6555ad6b4f4f26105ca8aad64501d74519a3e091f559b4b563d6ffb20a2ddfcde65e4fe94971a9bc65e86db577f2548ca00f9920d341c8ea808b04c0947d61d9

Download Submit
\Windows\SysWOW64\CAMFROG_BOT_SETUP.EXE

Filesize
1.7MB

MD5
5df0b89cb10caed962a868a6190bf848

SHA1
b6cb55e068dd2f67f04e7b7d68589e421821f285

SHA256
8b079bdd96fd5e02b91a5ff3a04bd013277525ed6804f1ae7b33ac72bafbc30a

SHA512
f57b21e3ed956e2ef412f26203d2577efca4cec1864139cece58a6c6c88866fe352d60a2b8e7d9143f5dfdb7335fc5439169b6d98dea207f818bca959ad8d124

Download Submit
memory/1116-123-0x000000007EFC0000-0x000000007EFC6000-memory.dmp

Filesize
24KB

Download
memory/1116-116-0x000000007FFF0000-0x000000007FFF1000-memory.dmp

Filesize
4KB

Download
memory/1620-29-0x0000000000400000-0x0000000000D9F000-memory.dmp

Filesize
9.6MB

Download
memory/1620-26-0x0000000003630000-0x00000000036A3000-memory.dmp

Filesize
460KB

Download
memory/1620-1-0x00000000029C0000-0x0000000002AD0000-memory.dmp

Filesize
1.1MB

Download
memory/1620-30-0x0000000003630000-0x0000000003663000-memory.dmp

Filesize
204KB

Download
memory/1620-0-0x0000000000400000-0x0000000000D9F000-memory.dmp

Filesize
9.6MB

Download
memory/1620-27-0x00000000029C0000-0x0000000002AD0000-memory.dmp

Filesize
1.1MB

Download
memory/1620-7-0x0000000003630000-0x0000000003663000-memory.dmp

Filesize
204KB

Download
memory/2744-114-0x00000000021E0000-0x0000000002253000-memory.dmp

Filesize
460KB

Download
memory/2744-51-0x00000000023B0000-0x00000000024C0000-memory.dmp

Filesize
1.1MB

Download
memory/2744-35-0x0000000000400000-0x00000000007C3000-memory.dmp

Filesize
3.8MB

Download
memory/2744-134-0x0000000010000000-0x0000000010011000-memory.dmp

Filesize
68KB

Download
memory/2744-137-0x00000000021E0000-0x0000000002253000-memory.dmp

Filesize
460KB

Download
memory/2744-138-0x0000000000400000-0x00000000007C3000-memory.dmp

Filesize
3.8MB

Download
memory/2744-139-0x00000000023B0000-0x00000000024C0000-memory.dmp

Filesize
1.1MB

Download
memory/2752-15-0x0000000000340000-0x00000000003B3000-memory.dmp

Filesize
460KB

Download
memory/2752-14-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2752-140-0x0000000000340000-0x00000000003B3000-memory.dmp

Filesize
460KB

Download
memory/2752-141-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2752-147-0x0000000000340000-0x00000000003B3000-memory.dmp

Filesize
460KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads