Analysis
-
max time kernel
149s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240709-en -
resource tags
arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system -
submitted
22/07/2024, 15:12
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
63aed92ceccf6514098ba33e643fa903_JaffaCakes118.exe
Resource
win7-20240705-en
10 signatures
150 seconds
General
-
Target
63aed92ceccf6514098ba33e643fa903_JaffaCakes118.exe
-
Size
432KB
-
MD5
63aed92ceccf6514098ba33e643fa903
-
SHA1
596be6d69a6c0eebcc1281d3a191104ba1416d22
-
SHA256
5aef3519c7815eb14cad402be02941092a90eb4d1f27d76584c968ba187822b3
-
SHA512
9f86234f1f63a2cc30b1b0f8e13088cbac740b9083a8d2848275e96096b57890722b88459a353bb2081162428269ea956c9b51786435c966793e9326be25a7d1
-
SSDEEP
12288:UmeVQkTrvj43tCLU/rciX8Dl6L8wLX0ePjRWAdNH/G:UTQkTf4dCwgiulJCAmHO
Malware Config
Signatures
-
Checks BIOS information in registry 2 TTPs 1 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate vbc.exe -
resource yara_rule behavioral2/memory/60-58-0x0000000000400000-0x00000000004B5000-memory.dmp upx behavioral2/memory/60-65-0x0000000000400000-0x00000000004B5000-memory.dmp upx behavioral2/memory/60-64-0x0000000000400000-0x00000000004B5000-memory.dmp upx behavioral2/memory/60-63-0x0000000000400000-0x00000000004B5000-memory.dmp upx behavioral2/memory/60-62-0x0000000000400000-0x00000000004B5000-memory.dmp upx behavioral2/memory/60-60-0x0000000000400000-0x00000000004B5000-memory.dmp upx behavioral2/memory/60-57-0x0000000000400000-0x00000000004B5000-memory.dmp upx behavioral2/memory/60-56-0x0000000000400000-0x00000000004B5000-memory.dmp upx behavioral2/memory/60-67-0x0000000000400000-0x00000000004B5000-memory.dmp upx behavioral2/memory/60-69-0x0000000000400000-0x00000000004B5000-memory.dmp upx behavioral2/memory/60-70-0x0000000000400000-0x00000000004B5000-memory.dmp upx behavioral2/memory/60-72-0x0000000000400000-0x00000000004B5000-memory.dmp upx behavioral2/memory/60-74-0x0000000000400000-0x00000000004B5000-memory.dmp upx behavioral2/memory/60-75-0x0000000000400000-0x00000000004B5000-memory.dmp upx behavioral2/memory/60-76-0x0000000000400000-0x00000000004B5000-memory.dmp upx behavioral2/memory/60-77-0x0000000000400000-0x00000000004B5000-memory.dmp upx behavioral2/memory/60-78-0x0000000000400000-0x00000000004B5000-memory.dmp upx behavioral2/memory/60-79-0x0000000000400000-0x00000000004B5000-memory.dmp upx behavioral2/memory/60-80-0x0000000000400000-0x00000000004B5000-memory.dmp upx behavioral2/memory/60-81-0x0000000000400000-0x00000000004B5000-memory.dmp upx behavioral2/memory/60-82-0x0000000000400000-0x00000000004B5000-memory.dmp upx behavioral2/memory/60-83-0x0000000000400000-0x00000000004B5000-memory.dmp upx behavioral2/memory/60-84-0x0000000000400000-0x00000000004B5000-memory.dmp upx behavioral2/memory/60-85-0x0000000000400000-0x00000000004B5000-memory.dmp upx -
Uses the VBS compiler for execution 1 TTPs
-
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 2860 set thread context of 60 2860 63aed92ceccf6514098ba33e643fa903_JaffaCakes118.exe 84 -
Checks processor information in registry 2 TTPs 4 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 vbc.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString vbc.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier vbc.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier vbc.exe -
Enumerates system info in registry 2 TTPs 1 IoCs
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier vbc.exe -
Suspicious use of AdjustPrivilegeToken 25 IoCs
description pid Process Token: SeDebugPrivilege 2860 63aed92ceccf6514098ba33e643fa903_JaffaCakes118.exe Token: SeIncreaseQuotaPrivilege 60 vbc.exe Token: SeSecurityPrivilege 60 vbc.exe Token: SeTakeOwnershipPrivilege 60 vbc.exe Token: SeLoadDriverPrivilege 60 vbc.exe Token: SeSystemProfilePrivilege 60 vbc.exe Token: SeSystemtimePrivilege 60 vbc.exe Token: SeProfSingleProcessPrivilege 60 vbc.exe Token: SeIncBasePriorityPrivilege 60 vbc.exe Token: SeCreatePagefilePrivilege 60 vbc.exe Token: SeBackupPrivilege 60 vbc.exe Token: SeRestorePrivilege 60 vbc.exe Token: SeShutdownPrivilege 60 vbc.exe Token: SeDebugPrivilege 60 vbc.exe Token: SeSystemEnvironmentPrivilege 60 vbc.exe Token: SeChangeNotifyPrivilege 60 vbc.exe Token: SeRemoteShutdownPrivilege 60 vbc.exe Token: SeUndockPrivilege 60 vbc.exe Token: SeManageVolumePrivilege 60 vbc.exe Token: SeImpersonatePrivilege 60 vbc.exe Token: SeCreateGlobalPrivilege 60 vbc.exe Token: 33 60 vbc.exe Token: 34 60 vbc.exe Token: 35 60 vbc.exe Token: 36 60 vbc.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 60 vbc.exe -
Suspicious use of WriteProcessMemory 8 IoCs
description pid Process procid_target PID 2860 wrote to memory of 60 2860 63aed92ceccf6514098ba33e643fa903_JaffaCakes118.exe 84 PID 2860 wrote to memory of 60 2860 63aed92ceccf6514098ba33e643fa903_JaffaCakes118.exe 84 PID 2860 wrote to memory of 60 2860 63aed92ceccf6514098ba33e643fa903_JaffaCakes118.exe 84 PID 2860 wrote to memory of 60 2860 63aed92ceccf6514098ba33e643fa903_JaffaCakes118.exe 84 PID 2860 wrote to memory of 60 2860 63aed92ceccf6514098ba33e643fa903_JaffaCakes118.exe 84 PID 2860 wrote to memory of 60 2860 63aed92ceccf6514098ba33e643fa903_JaffaCakes118.exe 84 PID 2860 wrote to memory of 60 2860 63aed92ceccf6514098ba33e643fa903_JaffaCakes118.exe 84 PID 2860 wrote to memory of 60 2860 63aed92ceccf6514098ba33e643fa903_JaffaCakes118.exe 84
Processes
-
C:\Users\Admin\AppData\Local\Temp\63aed92ceccf6514098ba33e643fa903_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\63aed92ceccf6514098ba33e643fa903_JaffaCakes118.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2860 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe2⤵
- Checks BIOS information in registry
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:60
-