Analysis
max time kernel: 147s
max time network: 150s
platform: windows7_x64
resource: win7-20240704-en
resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
submitted: 26-07-2024 04:05
Static task: static1
Behavioral task: behavioral1
  Sample: 7285fe11585198388f629e081d1c0f83_JaffaCakes118.exe
  Resource: win7-20240704-en
Behavioral task: behavioral2
  Sample: 7285fe11585198388f629e081d1c0f83_JaffaCakes118.exe
  Resource: win10v2004-20240709-en
General
Target: 7285fe11585198388f629e081d1c0f83_JaffaCakes118.exe
Size: 2.8MB
MD5: 7285fe11585198388f629e081d1c0f83
SHA1: e68034ebf92b0d78f3c1feaaeedcf6660209df21
SHA256: df57bad53e8a72aad344e6cc2644fe757cf2ae0744a8c0f1c6c0caff63379203
SHA512: 9b8179830bc7cd410562f083599a442eab65894e644da4f5e9843d419046744b3fb29a16679fed84f818d08227d8f7839d1ba21dc5d02a44737e342f3400547e
SSDEEP: 49152:9kQ8FXrOuMlEmyUQZc36sPjMvU7PbdKJf8EWj:6Q8RDOEmySqsrQoKU
Malware Config
Signatures
RevengeRAT
Remote-access trojan with a wide range of capabilities.

Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 1 IoCs)
Processes: 7285fe11585198388f629e081d1c0f83_JaffaCakes118.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 7285fe11585198388f629e081d1c0f83_JaffaCakes118.exe

RevengeRat Executable (1 IoCs)
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\Windows Security Health Service.exe | revengerat

Checks BIOS information in registry (2 TTPs, 2 IoCs)
BIOS information is often read in order to detect sandboxing environments.
Processes: 7285fe11585198388f629e081d1c0f83_JaffaCakes118.exe
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 7285fe11585198388f629e081d1c0f83_JaffaCakes118.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 7285fe11585198388f629e081d1c0f83_JaffaCakes118.exe

Drops startup file (2 IoCs)
Processes: Usermode Font Driver Host.exe
description | ioc | process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Chrome updater.exe | Usermode Font Driver Host.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Chrome updater.exe | Usermode Font Driver Host.exe

Executes dropped EXE (4 IoCs)
Processes: GoldHaxV2.98464Bit.exe, GoldHax V2.984 64 Bit.EXE, Windows Security Health Service.exe, Usermode Font Driver Host.exe
pid | process
2700 | GoldHaxV2.98464Bit.exe
2708 | GoldHax V2.984 64 Bit.EXE
2624 | Windows Security Health Service.exe
1364 | Usermode Font Driver Host.exe
Identifies Wine through registry keys (2 TTPs, 1 IoCs)
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
Processes: 7285fe11585198388f629e081d1c0f83_JaffaCakes118.exe
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Wine | 7285fe11585198388f629e081d1c0f83_JaffaCakes118.exe
Loads dropped DLL (3 IoCs)
Processes: 7285fe11585198388f629e081d1c0f83_JaffaCakes118.exe, Windows Security Health Service.exe
pid | process
2516 | 7285fe11585198388f629e081d1c0f83_JaffaCakes118.exe
2624 | Windows Security Health Service.exe
2624 | Windows Security Health Service.exe

Adds Run key to start application (2 TTPs, 1 IoCs)
Processes: Usermode Font Driver Host.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Run\Usermode Font Driver = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Usermode Font Driver Host.exe" | Usermode Font Driver Host.exe

Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoCs)
Processes: 7285fe11585198388f629e081d1c0f83_JaffaCakes118.exe
pid | process
2516 | 7285fe11585198388f629e081d1c0f83_JaffaCakes118.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 7 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes: Usermode Font Driver Host.exe, schtasks.exe, 7285fe11585198388f629e081d1c0f83_JaffaCakes118.exe, cmd.exe, getmac.exe, GoldHax V2.984 64 Bit.EXE, Windows Security Health Service.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Usermode Font Driver Host.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | schtasks.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 7285fe11585198388f629e081d1c0f83_JaffaCakes118.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | getmac.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | GoldHax V2.984 64 Bit.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Windows Security Health Service.exe
Scheduled Task/Job: Scheduled Task (1 TTPs, 1 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.

Suspicious behavior: EnumeratesProcesses (3 IoCs)
Processes: 7285fe11585198388f629e081d1c0f83_JaffaCakes118.exe, GoldHaxV2.98464Bit.exe
pid | process
2516 | 7285fe11585198388f629e081d1c0f83_JaffaCakes118.exe
2700 | GoldHaxV2.98464Bit.exe
2700 | GoldHaxV2.98464Bit.exe

Suspicious use of AdjustPrivilegeToken (4 IoCs)
Processes: 7285fe11585198388f629e081d1c0f83_JaffaCakes118.exe, GoldHaxV2.98464Bit.exe, Windows Security Health Service.exe, Usermode Font Driver Host.exe
description | pid | process
Token: SeDebugPrivilege | 2516 | 7285fe11585198388f629e081d1c0f83_JaffaCakes118.exe
Token: SeDebugPrivilege | 2700 | GoldHaxV2.98464Bit.exe
Token: SeDebugPrivilege | 2624 | Windows Security Health Service.exe
Token: SeDebugPrivilege | 1364 | Usermode Font Driver Host.exe

Suspicious use of WriteProcessMemory (28 IoCs)
Processes: 7285fe11585198388f629e081d1c0f83_JaffaCakes118.exe, cmd.exe, GoldHaxV2.98464Bit.exe, Windows Security Health Service.exe, Usermode Font Driver Host.exe
description | pid | process | target process
PID 2516 wrote to memory of 2700 | 2516 | 7285fe11585198388f629e081d1c0f83_JaffaCakes118.exe | GoldHaxV2.98464Bit.exe
PID 2516 wrote to memory of 2700 | 2516 | 7285fe11585198388f629e081d1c0f83_JaffaCakes118.exe | GoldHaxV2.98464Bit.exe
PID 2516 wrote to memory of 2700 | 2516 | 7285fe11585198388f629e081d1c0f83_JaffaCakes118.exe | GoldHaxV2.98464Bit.exe
PID 2516 wrote to memory of 2700 | 2516 | 7285fe11585198388f629e081d1c0f83_JaffaCakes118.exe | GoldHaxV2.98464Bit.exe
PID 2516 wrote to memory of 2792 | 2516 | 7285fe11585198388f629e081d1c0f83_JaffaCakes118.exe | cmd.exe
PID 2516 wrote to memory of 2792 | 2516 | 7285fe11585198388f629e081d1c0f83_JaffaCakes118.exe | cmd.exe
PID 2516 wrote to memory of 2792 | 2516 | 7285fe11585198388f629e081d1c0f83_JaffaCakes118.exe | cmd.exe
PID 2516 wrote to memory of 2792 | 2516 | 7285fe11585198388f629e081d1c0f83_JaffaCakes118.exe | cmd.exe
PID 2792 wrote to memory of 2932 | 2792 | cmd.exe | getmac.exe
PID 2792 wrote to memory of 2932 | 2792 | cmd.exe | getmac.exe
PID 2792 wrote to memory of 2932 | 2792 | cmd.exe | getmac.exe
PID 2792 wrote to memory of 2932 | 2792 | cmd.exe | getmac.exe
PID 2700 wrote to memory of 2708 | 2700 | GoldHaxV2.98464Bit.exe | GoldHax V2.984 64 Bit.EXE
PID 2700 wrote to memory of 2708 | 2700 | GoldHaxV2.98464Bit.exe | GoldHax V2.984 64 Bit.EXE
PID 2700 wrote to memory of 2708 | 2700 | GoldHaxV2.98464Bit.exe | GoldHax V2.984 64 Bit.EXE
PID 2700 wrote to memory of 2708 | 2700 | GoldHaxV2.98464Bit.exe | GoldHax V2.984 64 Bit.EXE
PID 2700 wrote to memory of 2624 | 2700 | GoldHaxV2.98464Bit.exe | Windows Security Health Service.exe
PID 2700 wrote to memory of 2624 | 2700 | GoldHaxV2.98464Bit.exe | Windows Security Health Service.exe
PID 2700 wrote to memory of 2624 | 2700 | GoldHaxV2.98464Bit.exe | Windows Security Health Service.exe
PID 2700 wrote to memory of 2624 | 2700 | GoldHaxV2.98464Bit.exe | Windows Security Health Service.exe
PID 2624 wrote to memory of 1364 | 2624 | Windows Security Health Service.exe | Usermode Font Driver Host.exe
PID 2624 wrote to memory of 1364 | 2624 | Windows Security Health Service.exe | Usermode Font Driver Host.exe
PID 2624 wrote to memory of 1364 | 2624 | Windows Security Health Service.exe | Usermode Font Driver Host.exe
PID 2624 wrote to memory of 1364 | 2624 | Windows Security Health Service.exe | Usermode Font Driver Host.exe
PID 1364 wrote to memory of 1124 | 1364 | Usermode Font Driver Host.exe | schtasks.exe
PID 1364 wrote to memory of 1124 | 1364 | Usermode Font Driver Host.exe | schtasks.exe
PID 1364 wrote to memory of 1124 | 1364 | Usermode Font Driver Host.exe | schtasks.exe
PID 1364 wrote to memory of 1124 | 1364 | Usermode Font Driver Host.exe | schtasks.exe
Processes

C:\Users\Admin\AppData\Local\Temp\7285fe11585198388f629e081d1c0f83_JaffaCakes118.exe (PID 2516, level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\7285fe11585198388f629e081d1c0f83_JaffaCakes118.exe"
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Identifies Wine through registry keys
  - Loads dropped DLL
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\GoldHaxV2.98464Bit.exe (PID 2700, level 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\GoldHaxV2.98464Bit.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\GoldHax V2.984 64 Bit.EXE (PID 2708, level 3)
      Command line: "C:\Users\Admin\AppData\Local\Temp\GoldHax V2.984 64 Bit.EXE"
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery

    C:\Users\Admin\AppData\Local\Temp\Windows Security Health Service.exe (PID 2624, level 3)
      Command line: "C:\Users\Admin\AppData\Local\Temp\Windows Security Health Service.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Usermode Font Driver Host.exe (PID 1364, level 4)
        Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Usermode Font Driver Host.exe"
        - Drops startup file
        - Executes dropped EXE
        - Adds Run key to start application
        - System Location Discovery: System Language Discovery
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\schtasks.exe (PID 1124, level 5)
          Command line: schtasks /create /sc minute /mo 1 /tn "Chrome Updater" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Usermode Font Driver Host.exe"
          - System Location Discovery: System Language Discovery
          - Scheduled Task/Job: Scheduled Task

  C:\Windows\SysWOW64\cmd.exe (PID 2792, level 2)
    Command line: "cmd.exe" /c getmac /v /fo list
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\getmac.exe (PID 2932, level 3)
      Command line: getmac /v /fo list
      - System Location Discovery: System Language Discovery

C:\Windows\system32\taskeng.exe (PID 3020, level 1)
  Command line: taskeng.exe {8FF2FF46-EBFA-4F1A-911C-13D83DD5B12F} S-1-5-21-3294248377-1418901787-4083263181-1000:FMEDFXFE\Admin:Interactive:[1]
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Scheduled Task/Job (1)
    Scheduled Task (1)
Privilege Escalation
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Scheduled Task/Job (1)
    Scheduled Task (1)
Downloads

Filesize: 125KB
MD5: 6a62d4ed369105b26b6133f536160791
SHA1: f9e232fb7f7316fbaafcb817235e2406ebd8db79
SHA256: fb18c286d846003d2d2888749176b5b032e506eef01a44d3befe0eeed8e99f70
SHA512: ea9f9e627cae6ff9204416c97c8ba2db11a14a8aead72a999159c36f8e90e6136e50aafb84d25ff8c1dc1b6ebe1304ea88d4e4bbf5a72515d59653b12c143980

Filesize: 53KB
MD5: 996f495437c25b794acafc4b0f945a84
SHA1: e22fb0120b9988928303323593478edad4887fa3
SHA256: d063370cbe1e2d284518607c87c2bcefe02a9446bfbcdf4edf61e340f576d89f
SHA512: 0fe1086461e38966feec4a43efca63f7585a77ca8ed439ba8e631bc7bdfdb3b34fc3d0a9a285868b47819de80fc2686358833acec28c0eff4e6c1fbed1890d63

Filesize: 177KB
MD5: 76aca22cbb97f33600ac8a57643e9521
SHA1: 7f0fbe012460ff4ed705f2002190b72f717eab8f
SHA256: d8ee7da90047416960c08869a251fac032fa0f9c8bf4ebb7de6ae92cdab5853a
SHA512: 50d5cca22f2bb9229ab830b3783acda277716a5fe6c0c78060be727153cd1d35171cb1385dd2ad2a7b32a2c1b41fa6d954572f4843d270d8340df00744190ed0