cae3f718ca64811023558124f9f9913855993ebcde0f83eeed30deb4cc38d8f4

Analysis

max time kernel
136s
max time network
106s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
18/08/2024, 22:21

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

a8722e32e7e7239c3214487614b29f42_JaffaCakes118.exe
Size

403KB
MD5

a8722e32e7e7239c3214487614b29f42
SHA1

6e9f2ceef003129dd85e61356cd6100ba3ce708f
SHA256

cae3f718ca64811023558124f9f9913855993ebcde0f83eeed30deb4cc38d8f4
SHA512

96321284e4fb8296da525b9d000cfcefaf42174148fe522b58c3c13789a3993d1e338e763a10bfb1a8724c93218284ee52378295daee6ae1d3075e6adda81e50
SSDEEP

6144:E6zETtD/bvk2JH4A53RjrsNUGIl9VuJUo7tyx8i03KWTNKgvf:E5TZbRH4axQNUGIR7o7QP4

Score

8^/10

discovery evasion trojan vmprotect

Malware Config

Signatures

Drops file in Drivers directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\PktMon.sys	a8722e32e7e7239c3214487614b29f42_JaffaCakes118.exe
File opened for modification	C:\Windows\System32\drivers\sbp2port.sys	a8722e32e7e7239c3214487614b29f42_JaffaCakes118.exe
File opened for modification	C:\Windows\System32\drivers\tsusbhub.sys	a8722e32e7e7239c3214487614b29f42_JaffaCakes118.exe
File opened for modification	C:\Windows\System32\drivers\BthA2dp.sys	a8722e32e7e7239c3214487614b29f42_JaffaCakes118.exe
File opened for modification	C:\Windows\System32\drivers\vhf.sys	a8722e32e7e7239c3214487614b29f42_JaffaCakes118.exe
File opened for modification	C:\Windows\System32\drivers\bcmfn2.sys	a8722e32e7e7239c3214487614b29f42_JaffaCakes118.exe
File opened for modification	C:\Windows\System32\drivers\iaLPSSi_I2C.sys	a8722e32e7e7239c3214487614b29f42_JaffaCakes118.exe
File opened for modification	C:\Windows\System32\drivers\BthEnum.sys	a8722e32e7e7239c3214487614b29f42_JaffaCakes118.exe
File opened for modification	C:\Windows\System32\drivers\buttonconverter.sys	a8722e32e7e7239c3214487614b29f42_JaffaCakes118.exe
File opened for modification	C:\Windows\System32\drivers\vsmraid.sys	a8722e32e7e7239c3214487614b29f42_JaffaCakes118.exe
File opened for modification	C:\Windows\System32\drivers\BTHUSB.sys	a8722e32e7e7239c3214487614b29f42_JaffaCakes118.exe
File opened for modification	C:\Windows\system32\drivers\hvservice.sys	a8722e32e7e7239c3214487614b29f42_JaffaCakes118.exe
File opened for modification	C:\Windows\System32\drivers\portcfg.sys	a8722e32e7e7239c3214487614b29f42_JaffaCakes118.exe
File opened for modification	C:\Windows\System32\drivers\serenum.sys	a8722e32e7e7239c3214487614b29f42_JaffaCakes118.exe
File opened for modification	C:\Windows\system32\drivers\winnat.sys	a8722e32e7e7239c3214487614b29f42_JaffaCakes118.exe
File opened for modification	C:\Windows\System32\Drivers\Beep.sys	a8722e32e7e7239c3214487614b29f42_JaffaCakes118.exe
File opened for modification	C:\Windows\system32\drivers\spaceparser.sys	a8722e32e7e7239c3214487614b29f42_JaffaCakes118.exe
File opened for modification	C:\Windows\system32\DRIVERS\wdiwifi.sys	a8722e32e7e7239c3214487614b29f42_JaffaCakes118.exe
File opened for modification	C:\Windows\System32\drivers\winverbs.sys	a8722e32e7e7239c3214487614b29f42_JaffaCakes118.exe
File opened for modification	C:\Windows\System32\drivers\3ware.sys	a8722e32e7e7239c3214487614b29f42_JaffaCakes118.exe
File opened for modification	C:\Windows\System32\drivers\BTHMINI.sys	a8722e32e7e7239c3214487614b29f42_JaffaCakes118.exe
File opened for modification	C:\Windows\System32\drivers\SmartSAMD.sys	a8722e32e7e7239c3214487614b29f42_JaffaCakes118.exe
File opened for modification	C:\Windows\System32\drivers\flpydisk.sys	a8722e32e7e7239c3214487614b29f42_JaffaCakes118.exe
File opened for modification	C:\Windows\System32\drivers\iaLPSS2i_I2C_GLK.sys	a8722e32e7e7239c3214487614b29f42_JaffaCakes118.exe
File opened for modification	C:\Windows\System32\DRIVERS\rasacd.sys	a8722e32e7e7239c3214487614b29f42_JaffaCakes118.exe
File opened for modification	C:\Windows\system32\drivers\ucx01000.sys	a8722e32e7e7239c3214487614b29f42_JaffaCakes118.exe
File opened for modification	C:\Windows\System32\drivers\wmiacpi.sys	a8722e32e7e7239c3214487614b29f42_JaffaCakes118.exe
File opened for modification	C:\Windows\system32\drivers\appid.sys	a8722e32e7e7239c3214487614b29f42_JaffaCakes118.exe
File opened for modification	C:\Windows\System32\drivers\iai2c.sys	a8722e32e7e7239c3214487614b29f42_JaffaCakes118.exe
File opened for modification	C:\Windows\System32\drivers\ipnat.sys	a8722e32e7e7239c3214487614b29f42_JaffaCakes118.exe
File opened for modification	C:\Windows\System32\drivers\MTConfig.sys	a8722e32e7e7239c3214487614b29f42_JaffaCakes118.exe
File opened for modification	C:\Windows\system32\DRIVERS\ramdisk.sys	a8722e32e7e7239c3214487614b29f42_JaffaCakes118.exe
File opened for modification	C:\Windows\System32\drivers\netvsc.sys	a8722e32e7e7239c3214487614b29f42_JaffaCakes118.exe
File opened for modification	C:\Windows\System32\DRIVERS\scfilter.sys	a8722e32e7e7239c3214487614b29f42_JaffaCakes118.exe
File opened for modification	C:\Windows\System32\drivers\terminpt.sys	a8722e32e7e7239c3214487614b29f42_JaffaCakes118.exe
File opened for modification	C:\Windows\system32\drivers\udecx.sys	a8722e32e7e7239c3214487614b29f42_JaffaCakes118.exe
File opened for modification	C:\Windows\System32\drivers\xinputhid.sys	a8722e32e7e7239c3214487614b29f42_JaffaCakes118.exe
File opened for modification	C:\Windows\System32\drivers\intelide.sys	a8722e32e7e7239c3214487614b29f42_JaffaCakes118.exe
File opened for modification	C:\Windows\System32\drivers\isapnp.sys	a8722e32e7e7239c3214487614b29f42_JaffaCakes118.exe
File opened for modification	C:\Windows\system32\drivers\qwavedrv.sys	a8722e32e7e7239c3214487614b29f42_JaffaCakes118.exe
File opened for modification	C:\Windows\system32\drivers\SpbCx.sys	a8722e32e7e7239c3214487614b29f42_JaffaCakes118.exe
File opened for modification	C:\Windows\System32\drivers\storufs.sys	a8722e32e7e7239c3214487614b29f42_JaffaCakes118.exe
File opened for modification	C:\Windows\system32\drivers\applockerfltr.sys	a8722e32e7e7239c3214487614b29f42_JaffaCakes118.exe
File opened for modification	C:\Windows\System32\drivers\dmvsc.sys	a8722e32e7e7239c3214487614b29f42_JaffaCakes118.exe
File opened for modification	C:\Windows\System32\drivers\ibbus.sys	a8722e32e7e7239c3214487614b29f42_JaffaCakes118.exe
File opened for modification	C:\Windows\System32\drivers\Microsoft.Bluetooth.AvrcpTransport.sys	a8722e32e7e7239c3214487614b29f42_JaffaCakes118.exe
File opened for modification	C:\Windows\System32\drivers\sisraid4.sys	a8722e32e7e7239c3214487614b29f42_JaffaCakes118.exe
File opened for modification	C:\Windows\System32\drivers\1394ohci.sys	a8722e32e7e7239c3214487614b29f42_JaffaCakes118.exe
File opened for modification	C:\Windows\System32\drivers\amdxata.sys	a8722e32e7e7239c3214487614b29f42_JaffaCakes118.exe
File opened for modification	C:\Windows\System32\drivers\EhStorTcgDrv.sys	a8722e32e7e7239c3214487614b29f42_JaffaCakes118.exe
File opened for modification	C:\Windows\System32\drivers\bttflt.sys	a8722e32e7e7239c3214487614b29f42_JaffaCakes118.exe
File opened for modification	C:\Windows\System32\drivers\pnpmem.sys	a8722e32e7e7239c3214487614b29f42_JaffaCakes118.exe
File opened for modification	C:\Windows\System32\drivers\rhproxy.sys	a8722e32e7e7239c3214487614b29f42_JaffaCakes118.exe
File opened for modification	C:\Windows\System32\drivers\Synth3dVsc.sys	a8722e32e7e7239c3214487614b29f42_JaffaCakes118.exe
File opened for modification	C:\Windows\System32\drivers\winmad.sys	a8722e32e7e7239c3214487614b29f42_JaffaCakes118.exe
File opened for modification	C:\Windows\System32\drivers\asyncmac.sys	a8722e32e7e7239c3214487614b29f42_JaffaCakes118.exe
File opened for modification	C:\Windows\System32\drivers\iagpio.sys	a8722e32e7e7239c3214487614b29f42_JaffaCakes118.exe
File opened for modification	C:\Windows\system32\DRIVERS\ipfltdrv.sys	a8722e32e7e7239c3214487614b29f42_JaffaCakes118.exe
File opened for modification	C:\Windows\System32\drivers\MSKSSRV.sys	a8722e32e7e7239c3214487614b29f42_JaffaCakes118.exe
File opened for modification	C:\Windows\System32\drivers\tunnel.sys	a8722e32e7e7239c3214487614b29f42_JaffaCakes118.exe
File opened for modification	C:\Windows\System32\drivers\ipt.sys	a8722e32e7e7239c3214487614b29f42_JaffaCakes118.exe
File opened for modification	C:\Windows\system32\DRIVERS\nwifi.sys	a8722e32e7e7239c3214487614b29f42_JaffaCakes118.exe
File opened for modification	C:\Windows\System32\drivers\pcmcia.sys	a8722e32e7e7239c3214487614b29f42_JaffaCakes118.exe
File opened for modification	C:\Windows\System32\Drivers\UcmTcpciCx.sys	a8722e32e7e7239c3214487614b29f42_JaffaCakes118.exe

VMProtect packed file 3 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral2/memory/3532-0-0x0000000000400000-0x00000000004AC000-memory.dmp	vmprotect
behavioral2/memory/3532-2-0x0000000000400000-0x00000000004AC000-memory.dmp	vmprotect
behavioral2/memory/3532-5-0x0000000000400000-0x00000000004AC000-memory.dmp	vmprotect

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	a8722e32e7e7239c3214487614b29f42_JaffaCakes118.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\urssynopsys.inf_amd64_057fa37902020500\urssynopsys.sys	a8722e32e7e7239c3214487614b29f42_JaffaCakes118.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\vrd.inf_amd64_81fbd405ff2470fc\vrd.sys	a8722e32e7e7239c3214487614b29f42_JaffaCakes118.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\genericusbfn.inf_amd64_53931f0ae21d6d2c\genericusbfn.sys	a8722e32e7e7239c3214487614b29f42_JaffaCakes118.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\uefi.inf_amd64_c1628ffa62c8e54c\UEFI.sys	a8722e32e7e7239c3214487614b29f42_JaffaCakes118.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\ufxchipidea.inf_amd64_1c78775fffab6a0a\UfxChipidea.sys	a8722e32e7e7239c3214487614b29f42_JaffaCakes118.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\urschipidea.inf_amd64_78ad1c14e33df968\urschipidea.sys	a8722e32e7e7239c3214487614b29f42_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a8722e32e7e7239c3214487614b29f42_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3532	a8722e32e7e7239c3214487614b29f42_JaffaCakes118.exe
3532	a8722e32e7e7239c3214487614b29f42_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\a8722e32e7e7239c3214487614b29f42_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a8722e32e7e7239c3214487614b29f42_JaffaCakes118.exe"
1⤵
- Drops file in Drivers directory
- Checks whether UAC is enabled
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3532

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3532-0-0x0000000000400000-0x00000000004AC000-memory.dmp

Filesize
688KB

Download
memory/3532-2-0x0000000000400000-0x00000000004AC000-memory.dmp

Filesize
688KB

Download
memory/3532-3-0x00000000021A0000-0x00000000021A1000-memory.dmp

Filesize
4KB

Download
memory/3532-5-0x0000000000400000-0x00000000004AC000-memory.dmp

Filesize
688KB

Download
memory/3532-6-0x00000000021A0000-0x00000000021A1000-memory.dmp

Filesize
4KB

Download