a2b99bc286042b301692432559d915a6e8ae19f143afb9f91e6e5c51445ad925

Analysis

max time kernel
149s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
28/08/2024, 18:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c76530899637831fd1ec3f281fda195a_JaffaCakes118.exe
Size

1.2MB
MD5

c76530899637831fd1ec3f281fda195a
SHA1

207445fe509e567da3b3de081fc5e5334b2d77b2
SHA256

a2b99bc286042b301692432559d915a6e8ae19f143afb9f91e6e5c51445ad925
SHA512

fe933b0c19027e6a7fec65e9da04a3902db3509157c0b471289b13e1eab4d8f34776e78012210e8d1addeb52ed925b0136305c2aaaf761c8eed8b188562f3833
SSDEEP

24576:NhtOJF7fjodcrAh2LbBa4QhdvdL6sgMUQhG+oomy0r0DO/:NLO3LjouAh2LbOLdLAqooE

Score

9^/10

bootkit discovery evasion persistence

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	c76530899637831fd1ec3f281fda195a_JaffaCakes118.exe

Checks BIOS information in registry 2 TTPs 1 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	c76530899637831fd1ec3f281fda195a_JaffaCakes118.exe

Identifies Wine through registry keys 2 TTPs 1 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Software\Wine	c76530899637831fd1ec3f281fda195a_JaffaCakes118.exe

Unexpected DNS network traffic destination 12 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	209.81.91.69
Destination IP	66.238.94.253
Destination IP	208.255.120.34
Destination IP	162.27.34.248
Destination IP	63.146.191.180
Destination IP	63.163.55.51
Destination IP	204.126.127.122
Destination IP	188.40.76.130
Destination IP	169.146.191.18
Destination IP	209.145.176.20
Destination IP	63.87.170.8
Destination IP	207.170.7.6

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	c76530899637831fd1ec3f281fda195a_JaffaCakes118.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
3564	c76530899637831fd1ec3f281fda195a_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c76530899637831fd1ec3f281fda195a_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3564	c76530899637831fd1ec3f281fda195a_JaffaCakes118.exe
3564	c76530899637831fd1ec3f281fda195a_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 42 IoCs

pid	Process
3564	c76530899637831fd1ec3f281fda195a_JaffaCakes118.exe
3564	c76530899637831fd1ec3f281fda195a_JaffaCakes118.exe
3564	c76530899637831fd1ec3f281fda195a_JaffaCakes118.exe
3564	c76530899637831fd1ec3f281fda195a_JaffaCakes118.exe
3564	c76530899637831fd1ec3f281fda195a_JaffaCakes118.exe
3564	c76530899637831fd1ec3f281fda195a_JaffaCakes118.exe
3564	c76530899637831fd1ec3f281fda195a_JaffaCakes118.exe
3564	c76530899637831fd1ec3f281fda195a_JaffaCakes118.exe
3564	c76530899637831fd1ec3f281fda195a_JaffaCakes118.exe
3564	c76530899637831fd1ec3f281fda195a_JaffaCakes118.exe
3564	c76530899637831fd1ec3f281fda195a_JaffaCakes118.exe
3564	c76530899637831fd1ec3f281fda195a_JaffaCakes118.exe
3564	c76530899637831fd1ec3f281fda195a_JaffaCakes118.exe
3564	c76530899637831fd1ec3f281fda195a_JaffaCakes118.exe
3564	c76530899637831fd1ec3f281fda195a_JaffaCakes118.exe
3564	c76530899637831fd1ec3f281fda195a_JaffaCakes118.exe
3564	c76530899637831fd1ec3f281fda195a_JaffaCakes118.exe
3564	c76530899637831fd1ec3f281fda195a_JaffaCakes118.exe
3564	c76530899637831fd1ec3f281fda195a_JaffaCakes118.exe
3564	c76530899637831fd1ec3f281fda195a_JaffaCakes118.exe
3564	c76530899637831fd1ec3f281fda195a_JaffaCakes118.exe
3564	c76530899637831fd1ec3f281fda195a_JaffaCakes118.exe
3564	c76530899637831fd1ec3f281fda195a_JaffaCakes118.exe
3564	c76530899637831fd1ec3f281fda195a_JaffaCakes118.exe
3564	c76530899637831fd1ec3f281fda195a_JaffaCakes118.exe
3564	c76530899637831fd1ec3f281fda195a_JaffaCakes118.exe
3564	c76530899637831fd1ec3f281fda195a_JaffaCakes118.exe
3564	c76530899637831fd1ec3f281fda195a_JaffaCakes118.exe
3564	c76530899637831fd1ec3f281fda195a_JaffaCakes118.exe
3564	c76530899637831fd1ec3f281fda195a_JaffaCakes118.exe
3564	c76530899637831fd1ec3f281fda195a_JaffaCakes118.exe
3564	c76530899637831fd1ec3f281fda195a_JaffaCakes118.exe
3564	c76530899637831fd1ec3f281fda195a_JaffaCakes118.exe
3564	c76530899637831fd1ec3f281fda195a_JaffaCakes118.exe
3564	c76530899637831fd1ec3f281fda195a_JaffaCakes118.exe
3564	c76530899637831fd1ec3f281fda195a_JaffaCakes118.exe
3564	c76530899637831fd1ec3f281fda195a_JaffaCakes118.exe
3564	c76530899637831fd1ec3f281fda195a_JaffaCakes118.exe
3564	c76530899637831fd1ec3f281fda195a_JaffaCakes118.exe
3564	c76530899637831fd1ec3f281fda195a_JaffaCakes118.exe
3564	c76530899637831fd1ec3f281fda195a_JaffaCakes118.exe
3564	c76530899637831fd1ec3f281fda195a_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\c76530899637831fd1ec3f281fda195a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\c76530899637831fd1ec3f281fda195a_JaffaCakes118.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Writes to the Master Boot Record (MBR)
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3564

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\PUTTY.RND

Filesize
600B

MD5
0c5c3e9e686d78fa926ba45cb2bb404a

SHA1
ccd013fbae327a20b041495012f5270f7e0c689f

SHA256
b393cbbe6e7633160e00af8eb761e9de9adaf0cc33b4608309810bc238e8e9b2

SHA512
7136a41cdbafb7c2b426f7efe004ed2033700eeb60b00d0a30b21281c0050452bad782bff7477db09bf577b749addd0b4eea4d79f4bbd88d7743af8de5bff12b

Download Submit
C:\Users\Admin\PUTTY.RND

Filesize
600B

MD5
0b2e42fb9c653462ea8214ed36e618f0

SHA1
95369153d724450ef782c1c3b0702a888ac43ee6

SHA256
ec781daf1060d46a58a337208911f405593302dc01653984398497e04c91105a

SHA512
3bad45125def4bf562c8116d2392b69e452e225758d6564799c2069a745d8c4a01256efb1149a67f45fcc87148e6e539bfc71167ec311446433998e0b965e054

Download Submit
C:\Users\Admin\PUTTY.RND

Filesize
600B

MD5
3507fd0d8cffe3902b860c08998f0061

SHA1
9c81c731ef8f3b268e56af4110a58572ff6ae933

SHA256
9433b66832e932b85943db2348f9987fdb423b7aaea32d130eb7958e877834ae

SHA512
3929232c93f3fa3c3d26f3ab49108e373cce5073e14cdd94109aa243ca096581069c9dd470f2e270c58f29ffed28710cdea0fc569a13b7e2852b18f3185b162b

Download Submit
C:\Users\Admin\PUTTY.RND

Filesize
600B

MD5
55831e8d5df863caf8b13730b3a2eb50

SHA1
fa8ce68f7a9a4d242eb60e54ddad194d44018218

SHA256
f5189d688296639e76cd25a5f2c3842267e4675934ce38bb54173c822012406f

SHA512
a11f94e4866cf29354d5c9bf2af24d8cad6b70fd1e06b2cd1fa94970b5a2b5dc4a07940322971aefaf41d85b96b30bc92a8ceb13b1aa7638e15cd21cade82478

Download Submit
C:\Users\Admin\PUTTY.RND

Filesize
600B

MD5
9e0602211807a6b08d0030ed3ce51aba

SHA1
51a170006d62d0eb9d7b13becd008c30474f8822

SHA256
810fc89afc6906a84a3d7946496eabbd07d6bf384772a409ba183baa128fd907

SHA512
65bd01bea2c78399e979234c5f475da764c7aa382bf92a7973685ac5997a72d6c4599dfbac37db2db35c0213e047114c620bd657c23a42a4463c93d93422a73e

Download Submit
C:\Users\Admin\PUTTY.RND

Filesize
600B

MD5
332b9c48ca6cf17854af055c45a54a9a

SHA1
e6ee85bc2e3de6bef893a426972ba0fda143032e

SHA256
2a6d64c2838fd5d806f7351a61a57b98a3c57af8b3235b14f9db49c135c4ac2d

SHA512
167e3f9507e9484a1adb847f1e858d8728ed89b98ff2c3435e24f02f354c60e2e20d79128983825060ecef9867c62a36dc6837d150330c2854a62dd3c6f49bca

Download Submit
C:\Users\Admin\PUTTY.RND

Filesize
600B

MD5
48097b6149b1469459b129937ad35508

SHA1
c1db61b311b4af025a6bcd4b5f41ab70a1bede29

SHA256
41c0e57cb1026b183e317ecd530bbe1e19abd9eb012aaeca0a161038d663cd3c

SHA512
7dbe6d83c55dd61876035fe2707de1000d3bdf5a5b1e7ce5045489224be5d5f4a83501ed618e619dd2d4e04fe787fb6095663b193b56a30850659e451831b67f

Download Submit
C:\Users\Admin\PUTTY.RND

Filesize
600B

MD5
62a88a3cbb6a29c1b8cdfe54f8e0e94e

SHA1
e79921203d75b07888cc74ba0f354b6a263a2562

SHA256
01f0d044a88c3718043ce84e9ce2aa5d9fe12c3587717441fdb1ffb3bc794786

SHA512
435851a33af635fbf2d32df47844aa96cc2bda81b0262c60abef67d6eaa32aab980256dd43009f1956ca4dd87324d668906a78374a91f5ef8ee5ba023b1823c6

Download Submit
C:\Users\Admin\PUTTY.RND

Filesize
600B

MD5
0ae7284ef2a3ee00d76d9a84698d221b

SHA1
dc7e71ca911d07e3d2cbebfa68a0f24d32d0f032

SHA256
f66792ea796bfd331634bca5aa174d144800c21f15e321c1832886eb5fc5c43d

SHA512
c129cf2d3152e73411fb2bb1e9cfed7173e3536b6d928e2d8c29c6b8904244aae47e7ebe4e993ac579048c09abd4ed29535d8f2361d588f72bdcd774445c76aa

Download Submit
C:\Users\Admin\PUTTY.RND

Filesize
600B

MD5
cea7217e2c26822fd40d74b5bf3886e0

SHA1
db9eaea876f40689830b2d778dd65f27d86c8a06

SHA256
4248f017fa8e003dceb8bebe673a8fd425ec0a3c3849cb4cb6a9214e195b9f13

SHA512
a2b0956a67684f318a9e2d26af6cf6b118b2a8ffb34ec23aabe96d515da4f57fe0449e1803979844f9c6d358fb23c4fe610866a7d615bbfa340e14f1f08480ca

Download Submit
C:\Users\Admin\PUTTY.RND

Filesize
600B

MD5
6c6e50d0b79cfc1d9e95a93a7899c426

SHA1
01dda11a99b630a1e108b9764eb7b6f1ca511c8e

SHA256
9e63895758ccbede5d977e0c34f61cd0cc4c51157dfae25755a8edd9f68d420e

SHA512
7b132e5f10ff0e2c9ec6e730e3de9d4dd9a56252744e658d118800303e3def7c3b4bdbfc9f354010df44d7944d4e74b68eef4cf833ccb8bf89599714feb91c94

Download Submit
C:\Users\Admin\PUTTY.RND

Filesize
600B

MD5
2dd57602b0d35ed4e5126e43b9968168

SHA1
fa99539a44ae99a849157f46c2e52e16af47c19b

SHA256
694ee670482afb19065d28ba54c21fde9985120b515aabb52e7582cfe4383cc0

SHA512
6bfad0d3aee1c811a7ba79bf5d488724c67b01bae57d282fec4531f9a2da3e37027360dffdb2249a4462248a0e7c9e0f9256355e293689d7abb1b9b3d56c4c60

Download Submit
C:\Users\Admin\PUTTY.RND

Filesize
600B

MD5
9819b0c5eb9e52d47e41ee826eef5bd7

SHA1
20687bb87e845b67da101a31d7040afa8fdaca6e

SHA256
667d0bd8a8d71debf7c6b28dd70fc21d87f91d1255e7486c2f366ffc7fcb3fbd

SHA512
34f5cf031e344ac68bdb20d6ba68a874a389c7a51e93fd2cc8426f82d997dc91a303212bacf280b09708c3e9b42b8bd639af8b7c9d0f2b278ca3ef740bac0d08

Download Submit
C:\Users\Admin\PUTTY.RND

Filesize
600B

MD5
86c45b7b8440e3f702f640232f3beddc

SHA1
bbadad03b1eac088b40783d787ca124b3e46937d

SHA256
83202a1ecefd3755c98628921ee482816153ad651b30c3a3b4fd9826b005dcd5

SHA512
fccafa02adff387a953e7bb9110c4be8dd54433f4d8defdc8ed59f220454d60b3e1834e5f8aa650f031c43c055c3d1a86b17e1765191a19e5f52351b5ab7b033

Download Submit
C:\Users\Admin\PUTTY.RND

Filesize
600B

MD5
82bd97f069953dfcbc297f4e36f59f7a

SHA1
763106d0004a69cb46979c3dd156bfb0609a1d05

SHA256
f0503ef0bdc5dc59ddefb2fdb5eaa8ef4b15c3fbbf1bf92cb547c77f9ba82454

SHA512
b06ef66f5190d759d343b82fdb9a277210c561b40f39687e26eb882715c41b58e3e22e4f40068b6b2bababbb97c1bb1675e663f25fc1c7b1726f22cf97b19b2e

Download Submit
memory/3564-19-0x0000000000400000-0x0000000000AA2000-memory.dmp

Filesize
6.6MB

Download
memory/3564-46-0x0000000000400000-0x0000000000AA2000-memory.dmp

Filesize
6.6MB

Download
memory/3564-21-0x0000000000400000-0x0000000000AA2000-memory.dmp

Filesize
6.6MB

Download
memory/3564-22-0x0000000000400000-0x0000000000AA2000-memory.dmp

Filesize
6.6MB

Download
memory/3564-23-0x0000000000400000-0x0000000000AA2000-memory.dmp

Filesize
6.6MB

Download
memory/3564-24-0x0000000000400000-0x0000000000AA2000-memory.dmp

Filesize
6.6MB

Download
memory/3564-25-0x0000000000400000-0x0000000000AA2000-memory.dmp

Filesize
6.6MB

Download
memory/3564-26-0x0000000000400000-0x0000000000AA2000-memory.dmp

Filesize
6.6MB

Download
memory/3564-27-0x0000000000400000-0x0000000000AA2000-memory.dmp

Filesize
6.6MB

Download
memory/3564-28-0x0000000000400000-0x0000000000AA2000-memory.dmp

Filesize
6.6MB

Download
memory/3564-29-0x0000000000400000-0x0000000000AA2000-memory.dmp

Filesize
6.6MB

Download
memory/3564-30-0x0000000000400000-0x0000000000AA2000-memory.dmp

Filesize
6.6MB

Download
memory/3564-31-0x0000000000400000-0x0000000000AA2000-memory.dmp

Filesize
6.6MB

Download
memory/3564-32-0x0000000000400000-0x0000000000AA2000-memory.dmp

Filesize
6.6MB

Download
memory/3564-33-0x0000000000400000-0x0000000000AA2000-memory.dmp

Filesize
6.6MB

Download
memory/3564-34-0x0000000000400000-0x0000000000AA2000-memory.dmp

Filesize
6.6MB

Download
memory/3564-35-0x0000000000400000-0x0000000000AA2000-memory.dmp

Filesize
6.6MB

Download
memory/3564-36-0x0000000000400000-0x0000000000AA2000-memory.dmp

Filesize
6.6MB

Download
memory/3564-37-0x0000000000400000-0x0000000000AA2000-memory.dmp

Filesize
6.6MB

Download
memory/3564-39-0x0000000000400000-0x0000000000AA2000-memory.dmp

Filesize
6.6MB

Download
memory/3564-41-0x0000000000400000-0x0000000000AA2000-memory.dmp

Filesize
6.6MB

Download
memory/3564-42-0x0000000000400000-0x0000000000AA2000-memory.dmp

Filesize
6.6MB

Download
memory/3564-45-0x0000000000400000-0x0000000000AA2000-memory.dmp

Filesize
6.6MB

Download
memory/3564-20-0x0000000000400000-0x0000000000AA2000-memory.dmp

Filesize
6.6MB

Download
memory/3564-47-0x0000000000400000-0x0000000000AA2000-memory.dmp

Filesize
6.6MB

Download
memory/3564-48-0x0000000000400000-0x0000000000AA2000-memory.dmp

Filesize
6.6MB

Download
memory/3564-49-0x0000000000400000-0x0000000000AA2000-memory.dmp

Filesize
6.6MB

Download
memory/3564-0-0x0000000000400000-0x0000000000AA2000-memory.dmp

Filesize
6.6MB

Download
memory/3564-18-0x0000000000400000-0x0000000000AA2000-memory.dmp

Filesize
6.6MB

Download
memory/3564-102-0x0000000000400000-0x0000000000AA2000-memory.dmp

Filesize
6.6MB

Download
memory/3564-17-0x0000000000400000-0x0000000000AA2000-memory.dmp

Filesize
6.6MB

Download
memory/3564-16-0x0000000000400000-0x0000000000AA2000-memory.dmp

Filesize
6.6MB

Download
memory/3564-15-0x0000000000400000-0x0000000000AA2000-memory.dmp

Filesize
6.6MB

Download
memory/3564-14-0x0000000000400000-0x0000000000AA2000-memory.dmp

Filesize
6.6MB

Download
memory/3564-183-0x0000000000400000-0x0000000000AA2000-memory.dmp

Filesize
6.6MB

Download
memory/3564-13-0x0000000000400000-0x0000000000AA2000-memory.dmp

Filesize
6.6MB

Download
memory/3564-12-0x0000000000400000-0x0000000000AA2000-memory.dmp

Filesize
6.6MB

Download
memory/3564-264-0x0000000000400000-0x0000000000AA2000-memory.dmp

Filesize
6.6MB

Download
memory/3564-11-0x0000000000400000-0x0000000000AA2000-memory.dmp

Filesize
6.6MB

Download
memory/3564-10-0x0000000000400000-0x0000000000AA2000-memory.dmp

Filesize
6.6MB

Download
memory/3564-345-0x0000000000400000-0x0000000000AA2000-memory.dmp

Filesize
6.6MB

Download
memory/3564-5-0x0000000000400000-0x0000000000AA2000-memory.dmp

Filesize
6.6MB

Download
memory/3564-4-0x0000000000400000-0x0000000000AA2000-memory.dmp

Filesize
6.6MB

Download
memory/3564-3-0x0000000000400000-0x0000000000AA2000-memory.dmp

Filesize
6.6MB

Download
memory/3564-426-0x0000000000400000-0x0000000000AA2000-memory.dmp

Filesize
6.6MB

Download
memory/3564-2-0x0000000000401000-0x0000000000462000-memory.dmp

Filesize
388KB

Download
memory/3564-1-0x0000000077364000-0x0000000077366000-memory.dmp

Filesize
8KB

Download