Overview

overview

9

Static

static

1

dc5cc070ea...18.exe

windows7-x64

9

dc5cc070ea...18.exe

windows10-2004-x64

9

Analysis

  • max time kernel
    129s
  • max time network
    125s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    12-09-2024 13:35

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    dc5cc070ea662794f72b8558bddf60f9_JaffaCakes118.exe

  • Size

    5.8MB

  • MD5

    dc5cc070ea662794f72b8558bddf60f9

  • SHA1

    ac7ff04ac89320a84be6f853191432a707d8181a

  • SHA256

    3863361341fb271b432545c1806ea5444408bee164e18402b7b0d153c5cd4710

  • SHA512

    152a317c81ec450a95781f74bc16563b2f9c564c3778f3b2cf9418cb7906da310647a84855d160af3069171336bb287a0b19c3d9b24038e2352762f61036ae5a

  • SSDEEP

    98304:VanGfmTCkplMq4lAyurFzSyjjksnldSQmT4PU7MHT4PU7M9gN/YhGdwf:VanjALurZSyS/gN/IGOf

Score
9/10
discoveryevasionspywarestealer

Malware Config

Signatures

  • Enumerates VirtualBox registry keys 2 TTPs 10 IoCs
    evasion
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 6 IoCs
    evasion
  • Looks for VirtualBox Guest Additions in registry 2 TTPs 2 IoCs
    evasion
  • Downloads MZ/PE file
  • Checks BIOS information in registry 2 TTPs 4 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 11 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Checks system information in the registry 2 TTPs 2 IoCs

    System information is often read in order to detect sandboxing environments.

  • Drops file in System32 directory 2 IoCs
  • Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 2 IoCs

    Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
    adwarespyware
  • Modifies system certificate store 2 TTPs 2 IoCs
    evasionspywaretrojan
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious behavior: RenamesItself 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of FindShellTrayWindow 7 IoCs
  • Suspicious use of SendNotifyMessage 7 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\dc5cc070ea662794f72b8558bddf60f9_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\dc5cc070ea662794f72b8558bddf60f9_JaffaCakes118.exe"
    1⤵
    • Enumerates VirtualBox registry keys
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Looks for VirtualBox Guest Additions in registry
    • Checks BIOS information in registry
    • Loads dropped DLL
    • Checks system information in the registry
    • Drops file in System32 directory
    • Checks for VirtualBox DLLs, possible anti-VM trick
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Modifies Internet Explorer settings
    • Modifies system certificate store
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: RenamesItself
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2156
    • C:\Users\Admin\AppData\Local\Temp\dc5cc070ea662794f72b8558bddf60f9_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\dc5cc070ea662794f72b8558bddf60f9_JaffaCakes118.exe" /test
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:2956
    • C:\Users\Admin\AppData\Local\Temp\dc5cc070ea662794f72b8558bddf60f9_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\dc5cc070ea662794f72b8558bddf60f9_JaffaCakes118.exe" /restart /util
      2⤵
      • Enumerates VirtualBox registry keys
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Looks for VirtualBox Guest Additions in registry
      • Checks BIOS information in registry
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks system information in the registry
      • Checks for VirtualBox DLLs, possible anti-VM trick
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: RenamesItself
      • Suspicious use of AdjustPrivilegeToken
      PID:2092

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Чистилка\Чистилка Uninstall.lnk
    Filesize

    1KB

    MD5

    9aee6d9021a9d75d268c88c7dfb03d19

    SHA1

    a4264d0f3e0dd1450ad0c6a7b3ca1bca1ef89652

    SHA256

    f7502c2e2d04040d94e8b33c21e19790e243e48251255e53fd8e28e0623a73c8

    SHA512

    71c3f00ec6cd4d2bd1a1c61c0ae176241ceeebeb4177a63259eb8f0060712ef22f0f3211a8dc5c788c9139eccc7c9e1ca8265ce52ef03070aad1d8d2eb6492f9

    Download Submit

  • C:\ProgramData\Чистилка\config.dat
    Filesize

    476KB

    MD5

    b0f447818c916bc08d3f96926006b45a

    SHA1

    74d19c344be3b49f7685fd8b2190c4741e564818

    SHA256

    81929d66051a50a211777d40b964f885045bdd5d72d06c1f72655f8bd220b94f

    SHA512

    00ae5ea15cbb2e7e9a44638fc903fbd4d69a345d699f89d671a01725221cba12bd2857b17c68d6ec2b87a261b741f3427aef1f5a27164dda0eec90a6fe2eec93

    Download Submit

  • C:\ProgramData\Чистилка\settings.json
    Filesize

    445B

    MD5

    1843165761130bb59a252e1925ce8def

    SHA1

    4e01f4ca347f9f279b88cbdfb8cf27c99cdeeca2

    SHA256

    76e2f82255232cc369ec11804c42d02ce70751066a8d803251521b316018f7df

    SHA512

    857a6283d0af403c77e3fa8db396ac061666e0d3453f9a1b47b44862f8fa4aec7a3f230a82614e8bf02dada4e6fbc1a6f32ad4938d25ce2d6012be9546148985

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\cln5F12.tmp
    Filesize

    49KB

    MD5

    abee4387ab69da821ed9397cc651597d

    SHA1

    5d14f4afdbe15448bf884b528ffffab874f920a7

    SHA256

    ac1dfd38d2fa61e28211e196cd3d754f6ccfb220e8c1beba52e54825cf615e22

    SHA512

    e014294cb60b66bd259f4a6ce262fc9eca30a30e7674dae178dbac6132ba464120e5d1076ee81c1210a2f42f819d94373733172cef9fda77c9effb4eed53a904

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\dc5cc070ea662794f72b8558bddf60f9_JaffaCakes118.exe
    Filesize

    2.7MB

    MD5

    cf08c870295a910c959e357c13e888e0

    SHA1

    7d0ea6b76abe69535b5fe0a6fa78e60b558fcb34

    SHA256

    c9935525ea7457c3ee2672931fa5895afea00607f2d9800f7f54a52f01a50987

    SHA512

    a254ae190e2be1139ff006919c7162f786be426dc2bd55ee941e7a4489928c2e3b04e59dcdedccf3580581379f24d6a4605669774517318f19d80e14b222b284

    Download Submit

  • C:\Users\Public\Desktop\Чистилка.lnk
    Filesize

    1KB

    MD5

    c75e90d21c8e58d8085b4b6f588cc7b3

    SHA1

    8125b98bb3c5eb9eddfced548f6283e44d0992ef

    SHA256

    a33bba95c6b8b706d13d437c714eaa8745a975c419482e30a884ce1cff76a90c

    SHA512

    0cefcddc63edf294ee792ed2b32da649f450416d58a9767c9c71482d96ae18978360faf4239bfd763dfa5066453214c9b18ce2f6eb73e9b560d224216305c39b

    Download Submit

  • C:\Windows\Fonts\pns.ttf
    Filesize

    127KB

    MD5

    df8c626474a73ab7a8b511655597c7c4

    SHA1

    5de28f387ea88553d195d1978286d43c33231969

    SHA256

    723091ba5a1b8e65164075516d69c00c71225c6dde61ffc32dd4047803ab42b5

    SHA512

    c8f7d1577cb70610c40b96c835faca6b916c4924b5061351c8a67287567556b2014efb7c73cdcc4fb6533829541cd0264b8a9e428d3c572e29c06b0d96633d59

    Download Submit

  • \ProgramData\Чистилка\Чистилка.exe
    Filesize

    5.8MB

    MD5

    dc5cc070ea662794f72b8558bddf60f9

    SHA1

    ac7ff04ac89320a84be6f853191432a707d8181a

    SHA256

    3863361341fb271b432545c1806ea5444408bee164e18402b7b0d153c5cd4710

    SHA512

    152a317c81ec450a95781f74bc16563b2f9c564c3778f3b2cf9418cb7906da310647a84855d160af3069171336bb287a0b19c3d9b24038e2352762f61036ae5a

    Download Submit

  • \Users\Admin\AppData\Local\Temp\dc5cc070ea662794f72b8558bddf60f9_JaffaCakes118.exe
    Filesize

    5.9MB

    MD5

    d7ebb78bf1f0e4a8278b2d63013b1134

    SHA1

    498b315dcba9bf4403d6748be61453d5d8991b61

    SHA256

    c5a685088c44b1fbd01f49587af753b6a0f8f793de8d3b3d7e170574fef27ba8

    SHA512

    ead20a19b5262ce34f13bae9c9d1082ce5bf740759ea82042d83600094e38de7aea87d7533fdd7660369ec5bb8549e107aff562fa477711515eb9c15c9c93312

    Download Submit

  • memory/2156-35-0x0000000000350000-0x0000000000351000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2156-44-0x0000000000350000-0x0000000000351000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2156-76-0x0000000001350000-0x0000000001929000-memory.dmp

    Filesize

    5.8MB

    Download