f809f81d95df1aba4838ef3f8bffb4c937901ee38d1404070a2dc7b3f02fda8f

General

Target

ef37c46e47a7de81e846d81df54cd33d_JaffaCakes118.exe
Size

15.0MB
MD5

ef37c46e47a7de81e846d81df54cd33d
SHA1

98247e718da31648ae111f00ad51d6f78a95b164
SHA256

f809f81d95df1aba4838ef3f8bffb4c937901ee38d1404070a2dc7b3f02fda8f
SHA512

1674f76f0961b0b25b326f92f7fe5171540b999fc93a7a5a64a4a2ae38653fe7820a2d26f8dfe1468863d69e0e4527a9d493e2138fa6acafa2a6fdf40cefc346
SSDEEP

393216:4T4reXCcECLVPQfceGnpXP7vXxB3gIL9KgYPwIjEr83:hncEUxyc/7PxB3z/u

Score

9^/10

discovery evasion trojan

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	ef37c46e47a7de81e846d81df54cd33d_JaffaCakes118.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	ef37c46e47a7de81e846d81df54cd33d_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	ef37c46e47a7de81e846d81df54cd33d_JaffaCakes118.exe

Deletes itself 1 IoCs

pid	Process
2652	cmd.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ef37c46e47a7de81e846d81df54cd33d_JaffaCakes118.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs

pid	Process
2852	ef37c46e47a7de81e846d81df54cd33d_JaffaCakes118.exe
2852	ef37c46e47a7de81e846d81df54cd33d_JaffaCakes118.exe
2852	ef37c46e47a7de81e846d81df54cd33d_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ef37c46e47a7de81e846d81df54cd33d_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
2788	timeout.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2852 wrote to memory of 2732	2852	ef37c46e47a7de81e846d81df54cd33d_JaffaCakes118.exe	30
PID 2852 wrote to memory of 2732	2852	ef37c46e47a7de81e846d81df54cd33d_JaffaCakes118.exe	30
PID 2852 wrote to memory of 2732	2852	ef37c46e47a7de81e846d81df54cd33d_JaffaCakes118.exe	30
PID 2852 wrote to memory of 2732	2852	ef37c46e47a7de81e846d81df54cd33d_JaffaCakes118.exe	30
PID 2852 wrote to memory of 2844	2852	ef37c46e47a7de81e846d81df54cd33d_JaffaCakes118.exe	31
PID 2852 wrote to memory of 2844	2852	ef37c46e47a7de81e846d81df54cd33d_JaffaCakes118.exe	31
PID 2852 wrote to memory of 2844	2852	ef37c46e47a7de81e846d81df54cd33d_JaffaCakes118.exe	31
PID 2852 wrote to memory of 2844	2852	ef37c46e47a7de81e846d81df54cd33d_JaffaCakes118.exe	31
PID 2852 wrote to memory of 2652	2852	ef37c46e47a7de81e846d81df54cd33d_JaffaCakes118.exe	32
PID 2852 wrote to memory of 2652	2852	ef37c46e47a7de81e846d81df54cd33d_JaffaCakes118.exe	32
PID 2852 wrote to memory of 2652	2852	ef37c46e47a7de81e846d81df54cd33d_JaffaCakes118.exe	32
PID 2852 wrote to memory of 2652	2852	ef37c46e47a7de81e846d81df54cd33d_JaffaCakes118.exe	32
PID 2652 wrote to memory of 2788	2652	cmd.exe	35
PID 2652 wrote to memory of 2788	2652	cmd.exe	35
PID 2652 wrote to memory of 2788	2652	cmd.exe	35
PID 2652 wrote to memory of 2788	2652	cmd.exe	35

C:\Users\Admin\AppData\Local\Temp\ef37c46e47a7de81e846d81df54cd33d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ef37c46e47a7de81e846d81df54cd33d_JaffaCakes118.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2852
- C:\Users\Admin\AppData\Local\Temp\ef37c46e47a7de81e846d81df54cd33d_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\ef37c46e47a7de81e846d81df54cd33d_JaffaCakes118.exe"
  2⤵
  PID:2732
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /C echo A debugger has been found running in your system.Please, unload it from memory and restart your program. && pause
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2844
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /C TIMEOUT 2 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\ef37c46e47a7de81e846d81df54cd33d_JaffaCakes118.exe"
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2652
- - C:\Windows\SysWOW64\timeout.exe
    TIMEOUT 2
    3⤵
    - System Location Discovery: System Language Discovery
    - Delays execution with timeout.exe
    PID:2788

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

1

T1497

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Virtualization/Sandbox Evasion

1

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2732-9-0x0000000000E90000-0x0000000002594000-memory.dmp

Filesize
23.0MB

Download
memory/2732-10-0x0000000000E90000-0x0000000002594000-memory.dmp

Filesize
23.0MB

Download
memory/2852-2-0x0000000075FA0000-0x0000000075FE7000-memory.dmp

Filesize
284KB

Download
memory/2852-1-0x0000000075FAE000-0x0000000075FAF000-memory.dmp

Filesize
4KB

Download
memory/2852-0-0x0000000000E90000-0x0000000002594000-memory.dmp

Filesize
23.0MB

Download
memory/2852-3-0x0000000075FA0000-0x0000000075FE7000-memory.dmp

Filesize
284KB

Download
memory/2852-4-0x0000000075FA0000-0x0000000075FE7000-memory.dmp

Filesize
284KB

Download
memory/2852-6-0x0000000075FA0000-0x0000000075FE7000-memory.dmp

Filesize
284KB

Download
memory/2852-8-0x0000000000E90000-0x0000000002594000-memory.dmp

Filesize
23.0MB

Download
memory/2852-7-0x0000000003D00000-0x0000000005404000-memory.dmp

Filesize
23.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads