Analysis

  • max time kernel
    140s
  • max time network
    144s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    25/09/2024, 07:54

General

  • Target
    f58a4369b8176edbde4396dc977c9008_JaffaCakes118.exe
  • Size
    579KB
  • MD5
    f58a4369b8176edbde4396dc977c9008
  • SHA1
    87668d14910c1e1bb8bbea0c6363f76e664dcd09
  • SHA256
    30c69d91247f8a72a69e4d7c4bce3eafba40975e5890c23dc4dbe7c9a11afa73
  • SHA512
    d9e747b4907ab21406ce52bdf05f61b62efb087ea4f6599a8441625511c3b4e959f3610bc3e00e39434691ad76b818a38756239acffae90a28a39e9862dd0fb7
  • SSDEEP
    12288:SGtys4IM48XKzDogrFgPb1fNZsHirZnyBK2HVUMLPztyea4douxdSXMA:51Y48XKnoQgKHirZnyBK2HKMLLtz3OM

Malware Config

Signatures

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 3 IoCs
  • Adds policy Run key to start application 2 TTPs 2 IoCs
  • Checks BIOS information in registry 2 TTPs 3 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Deletes itself 1 IoCs
  • Event Triggered Execution: Component Object Model Hijacking 1 TTPs

    Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 10 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Maps connected drives based on registry 3 TTPs 6 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Kills process with taskkill 1 IoCs
  • Modifies registry class 6 IoCs
  • Suspicious behavior: EnumeratesProcesses 31 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f58a4369b8176edbde4396dc977c9008_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\f58a4369b8176edbde4396dc977c9008_JaffaCakes118.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Loads dropped DLL
    • Maps connected drives based on registry
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2092
    • C:\Users\Admin\AppData\Roaming\ATI_Subsystem\clinfo.exe
      C:\Users\Admin\AppData\Roaming\ATI_Subsystem\clinfo.exe C:\Users\Admin\AppData\Roaming\ATI_Subsystem\aticfx32.dll, ADL_Display_DeviceConfig_Get pid=2092 "C:\Users\Admin\AppData\Local\Temp\f58a4369b8176edbde4396dc977c9008_JaffaCakes118.exe"
      2⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Adds policy Run key to start application
      • Checks BIOS information in registry
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Maps connected drives based on registry
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:2088
      • C:\Windows\SysWOW64\cmd.exe
        /Q /C TASKKILL /F /PID 2092 > NUL & DEL /F /Q C:\Users\Admin\AppData\Local\Temp\f58a4369b8176edbde4396dc977c9008_JaffaCakes118.exe > NUL
        3⤵
        • Deletes itself
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:944
        • C:\Windows\SysWOW64\taskkill.exe
          TASKKILL /F /PID 2092
          4⤵
          • System Location Discovery: System Language Discovery
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:2956
      • C:\Users\Admin\AppData\Roaming\ATI_Subsystem\clinfo.exe
        "C:\Users\Admin\AppData\Roaming\ATI_Subsystem\clinfo.exe" "C:\Users\Admin\AppData\Roaming\ATI_Subsystem\aticfx32.dll", ADL_Display_DeviceConfig_Get
        3⤵
        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
        • Checks BIOS information in registry
        • Executes dropped EXE
        • Loads dropped DLL
        • Maps connected drives based on registry
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        PID:2900

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Roaming\ATI_Subsystem\aticfx32.dll
    Filesize: 850KB
    MD5: 8670710bc9477431a01a576b6b5c1b2a
    SHA1: 8099a40b9ef478ee50c466eb65fe71b247fcf014
    SHA256: 1233cca912fb61873c7388f299a4a1b78054e681941beb31f0a48f8c6d7a182b
    SHA512: b0fa1b28d07ae6306c232f386fc0fbb3f10be7a50242479195a3716b64bad1c16967ea504dbdce4ec370dc9c7ff54ad6a009fff4d228a1b97828b4ee6c4645bc

  • C:\Users\Admin\AppData\Roaming\ATI_Subsystem\racss.dat
    Filesize: 6KB
    MD5: b8e9af8cfae757fd2178438a9c2f2510
    SHA1: 83025fa878bfad6ddc6a1904ec9114b60a7051eb
    SHA256: 8acf5c72a79285c26d08372699e79de607e7ff6b2853fd86e3f19c4f8d568a2a
    SHA512: 4e79a449763f449c938c75ea139b5e172691c9a2d398cb3ae16ac180cb2cf717b9811ac5e4d1f124fdddc19b5828aff60ae71ea980d7bdc60fc89f7c0e398450

  • C:\Users\Admin\AppData\Roaming\ATI_Subsystem\racss.dat
    Filesize: 6KB
    MD5: 95e10536979f910e7b14c450196053ae
    SHA1: cad9c6f6e0f372d5de88657ac12572e600060b4f
    SHA256: 47ce91af2db54cbeb953a4e6fcf2018a8b200f66f30e56fc46659fd2cdfc959a
    SHA512: dbc765990cd2ea1ca44eebad3283c220fa8d1903488195b5439d7135e3653b803b6ea568e72c2e3f9a54bf480ec99e2b67291018e0c82f19fb1237e15fb39452

  • \Users\Admin\AppData\Roaming\ATI_Subsystem\clinfo.exe
    Filesize: 43KB
    MD5: 51138beea3e2c21ec44d0932c71762a8
    SHA1: 8939cf35447b22dd2c6e6f443446acc1bf986d58
    SHA256: 5ad3c37e6f2b9db3ee8b5aeedc474645de90c66e3d95f8620c48102f1eba4124
    SHA512: 794f30fe452117ff2a26dc9d7086aaf82b639c2632ac2e381a81f5239caaec7c96922ba5d2d90bfd8d74f0a6cd4f79fbda63e14c6b779e5cf6834c13e4e45e7d