30c69d91247f8a72a69e4d7c4bce3eafba40975e5890c23dc4dbe7c9a11afa73

Analysis

max time kernel
144s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
25/09/2024, 07:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f58a4369b8176edbde4396dc977c9008_JaffaCakes118.exe
Size

579KB
MD5

f58a4369b8176edbde4396dc977c9008
SHA1

87668d14910c1e1bb8bbea0c6363f76e664dcd09
SHA256

30c69d91247f8a72a69e4d7c4bce3eafba40975e5890c23dc4dbe7c9a11afa73
SHA512

d9e747b4907ab21406ce52bdf05f61b62efb087ea4f6599a8441625511c3b4e959f3610bc3e00e39434691ad76b818a38756239acffae90a28a39e9862dd0fb7
SSDEEP

12288:SGtys4IM48XKzDogrFgPb1fNZsHirZnyBK2HVUMLPztyea4douxdSXMA:51Y48XKnoQgKHirZnyBK2HKMLLtz3OM

Score

9^/10

discovery evasion persistence privilege_escalation

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 3 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	f58a4369b8176edbde4396dc977c9008_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	clinfo.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	clinfo.exe

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	clinfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ativvaxy_cik_x86_64 = "C:\\Users\\Admin\\AppData\\Roaming\\ATI_Subsystem\\clinfo.exe C:\\Users\\Admin\\AppData\\Roaming\\ATI_Subsystem\\aticfx32.dll, ADL_Display_DeviceConfig_Get"	clinfo.exe

Checks BIOS information in registry 2 TTPs 3 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	f58a4369b8176edbde4396dc977c9008_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	clinfo.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	clinfo.exe

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Executes dropped EXE 2 IoCs

pid	Process
2540	clinfo.exe
3936	clinfo.exe

Loads dropped DLL 2 IoCs

pid	Process
2540	clinfo.exe
3936	clinfo.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\atioglxx_Eng = "C:\\Users\\Admin\\AppData\\Roaming\\ATI_Subsystem\\clinfo.exe C:\\Users\\Admin\\AppData\\Roaming\\ATI_Subsystem\\aticfx32.dll, ADL_Display_DeviceConfig_Get"	clinfo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\openvideo_Client = "C:\\Users\\Admin\\AppData\\Roaming\\ATI_Subsystem\\clinfo.exe C:\\Users\\Admin\\AppData\\Roaming\\ATI_Subsystem\\aticfx32.dll, ADL_Display_DeviceConfig_Get"	clinfo.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Maps connected drives based on registry 3 TTPs 6 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum	clinfo.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	clinfo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum	clinfo.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	clinfo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum	f58a4369b8176edbde4396dc977c9008_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	f58a4369b8176edbde4396dc977c9008_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	clinfo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f58a4369b8176edbde4396dc977c9008_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	clinfo.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
3060	taskkill.exe

Modifies registry class 6 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\CLSID\{603D3801-BD81-11D0-A3A5-00C04FD706EC}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Roaming\\ATI_Subsystem\\coinst_13.152.dll"	clinfo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\CLSID\{603D3801-BD81-11D0-A3A5-00C04FD706EC}\InProcServer32\ThreadingModel = "Apartment"	clinfo.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\CLSID\{603D3801-BD81-11D0-A3A5-00C04FD706EC}	clinfo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\CLSID\{603D3801-BD81-11D0-A3A5-00C04FD706EC}\ = "ShellWindows"	clinfo.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\CLSID\{603D3801-BD81-11D0-A3A5-00C04FD706EC}\Parameters = 43003a005c00550073006500720073005c00410064006d0069006e005c0041007000700044006100740061005c0052006f0061006d0069006e0067005c004100540049005f00530075006200730079007300740065006d005c0063006c0069006e0066006f002e00650078006500200043003a005c00550073006500720073005c00410064006d0069006e005c0041007000700044006100740061005c0052006f0061006d0069006e0067005c004100540049005f00530075006200730079007300740065006d005c00610074006900630066007800330032002e0064006c006c002c002000410044004c005f0044006900730070006c00610079005f0044006500760069006300650043006f006e006600690067005f004700650074000000	clinfo.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\CLSID\{603D3801-BD81-11D0-A3A5-00C04FD706EC}\InProcServer32	clinfo.exe

Suspicious behavior: EnumeratesProcesses 62 IoCs

pid	Process
428	f58a4369b8176edbde4396dc977c9008_JaffaCakes118.exe
428	f58a4369b8176edbde4396dc977c9008_JaffaCakes118.exe
2540	clinfo.exe
2540	clinfo.exe
3936	clinfo.exe
3936	clinfo.exe
2540	clinfo.exe
2540	clinfo.exe
3936	clinfo.exe
3936	clinfo.exe
2540	clinfo.exe
2540	clinfo.exe
3936	clinfo.exe
3936	clinfo.exe
2540	clinfo.exe
2540	clinfo.exe
3936	clinfo.exe
3936	clinfo.exe
2540	clinfo.exe
2540	clinfo.exe
3936	clinfo.exe
3936	clinfo.exe
2540	clinfo.exe
2540	clinfo.exe
3936	clinfo.exe
3936	clinfo.exe
2540	clinfo.exe
2540	clinfo.exe
3936	clinfo.exe
3936	clinfo.exe
2540	clinfo.exe
2540	clinfo.exe
3936	clinfo.exe
3936	clinfo.exe
2540	clinfo.exe
2540	clinfo.exe
3936	clinfo.exe
3936	clinfo.exe
2540	clinfo.exe
2540	clinfo.exe
3936	clinfo.exe
3936	clinfo.exe
2540	clinfo.exe
2540	clinfo.exe
3936	clinfo.exe
3936	clinfo.exe
2540	clinfo.exe
2540	clinfo.exe
3936	clinfo.exe
3936	clinfo.exe
2540	clinfo.exe
2540	clinfo.exe
3936	clinfo.exe
3936	clinfo.exe
2540	clinfo.exe
2540	clinfo.exe
3936	clinfo.exe
3936	clinfo.exe
2540	clinfo.exe
2540	clinfo.exe
3936	clinfo.exe
3936	clinfo.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3060	taskkill.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 428 wrote to memory of 2540	428	f58a4369b8176edbde4396dc977c9008_JaffaCakes118.exe	82
PID 428 wrote to memory of 2540	428	f58a4369b8176edbde4396dc977c9008_JaffaCakes118.exe	82
PID 428 wrote to memory of 2540	428	f58a4369b8176edbde4396dc977c9008_JaffaCakes118.exe	82
PID 2540 wrote to memory of 2296	2540	clinfo.exe	83
PID 2540 wrote to memory of 2296	2540	clinfo.exe	83
PID 2540 wrote to memory of 2296	2540	clinfo.exe	83
PID 2296 wrote to memory of 3060	2296	cmd.exe	85
PID 2296 wrote to memory of 3060	2296	cmd.exe	85
PID 2296 wrote to memory of 3060	2296	cmd.exe	85
PID 2540 wrote to memory of 3936	2540	clinfo.exe	86
PID 2540 wrote to memory of 3936	2540	clinfo.exe	86
PID 2540 wrote to memory of 3936	2540	clinfo.exe	86

C:\Users\Admin\AppData\Local\Temp\f58a4369b8176edbde4396dc977c9008_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f58a4369b8176edbde4396dc977c9008_JaffaCakes118.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Maps connected drives based on registry
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:428
- C:\Users\Admin\AppData\Roaming\ATI_Subsystem\clinfo.exe
  C:\Users\Admin\AppData\Roaming\ATI_Subsystem\clinfo.exe C:\Users\Admin\AppData\Roaming\ATI_Subsystem\aticfx32.dll, ADL_Display_DeviceConfig_Get pid=428 "C:\Users\Admin\AppData\Local\Temp\f58a4369b8176edbde4396dc977c9008_JaffaCakes118.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Adds policy Run key to start application
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Maps connected drives based on registry
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2540
- - C:\Windows\SysWOW64\cmd.exe
    /Q /C TASKKILL /F /PID 428 > NUL & DEL /F /Q C:\Users\Admin\AppData\Local\Temp\f58a4369b8176edbde4396dc977c9008_JaffaCakes118.exe > NUL
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2296
  - - C:\Windows\SysWOW64\taskkill.exe
      TASKKILL /F /PID 428
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:3060
- - C:\Users\Admin\AppData\Roaming\ATI_Subsystem\clinfo.exe
    "C:\Users\Admin\AppData\Roaming\ATI_Subsystem\clinfo.exe" "C:\Users\Admin\AppData\Roaming\ATI_Subsystem\aticfx32.dll", ADL_Display_DeviceConfig_Get
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Loads dropped DLL
    - Maps connected drives based on registry
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:3936

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Defense Evasion

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\ATI_Subsystem\aticfx32.dll

Filesize
850KB

MD5
8670710bc9477431a01a576b6b5c1b2a

SHA1
8099a40b9ef478ee50c466eb65fe71b247fcf014

SHA256
1233cca912fb61873c7388f299a4a1b78054e681941beb31f0a48f8c6d7a182b

SHA512
b0fa1b28d07ae6306c232f386fc0fbb3f10be7a50242479195a3716b64bad1c16967ea504dbdce4ec370dc9c7ff54ad6a009fff4d228a1b97828b4ee6c4645bc

Download Submit
C:\Users\Admin\AppData\Roaming\ATI_Subsystem\clinfo.exe

Filesize
60KB

MD5
889b99c52a60dd49227c5e485a016679

SHA1
8fa889e456aa646a4d0a4349977430ce5fa5e2d7

SHA256
6cbe0e1f046b13b29bfa26f8b368281d2dda7eb9b718651d5856f22cc3e02910

SHA512
08933106eaf338dd119c45cbf1f83e723aff77cc0f8d3fc84e36253b1eb31557a54211d1d5d1cb58958188e32064d451f6c66a24b3963cccd3de07299ab90641

Download Submit
C:\Users\Admin\AppData\Roaming\ATI_Subsystem\racss.dat

Filesize
6KB

MD5
b8e9af8cfae757fd2178438a9c2f2510

SHA1
83025fa878bfad6ddc6a1904ec9114b60a7051eb

SHA256
8acf5c72a79285c26d08372699e79de607e7ff6b2853fd86e3f19c4f8d568a2a

SHA512
4e79a449763f449c938c75ea139b5e172691c9a2d398cb3ae16ac180cb2cf717b9811ac5e4d1f124fdddc19b5828aff60ae71ea980d7bdc60fc89f7c0e398450

Download Submit
C:\Users\Admin\AppData\Roaming\ATI_Subsystem\racss.dat

Filesize
6KB

MD5
245c2aea6607e2661159b82447ed7305

SHA1
5637dcc1cb86363e84007ce28fbe531931f33caa

SHA256
e4fcd65ee0b85f27758d7041d466e6538a2a498634d9d035de3b59096f3eecbb

SHA512
ca59a4725e615009fb396c1e2c8a72ee45043ad5a2ef1eef11a350faf030f2f949c0ba9c6ad13a530fb0b49fcdb6306dfd8ba00fa41508c0a1763a292c36278a

Download Submit