Analysis

  • max time kernel
    72s
  • max time network
    37s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64 arch:x86 image:win7-20241010-en locale:en-us os:windows7-x64 system
  • submitted
    31/10/2024, 14:38

General

  • Target

    834aec8681a0a84919ed58be61eb84a7_JaffaCakes118.exe

  • Size

    2.5MB

  • MD5

    834aec8681a0a84919ed58be61eb84a7

  • SHA1

    3dfa91230f76db607114ed0588f946ee823c7d20

  • SHA256

    7dc2b9e59114f51f3f27f67561b917c58a3d9e023c0e8828cf4eb3ab88cf61fc

  • SHA512

    44933fa5f39805c1bc3d339f44f106e764f7154e30059672b70d4b8fbd94d4c376b353ca4712fb821caabbe4f8654a29c5bb2a50e2a3a19d19577bd918a5de2b

  • SSDEEP

    49152:uc59ozsLyCVft5L5Ef/ge8Rj/Y13t89rCalysFEN6XmiFAoNXxHNWimb:D9oMrV54a7DUacnN6TfHgBb

Malware Config

Signatures

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Identifies Wine through registry keys 2 TTPs 1 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

  • Loads dropped DLL 1 IoCs
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of the victim host in order to infer its geographical location.

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\834aec8681a0a84919ed58be61eb84a7_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\834aec8681a0a84919ed58be61eb84a7_JaffaCakes118.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Identifies Wine through registry keys
    • Loads dropped DLL
    • Checks whether UAC is enabled
    • Writes to the Master Boot Record (MBR)
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2116
    • C:\Users\Admin\AppData\Local\Temp\merrsend.exe
      merrsend.exe ABABB996AAABABEEAEABAB73A8FFC3D9CECACFE2EF8B9A9C989D8BDFC3D9CEDC8BC2C58B989A9C8B839A989F9282A6A1A6A1FFC3D9CECACFE2EF918B9A9C989DA6A1A29A9E998B918BDCFCC2C5E6CAC2C5A6A1A2A29F9A9F9A8B918BC2C5C2DFE7CAC5CCDECACCCEE4C9C1CEC8DFA6A1A2A29D9898998B918BCED3DFD9CAC8DFEED9D9C4D9F8CEC5CFCED9A6A1A2A29F9A8B918BE9DECDCDCED9E8C7C2CEC5DF9191E9DECDCDCED9E8C7C2CEC5DFA6A1A2A2A2928B918BE4C9C1CEC8DFE6CAC5CACCCED99191E4C9C1CEC8DFE6CAC5CACCCED9A6A1A2A2A29F989F988B918BE9DECDCDCED9E8C7C2CEC5DF9191CCCEDFF9CAC5CFC4C6A6A1A2A2A29F989F988B918BE9DECDCDCED9E8C7C2CEC5DF9191CCCEDFF9CAC5CFC4C6A6A1A2A2A29F989F988B918BE9DECDCDCED9E8C7C2CEC5DF9191CCCEDFF9CAC5CFC4C6A6A1A2A2A29F989F988B918BE9DECDCDCED9E8C7C2CEC5DF9191CCCEDFF9CAC5CFC4C6A6A1A2A2A29F989F988B918BE9DECDCDCED9E8C7C2CEC5DF9191CCCEDFF9CAC5CFC4C6A6A1A2A2A29F989F988B918BE9DECDCDCED9E8C7C2CEC5DF9191CCCEDFF9CAC5CFC4C6A6A1A2A2A29F989F988B918BE9DECDCDCED9E8C7C2CEC5DF9191CCCEDFF9CAC5CFC4C6A6A1A2A2A29F989F988B918BE9DECDCDCED9E8C7C2CEC5DF9191CCCEDFF9CAC5CFC4C6A6A1A2A2A29F989F988B918BE9DECDCDCED9E8C7C2CEC5DF9191CCCEDFF9CAC5CFC4C6A6A1A2A2A29D9B939E8B918BE9DECDCDCED9E8C7C2CEC5DF9191D8CEDFE8CAC5C8CEC7E3CAD9CFA6A1A2A29A9F8B918BFBE9E6E89191FBE9E6E8A6A1A2A29E9D929C8B918B94C3CAC5CFC7CEE7C4CACFF8CEDFDFC2C5CCD8EBEBF2EAF3EAE9FD948FC9CAD8C2C8F4D8DFD9C2C5CCEBF4FCFE948FC8C3CAD9F4DFD9CAC2DFD8EBF4FCEBD8DFCFEBEBFD948FCAC7C7C4C8CADFC4D9EBF4FCEB99EBEBD8DFCFEBEBEBF1A6A1A2A2A29F989F988B918BE9DECDCDCED9E8C7C2CEC5DF9191CCCEDFF9CAC5CFC4C6A6A1A2A2A29C9E998B918BFBE9E6E89191FEDBCFCADFCEFBC4D9DFD8A6A1A2A2A29C9F998B918BFBE9E6E89191E8C3CAC5CCCECFEFE2FDA6A1A6A1FFC3D9CECACFE2EF918B999A9F9FA6A1A29A9D929B8B918BE9DECDCDCED9E8C7C2CEC5DF9191FBC4DFFFC3D9CECACFA6A1A6A1FFC3D9CECACFE2EF918B999A9D93A6A1A2999B9B9B8B918BE9DECDCDCED9E8C7C2CEC5DF9191FBCEDFDBC2C8C0FFC3D9CECACFA6A1A6A1FFC3D9CECACFE2EF918B99999E9DA6A1A29D9B9F8B918BE9DECDCDCED9E8C7C2CEC5DF9191E9DECDCDFFC3D9CECACFA6A1A6A1FFC3D9CECACFE2EF918B9998999FA6A1A2989A9A988B918BE9DECDCDCED9E8C7C2CEC5DF9191F8DEDBCED9DDC2D8C4D9FFC3D9CECACFA6A1A6A1
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:2480
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2116 -s 920
      2⤵
      • Program crash
      PID:2976
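
The argument handed to the dropped merrsend.exe above is a long hexadecimal string. Trying all 256 single-byte XOR keys against it and scoring the output for readable text recovers the key 0xAB; under that key the blob decodes to a text dump (the first readable segment reads "ThreadID: 1736" followed by an indented call stack, and the segment that repeats many times, E9DECDCDCED9E8C7C2CEC5DF9191CCCEDFF9CAC5CFC4C6, reads "BufferClient::getRandom"). The Python below is an added analysis helper, not part of the sandbox report or of the sample. The excerpt embedded in it is copied from the command line above; the blob's leading 13 bytes do not decode to text and are omitted from the excerpt. The scoring heuristic and the key are worked out here, the report itself does not state them.

```python
"""Recover a single-byte XOR key from a hex-encoded argument and decode it.

Added analysis helper for the merrsend.exe command line shown in the process
tree. The excerpt is copied from the report; the key and the scoring heuristic
are derived here and are not stated by the report.
"""
import string

# Excerpt of the hex argument passed to merrsend.exe (copied from the report;
# the blob's first 13 bytes are a non-text header and are left out here).
MERRSEND_ARG_EXCERPT = (
    "FFC3D9CECACFE2EF918B9A9C989DA6A1"
    "A29A9E998B918BDCFCC2C5E6CAC2C5A6A1"
)

_LETTERS = frozenset(string.ascii_letters.encode())
# Bytes that are plausible in a text dump but carry less evidence than letters.
_NEUTRAL = frozenset(b"0123456789 :()[]<>.,;_-/\\\t\r\n")


def xor_with_key(data: bytes, key: int) -> bytes:
    """XOR every byte of `data` with the single-byte `key` (0..255)."""
    return bytes(b ^ key for b in data)


def score_plaintext(buf: bytes) -> int:
    """Heuristic text score: reward letters, tolerate digits, punctuation and
    CR/LF/TAB, penalise control bytes and anything outside 7-bit ASCII."""
    score = 0
    for b in buf:
        if b in _LETTERS:
            score += 2
        elif b in _NEUTRAL:
            score += 1
        elif 0x20 <= b <= 0x7E:
            score += 0          # other printable ASCII: neither for nor against
        else:
            score -= 5          # control byte or high byte: unlikely in text
    return score


def recover_xor_key(hexblob: str) -> tuple[int, bytes]:
    """Try all 256 single-byte keys; return (best_key, decoded_bytes)."""
    data = bytes.fromhex(hexblob)
    best_key = max(range(256), key=lambda k: score_plaintext(xor_with_key(data, k)))
    return best_key, xor_with_key(data, best_key)


def decode_lines(hexblob: str, key: int) -> list[str]:
    """Decode the blob with a known key and split it on CRLF line endings."""
    text = xor_with_key(bytes.fromhex(hexblob), key).decode("ascii", errors="replace")
    return text.split("\r\n")


if __name__ == "__main__":
    key, plain = recover_xor_key(MERRSEND_ARG_EXCERPT)
    print(f"best key: 0x{key:02X}")
    for line in decode_lines(MERRSEND_ARG_EXCERPT, key):
        print(repr(line))
```

Feeding the whole argument (minus the 13-byte header) to `decode_lines` with key 0xAB yields the remaining stack-trace lines; the brute force is only needed once, after which the fixed key can be applied to other submissions of the same dropper for comparison.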

Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • \Users\Admin\AppData\Local\Temp\merrsend.exe

          Filesize

          5KB

          MD5

          7beeb35c3bde8caab110b5dc3a45218c

          SHA1

          fa36661a88ec5d68b9bec81dc7e216a3ed696aae

          SHA256

          62738c3e6e2dc132dbce415191383c64b76e460f80af5714d7ef4a4aceabc25a

          SHA512

          cd9ccae0d8124a8d7427e1074da7d0ee20a6646bba0bb01e3d177af714235b1466cba155365fe3ab8382d2bf780e0f95a7ace75e76b1c0e68800b425f0524795

        • memory/2116-4-0x0000000004470000-0x0000000004471000-memory.dmp

          Filesize

          4KB

        • memory/2116-6-0x0000000000401000-0x0000000000465000-memory.dmp

          Filesize

          400KB

        • memory/2116-8-0x0000000000400000-0x0000000000A73000-memory.dmp

          Filesize

          6.4MB

        • memory/2116-5-0x0000000004480000-0x0000000004482000-memory.dmp

          Filesize

          8KB

        • memory/2116-9-0x0000000000400000-0x0000000000A73000-memory.dmp

          Filesize

          6.4MB

        • memory/2116-0-0x0000000000400000-0x0000000000A73000-memory.dmp

          Filesize

          6.4MB

        • memory/2116-3-0x0000000000B90000-0x0000000000B91000-memory.dmp

          Filesize

          4KB

        • memory/2116-10-0x0000000000400000-0x0000000000A73000-memory.dmp

          Filesize

          6.4MB

        • memory/2116-11-0x0000000000400000-0x0000000000A73000-memory.dmp

          Filesize

          6.4MB

        • memory/2116-12-0x0000000000400000-0x0000000000A73000-memory.dmp

          Filesize

          6.4MB

        • memory/2116-1-0x0000000077DD0000-0x0000000077DD2000-memory.dmp

          Filesize

          8KB

        • memory/2116-19-0x0000000000400000-0x0000000000A73000-memory.dmp

          Filesize

          6.4MB

        • memory/2116-22-0x0000000000400000-0x0000000000A73000-memory.dmp

          Filesize

          6.4MB