Analysis
max time kernel: 72s
max time network: 37s
platform: windows7_x64
resource: win7-20241010-en
resource tags: arch:x64 arch:x86 image:win7-20241010-en locale:en-us os:windows7-x64 system
submitted: 31/10/2024, 14:38
Static task
static1
Behavioral task
behavioral1
Sample
834aec8681a0a84919ed58be61eb84a7_JaffaCakes118.exe
Resource
win7-20241010-en
Behavioral task
behavioral2
Sample
834aec8681a0a84919ed58be61eb84a7_JaffaCakes118.exe
Resource
win10v2004-20241007-en
General
Target: 834aec8681a0a84919ed58be61eb84a7_JaffaCakes118.exe
Size: 2.5MB
MD5: 834aec8681a0a84919ed58be61eb84a7
SHA1: 3dfa91230f76db607114ed0588f946ee823c7d20
SHA256: 7dc2b9e59114f51f3f27f67561b917c58a3d9e023c0e8828cf4eb3ab88cf61fc
SHA512: 44933fa5f39805c1bc3d339f44f106e764f7154e30059672b70d4b8fbd94d4c376b353ca4712fb821caabbe4f8654a29c5bb2a50e2a3a19d19577bd918a5de2b
SSDEEP: 49152:uc59ozsLyCVft5L5Ef/ge8Rj/Y13t89rCalysFEN6XmiFAoNXxHNWimb:D9oMrV54a7DUacnN6TfHgBb
Malware Config
Signatures
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
description: Key opened; ioc: \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__; Process: 834aec8681a0a84919ed58be61eb84a7_JaffaCakes118.exe
Executes dropped EXE 1 IoCs
pid: 2480; Process: merrsend.exe
Identifies Wine through registry keys 2 TTPs 1 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
description: Key opened; ioc: \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Wine; Process: 834aec8681a0a84919ed58be61eb84a7_JaffaCakes118.exe
Loads dropped DLL 1 IoCs
pid: 2116; Process: 834aec8681a0a84919ed58be61eb84a7_JaffaCakes118.exe
Checks whether UAC is enabled 1 IoCs
description: Key value queried; ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA; Process: 834aec8681a0a84919ed58be61eb84a7_JaffaCakes118.exe
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
description: File opened for modification; ioc: \??\PhysicalDrive0; Process: 834aec8681a0a84919ed58be61eb84a7_JaffaCakes118.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
pid: 2116; Process: 834aec8681a0a84919ed58be61eb84a7_JaffaCakes118.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Program crash 1 IoCs
pid: 2976; pid_target: 2116; Process: WerFault.exe; procid_target: 29
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description: Key opened; ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language; Process: 834aec8681a0a84919ed58be61eb84a7_JaffaCakes118.exe
description: Key opened; ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language; Process: merrsend.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid: 2116; Process: 834aec8681a0a84919ed58be61eb84a7_JaffaCakes118.exe
Suspicious use of WriteProcessMemory 8 IoCs
description: PID 2116 wrote to memory of 2480; pid: 2116; Process: 834aec8681a0a84919ed58be61eb84a7_JaffaCakes118.exe; procid_target: 30
description: PID 2116 wrote to memory of 2480; pid: 2116; Process: 834aec8681a0a84919ed58be61eb84a7_JaffaCakes118.exe; procid_target: 30
description: PID 2116 wrote to memory of 2480; pid: 2116; Process: 834aec8681a0a84919ed58be61eb84a7_JaffaCakes118.exe; procid_target: 30
description: PID 2116 wrote to memory of 2480; pid: 2116; Process: 834aec8681a0a84919ed58be61eb84a7_JaffaCakes118.exe; procid_target: 30
description: PID 2116 wrote to memory of 2976; pid: 2116; Process: 834aec8681a0a84919ed58be61eb84a7_JaffaCakes118.exe; procid_target: 31
description: PID 2116 wrote to memory of 2976; pid: 2116; Process: 834aec8681a0a84919ed58be61eb84a7_JaffaCakes118.exe; procid_target: 31
description: PID 2116 wrote to memory of 2976; pid: 2116; Process: 834aec8681a0a84919ed58be61eb84a7_JaffaCakes118.exe; procid_target: 31
description: PID 2116 wrote to memory of 2976; pid: 2116; Process: 834aec8681a0a84919ed58be61eb84a7_JaffaCakes118.exe; procid_target: 31
Processes
C:\Users\Admin\AppData\Local\Temp\834aec8681a0a84919ed58be61eb84a7_JaffaCakes118.exe (level 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\834aec8681a0a84919ed58be61eb84a7_JaffaCakes118.exe"
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Identifies Wine through registry keys
- Loads dropped DLL
- Checks whether UAC is enabled
- Writes to the Master Boot Record (MBR)
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2116
C:\Users\Admin\AppData\Local\Temp\merrsend.exe (level 2)
Command line: merrsend.exe followed by a long hex-encoded argument (encoded blob not reproduced here)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2480
C:\Windows\SysWOW64\WerFault.exe (level 2)
Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2116 -s 920
- Program crash
PID:2976
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 5KB
MD5: 7beeb35c3bde8caab110b5dc3a45218c
SHA1: fa36661a88ec5d68b9bec81dc7e216a3ed696aae
SHA256: 62738c3e6e2dc132dbce415191383c64b76e460f80af5714d7ef4a4aceabc25a
SHA512: cd9ccae0d8124a8d7427e1074da7d0ee20a6646bba0bb01e3d177af714235b1466cba155365fe3ab8382d2bf780e0f95a7ace75e76b1c0e68800b425f0524795