Analysis

  • max time kernel
    150s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    31/10/2024, 14:38

General

  • Target

    834aec8681a0a84919ed58be61eb84a7_JaffaCakes118.exe

  • Size

    2.5MB

  • MD5

    834aec8681a0a84919ed58be61eb84a7

  • SHA1

    3dfa91230f76db607114ed0588f946ee823c7d20

  • SHA256

    7dc2b9e59114f51f3f27f67561b917c58a3d9e023c0e8828cf4eb3ab88cf61fc

  • SHA512

    44933fa5f39805c1bc3d339f44f106e764f7154e30059672b70d4b8fbd94d4c376b353ca4712fb821caabbe4f8654a29c5bb2a50e2a3a19d19577bd918a5de2b

  • SSDEEP

    49152:uc59ozsLyCVft5L5Ef/ge8Rj/Y13t89rCalysFEN6XmiFAoNXxHNWimb:D9oMrV54a7DUacnN6TfHgBb

Malware Config

Signatures

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Identifies Wine through registry keys 2 TTPs 1 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\834aec8681a0a84919ed58be61eb84a7_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\834aec8681a0a84919ed58be61eb84a7_JaffaCakes118.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Identifies Wine through registry keys
    • Writes to the Master Boot Record (MBR)
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:4224
    • C:\Users\Admin\AppData\Local\Temp\merrsend.exe
      merrsend.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:2704
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4224 -s 1824
      2⤵
      • Program crash
      PID:2652
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4224 -ip 4224
    1⤵
    PID:616

Network

MITRE ATT&CK Enterprise v15

Downloads

          • C:\Users\Admin\AppData\Local\Temp\merrsend.exe

            Filesize

            5KB

            MD5

            7beeb35c3bde8caab110b5dc3a45218c

            SHA1

            fa36661a88ec5d68b9bec81dc7e216a3ed696aae

            SHA256

            62738c3e6e2dc132dbce415191383c64b76e460f80af5714d7ef4a4aceabc25a

            SHA512

            cd9ccae0d8124a8d7427e1074da7d0ee20a6646bba0bb01e3d177af714235b1466cba155365fe3ab8382d2bf780e0f95a7ace75e76b1c0e68800b425f0524795

          • memory/2704-25-0x0000000072DC0000-0x0000000073371000-memory.dmp

            Filesize

            5.7MB

          • memory/2704-23-0x0000000072DC0000-0x0000000073371000-memory.dmp

            Filesize

            5.7MB

          • memory/2704-20-0x0000000072DC0000-0x0000000073371000-memory.dmp

            Filesize

            5.7MB

          • memory/2704-19-0x0000000072DC0000-0x0000000073371000-memory.dmp

            Filesize

            5.7MB

          • memory/2704-18-0x0000000072DC2000-0x0000000072DC3000-memory.dmp

            Filesize

            4KB

          • memory/4224-4-0x0000000004CA0000-0x0000000004CA1000-memory.dmp

            Filesize

            4KB

          • memory/4224-0-0x0000000000400000-0x0000000000A73000-memory.dmp

            Filesize

            6.4MB

          • memory/4224-10-0x0000000000400000-0x0000000000A73000-memory.dmp

            Filesize

            6.4MB

          • memory/4224-11-0x0000000000400000-0x0000000000A73000-memory.dmp

            Filesize

            6.4MB

          • memory/4224-12-0x0000000000400000-0x0000000000A73000-memory.dmp

            Filesize

            6.4MB

          • memory/4224-3-0x0000000004C90000-0x0000000004C91000-memory.dmp

            Filesize

            4KB

          • memory/4224-17-0x0000000000400000-0x0000000000A73000-memory.dmp

            Filesize

            6.4MB

          • memory/4224-9-0x0000000000400000-0x0000000000A73000-memory.dmp

            Filesize

            6.4MB

          • memory/4224-5-0x0000000004CB0000-0x0000000004CB1000-memory.dmp

            Filesize

            4KB

          • memory/4224-6-0x0000000000401000-0x0000000000465000-memory.dmp

            Filesize

            400KB

          • memory/4224-21-0x0000000000400000-0x0000000000A73000-memory.dmp

            Filesize

            6.4MB

          • memory/4224-22-0x0000000000400000-0x0000000000A73000-memory.dmp

            Filesize

            6.4MB

          • memory/4224-7-0x0000000000400000-0x0000000000A73000-memory.dmp

            Filesize

            6.4MB

          • memory/4224-1-0x00000000775E4000-0x00000000775E6000-memory.dmp

            Filesize

            8KB