Analysis Overview
SHA256
7dc2b9e59114f51f3f27f67561b917c58a3d9e023c0e8828cf4eb3ab88cf61fc
Threat Level: Likely malicious
The file 834aec8681a0a84919ed58be61eb84a7_JaffaCakes118 was found to be: Likely malicious.
Malicious Activity Summary
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Identifies Wine through registry keys
Loads dropped DLL
Executes dropped EXE
Writes to the Master Boot Record (MBR)
Checks whether UAC is enabled
Suspicious use of NtSetInformationThreadHideFromDebugger
Program crash
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Modifies registry class
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-31 14:38
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-31 14:38
Reported
2024-10-31 14:43
Platform
win7-20241010-en
Max time kernel
72s
Max time network
37s
Command Line
Signatures
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\834aec8681a0a84919ed58be61eb84a7_JaffaCakes118.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\merrsend.exe | N/A |
Identifies Wine through registry keys
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\834aec8681a0a84919ed58be61eb84a7_JaffaCakes118.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\834aec8681a0a84919ed58be61eb84a7_JaffaCakes118.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\834aec8681a0a84919ed58be61eb84a7_JaffaCakes118.exe | N/A |
Writes to the Master Boot Record (MBR)
| Description | Indicator | Process | Target |
| File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\AppData\Local\Temp\834aec8681a0a84919ed58be61eb84a7_JaffaCakes118.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\834aec8681a0a84919ed58be61eb84a7_JaffaCakes118.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\834aec8681a0a84919ed58be61eb84a7_JaffaCakes118.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\834aec8681a0a84919ed58be61eb84a7_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\merrsend.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\834aec8681a0a84919ed58be61eb84a7_JaffaCakes118.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\834aec8681a0a84919ed58be61eb84a7_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\834aec8681a0a84919ed58be61eb84a7_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\merrsend.exe
merrsend.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2116 -s 920
Network
| Country | Destination | Domain | Proto |
| DE | 82.165.134.202:80 | N/A | tcp |
Files
memory/2116-0-0x0000000000400000-0x0000000000A73000-memory.dmp
memory/2116-1-0x0000000077DD0000-0x0000000077DD2000-memory.dmp
memory/2116-6-0x0000000000401000-0x0000000000465000-memory.dmp
memory/2116-8-0x0000000000400000-0x0000000000A73000-memory.dmp
memory/2116-5-0x0000000004480000-0x0000000004482000-memory.dmp
memory/2116-9-0x0000000000400000-0x0000000000A73000-memory.dmp
memory/2116-4-0x0000000004470000-0x0000000004471000-memory.dmp
memory/2116-3-0x0000000000B90000-0x0000000000B91000-memory.dmp
memory/2116-10-0x0000000000400000-0x0000000000A73000-memory.dmp
memory/2116-11-0x0000000000400000-0x0000000000A73000-memory.dmp
memory/2116-12-0x0000000000400000-0x0000000000A73000-memory.dmp
\Users\Admin\AppData\Local\Temp\merrsend.exe
| MD5 | 7beeb35c3bde8caab110b5dc3a45218c |
| SHA1 | fa36661a88ec5d68b9bec81dc7e216a3ed696aae |
| SHA256 | 62738c3e6e2dc132dbce415191383c64b76e460f80af5714d7ef4a4aceabc25a |
| SHA512 | cd9ccae0d8124a8d7427e1074da7d0ee20a6646bba0bb01e3d177af714235b1466cba155365fe3ab8382d2bf780e0f95a7ace75e76b1c0e68800b425f0524795 |
memory/2116-19-0x0000000000400000-0x0000000000A73000-memory.dmp
memory/2116-22-0x0000000000400000-0x0000000000A73000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-31 14:38
Reported
2024-10-31 14:42
Platform
win10v2004-20241007-en
Max time kernel
150s
Max time network
152s
Command Line
Signatures
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\834aec8681a0a84919ed58be61eb84a7_JaffaCakes118.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\merrsend.exe | N/A |
Identifies Wine through registry keys
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\834aec8681a0a84919ed58be61eb84a7_JaffaCakes118.exe | N/A |
Writes to the Master Boot Record (MBR)
| Description | Indicator | Process | Target |
| File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\AppData\Local\Temp\834aec8681a0a84919ed58be61eb84a7_JaffaCakes118.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\834aec8681a0a84919ed58be61eb84a7_JaffaCakes118.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\834aec8681a0a84919ed58be61eb84a7_JaffaCakes118.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\834aec8681a0a84919ed58be61eb84a7_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\merrsend.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ | C:\Users\Admin\AppData\Local\Temp\834aec8681a0a84919ed58be61eb84a7_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ | C:\Users\Admin\AppData\Local\Temp\834aec8681a0a84919ed58be61eb84a7_JaffaCakes118.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\834aec8681a0a84919ed58be61eb84a7_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\834aec8681a0a84919ed58be61eb84a7_JaffaCakes118.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4224 wrote to memory of 2704 | N/A | C:\Users\Admin\AppData\Local\Temp\834aec8681a0a84919ed58be61eb84a7_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\merrsend.exe |
| PID 4224 wrote to memory of 2704 | N/A | C:\Users\Admin\AppData\Local\Temp\834aec8681a0a84919ed58be61eb84a7_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\merrsend.exe |
| PID 4224 wrote to memory of 2704 | N/A | C:\Users\Admin\AppData\Local\Temp\834aec8681a0a84919ed58be61eb84a7_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\merrsend.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\834aec8681a0a84919ed58be61eb84a7_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\834aec8681a0a84919ed58be61eb84a7_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\merrsend.exe
merrsend.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4224 -ip 4224
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4224 -s 1824
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 74.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| DE | 82.165.134.202:80 | N/A | tcp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 107.12.20.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | N/A | udp |
Files
memory/4224-0-0x0000000000400000-0x0000000000A73000-memory.dmp
memory/4224-1-0x00000000775E4000-0x00000000775E6000-memory.dmp
memory/4224-7-0x0000000000400000-0x0000000000A73000-memory.dmp
memory/4224-6-0x0000000000401000-0x0000000000465000-memory.dmp
memory/4224-5-0x0000000004CB0000-0x0000000004CB1000-memory.dmp
memory/4224-4-0x0000000004CA0000-0x0000000004CA1000-memory.dmp
memory/4224-3-0x0000000004C90000-0x0000000004C91000-memory.dmp
memory/4224-9-0x0000000000400000-0x0000000000A73000-memory.dmp
memory/4224-10-0x0000000000400000-0x0000000000A73000-memory.dmp
memory/4224-11-0x0000000000400000-0x0000000000A73000-memory.dmp
memory/4224-12-0x0000000000400000-0x0000000000A73000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\merrsend.exe
| MD5 | 7beeb35c3bde8caab110b5dc3a45218c |
| SHA1 | fa36661a88ec5d68b9bec81dc7e216a3ed696aae |
| SHA256 | 62738c3e6e2dc132dbce415191383c64b76e460f80af5714d7ef4a4aceabc25a |
| SHA512 | cd9ccae0d8124a8d7427e1074da7d0ee20a6646bba0bb01e3d177af714235b1466cba155365fe3ab8382d2bf780e0f95a7ace75e76b1c0e68800b425f0524795 |
memory/4224-17-0x0000000000400000-0x0000000000A73000-memory.dmp
memory/2704-18-0x0000000072DC2000-0x0000000072DC3000-memory.dmp
memory/2704-19-0x0000000072DC0000-0x0000000073371000-memory.dmp
memory/2704-20-0x0000000072DC0000-0x0000000073371000-memory.dmp
memory/4224-21-0x0000000000400000-0x0000000000A73000-memory.dmp
memory/4224-22-0x0000000000400000-0x0000000000A73000-memory.dmp
memory/2704-23-0x0000000072DC0000-0x0000000073371000-memory.dmp
memory/2704-25-0x0000000072DC0000-0x0000000073371000-memory.dmp