Analysis
max time kernel: 141s
max time network: 119s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 24-12-2024 00:16
Behavioral task: behavioral1
Sample: JaffaCakes118_dfc643f0c12447398ce3700e22d52442a4773494bc6a7ebc836e6260a0eb3f78.exe
Resource: win7-20240903-en
General
Target: JaffaCakes118_dfc643f0c12447398ce3700e22d52442a4773494bc6a7ebc836e6260a0eb3f78.exe
Size: 4.1MB
MD5: 65b9a2bb5e5510eda9a351da1f95e508
SHA1: 673472622fed797b1afb577d0053c9ee2d83d675
SHA256: dfc643f0c12447398ce3700e22d52442a4773494bc6a7ebc836e6260a0eb3f78
SHA512: 028aa956ebaf1e20219f8d25fb55f087bbcc68f93e13833ae2be70995cd16696c3cd36fe9accafc00ef20975e3bb016ecd924e264217629cd814971d761020f8
SSDEEP: 98304:xly2wGPLwrHKNVXf1WOWxQmeaVPnNPi0ambpBcs/zdPvHrCi9FZF:PwGPLwLKNlkOWzPd/pBdLr9bF
Malware Config
Extracted: amadey 3.01 1ce576
install_dir: 91a0189a82
install_file: tkools.exe
strings_key: 5031c806169b48d93a79100688ba0f46
url_paths: /g8lvleE2z/index.php
Signatures

Amadey family

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 4 IoCs

| description | ioc | Process |
| --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | tkools.exe |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | tkools.exe |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | JaffaCakes118_dfc643f0c12447398ce3700e22d52442a4773494bc6a7ebc836e6260a0eb3f78.exe |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | tkools.exe |
Checks BIOS information in registry 2 TTPs 8 IoCs
BIOS information is often read in order to detect sandboxing environments.

| description | ioc | Process |
| --- | --- | --- |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | tkools.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | tkools.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | JaffaCakes118_dfc643f0c12447398ce3700e22d52442a4773494bc6a7ebc836e6260a0eb3f78.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | JaffaCakes118_dfc643f0c12447398ce3700e22d52442a4773494bc6a7ebc836e6260a0eb3f78.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | tkools.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | tkools.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | tkools.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | tkools.exe |
Executes dropped EXE 3 IoCs

| pid | Process |
| --- | --- |
| 2524 | tkools.exe |
| 2428 | tkools.exe |
| 776 | tkools.exe |

Loads dropped DLL 1 IoCs

| pid | Process |
| --- | --- |
| 2508 | JaffaCakes118_dfc643f0c12447398ce3700e22d52442a4773494bc6a7ebc836e6260a0eb3f78.exe |

| resource | yara_rule |
| --- | --- |
| behavioral1/memory/2508-0-0x0000000000D80000-0x00000000017E0000-memory.dmp | themida |
| behavioral1/memory/2508-2-0x0000000000D80000-0x00000000017E0000-memory.dmp | themida |
| behavioral1/memory/2508-3-0x0000000000D80000-0x00000000017E0000-memory.dmp | themida |
| behavioral1/memory/2508-4-0x0000000000D80000-0x00000000017E0000-memory.dmp | themida |
| behavioral1/files/0x0008000000015fba-8.dat | themida |
| behavioral1/memory/2524-15-0x0000000000890000-0x00000000012F0000-memory.dmp | themida |
| behavioral1/memory/2508-12-0x0000000000D80000-0x00000000017E0000-memory.dmp | themida |
| behavioral1/memory/2524-17-0x0000000000890000-0x00000000012F0000-memory.dmp | themida |
| behavioral1/memory/2524-18-0x0000000000890000-0x00000000012F0000-memory.dmp | themida |
| behavioral1/memory/2524-19-0x0000000000890000-0x00000000012F0000-memory.dmp | themida |
| behavioral1/memory/2524-29-0x0000000000890000-0x00000000012F0000-memory.dmp | themida |
| behavioral1/memory/2524-32-0x0000000000890000-0x00000000012F0000-memory.dmp | themida |
| behavioral1/memory/2428-36-0x0000000000890000-0x00000000012F0000-memory.dmp | themida |
| behavioral1/memory/2428-37-0x0000000000890000-0x00000000012F0000-memory.dmp | themida |
| behavioral1/memory/2428-38-0x0000000000890000-0x00000000012F0000-memory.dmp | themida |
| behavioral1/memory/2428-40-0x0000000000890000-0x00000000012F0000-memory.dmp | themida |
| behavioral1/memory/2524-41-0x0000000000890000-0x00000000012F0000-memory.dmp | themida |
| behavioral1/memory/2524-42-0x0000000000890000-0x00000000012F0000-memory.dmp | themida |
| behavioral1/memory/2524-43-0x0000000000890000-0x00000000012F0000-memory.dmp | themida |
| behavioral1/memory/776-48-0x0000000000890000-0x00000000012F0000-memory.dmp | themida |
| behavioral1/memory/776-49-0x0000000000890000-0x00000000012F0000-memory.dmp | themida |
| behavioral1/memory/776-51-0x0000000000890000-0x00000000012F0000-memory.dmp | themida |
| behavioral1/memory/2524-52-0x0000000000890000-0x00000000012F0000-memory.dmp | themida |

Checks whether UAC is enabled

| description | ioc | Process |
| --- | --- | --- |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | JaffaCakes118_dfc643f0c12447398ce3700e22d52442a4773494bc6a7ebc836e6260a0eb3f78.exe |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | tkools.exe |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | tkools.exe |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | tkools.exe |

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

| pid | Process |
| --- | --- |
| 2508 | JaffaCakes118_dfc643f0c12447398ce3700e22d52442a4773494bc6a7ebc836e6260a0eb3f78.exe |
| 2524 | tkools.exe |
| 2428 | tkools.exe |
| 776 | tkools.exe |
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

| description | ioc | Process |
| --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | schtasks.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | tkools.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | tkools.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_dfc643f0c12447398ce3700e22d52442a4773494bc6a7ebc836e6260a0eb3f78.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | tkools.exe |

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.

| pid | Process |
| --- | --- |
| 688 | schtasks.exe |

Suspicious use of WriteProcessMemory 24 IoCs

| description | pid | Process | procid_target |
| --- | --- | --- | --- |
| PID 2508 wrote to memory of 2524 | 2508 | JaffaCakes118_dfc643f0c12447398ce3700e22d52442a4773494bc6a7ebc836e6260a0eb3f78.exe | 30 |
| PID 2508 wrote to memory of 2524 | 2508 | JaffaCakes118_dfc643f0c12447398ce3700e22d52442a4773494bc6a7ebc836e6260a0eb3f78.exe | 30 |
| PID 2508 wrote to memory of 2524 | 2508 | JaffaCakes118_dfc643f0c12447398ce3700e22d52442a4773494bc6a7ebc836e6260a0eb3f78.exe | 30 |
| PID 2508 wrote to memory of 2524 | 2508 | JaffaCakes118_dfc643f0c12447398ce3700e22d52442a4773494bc6a7ebc836e6260a0eb3f78.exe | 30 |
| PID 2524 wrote to memory of 2208 | 2524 | tkools.exe | 31 |
| PID 2524 wrote to memory of 2208 | 2524 | tkools.exe | 31 |
| PID 2524 wrote to memory of 2208 | 2524 | tkools.exe | 31 |
| PID 2524 wrote to memory of 2208 | 2524 | tkools.exe | 31 |
| PID 2524 wrote to memory of 688 | 2524 | tkools.exe | 33 |
| PID 2524 wrote to memory of 688 | 2524 | tkools.exe | 33 |
| PID 2524 wrote to memory of 688 | 2524 | tkools.exe | 33 |
| PID 2524 wrote to memory of 688 | 2524 | tkools.exe | 33 |
| PID 2208 wrote to memory of 2792 | 2208 | cmd.exe | 35 |
| PID 2208 wrote to memory of 2792 | 2208 | cmd.exe | 35 |
| PID 2208 wrote to memory of 2792 | 2208 | cmd.exe | 35 |
| PID 2208 wrote to memory of 2792 | 2208 | cmd.exe | 35 |
| PID 1276 wrote to memory of 2428 | 1276 | taskeng.exe | 39 |
| PID 1276 wrote to memory of 2428 | 1276 | taskeng.exe | 39 |
| PID 1276 wrote to memory of 2428 | 1276 | taskeng.exe | 39 |
| PID 1276 wrote to memory of 2428 | 1276 | taskeng.exe | 39 |
| PID 1276 wrote to memory of 776 | 1276 | taskeng.exe | 42 |
| PID 1276 wrote to memory of 776 | 1276 | taskeng.exe | 42 |
| PID 1276 wrote to memory of 776 | 1276 | taskeng.exe | 42 |
| PID 1276 wrote to memory of 776 | 1276 | taskeng.exe | 42 |
Processes

(Indentation shows the parent/child depth in the process tree; each entry lists the image path, the observed command line, the signatures that matched on that process, and its PID.)

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_dfc643f0c12447398ce3700e22d52442a4773494bc6a7ebc836e6260a0eb3f78.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_dfc643f0c12447398ce3700e22d52442a4773494bc6a7ebc836e6260a0eb3f78.exe"
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID: 2508

  C:\Users\Admin\AppData\Local\Temp\91a0189a82\tkools.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\91a0189a82\tkools.exe"
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 2524

    C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\91a0189a82\
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 2208

      C:\Windows\SysWOW64\reg.exe
      Command line: REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\91a0189a82\
      - System Location Discovery: System Language Discovery
      PID: 2792

    C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN tkools.exe /TR "C:\Users\Admin\AppData\Local\Temp\91a0189a82\tkools.exe" /F
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID: 688

C:\Windows\system32\taskeng.exe
Command line: taskeng.exe {075C6819-A1F2-48EE-9916-A510A363F6CB} S-1-5-21-312935884-697965778-3955649944-1000:MXQFNXLT\Admin:Interactive:[1]
- Suspicious use of WriteProcessMemory
PID: 1276

  C:\Users\Admin\AppData\Local\Temp\91a0189a82\tkools.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\91a0189a82\tkools.exe
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  PID: 2428

  C:\Users\Admin\AppData\Local\Temp\91a0189a82\tkools.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\91a0189a82\tkools.exe
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  PID: 776
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 69KB
MD5: 639d2a8897faf00da9399e5292312c08
SHA1: 269140921159f0becc7d0b8be115fc06c6f0161e
SHA256: 755339795a05bd07d88e743a7b486d8a0bbca4aca2da99e0788f7b17f698be35
SHA512: ff924f6966d95b51772b632eb2fa4287ce1fabd5403fa4754567849c581b1abe4087b18e51eb03986444413d6cbef5276fb739472d189966afd3f376fc17da9d

Filesize: 4.1MB
MD5: 65b9a2bb5e5510eda9a351da1f95e508
SHA1: 673472622fed797b1afb577d0053c9ee2d83d675
SHA256: dfc643f0c12447398ce3700e22d52442a4773494bc6a7ebc836e6260a0eb3f78
SHA512: 028aa956ebaf1e20219f8d25fb55f087bbcc68f93e13833ae2be70995cd16696c3cd36fe9accafc00ef20975e3bb016ecd924e264217629cd814971d761020f8