Analysis
-
max time kernel
148s
-
max time network
151s
-
platform
windows10-2004_x64
-
resource
win10v2004-20241007-en
-
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
-
submitted
24-12-2024 00:16
Behavioral task
behavioral1
Sample
JaffaCakes118_dfc643f0c12447398ce3700e22d52442a4773494bc6a7ebc836e6260a0eb3f78.exe
Resource
win7-20240903-en
General
-
Target
JaffaCakes118_dfc643f0c12447398ce3700e22d52442a4773494bc6a7ebc836e6260a0eb3f78.exe
-
Size
4.1MB
-
MD5
65b9a2bb5e5510eda9a351da1f95e508
-
SHA1
673472622fed797b1afb577d0053c9ee2d83d675
-
SHA256
dfc643f0c12447398ce3700e22d52442a4773494bc6a7ebc836e6260a0eb3f78
-
SHA512
028aa956ebaf1e20219f8d25fb55f087bbcc68f93e13833ae2be70995cd16696c3cd36fe9accafc00ef20975e3bb016ecd924e264217629cd814971d761020f8
-
SSDEEP
98304:xly2wGPLwrHKNVXf1WOWxQmeaVPnNPi0ambpBcs/zdPvHrCi9FZF:PwGPLwLKNlkOWzPd/pBdLr9bF
Malware Config
Extracted
-
Family
amadey
-
Version
3.01
-
Botnet
1ce576
-
install_dir
91a0189a82
-
install_file
tkools.exe
-
strings_key
5031c806169b48d93a79100688ba0f46
-
url_paths
/g8lvleE2z/index.php
Signatures
-
Amadey family
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 4 IoCs
description ioc Process
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ JaffaCakes118_dfc643f0c12447398ce3700e22d52442a4773494bc6a7ebc836e6260a0eb3f78.exe
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ tkools.exe
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ tkools.exe
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ tkools.exe
-
Checks BIOS information in registry 2 TTPs 8 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion tkools.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion JaffaCakes118_dfc643f0c12447398ce3700e22d52442a4773494bc6a7ebc836e6260a0eb3f78.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion JaffaCakes118_dfc643f0c12447398ce3700e22d52442a4773494bc6a7ebc836e6260a0eb3f78.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion tkools.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion tkools.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion tkools.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion tkools.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion tkools.exe
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process
Key value queried \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation JaffaCakes118_dfc643f0c12447398ce3700e22d52442a4773494bc6a7ebc836e6260a0eb3f78.exe
Key value queried \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation tkools.exe
-
Executes dropped EXE 3 IoCs
pid Process
2312 tkools.exe
944 tkools.exe
3940 tkools.exe
-
Themida packer 22 IoCs
resource yara_rule
behavioral2/memory/2128-0-0x0000000000E50000-0x00000000018B0000-memory.dmp themida
behavioral2/memory/2128-3-0x0000000000E50000-0x00000000018B0000-memory.dmp themida
behavioral2/memory/2128-2-0x0000000000E50000-0x00000000018B0000-memory.dmp themida
behavioral2/memory/2128-4-0x0000000000E50000-0x00000000018B0000-memory.dmp themida
behavioral2/files/0x0007000000023cbf-9.dat themida
behavioral2/memory/2128-16-0x0000000000E50000-0x00000000018B0000-memory.dmp themida
behavioral2/memory/2312-15-0x00000000003C0000-0x0000000000E20000-memory.dmp themida
behavioral2/memory/2312-17-0x00000000003C0000-0x0000000000E20000-memory.dmp themida
behavioral2/memory/2312-18-0x00000000003C0000-0x0000000000E20000-memory.dmp themida
behavioral2/memory/2312-19-0x00000000003C0000-0x0000000000E20000-memory.dmp themida
behavioral2/memory/2312-28-0x00000000003C0000-0x0000000000E20000-memory.dmp themida
behavioral2/memory/2312-32-0x00000000003C0000-0x0000000000E20000-memory.dmp themida
behavioral2/memory/944-35-0x00000000003C0000-0x0000000000E20000-memory.dmp themida
behavioral2/memory/944-36-0x00000000003C0000-0x0000000000E20000-memory.dmp themida
behavioral2/memory/944-38-0x00000000003C0000-0x0000000000E20000-memory.dmp themida
behavioral2/memory/2312-39-0x00000000003C0000-0x0000000000E20000-memory.dmp themida
behavioral2/memory/2312-40-0x00000000003C0000-0x0000000000E20000-memory.dmp themida
behavioral2/memory/2312-41-0x00000000003C0000-0x0000000000E20000-memory.dmp themida
behavioral2/memory/3940-47-0x00000000003C0000-0x0000000000E20000-memory.dmp themida
behavioral2/memory/3940-46-0x00000000003C0000-0x0000000000E20000-memory.dmp themida
behavioral2/memory/3940-48-0x00000000003C0000-0x0000000000E20000-memory.dmp themida
behavioral2/memory/2312-50-0x00000000003C0000-0x0000000000E20000-memory.dmp themida
-
Checks whether UAC is enabled 4 IoCs
description ioc Process
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA tkools.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA JaffaCakes118_dfc643f0c12447398ce3700e22d52442a4773494bc6a7ebc836e6260a0eb3f78.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA tkools.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA tkools.exe
-
Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs
pid Process
2128 JaffaCakes118_dfc643f0c12447398ce3700e22d52442a4773494bc6a7ebc836e6260a0eb3f78.exe
2312 tkools.exe
944 tkools.exe
3940 tkools.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 7 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language JaffaCakes118_dfc643f0c12447398ce3700e22d52442a4773494bc6a7ebc836e6260a0eb3f78.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tkools.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tkools.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tkools.exe
-
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process
3512 schtasks.exe
-
Suspicious use of WriteProcessMemory 12 IoCs
description pid Process procid_target
PID 2128 wrote to memory of 2312 2128 JaffaCakes118_dfc643f0c12447398ce3700e22d52442a4773494bc6a7ebc836e6260a0eb3f78.exe 83
PID 2128 wrote to memory of 2312 2128 JaffaCakes118_dfc643f0c12447398ce3700e22d52442a4773494bc6a7ebc836e6260a0eb3f78.exe 83
PID 2128 wrote to memory of 2312 2128 JaffaCakes118_dfc643f0c12447398ce3700e22d52442a4773494bc6a7ebc836e6260a0eb3f78.exe 83
PID 2312 wrote to memory of 2368 2312 tkools.exe 84
PID 2312 wrote to memory of 2368 2312 tkools.exe 84
PID 2312 wrote to memory of 2368 2312 tkools.exe 84
PID 2312 wrote to memory of 3512 2312 tkools.exe 86
PID 2312 wrote to memory of 3512 2312 tkools.exe 86
PID 2312 wrote to memory of 3512 2312 tkools.exe 86
PID 2368 wrote to memory of 4808 2368 cmd.exe 88
PID 2368 wrote to memory of 4808 2368 cmd.exe 88
PID 2368 wrote to memory of 4808 2368 cmd.exe 88
Processes
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_dfc643f0c12447398ce3700e22d52442a4773494bc6a7ebc836e6260a0eb3f78.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_dfc643f0c12447398ce3700e22d52442a4773494bc6a7ebc836e6260a0eb3f78.exe"
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Checks computer location settings
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2128
  C:\Users\Admin\AppData\Local\Temp\91a0189a82\tkools.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\91a0189a82\tkools.exe"
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Checks computer location settings
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2312
    C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /C REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\91a0189a82\
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID:2368
      C:\Windows\SysWOW64\reg.exe
        Command line: REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\91a0189a82\
        - System Location Discovery: System Language Discovery
        PID:4808
    C:\Windows\SysWOW64\schtasks.exe
      Command line: "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN tkools.exe /TR "C:\Users\Admin\AppData\Local\Temp\91a0189a82\tkools.exe" /F
      - System Location Discovery: System Language Discovery
      - Scheduled Task/Job: Scheduled Task
      PID:3512
C:\Users\Admin\AppData\Local\Temp\91a0189a82\tkools.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\91a0189a82\tkools.exe
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  PID:944
C:\Users\Admin\AppData\Local\Temp\91a0189a82\tkools.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\91a0189a82\tkools.exe
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  PID:3940
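The process tree shows the two persistence actions this Amadey build takes: reg.exe rewrites the per-user Startup shell folder (HKCU\...\Explorer\User Shell Folders, value Startup) to point at the install directory C:\Users\Admin\AppData\Local\Temp\91a0189a82\, so Explorer treats that directory as the Startup folder and launches everything in it at logon without touching a Run key; schtasks.exe then registers a task that re-launches tkools.exe every minute, which is consistent with the two further top-level tkools.exe launches (PIDs 944 and 3940) seen within the 148s run. The following is an added example, not part of the sandbox report: a Python detection that replays process-creation events constructed from the tree above and flags both actions. The ProcEvent schema, the parent PID 4000, and the two benign negative events (PIDs 5001 and 5002) are assumptions for illustration.

```python
"""Added example (not from the sandbox report): flag Amadey's two persistence
actions from process-creation events. ProcEvent is an assumed minimal schema;
feed it pid/ppid/image/command line from Sysmon Event ID 1 or your EDR."""
import re
from dataclasses import dataclass

@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str

# Default per-user Startup folder, in either form Windows stores it.
DEFAULT_STARTUP = re.compile(
    r"^%(userprofile%\\appdata\\roaming|appdata%)"
    r"\\microsoft\\windows\\start menu\\programs\\startup\\?$", re.I)
# Locations a non-admin process can write to.
USER_WRITABLE = re.compile(r"\\appdata\\|\\temp\\|\\public\\|\\programdata\\", re.I)
TOKEN = re.compile(r'"[^"]*"|\S+')

def tokenize(cmdline):
    """Split a Windows command line, keeping quoted arguments intact."""
    return [t.strip('"') for t in TOKEN.findall(cmdline)]

def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def switch_value(tokens, name):
    """Argument following a case-insensitive switch such as /v or /TR, else None."""
    low = [t.lower() for t in tokens]
    i = low.index(name.lower()) if name.lower() in low else -1
    return tokens[i + 1] if 0 <= i < len(tokens) - 1 else None

def unwrap_cmd(tokens):
    """The report's reg.exe call is wrapped in cmd.exe /C; strip that layer."""
    if tokens and basename(tokens[0]) in ("cmd", "cmd.exe"):
        for i, tok in enumerate(tokens):
            if tok.lower() in ("/c", "/k"):
                return tokens[i + 1:]
    return tokens

def check_startup_redirect(ev, tokens):
    """reg add <User Shell Folders key> /v Startup /d <anything but the default>."""
    if len(tokens) < 3 or basename(tokens[0]) not in ("reg", "reg.exe"):
        return None
    if tokens[1].lower() != "add" or not tokens[2].lower().endswith("\\explorer\\user shell folders"):
        return None
    if (switch_value(tokens, "/v") or "").lower() != "startup":
        return None
    data = switch_value(tokens, "/d") or ""
    if DEFAULT_STARTUP.match(data):
        return None
    return ("startup_folder_redirect", ev.pid, data)

def check_minute_task(ev, tokens):
    """schtasks /Create /SC MINUTE /MO n /TR <user-writable path>, n <= 5."""
    if not tokens or basename(tokens[0]) not in ("schtasks", "schtasks.exe"):
        return None
    low = [t.lower() for t in tokens]
    if "/create" not in low or (switch_value(tokens, "/sc") or "").lower() != "minute":
        return None
    try:
        every = int(switch_value(tokens, "/mo") or 1)  # schtasks default for /MO is 1
    except ValueError:
        return None
    target = switch_value(tokens, "/tr") or ""
    if every > 5 or not USER_WRITABLE.search(target):
        return None
    return ("minute_task_user_writable", ev.pid, target)

def scan(events):
    """Return (rule, pid, detail) tuples for every event that trips a check."""
    alerts = []
    for ev in events:
        tokens = unwrap_cmd(tokenize(ev.cmdline))
        for check in (check_startup_redirect, check_minute_task):
            hit = check(ev, tokens)
            if hit:
                alerts.append(hit)
    return alerts

# Constructed from the report's process tree (same PIDs and command lines),
# plus two assumed benign events as negatives.
SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_"
          r"dfc643f0c12447398ce3700e22d52442a4773494bc6a7ebc836e6260a0eb3f78.exe")
INSTALL = r"C:\Users\Admin\AppData\Local\Temp\91a0189a82"
TKOOLS = INSTALL + r"\tkools.exe"
USF = r'"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"'
EVENTS = [
    ProcEvent(2128, 4000, SAMPLE, f'"{SAMPLE}"'),
    ProcEvent(2312, 2128, TKOOLS, f'"{TKOOLS}"'),
    ProcEvent(2368, 2312, r"C:\Windows\SysWOW64\cmd.exe",
              r'"C:\Windows\System32\cmd.exe" /C REG ADD ' + USF
              + " /f /v Startup /t REG_SZ /d " + INSTALL + "\\"),
    ProcEvent(4808, 2368, r"C:\Windows\SysWOW64\reg.exe",
              "REG ADD " + USF + " /f /v Startup /t REG_SZ /d " + INSTALL + "\\"),
    ProcEvent(3512, 2312, r"C:\Windows\SysWOW64\schtasks.exe",
              r'"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN tkools.exe /TR "'
              + TKOOLS + '" /F'),
    ProcEvent(5001, 4000, r"C:\Windows\System32\reg.exe",  # assumed benign: default restored
              "reg add " + USF + " /v Startup /t REG_EXPAND_SZ /d "
              r'"%USERPROFILE%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup" /f'),
    ProcEvent(5002, 4000, r"C:\Windows\System32\schtasks.exe",  # assumed benign: daily task
              r'schtasks /Create /SC DAILY /TN Backup /TR "C:\Program Files\Backup\run.exe"'),
]

if __name__ == "__main__":
    for rule, pid, detail in scan(EVENTS):
        print(f"{rule}: pid {pid} -> {detail}")
```

Running it reports the redirect twice (once for the cmd.exe wrapper, PID 2368, once for reg.exe, PID 4808) and the per-minute task for PID 3512; the two benign events are not flagged. On a live host the same logic applies to the registry state itself: a Startup value under User Shell Folders that does not resolve to the default Startup path is the durable artifact, and it survives removal of the scheduled task.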
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
4.1MB
MD5 65b9a2bb5e5510eda9a351da1f95e508
SHA1 673472622fed797b1afb577d0053c9ee2d83d675
SHA256 dfc643f0c12447398ce3700e22d52442a4773494bc6a7ebc836e6260a0eb3f78
SHA512 028aa956ebaf1e20219f8d25fb55f087bbcc68f93e13833ae2be70995cd16696c3cd36fe9accafc00ef20975e3bb016ecd924e264217629cd814971d761020f8
-
Filesize
83KB
MD5 31a01e572e18225f2e3091b24730a540
SHA1 c80904ad67f8965228448347bbb95bb4768f685c
SHA256 e11ff587592bee92838cea1acdcb15153d4d1ef4f15210a0e42de557788cc792
SHA512 c579a4de5d4926a13f6181c6cd1fc43b1c44914c24d982d52a4bd8886a6dc9140b1b2301045b9146bdb535e5722e7805a065e0d33800dde4cee35b7f73f93157