Analysis
max time kernel: 124s
max time network: 128s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 25-12-2024 04:00
Behavioral task: behavioral1
Sample: JaffaCakes118_fa4babcd6f894a4e3d3a44a1fe9c8aab222f3df9b0c43b5aeefcbe7ab1e152eb.exe
Resource: win7-20240903-en
General
Target: JaffaCakes118_fa4babcd6f894a4e3d3a44a1fe9c8aab222f3df9b0c43b5aeefcbe7ab1e152eb.exe
Size: 673.0MB
MD5: 7389ff07b95878e0ea9187a7739fb746
SHA1: 617391ebe2718489a21ad293038181a4745681ef
SHA256: fa4babcd6f894a4e3d3a44a1fe9c8aab222f3df9b0c43b5aeefcbe7ab1e152eb
SHA512: 4f35b2e254a202a28bb057e91aac2ee71bd46d874247d3e4d69c50e6272fa7a8583b9bea27a735f24c5234f874ff5ae112fa0b4522a96e0309620c6a9febeaa2
SSDEEP: 98304:sUOZO4ffXp2w8Xj0btxlugie9ADfVKd2DITIo5QUt6gsoV3TAn0wupSE3+eL:ss4Ef0btxkU2UcoagBlsE3+e
Malware Config
Signatures

PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.

Privateloader family
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | JaffaCakes118_fa4babcd6f894a4e3d3a44a1fe9c8aab222f3df9b0c43b5aeefcbe7ab1e152eb.exe
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | JaffaCakes118_fa4babcd6f894a4e3d3a44a1fe9c8aab222f3df9b0c43b5aeefcbe7ab1e152eb.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | JaffaCakes118_fa4babcd6f894a4e3d3a44a1fe9c8aab222f3df9b0c43b5aeefcbe7ab1e152eb.exe
resource | yara_rule
behavioral1/memory/2848-0-0x00000000010C0000-0x0000000002B5D000-memory.dmp | themida
behavioral1/memory/2848-44-0x00000000010C0000-0x0000000002B5D000-memory.dmp | themida
behavioral1/memory/2848-34-0x00000000010C0000-0x0000000002B5D000-memory.dmp | themida
behavioral1/memory/2848-39-0x00000000010C0000-0x0000000002B5D000-memory.dmp | themida
behavioral1/memory/2848-50-0x00000000010C0000-0x0000000002B5D000-memory.dmp | themida
behavioral1/memory/2848-41-0x00000000010C0000-0x0000000002B5D000-memory.dmp | themida
behavioral1/memory/2848-48-0x00000000010C0000-0x0000000002B5D000-memory.dmp | themida
behavioral1/memory/2848-43-0x00000000010C0000-0x0000000002B5D000-memory.dmp | themida
behavioral1/memory/2848-49-0x00000000010C0000-0x0000000002B5D000-memory.dmp | themida
behavioral1/memory/2848-47-0x00000000010C0000-0x0000000002B5D000-memory.dmp | themida
behavioral1/memory/2848-45-0x00000000010C0000-0x0000000002B5D000-memory.dmp | themida
behavioral1/memory/2848-40-0x00000000010C0000-0x0000000002B5D000-memory.dmp | themida
behavioral1/memory/2848-46-0x00000000010C0000-0x0000000002B5D000-memory.dmp | themida
behavioral1/memory/2848-57-0x00000000010C0000-0x0000000002B5D000-memory.dmp | themida
Checks whether UAC is enabled
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | JaffaCakes118_fa4babcd6f894a4e3d3a44a1fe9c8aab222f3df9b0c43b5aeefcbe7ab1e152eb.exe
Drops file in System32 directory 4 IoCs
description | ioc | Process
File opened for modification | C:\Windows\System32\GroupPolicy\GPT.INI | JaffaCakes118_fa4babcd6f894a4e3d3a44a1fe9c8aab222f3df9b0c43b5aeefcbe7ab1e152eb.exe
File opened for modification | C:\Windows\System32\GroupPolicy | JaffaCakes118_fa4babcd6f894a4e3d3a44a1fe9c8aab222f3df9b0c43b5aeefcbe7ab1e152eb.exe
File opened for modification | C:\Windows\SysWOW64\GroupPolicy\gpt.ini | JaffaCakes118_fa4babcd6f894a4e3d3a44a1fe9c8aab222f3df9b0c43b5aeefcbe7ab1e152eb.exe
File created | C:\Windows\System32\GroupPolicy\Machine\Registry.pol | JaffaCakes118_fa4babcd6f894a4e3d3a44a1fe9c8aab222f3df9b0c43b5aeefcbe7ab1e152eb.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
pid | Process
2848 | JaffaCakes118_fa4babcd6f894a4e3d3a44a1fe9c8aab222f3df9b0c43b5aeefcbe7ab1e152eb.exe
Program crash 1 IoCs
pid | pid_target | Process | procid_target
800 | 2848 | WerFault.exe | 29
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_fa4babcd6f894a4e3d3a44a1fe9c8aab222f3df9b0c43b5aeefcbe7ab1e152eb.exe
Suspicious behavior: EnumeratesProcesses 3 IoCs
pid | Process
2848 | JaffaCakes118_fa4babcd6f894a4e3d3a44a1fe9c8aab222f3df9b0c43b5aeefcbe7ab1e152eb.exe
2848 | JaffaCakes118_fa4babcd6f894a4e3d3a44a1fe9c8aab222f3df9b0c43b5aeefcbe7ab1e152eb.exe
2848 | JaffaCakes118_fa4babcd6f894a4e3d3a44a1fe9c8aab222f3df9b0c43b5aeefcbe7ab1e152eb.exe
Suspicious use of WriteProcessMemory 4 IoCs
description | pid | Process | procid_target
PID 2848 wrote to memory of 800 | 2848 | JaffaCakes118_fa4babcd6f894a4e3d3a44a1fe9c8aab222f3df9b0c43b5aeefcbe7ab1e152eb.exe | 30
PID 2848 wrote to memory of 800 | 2848 | JaffaCakes118_fa4babcd6f894a4e3d3a44a1fe9c8aab222f3df9b0c43b5aeefcbe7ab1e152eb.exe | 30
PID 2848 wrote to memory of 800 | 2848 | JaffaCakes118_fa4babcd6f894a4e3d3a44a1fe9c8aab222f3df9b0c43b5aeefcbe7ab1e152eb.exe | 30
PID 2848 wrote to memory of 800 | 2848 | JaffaCakes118_fa4babcd6f894a4e3d3a44a1fe9c8aab222f3df9b0c43b5aeefcbe7ab1e152eb.exe | 30
Processes

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_fa4babcd6f894a4e3d3a44a1fe9c8aab222f3df9b0c43b5aeefcbe7ab1e152eb.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_fa4babcd6f894a4e3d3a44a1fe9c8aab222f3df9b0c43b5aeefcbe7ab1e152eb.exe"
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Drops file in System32 directory
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 2848

  C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2848 -s 520
    - Program crash
    PID: 800