Analysis

  • max time kernel
    124s
  • max time network
    128s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    25-12-2024 04:00

General

  • Target

    JaffaCakes118_fa4babcd6f894a4e3d3a44a1fe9c8aab222f3df9b0c43b5aeefcbe7ab1e152eb.exe

  • Size

    673.0MB

  • MD5

    7389ff07b95878e0ea9187a7739fb746

  • SHA1

    617391ebe2718489a21ad293038181a4745681ef

  • SHA256

    fa4babcd6f894a4e3d3a44a1fe9c8aab222f3df9b0c43b5aeefcbe7ab1e152eb

  • SHA512

    4f35b2e254a202a28bb057e91aac2ee71bd46d874247d3e4d69c50e6272fa7a8583b9bea27a735f24c5234f874ff5ae112fa0b4522a96e0309620c6a9febeaa2

  • SSDEEP

    98304:sUOZO4ffXp2w8Xj0btxlugie9ADfVKd2DITIo5QUt6gsoV3TAn0wupSE3+eL:ss4Ef0btxkU2UcoagBlsE3+e

Malware Config

Signatures

  • PrivateLoader

    PrivateLoader is a downloader sold as a pay-per-install malware distribution service.

  • Privateloader family
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Themida packer 14 IoCs

    Detects Themida, an advanced Windows software protection system.

  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Drops file in System32 directory 4 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_fa4babcd6f894a4e3d3a44a1fe9c8aab222f3df9b0c43b5aeefcbe7ab1e152eb.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_fa4babcd6f894a4e3d3a44a1fe9c8aab222f3df9b0c43b5aeefcbe7ab1e152eb.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Checks whether UAC is enabled
    • Drops file in System32 directory
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2848
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2848 -s 520
      2⤵
      • Program crash
      PID:800

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/2848-0-0x00000000010C0000-0x0000000002B5D000-memory.dmp

    Filesize

    26.6MB

  • memory/2848-6-0x0000000000150000-0x0000000000151000-memory.dmp

    Filesize

    4KB

  • memory/2848-32-0x0000000002240000-0x0000000002478000-memory.dmp

    Filesize

    2.2MB

  • memory/2848-30-0x0000000000190000-0x0000000000191000-memory.dmp

    Filesize

    4KB

  • memory/2848-28-0x0000000000190000-0x0000000000191000-memory.dmp

    Filesize

    4KB

  • memory/2848-25-0x0000000000180000-0x0000000000181000-memory.dmp

    Filesize

    4KB

  • memory/2848-23-0x0000000000180000-0x0000000000181000-memory.dmp

    Filesize

    4KB

  • memory/2848-20-0x0000000000170000-0x0000000000171000-memory.dmp

    Filesize

    4KB

  • memory/2848-44-0x00000000010C0000-0x0000000002B5D000-memory.dmp

    Filesize

    26.6MB

  • memory/2848-34-0x00000000010C0000-0x0000000002B5D000-memory.dmp

    Filesize

    26.6MB

  • memory/2848-39-0x00000000010C0000-0x0000000002B5D000-memory.dmp

    Filesize

    26.6MB

  • memory/2848-18-0x0000000000170000-0x0000000000171000-memory.dmp

    Filesize

    4KB

  • memory/2848-15-0x0000000000160000-0x0000000000161000-memory.dmp

    Filesize

    4KB

  • memory/2848-13-0x0000000000160000-0x0000000000161000-memory.dmp

    Filesize

    4KB

  • memory/2848-10-0x0000000000150000-0x0000000000151000-memory.dmp

    Filesize

    4KB

  • memory/2848-8-0x0000000000150000-0x0000000000151000-memory.dmp

    Filesize

    4KB

  • memory/2848-5-0x0000000000140000-0x0000000000141000-memory.dmp

    Filesize

    4KB

  • memory/2848-3-0x0000000000140000-0x0000000000141000-memory.dmp

    Filesize

    4KB

  • memory/2848-1-0x0000000000140000-0x0000000000141000-memory.dmp

    Filesize

    4KB

  • memory/2848-50-0x00000000010C0000-0x0000000002B5D000-memory.dmp

    Filesize

    26.6MB

  • memory/2848-41-0x00000000010C0000-0x0000000002B5D000-memory.dmp

    Filesize

    26.6MB

  • memory/2848-48-0x00000000010C0000-0x0000000002B5D000-memory.dmp

    Filesize

    26.6MB

  • memory/2848-43-0x00000000010C0000-0x0000000002B5D000-memory.dmp

    Filesize

    26.6MB

  • memory/2848-49-0x00000000010C0000-0x0000000002B5D000-memory.dmp

    Filesize

    26.6MB

  • memory/2848-47-0x00000000010C0000-0x0000000002B5D000-memory.dmp

    Filesize

    26.6MB

  • memory/2848-45-0x00000000010C0000-0x0000000002B5D000-memory.dmp

    Filesize

    26.6MB

  • memory/2848-40-0x00000000010C0000-0x0000000002B5D000-memory.dmp

    Filesize

    26.6MB

  • memory/2848-46-0x00000000010C0000-0x0000000002B5D000-memory.dmp

    Filesize

    26.6MB

  • memory/2848-57-0x00000000010C0000-0x0000000002B5D000-memory.dmp

    Filesize

    26.6MB