2afa1263c47b3a4830cb948607a097136cb0cde6205bc8a0665a313632d607f9

Analysis

max time kernel
104s
max time network
140s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
28/03/2025, 11:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_8a9f78b45ce85e2a8288e2a5f4ca89aa.exe
Size

174KB
MD5

8a9f78b45ce85e2a8288e2a5f4ca89aa
SHA1

bac58c2681aa04ff98e73af10d5a3f566dad9119
SHA256

2afa1263c47b3a4830cb948607a097136cb0cde6205bc8a0665a313632d607f9
SHA512

82bf6a4dc966bd730ae5907544a68239ff0feda629056403ac285fac237961627ce589f4c8b3e48fbb8ba1eb75fbf58282f73deb6993ba745cb819463f2068b2
SSDEEP

3072:l+BC3K5eqZB6Kvf3t9Aeq7t6/F69v4k4BP7GzZAEbvAMFGm3rpPQ:HK7ZBzH3e8N69v4DW6EjxvlPQ

Score

8^/10

discovery vmprotect

Malware Config

Signatures

Drops file in Drivers directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\ADP80XX.SYS	JaffaCakes118_8a9f78b45ce85e2a8288e2a5f4ca89aa.exe
File opened for modification	C:\Windows\System32\drivers\arcsas.sys	JaffaCakes118_8a9f78b45ce85e2a8288e2a5f4ca89aa.exe
File opened for modification	C:\Windows\System32\drivers\iaLPSS2i_I2C.sys	JaffaCakes118_8a9f78b45ce85e2a8288e2a5f4ca89aa.exe
File opened for modification	C:\Windows\System32\drivers\iaLPSS2i_I2C_CNL.sys	JaffaCakes118_8a9f78b45ce85e2a8288e2a5f4ca89aa.exe
File opened for modification	C:\Windows\System32\drivers\pcmcia.sys	JaffaCakes118_8a9f78b45ce85e2a8288e2a5f4ca89aa.exe
File opened for modification	C:\Windows\System32\drivers\serenum.sys	JaffaCakes118_8a9f78b45ce85e2a8288e2a5f4ca89aa.exe
File opened for modification	C:\Windows\System32\drivers\fdc.sys	JaffaCakes118_8a9f78b45ce85e2a8288e2a5f4ca89aa.exe
File opened for modification	C:\Windows\System32\drivers\lsi_sas.sys	JaffaCakes118_8a9f78b45ce85e2a8288e2a5f4ca89aa.exe
File opened for modification	C:\Windows\System32\drivers\nvdimm.sys	JaffaCakes118_8a9f78b45ce85e2a8288e2a5f4ca89aa.exe
File opened for modification	C:\Windows\system32\drivers\SpbCx.sys	JaffaCakes118_8a9f78b45ce85e2a8288e2a5f4ca89aa.exe
File opened for modification	C:\Windows\System32\drivers\raspptp.sys	JaffaCakes118_8a9f78b45ce85e2a8288e2a5f4ca89aa.exe
File opened for modification	C:\Windows\System32\drivers\iaLPSS2i_GPIO2_CNL.sys	JaffaCakes118_8a9f78b45ce85e2a8288e2a5f4ca89aa.exe
File opened for modification	C:\Windows\System32\Drivers\MsRPC.sys	JaffaCakes118_8a9f78b45ce85e2a8288e2a5f4ca89aa.exe
File opened for modification	C:\Windows\System32\drivers\nvraid.sys	JaffaCakes118_8a9f78b45ce85e2a8288e2a5f4ca89aa.exe
File opened for modification	C:\Windows\System32\drivers\scmbus.sys	JaffaCakes118_8a9f78b45ce85e2a8288e2a5f4ca89aa.exe
File opened for modification	C:\Windows\system32\drivers\SerCx.sys	JaffaCakes118_8a9f78b45ce85e2a8288e2a5f4ca89aa.exe
File opened for modification	C:\Windows\System32\drivers\flpydisk.sys	JaffaCakes118_8a9f78b45ce85e2a8288e2a5f4ca89aa.exe
File opened for modification	C:\Windows\System32\drivers\hidi2c.sys	JaffaCakes118_8a9f78b45ce85e2a8288e2a5f4ca89aa.exe
File opened for modification	C:\Windows\System32\drivers\iai2c.sys	JaffaCakes118_8a9f78b45ce85e2a8288e2a5f4ca89aa.exe
File opened for modification	C:\Windows\System32\drivers\netvsc.sys	JaffaCakes118_8a9f78b45ce85e2a8288e2a5f4ca89aa.exe
File opened for modification	C:\Windows\System32\drivers\iaLPSS2i_I2C_GLK.sys	JaffaCakes118_8a9f78b45ce85e2a8288e2a5f4ca89aa.exe
File opened for modification	C:\Windows\System32\drivers\lsi_sss.sys	JaffaCakes118_8a9f78b45ce85e2a8288e2a5f4ca89aa.exe
File opened for modification	C:\Windows\system32\drivers\ucx01000.sys	JaffaCakes118_8a9f78b45ce85e2a8288e2a5f4ca89aa.exe
File opened for modification	C:\Windows\System32\drivers\tpm.sys	JaffaCakes118_8a9f78b45ce85e2a8288e2a5f4ca89aa.exe
File opened for modification	C:\Windows\System32\Drivers\UcmCx.sys	JaffaCakes118_8a9f78b45ce85e2a8288e2a5f4ca89aa.exe
File opened for modification	C:\Windows\system32\drivers\WdmCompanionFilter.sys	JaffaCakes118_8a9f78b45ce85e2a8288e2a5f4ca89aa.exe
File opened for modification	C:\Windows\System32\drivers\winmad.sys	JaffaCakes118_8a9f78b45ce85e2a8288e2a5f4ca89aa.exe
File opened for modification	C:\Windows\System32\drivers\WpdUpFltr.sys	JaffaCakes118_8a9f78b45ce85e2a8288e2a5f4ca89aa.exe
File opened for modification	C:\Windows\system32\drivers\hvservice.sys	JaffaCakes118_8a9f78b45ce85e2a8288e2a5f4ca89aa.exe
File opened for modification	C:\Windows\system32\drivers\NetAdapterCx.sys	JaffaCakes118_8a9f78b45ce85e2a8288e2a5f4ca89aa.exe
File opened for modification	C:\Windows\System32\drivers\vms3cap.sys	JaffaCakes118_8a9f78b45ce85e2a8288e2a5f4ca89aa.exe
File opened for modification	C:\Windows\System32\drivers\BthA2dp.sys	JaffaCakes118_8a9f78b45ce85e2a8288e2a5f4ca89aa.exe
File opened for modification	C:\Windows\System32\drivers\BthEnum.sys	JaffaCakes118_8a9f78b45ce85e2a8288e2a5f4ca89aa.exe
File opened for modification	C:\Windows\System32\drivers\dmvsc.sys	JaffaCakes118_8a9f78b45ce85e2a8288e2a5f4ca89aa.exe
File opened for modification	C:\Windows\system32\DRIVERS\nwifi.sys	JaffaCakes118_8a9f78b45ce85e2a8288e2a5f4ca89aa.exe
File opened for modification	C:\Windows\System32\drivers\vwifibus.sys	JaffaCakes118_8a9f78b45ce85e2a8288e2a5f4ca89aa.exe
File opened for modification	C:\Windows\System32\drivers\vmstorfl.sys	JaffaCakes118_8a9f78b45ce85e2a8288e2a5f4ca89aa.exe
File opened for modification	C:\Windows\System32\drivers\iaLPSS2i_GPIO2_GLK.sys	JaffaCakes118_8a9f78b45ce85e2a8288e2a5f4ca89aa.exe
File opened for modification	C:\Windows\System32\drivers\rhproxy.sys	JaffaCakes118_8a9f78b45ce85e2a8288e2a5f4ca89aa.exe
File opened for modification	C:\Windows\System32\drivers\SiSRaid2.sys	JaffaCakes118_8a9f78b45ce85e2a8288e2a5f4ca89aa.exe
File opened for modification	C:\Windows\System32\drivers\bthhfenum.sys	JaffaCakes118_8a9f78b45ce85e2a8288e2a5f4ca89aa.exe
File opened for modification	C:\Windows\System32\drivers\cht4sx64.sys	JaffaCakes118_8a9f78b45ce85e2a8288e2a5f4ca89aa.exe
File opened for modification	C:\Windows\System32\drivers\pmem.sys	JaffaCakes118_8a9f78b45ce85e2a8288e2a5f4ca89aa.exe
File opened for modification	C:\Windows\System32\drivers\3ware.sys	JaffaCakes118_8a9f78b45ce85e2a8288e2a5f4ca89aa.exe
File opened for modification	C:\Windows\system32\drivers\appid.sys	JaffaCakes118_8a9f78b45ce85e2a8288e2a5f4ca89aa.exe
File opened for modification	C:\Windows\system32\DRIVERS\ramdisk.sys	JaffaCakes118_8a9f78b45ce85e2a8288e2a5f4ca89aa.exe
File opened for modification	C:\Windows\System32\drivers\umpass.sys	JaffaCakes118_8a9f78b45ce85e2a8288e2a5f4ca89aa.exe
File opened for modification	C:\Windows\System32\drivers\hyperkbd.sys	JaffaCakes118_8a9f78b45ce85e2a8288e2a5f4ca89aa.exe
File opened for modification	C:\Windows\System32\DRIVERS\ndiswan.sys	JaffaCakes118_8a9f78b45ce85e2a8288e2a5f4ca89aa.exe
File opened for modification	C:\Windows\System32\drivers\tsusbhub.sys	JaffaCakes118_8a9f78b45ce85e2a8288e2a5f4ca89aa.exe
File opened for modification	C:\Windows\System32\Drivers\UcmUcsiCx.sys	JaffaCakes118_8a9f78b45ce85e2a8288e2a5f4ca89aa.exe
File opened for modification	C:\Windows\system32\drivers\Acx01000.sys	JaffaCakes118_8a9f78b45ce85e2a8288e2a5f4ca89aa.exe
File opened for modification	C:\Windows\system32\drivers\applockerfltr.sys	JaffaCakes118_8a9f78b45ce85e2a8288e2a5f4ca89aa.exe
File opened for modification	C:\Windows\System32\drivers\circlass.sys	JaffaCakes118_8a9f78b45ce85e2a8288e2a5f4ca89aa.exe
File opened for modification	C:\Windows\System32\drivers\errdev.sys	JaffaCakes118_8a9f78b45ce85e2a8288e2a5f4ca89aa.exe
File opened for modification	C:\Windows\System32\drivers\megasr.sys	JaffaCakes118_8a9f78b45ce85e2a8288e2a5f4ca89aa.exe
File opened for modification	C:\Windows\System32\drivers\pciide.sys	JaffaCakes118_8a9f78b45ce85e2a8288e2a5f4ca89aa.exe
File opened for modification	C:\Windows\System32\drivers\ItSas35i.sys	JaffaCakes118_8a9f78b45ce85e2a8288e2a5f4ca89aa.exe
File opened for modification	C:\Windows\System32\drivers\MTConfig.sys	JaffaCakes118_8a9f78b45ce85e2a8288e2a5f4ca89aa.exe
File opened for modification	C:\Windows\System32\drivers\percsas3i.sys	JaffaCakes118_8a9f78b45ce85e2a8288e2a5f4ca89aa.exe
File opened for modification	C:\Windows\system32\drivers\urscx01000.sys	JaffaCakes118_8a9f78b45ce85e2a8288e2a5f4ca89aa.exe
File opened for modification	C:\Windows\System32\drivers\ibbus.sys	JaffaCakes118_8a9f78b45ce85e2a8288e2a5f4ca89aa.exe
File opened for modification	C:\Windows\System32\drivers\isapnp.sys	JaffaCakes118_8a9f78b45ce85e2a8288e2a5f4ca89aa.exe
File opened for modification	C:\Windows\system32\DRIVERS\wdiwifi.sys	JaffaCakes118_8a9f78b45ce85e2a8288e2a5f4ca89aa.exe

VMProtect packed file 3 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral2/memory/4244-0-0x0000000000400000-0x0000000000453000-memory.dmp	vmprotect
behavioral2/memory/4244-1-0x0000000000400000-0x0000000000453000-memory.dmp	vmprotect
behavioral2/memory/4244-2-0x0000000000400000-0x0000000000453000-memory.dmp	vmprotect

Drops file in System32 directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\uefi.inf_amd64_c1628ffa62c8e54c\UEFI.sys	JaffaCakes118_8a9f78b45ce85e2a8288e2a5f4ca89aa.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\ufxchipidea.inf_amd64_1c78775fffab6a0a\UfxChipidea.sys	JaffaCakes118_8a9f78b45ce85e2a8288e2a5f4ca89aa.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\urschipidea.inf_amd64_78ad1c14e33df968\urschipidea.sys	JaffaCakes118_8a9f78b45ce85e2a8288e2a5f4ca89aa.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\urssynopsys.inf_amd64_057fa37902020500\urssynopsys.sys	JaffaCakes118_8a9f78b45ce85e2a8288e2a5f4ca89aa.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\vrd.inf_amd64_81fbd405ff2470fc\vrd.sys	JaffaCakes118_8a9f78b45ce85e2a8288e2a5f4ca89aa.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\genericusbfn.inf_amd64_53931f0ae21d6d2c\genericusbfn.sys	JaffaCakes118_8a9f78b45ce85e2a8288e2a5f4ca89aa.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_8a9f78b45ce85e2a8288e2a5f4ca89aa.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8a9f78b45ce85e2a8288e2a5f4ca89aa.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8a9f78b45ce85e2a8288e2a5f4ca89aa.exe"
1⤵
- Drops file in Drivers directory
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:4244

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4244-0-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4244-1-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4244-2-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download