Analysis

max time kernel: 121s
max time network: 126s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 03-04-2024 23:33
Behavioral task: behavioral1
Sample: a9a3893285e274d60a9bb5b85f4dfcc4_JaffaCakes118.exe
Resource: win7-20240221-en
General

Target: a9a3893285e274d60a9bb5b85f4dfcc4_JaffaCakes118.exe
Size: 2.7MB
MD5: a9a3893285e274d60a9bb5b85f4dfcc4
SHA1: 960237e74a28393b0f906a46acffdb4d6160b763
SHA256: 51e9ccfd1c8ae13270052947f8dc6e3386c585bf733228a8dc0e028e1c31223f
SHA512: b22237255cdcca7c9cdd1dd0664368a967b09ad672f57beb96891ab6abfd6bf4c2d7161f1f9e9bc468539811494c8fc1c6d6417c0b339c22fc90769addfa3bc0
SSDEEP: 49152:bH/xSb7E7SkThT0P6arzLNKYr4xMGL6kM8qhcFgSY81A9n5efYFVrZMsptwUrcS7:LwMGkThT0PjjNcxMGfGNSA9n5kYzrXpD
Malware Config
Extracted
cryptbot
oct5m.top
oct5e.top
Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 1 IoC)
Processes:
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | a9a3893285e274d60a9bb5b85f4dfcc4_JaffaCakes118.exe

Checks BIOS information in registry (2 TTPs, 2 IoCs)
BIOS information is often read in order to detect sandboxing environments.
Processes:
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | a9a3893285e274d60a9bb5b85f4dfcc4_JaffaCakes118.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | a9a3893285e274d60a9bb5b85f4dfcc4_JaffaCakes118.exe

Deletes itself (1 IoC)
Processes:
  pid | process
  2344 | cmd.exe

Processes:
  resource | yara_rule
  behavioral1/memory/2236-0-0x0000000000820000-0x0000000000F0E000-memory.dmp | themida
  behavioral1/memory/2236-2-0x0000000000820000-0x0000000000F0E000-memory.dmp | themida
  behavioral1/memory/2236-3-0x0000000000820000-0x0000000000F0E000-memory.dmp | themida
  behavioral1/memory/2236-4-0x0000000000820000-0x0000000000F0E000-memory.dmp | themida
  behavioral1/memory/2236-5-0x0000000000820000-0x0000000000F0E000-memory.dmp | themida
  behavioral1/memory/2236-6-0x0000000000820000-0x0000000000F0E000-memory.dmp | themida

Checks whether UAC is enabled
Processes:
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | a9a3893285e274d60a9bb5b85f4dfcc4_JaffaCakes118.exe

Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoC)
Processes:
  pid | process
  2236 | a9a3893285e274d60a9bb5b85f4dfcc4_JaffaCakes118.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes:
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | a9a3893285e274d60a9bb5b85f4dfcc4_JaffaCakes118.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | a9a3893285e274d60a9bb5b85f4dfcc4_JaffaCakes118.exe

Delays execution with timeout.exe (1 IoC)
Processes:
  pid | process
  2332 | timeout.exe

Suspicious behavior: EnumeratesProcesses (1 IoC)
Processes:
  pid | process
  2236 | a9a3893285e274d60a9bb5b85f4dfcc4_JaffaCakes118.exe

Suspicious use of WriteProcessMemory (8 IoCs)
Processes:
  description | pid | process | target process
  PID 2236 wrote to memory of 2344 | 2236 | a9a3893285e274d60a9bb5b85f4dfcc4_JaffaCakes118.exe | cmd.exe
  PID 2236 wrote to memory of 2344 | 2236 | a9a3893285e274d60a9bb5b85f4dfcc4_JaffaCakes118.exe | cmd.exe
  PID 2236 wrote to memory of 2344 | 2236 | a9a3893285e274d60a9bb5b85f4dfcc4_JaffaCakes118.exe | cmd.exe
  PID 2236 wrote to memory of 2344 | 2236 | a9a3893285e274d60a9bb5b85f4dfcc4_JaffaCakes118.exe | cmd.exe
  PID 2344 wrote to memory of 2332 | 2344 | cmd.exe | timeout.exe
  PID 2344 wrote to memory of 2332 | 2344 | cmd.exe | timeout.exe
  PID 2344 wrote to memory of 2332 | 2344 | cmd.exe | timeout.exe
  PID 2344 wrote to memory of 2332 | 2344 | cmd.exe | timeout.exe
Processes

1. C:\Users\Admin\AppData\Local\Temp\a9a3893285e274d60a9bb5b85f4dfcc4_JaffaCakes118.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\a9a3893285e274d60a9bb5b85f4dfcc4_JaffaCakes118.exe"
   - Identifies VirtualBox via ACPI registry values (likely anti-VM)
   - Checks BIOS information in registry
   - Checks whether UAC is enabled
   - Suspicious use of NtSetInformationThreadHideFromDebugger
   - Checks processor information in registry
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\system32\cmd.exe" /c rd /s /q C:\Users\Admin\AppData\Local\Temp\NjSQKDoByVnqm & timeout 4 & del /f /q "C:\Users\Admin\AppData\Local\Temp\a9a3893285e274d60a9bb5b85f4dfcc4_JaffaCakes118.exe"
      - Deletes itself
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\timeout.exe
         Command line: timeout 4
         - Delays execution with timeout.exe
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Downloads

file | filesize
memory/2236-0-0x0000000000820000-0x0000000000F0E000-memory.dmp | 6.9MB
memory/2236-1-0x0000000077E90000-0x0000000077E92000-memory.dmp | 8KB
memory/2236-2-0x0000000000820000-0x0000000000F0E000-memory.dmp | 6.9MB
memory/2236-3-0x0000000000820000-0x0000000000F0E000-memory.dmp | 6.9MB
memory/2236-4-0x0000000000820000-0x0000000000F0E000-memory.dmp | 6.9MB
memory/2236-5-0x0000000000820000-0x0000000000F0E000-memory.dmp | 6.9MB
memory/2236-6-0x0000000000820000-0x0000000000F0E000-memory.dmp | 6.9MB