Analysis
- max time kernel: 149s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 03-04-2024 23:33
Behavioral task: behavioral1
- Sample: a9a3893285e274d60a9bb5b85f4dfcc4_JaffaCakes118.exe
- Resource: win7-20240221-en
General
- Target: a9a3893285e274d60a9bb5b85f4dfcc4_JaffaCakes118.exe
- Size: 2.7MB
- MD5: a9a3893285e274d60a9bb5b85f4dfcc4
- SHA1: 960237e74a28393b0f906a46acffdb4d6160b763
- SHA256: 51e9ccfd1c8ae13270052947f8dc6e3386c585bf733228a8dc0e028e1c31223f
- SHA512: b22237255cdcca7c9cdd1dd0664368a967b09ad672f57beb96891ab6abfd6bf4c2d7161f1f9e9bc468539811494c8fc1c6d6417c0b339c22fc90769addfa3bc0
- SSDEEP: 49152:bH/xSb7E7SkThT0P6arzLNKYr4xMGL6kM8qhcFgSY81A9n5efYFVrZMsptwUrcS7:LwMGkThT0PjjNcxMGfGNSA9n5kYzrXpD
Malware Config
Extracted
- Family: cryptbot
- C2: oct5m.top, oct5e.top
Signatures
- Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 1 IoCs)
  Processes:
  - Key opened: \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ (process: a9a3893285e274d60a9bb5b85f4dfcc4_JaffaCakes118.exe)
- Checks BIOS information in registry (2 TTPs, 2 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  Processes:
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (process: a9a3893285e274d60a9bb5b85f4dfcc4_JaffaCakes118.exe)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (process: a9a3893285e274d60a9bb5b85f4dfcc4_JaffaCakes118.exe)
- Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- YARA rule matches in process memory (resource: yara_rule):
  - behavioral2/memory/1572-0-0x0000000000D40000-0x000000000142E000-memory.dmp: themida
  - behavioral2/memory/1572-2-0x0000000000D40000-0x000000000142E000-memory.dmp: themida
  - behavioral2/memory/1572-3-0x0000000000D40000-0x000000000142E000-memory.dmp: themida
  - behavioral2/memory/1572-5-0x0000000000D40000-0x000000000142E000-memory.dmp: themida
  - behavioral2/memory/1572-4-0x0000000000D40000-0x000000000142E000-memory.dmp: themida
  - behavioral2/memory/1572-111-0x0000000000D40000-0x000000000142E000-memory.dmp: themida
  - behavioral2/memory/1572-117-0x0000000000D40000-0x000000000142E000-memory.dmp: themida
  - behavioral2/memory/1572-118-0x0000000000D40000-0x000000000142E000-memory.dmp: themida
  - behavioral2/memory/1572-121-0x0000000000D40000-0x000000000142E000-memory.dmp: themida
  - behavioral2/memory/1572-124-0x0000000000D40000-0x000000000142E000-memory.dmp: themida
  - behavioral2/memory/1572-127-0x0000000000D40000-0x000000000142E000-memory.dmp: themida
  - behavioral2/memory/1572-130-0x0000000000D40000-0x000000000142E000-memory.dmp: themida
  - behavioral2/memory/1572-133-0x0000000000D40000-0x000000000142E000-memory.dmp: themida
  - behavioral2/memory/1572-136-0x0000000000D40000-0x000000000142E000-memory.dmp: themida
  - behavioral2/memory/1572-140-0x0000000000D40000-0x000000000142E000-memory.dmp: themida
  - behavioral2/memory/1572-142-0x0000000000D40000-0x000000000142E000-memory.dmp: themida
  - behavioral2/memory/1572-145-0x0000000000D40000-0x000000000142E000-memory.dmp: themida
  - behavioral2/memory/1572-148-0x0000000000D40000-0x000000000142E000-memory.dmp: themida
  - behavioral2/memory/1572-151-0x0000000000D40000-0x000000000142E000-memory.dmp: themida
  - behavioral2/memory/1572-154-0x0000000000D40000-0x000000000142E000-memory.dmp: themida
- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
- Checks installed software on the system (1 TTPs)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Checks whether UAC is enabled
  Processes:
  - Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (process: a9a3893285e274d60a9bb5b85f4dfcc4_JaffaCakes118.exe)
- Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoCs)
  Processes:
  - pid 1572: a9a3893285e274d60a9bb5b85f4dfcc4_JaffaCakes118.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes:
  - Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (process: a9a3893285e274d60a9bb5b85f4dfcc4_JaffaCakes118.exe)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (process: a9a3893285e274d60a9bb5b85f4dfcc4_JaffaCakes118.exe)
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes:
  - pid 1572: a9a3893285e274d60a9bb5b85f4dfcc4_JaffaCakes118.exe
  - pid 1572: a9a3893285e274d60a9bb5b85f4dfcc4_JaffaCakes118.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\a9a3893285e274d60a9bb5b85f4dfcc4_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\a9a3893285e274d60a9bb5b85f4dfcc4_JaffaCakes118.exe"
  Signatures:
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Downloads
- C:\Users\Admin\AppData\Local\Temp\rqHXlUorQJQk\_Files\_Information.txt
  Filesize: 1KB
  MD5: 6a02a0264dfe773d49d97b1c5b773d0e
  SHA1: 415496ee9208e9feb038d539b8b8079d17333c2e
  SHA256: f68d9cc2308b955c1b2b5341a88ffaae0c5f6ef6cb64f83f3691442160663a75
  SHA512: e5c9b7403257a8204f2be6fa11201d9c103b30028cd176614666962a5af6fcb239bab54c382f4924641ea0e1abcef61868ffa5284722016847184d80d461dbcd
- C:\Users\Admin\AppData\Local\Temp\rqHXlUorQJQk\_Files\_Information.txt
  Filesize: 4KB
  MD5: a16b2eb966aa4535c3f1f1f37b929ac9
  SHA1: edf061bdd878ac5605f6c6efb0242532bd9ca8d6
  SHA256: 18e801d32234e95b32d72b5834e5e7332d7eee2712f2d73f2658b0ebdcd80b34
  SHA512: 1f2d6909795c0a43e45c25e85fa3a80870ab583b70ab4d567f64ef5a5d28523cc11a0627e1cd89531914d1d94190a3a65fd5f10b3ff726a9b6602da4eddcb28d
- C:\Users\Admin\AppData\Local\Temp\rqHXlUorQJQk\_Files\_Screen_Desktop.jpeg
  Filesize: 54KB
  MD5: 4f833588d0fa1ebc155a3ea5ea56bb24
  SHA1: 43e8255af03b7b64aaf1c7c4de124454a78959c3
  SHA256: 491aeba511706f6645aa2231d7accd3abf3fce99006fe5d8748a91b0a495e9b2
  SHA512: 6c323863037b1abc064bea119263c1be42cddd4f203b1b4471c278993bb6cbdd1d5ba1b7e3a2d21e8d040fe45b8229406c3d3a71f675896ac26d2069b7e0d41f
- C:\Users\Admin\AppData\Local\Temp\rqHXlUorQJQk\inAFIickAUAOe.zip
  Filesize: 49KB
  MD5: e642fe46fc109a5d74599125a914a956
  SHA1: 94888b33a68e48fed74828d034dcf51621720bca
  SHA256: 9dc7664394b9770e80c6acc848982de5e568ecdacb263bb1a7ef76b27603cd26
  SHA512: 0f5d67b03a50b479dad214d6b84ac854ed033b87be6d500d47aa3434c059f0ad14be25f5f62adc7ebec39771fddb679a2112137bf04fa159deaa0da5b9470a84
- memory/1572-124-0x0000000000D40000-0x000000000142E000-memory.dmp
  Filesize: 6.9MB
- memory/1572-1-0x0000000077B04000-0x0000000077B06000-memory.dmp
  Filesize: 8KB
- memory/1572-5-0x0000000000D40000-0x000000000142E000-memory.dmp
  Filesize: 6.9MB
- memory/1572-130-0x0000000000D40000-0x000000000142E000-memory.dmp
  Filesize: 6.9MB
- memory/1572-127-0x0000000000D40000-0x000000000142E000-memory.dmp
  Filesize: 6.9MB
- memory/1572-111-0x0000000000D40000-0x000000000142E000-memory.dmp
  Filesize: 6.9MB
- memory/1572-117-0x0000000000D40000-0x000000000142E000-memory.dmp
  Filesize: 6.9MB
- memory/1572-118-0x0000000000D40000-0x000000000142E000-memory.dmp
  Filesize: 6.9MB
- memory/1572-0-0x0000000000D40000-0x000000000142E000-memory.dmp
  Filesize: 6.9MB
- memory/1572-121-0x0000000000D40000-0x000000000142E000-memory.dmp
  Filesize: 6.9MB
- memory/1572-3-0x0000000000D40000-0x000000000142E000-memory.dmp
  Filesize: 6.9MB
- memory/1572-4-0x0000000000D40000-0x000000000142E000-memory.dmp
  Filesize: 6.9MB
- memory/1572-2-0x0000000000D40000-0x000000000142E000-memory.dmp
  Filesize: 6.9MB
- memory/1572-133-0x0000000000D40000-0x000000000142E000-memory.dmp
  Filesize: 6.9MB
- memory/1572-136-0x0000000000D40000-0x000000000142E000-memory.dmp
  Filesize: 6.9MB
- memory/1572-140-0x0000000000D40000-0x000000000142E000-memory.dmp
  Filesize: 6.9MB
- memory/1572-142-0x0000000000D40000-0x000000000142E000-memory.dmp
  Filesize: 6.9MB
- memory/1572-145-0x0000000000D40000-0x000000000142E000-memory.dmp
  Filesize: 6.9MB
- memory/1572-148-0x0000000000D40000-0x000000000142E000-memory.dmp
  Filesize: 6.9MB
- memory/1572-151-0x0000000000D40000-0x000000000142E000-memory.dmp
  Filesize: 6.9MB
- memory/1572-154-0x0000000000D40000-0x000000000142E000-memory.dmp
  Filesize: 6.9MB