Analysis

max time kernel: 142s
max time network: 140s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 11-05-2024 19:15

Static task: static1
Behavioral task: behavioral1
Sample: 362073a5ce3273ad4dcfc8e6c47ec3ca_JaffaCakes118.exe
Resource: win7-20240220-en
General

Target: 362073a5ce3273ad4dcfc8e6c47ec3ca_JaffaCakes118.exe
Size: 1.6MB
MD5: 362073a5ce3273ad4dcfc8e6c47ec3ca
SHA1: 7948c767c9d666b4fd73d7b6180c5fd78c302ac1
SHA256: e569998290b8e57cbfeea4f35425d6c79e4a6cf1bf56b316c01d8f91d269396f
SHA512: 15d048fbb1ab5da75818a1ea21a1d7ed4f97b394281c677c7e7a08c1291cb514500ef3078ae358d1e1eb5c9bb294ebacf075f3b3b40631bce01c92d8f00c0377
SSDEEP: 49152:niHexSQINK8mkzI+xNPfCH+CjIcZWzjR:niHfpNNMkpqHbIZ
Malware Config

Extracted: buer
  https://loddd01.info/
  https://loddd02.info/
Signatures

Processes:
  resource | yara_rule
  behavioral2/memory/1168-3-0x000000003F1E0000-0x000000003F626000-memory.dmp | buer
  behavioral2/memory/1168-4-0x000000003F1E0000-0x000000003F626000-memory.dmp | buer
  behavioral2/memory/1168-5-0x000000003F1E0000-0x000000003F626000-memory.dmp | buer
  behavioral2/memory/1168-6-0x000000003F1E0000-0x000000003F626000-memory.dmp | buer
  behavioral2/memory/1168-7-0x000000003F1E0000-0x000000003F626000-memory.dmp | buer
  behavioral2/memory/1168-13-0x000000003F1E0000-0x000000003F626000-memory.dmp | buer
  behavioral2/memory/4636-16-0x000000003FBB0000-0x000000003FFF6000-memory.dmp | buer
  behavioral2/memory/4636-17-0x000000003FBB0000-0x000000003FFF6000-memory.dmp | buer
  behavioral2/memory/4636-18-0x000000003FBB0000-0x000000003FFF6000-memory.dmp | buer
  behavioral2/memory/4636-19-0x000000003FBB0000-0x000000003FFF6000-memory.dmp | buer
  behavioral2/memory/4636-20-0x000000003FBB0000-0x000000003FFF6000-memory.dmp | buer
  behavioral2/memory/4636-21-0x000000003FBB0000-0x000000003FFF6000-memory.dmp | buer
  behavioral2/memory/4636-22-0x000000003FBB0000-0x000000003FFF6000-memory.dmp | buer
  behavioral2/memory/4636-23-0x000000003FBB0000-0x000000003FFF6000-memory.dmp | buer
  behavioral2/memory/4636-24-0x000000003FBB0000-0x000000003FFF6000-memory.dmp | buer
  behavioral2/memory/4636-25-0x000000003FBB0000-0x000000003FFF6000-memory.dmp | buer
  behavioral2/memory/4636-28-0x000000003FBB0000-0x000000003FFF6000-memory.dmp | buer
  behavioral2/memory/4636-29-0x000000003FBB0000-0x000000003FFF6000-memory.dmp | buer
  behavioral2/memory/4636-30-0x000000003FBB0000-0x000000003FFF6000-memory.dmp | buer
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
Processes: 362073a5ce3273ad4dcfc8e6c47ec3ca_JaffaCakes118.exe, plugin.exe
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 362073a5ce3273ad4dcfc8e6c47ec3ca_JaffaCakes118.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | plugin.exe
Checks BIOS information in registry 2 TTPs 4 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes: 362073a5ce3273ad4dcfc8e6c47ec3ca_JaffaCakes118.exe, plugin.exe
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 362073a5ce3273ad4dcfc8e6c47ec3ca_JaffaCakes118.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 362073a5ce3273ad4dcfc8e6c47ec3ca_JaffaCakes118.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | plugin.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | plugin.exe
Deletes itself 1 IoCs
Processes: plugin.exe
  pid | process
  4636 | plugin.exe

Executes dropped EXE 1 IoCs
Processes: plugin.exe
  pid | process
  4636 | plugin.exe
Identifies Wine through registry keys 2 TTPs 2 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
Processes: 362073a5ce3273ad4dcfc8e6c47ec3ca_JaffaCakes118.exe, plugin.exe
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Software\Wine | 362073a5ce3273ad4dcfc8e6c47ec3ca_JaffaCakes118.exe
  Key opened | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Software\Wine | plugin.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
Processes: 362073a5ce3273ad4dcfc8e6c47ec3ca_JaffaCakes118.exe, plugin.exe
  pid | process
  1168 | 362073a5ce3273ad4dcfc8e6c47ec3ca_JaffaCakes118.exe
  4636 | plugin.exe
Program crash 1 IoCs
Processes: WerFault.exe
  pid | pid_target | process | target process
  1184 | 3184 | WerFault.exe | secinit.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs
Processes: 362073a5ce3273ad4dcfc8e6c47ec3ca_JaffaCakes118.exe, plugin.exe
  pid | process
  1168 | 362073a5ce3273ad4dcfc8e6c47ec3ca_JaffaCakes118.exe
  1168 | 362073a5ce3273ad4dcfc8e6c47ec3ca_JaffaCakes118.exe
  4636 | plugin.exe
  4636 | plugin.exe
  4636 | plugin.exe
  4636 | plugin.exe
Suspicious use of WriteProcessMemory 14 IoCs
Processes: 362073a5ce3273ad4dcfc8e6c47ec3ca_JaffaCakes118.exe, plugin.exe
  description | pid | process | target process
  PID 1168 wrote to memory of 4636 | 1168 | 362073a5ce3273ad4dcfc8e6c47ec3ca_JaffaCakes118.exe | plugin.exe
  PID 1168 wrote to memory of 4636 | 1168 | 362073a5ce3273ad4dcfc8e6c47ec3ca_JaffaCakes118.exe | plugin.exe
  PID 1168 wrote to memory of 4636 | 1168 | 362073a5ce3273ad4dcfc8e6c47ec3ca_JaffaCakes118.exe | plugin.exe
  PID 4636 wrote to memory of 3184 | 4636 | plugin.exe | secinit.exe
  PID 4636 wrote to memory of 3184 | 4636 | plugin.exe | secinit.exe
  PID 4636 wrote to memory of 3184 | 4636 | plugin.exe | secinit.exe
  PID 4636 wrote to memory of 3184 | 4636 | plugin.exe | secinit.exe
  PID 4636 wrote to memory of 3184 | 4636 | plugin.exe | secinit.exe
  PID 4636 wrote to memory of 3184 | 4636 | plugin.exe | secinit.exe
  PID 4636 wrote to memory of 3184 | 4636 | plugin.exe | secinit.exe
  PID 4636 wrote to memory of 3184 | 4636 | plugin.exe | secinit.exe
  PID 4636 wrote to memory of 3184 | 4636 | plugin.exe | secinit.exe
  PID 4636 wrote to memory of 3184 | 4636 | plugin.exe | secinit.exe
  PID 4636 wrote to memory of 3184 | 4636 | plugin.exe | secinit.exe
Processes

C:\Users\Admin\AppData\Local\Temp\362073a5ce3273ad4dcfc8e6c47ec3ca_JaffaCakes118.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\362073a5ce3273ad4dcfc8e6c47ec3ca_JaffaCakes118.exe"
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

  C:\ProgramData\UBlockPlugin\plugin.exe
    command line: C:\ProgramData\UBlockPlugin\plugin.exe "C:\Users\Admin\AppData\Local\Temp\362073a5ce3273ad4dcfc8e6c47ec3ca_JaffaCakes118.exe" ensgJJ
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Deletes itself
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\secinit.exe
      command line: C:\ProgramData\UBlockPlugin\plugin.exe

      C:\Windows\SysWOW64\WerFault.exe
        command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3184 -s 220
        - Program crash

C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 3184 -ip 3184
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads

C:\ProgramData\UBlockPlugin\plugin.exe
  Filesize: 1.6MB
  MD5: 362073a5ce3273ad4dcfc8e6c47ec3ca
  SHA1: 7948c767c9d666b4fd73d7b6180c5fd78c302ac1
  SHA256: e569998290b8e57cbfeea4f35425d6c79e4a6cf1bf56b316c01d8f91d269396f
  SHA512: 15d048fbb1ab5da75818a1ea21a1d7ed4f97b394281c677c7e7a08c1291cb514500ef3078ae358d1e1eb5c9bb294ebacf075f3b3b40631bce01c92d8f00c0377

Memory dumps (name | Filesize):
  memory/1168-0-0x000000003F1E0000-0x000000003F626000-memory.dmp | 4.3MB
  memory/1168-1-0x0000000077A84000-0x0000000077A86000-memory.dmp | 8KB
  memory/1168-2-0x000000003F1E1000-0x000000003F1E5000-memory.dmp | 16KB
  memory/1168-3-0x000000003F1E0000-0x000000003F626000-memory.dmp | 4.3MB
  memory/1168-4-0x000000003F1E0000-0x000000003F626000-memory.dmp | 4.3MB
  memory/1168-5-0x000000003F1E0000-0x000000003F626000-memory.dmp | 4.3MB
  memory/1168-6-0x000000003F1E0000-0x000000003F626000-memory.dmp | 4.3MB
  memory/1168-7-0x000000003F1E0000-0x000000003F626000-memory.dmp | 4.3MB
  memory/1168-13-0x000000003F1E0000-0x000000003F626000-memory.dmp | 4.3MB
  memory/3184-26-0x0000000000AA0000-0x0000000000AA1000-memory.dmp | 4KB
  memory/4636-16-0x000000003FBB0000-0x000000003FFF6000-memory.dmp | 4.3MB
  memory/4636-22-0x000000003FBB0000-0x000000003FFF6000-memory.dmp | 4.3MB
  memory/4636-17-0x000000003FBB0000-0x000000003FFF6000-memory.dmp | 4.3MB
  memory/4636-18-0x000000003FBB0000-0x000000003FFF6000-memory.dmp | 4.3MB
  memory/4636-19-0x000000003FBB0000-0x000000003FFF6000-memory.dmp | 4.3MB
  memory/4636-20-0x000000003FBB0000-0x000000003FFF6000-memory.dmp | 4.3MB
  memory/4636-21-0x000000003FBB0000-0x000000003FFF6000-memory.dmp | 4.3MB
  memory/4636-15-0x000000003FBB1000-0x000000003FBB5000-memory.dmp | 16KB
  memory/4636-23-0x000000003FBB0000-0x000000003FFF6000-memory.dmp | 4.3MB
  memory/4636-24-0x000000003FBB0000-0x000000003FFF6000-memory.dmp | 4.3MB
  memory/4636-25-0x000000003FBB0000-0x000000003FFF6000-memory.dmp | 4.3MB
  memory/4636-14-0x000000003FBB0000-0x000000003FFF6000-memory.dmp | 4.3MB
  memory/4636-28-0x000000003FBB0000-0x000000003FFF6000-memory.dmp | 4.3MB
  memory/4636-29-0x000000003FBB0000-0x000000003FFF6000-memory.dmp | 4.3MB
  memory/4636-30-0x000000003FBB0000-0x000000003FFF6000-memory.dmp | 4.3MB