Analysis

max time kernel: 145s
max time network: 140s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 14-05-2024 13:36
Static task: static1
Behavioral task: behavioral1
Sample: 41af7998ebb519e0a0ca9635a865be5d_JaffaCakes118.exe
Resource: win7-20240508-en
General

Target: 41af7998ebb519e0a0ca9635a865be5d_JaffaCakes118.exe
Size: 2.2MB
MD5: 41af7998ebb519e0a0ca9635a865be5d
SHA1: 68a7613a8d4483efb67f3794c245420e0daf2f95
SHA256: f05dc2ebf5bebbe40f1698489b873adcbefa41c98afe544fa04fd1ded91c9189
SHA512: 31af03c31f0568ae57aab30c3d320a5505f3106ffd02c19b9bb5c740f76af332b27d929fca715029bfd49f2a0f404643616f0f88ab4f115693949688112ac5bb
SSDEEP: 49152:OULOXCsxeOrcY1kC2Palwy7FoSzWXxplecp6Qqst5J:hqyszw0kC2zyFkX4cp6ct3
Malware Config

Extracted family: cryptbot
Domain: cede04.info
Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM)    2 TTPs    1 IoC
VirtualBox guests expose the OEM id VBOX__ under HARDWARE\ACPI; opening that key succeeds only inside a VirtualBox VM, so a successful open is a cheap sandbox tell.
Processes:
  description    ioc                                            process
  Key opened     \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__    41af7998ebb519e0a0ca9635a865be5d_JaffaCakes118.exe

Checks BIOS information in registry    2 TTPs    2 IoCs
BIOS information is often read in order to detect sandboxing environments (hypervisor vendors leave recognisable strings in the BIOS version values).
Processes:
  description          ioc                                                                process
  Key value queried    \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion    41af7998ebb519e0a0ca9635a865be5d_JaffaCakes118.exe
  Key value queried    \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion     41af7998ebb519e0a0ca9635a865be5d_JaffaCakes118.exe

Checks computer location settings    2 TTPs    1 IoC
Looks up the country code configured in the registry, likely a geofence.
Processes:
  description          ioc                                                                                                       process
  Key value queried    \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation    41af7998ebb519e0a0ca9635a865be5d_JaffaCakes118.exe

Identifies Wine through registry keys    2 TTPs    1 IoC
Wine is a compatibility layer that runs Windows applications on other operating systems and is sometimes used as a sandboxing environment; the Software\Wine key is present under Wine and absent on a normal Windows install.
Processes:
  description    ioc                                                                                process
  Key opened     \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Wine    41af7998ebb519e0a0ca9635a865be5d_JaffaCakes118.exe
Reads user/profile data of web browsers    2 TTPs
Infostealers often target stored browser data, which can include saved credentials, cookies and autofill entries.

Accesses cryptocurrency files/wallets, possible credential harvesting    2 TTPs

Checks installed software on the system    1 TTP
Looks up Uninstall key entries in the registry to enumerate software on the system.

Looks up external IP address via web service    1 IoC
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
  flow    ioc
  7       ip-api.com

Suspicious use of NtSetInformationThreadHideFromDebugger    1 IoC
NtSetInformationThread with the ThreadHideFromDebugger information class stops the calling thread from delivering debug events to an attached debugger; it is a common anti-debugging technique.
Processes:
  pid     process
  2064    41af7998ebb519e0a0ca9635a865be5d_JaffaCakes118.exe

Enumerates physical storage devices    1 TTP
Attempts to interact with connected storage/optical drive(s).
Checks processor information in registry    2 TTPs    2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
  description          ioc                                                                                  process
  Key opened           \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0                      41af7998ebb519e0a0ca9635a865be5d_JaffaCakes118.exe
  Key value queried    \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  41af7998ebb519e0a0ca9635a865be5d_JaffaCakes118.exe

Delays execution with timeout.exe    1 IoC
Processes:
  pid     process
  5056    timeout.exe

Suspicious behavior: EnumeratesProcesses    2 IoCs
Processes:
  pid     process
  2064    41af7998ebb519e0a0ca9635a865be5d_JaffaCakes118.exe    (2 occurrences)

Suspicious use of FindShellTrayWindow    12 IoCs
Processes:
  pid     process
  2064    41af7998ebb519e0a0ca9635a865be5d_JaffaCakes118.exe    (12 occurrences)

Suspicious use of WriteProcessMemory    6 IoCs
Processes:
  description                          pid     process                                                 target process
  PID 2064 wrote to memory of 404      2064    41af7998ebb519e0a0ca9635a865be5d_JaffaCakes118.exe    cmd.exe        (3 occurrences)
  PID 404 wrote to memory of 5056      404     cmd.exe                                                 timeout.exe    (3 occurrences)
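The registry reads above are individually unremarkable (plenty of installers read ProcessorNameString), so a detection has to key on the combination. The script below is an added example, not Triage code or anything from the sample: it normalises native registry paths so one rule covers every user SID, matches the key patterns the report lists (extending the VirtualBox rule to the FADT and RSDT ACPI tables, which carry the same VBOX__ id), and only flags a PID that touches two or more distinct evasion categories. The pipe-separated event feed is a constructed stand-in for a registry-audit source such as Sysmon registry events.

```python
"""Flag the sandbox-evasion registry reads listed in the report's signatures.

Added example, not Triage code. Input format (pid|operation|key path) is a
constructed stand-in for a registry-audit feed such as Sysmon EventID 12/13.
"""
import re
from collections import defaultdict

# Constructed sample feed: the seven key paths for PID 2064 are the IoCs the
# report lists; the last line is an unrelated process reading a benign value.
SAMPLE_EVENTS = r"""
2064|Key opened|\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__
2064|Key value queried|\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
2064|Key value queried|\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion
2064|Key value queried|\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation
2064|Key opened|\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Wine
2064|Key opened|\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
2064|Key value queried|\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString
4120|Key value queried|\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProductName
"""

# (signature name, category, regex over the normalised path). FADT/RSDT carry
# the same VBOX__ OEM id as DSDT on VirtualBox, so they are matched as well.
SIGNATURES = [
    ("Identifies VirtualBox via ACPI registry values", "anti-vm",
     r"^HKLM\\HARDWARE\\ACPI\\(DSDT|FADT|RSDT)\\VBOX__"),
    ("Checks BIOS information in registry", "anti-vm",
     r"^HKLM\\HARDWARE\\DESCRIPTION\\System\\(SystemBiosVersion|VideoBiosVersion)$"),
    ("Checks processor information in registry", "anti-vm",
     r"^HKLM\\HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\0(\\ProcessorNameString)?$"),
    ("Identifies Wine through registry keys", "anti-wine",
     r"^HKU\\<SID>\\Software\\Wine$"),
    ("Checks computer location settings", "geofence",
     r"^HKU\\<SID>\\Control Panel\\International\\Geo\\Nation$"),
]


def normalize(path):
    """Map object-manager paths to HKLM\\... / HKU\\<SID>\\... so one rule
    covers every user SID."""
    path = re.sub(r"^\\REGISTRY\\MACHINE\\", r"HKLM\\", path, flags=re.I)
    path = re.sub(r"^\\REGISTRY\\USER\\S-1-5-[\d-]+\\", r"HKU\\<SID>\\", path, flags=re.I)
    return path


def parse_events(text):
    """Return [(pid, operation, normalised path)] from the pipe-separated feed."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        pid, op, key = line.split("|", 2)
        events.append((int(pid), op, normalize(key)))
    return events


def match_signatures(events):
    """pid -> sorted list of signature names whose key pattern that pid touched."""
    hits = defaultdict(set)
    for pid, _op, path in events:
        for name, _cat, pattern in SIGNATURES:
            if re.match(pattern, path, re.I):
                hits[pid].add(name)
    return {pid: sorted(names) for pid, names in hits.items()}


def suspicious_pids(events, min_categories=2):
    """A single fingerprint read is common in benign software; require hits in
    at least `min_categories` distinct evasion categories before alerting."""
    cats = defaultdict(set)
    for pid, _op, path in events:
        for _name, cat, pattern in SIGNATURES:
            if re.match(pattern, path, re.I):
                cats[pid].add(cat)
    return sorted(pid for pid, seen in cats.items() if len(seen) >= min_categories)


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    for pid, names in match_signatures(evs).items():
        print(pid, names)
    print("suspicious:", suspicious_pids(evs))
```

On the constructed feed PID 2064 matches all five signatures across three categories and is the only PID reported; PID 4120, which reads one benign value, is ignored. Raising `min_categories` trades recall for fewer false positives from legitimate hardware-inventory tools.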
Processes

C:\Users\Admin\AppData\Local\Temp\41af7998ebb519e0a0ca9635a865be5d_JaffaCakes118.exe    (PID 2064, level 1)
  "C:\Users\Admin\AppData\Local\Temp\41af7998ebb519e0a0ca9635a865be5d_JaffaCakes118.exe"
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Checks computer location settings
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\cmd.exe    (PID 404, level 2)
    "C:\Windows\system32\cmd.exe" /c rd /s /q C:\ProgramData\WBY65aI4SgZ & timeout 2 & del /f /q "C:\Users\Admin\AppData\Local\Temp\41af7998ebb519e0a0ca9635a865be5d_JaffaCakes118.exe"
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\timeout.exe    (PID 5056, level 3)
      timeout 2
      - Delays execution with timeout.exe

The cmd.exe chain is the sample's clean-up: it removes the C:\ProgramData\WBY65aI4SgZ staging directory (where the dropped files listed under Downloads were written), waits two seconds so the parent process can exit and release its image, then deletes the sample itself. The command line names system32 but the image path is under SysWOW64 because the 32-bit parent is subject to WOW64 file system redirection.
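A parser for that clean-up chain, as an added example that is not part of the report or of the sample: it splits a `cmd.exe /c` command line on the `&` operators (respecting quoted paths), pulls out the directory removed with `rd`, the delay introduced by `timeout` (or the `ping -n N` sleep idiom, which is a constructed variant not seen in this report), and the paths passed to `del`, and reports self-deletion when one of those paths equals the parent image. The report's own command line is embedded as the sample input.

```python
"""Parse a cmd.exe clean-up chain of the shape seen in the process tree above
and decide whether it deletes its own parent. Added example, not Triage code;
the command lines below are copied from the report or constructed."""
import re

# "cmd.exe" /c <chain>  (the /c switch runs the chain and exits)
CMD_RE = re.compile(r'^"?(?P<exe>[^"]*?cmd\.exe)"?\s+/[cC]\s+(?P<body>.+)$', re.I)


def split_cmd_chain(body):
    """Split on & && | || outside double quotes; quoted paths may contain '&'."""
    parts, cur, in_quotes, i = [], [], False, 0
    while i < len(body):
        ch = body[i]
        if ch == '"':
            in_quotes = not in_quotes
        if not in_quotes and ch in "&|":
            parts.append("".join(cur).strip())
            cur = []
            if i + 1 < len(body) and body[i + 1] == ch:  # && or ||
                i += 1
        else:
            cur.append(ch)
        i += 1
    parts.append("".join(cur).strip())
    return [p for p in parts if p]


def _path_arg(tokens):
    """Join the non-switch tokens back into one path and drop surrounding quotes."""
    return " ".join(t for t in tokens if not t.startswith("/")).strip('"')


def analyze_cmdline(parent_image, cmdline):
    """Return {staging_dirs, delay, deleted, self_delete} or None if not cmd /c."""
    m = CMD_RE.match(cmdline.strip())
    if not m:
        return None
    info = {"staging_dirs": [], "delay": None, "deleted": [], "self_delete": False}
    for part in split_cmd_chain(m.group("body")):
        toks = part.split()
        verb = toks[0].lower()
        if verb in ("rd", "rmdir"):
            info["staging_dirs"].append(_path_arg(toks[1:]))
        elif verb == "timeout":                        # timeout N / timeout /t N
            nums = [t for t in toks[1:] if t.isdigit()]
            if nums:
                info["delay"] = int(nums[0])
        elif verb == "ping" and "-n" in toks:          # ping -n N host >nul idiom
            n = toks[toks.index("-n") + 1:][:1]
            if n and n[0].isdigit():
                info["delay"] = int(n[0])
        elif verb in ("del", "erase"):
            info["deleted"].append(_path_arg(toks[1:]))
    info["self_delete"] = any(p.lower() == parent_image.lower() for p in info["deleted"])
    return info


# Command line from the report's process tree (parent PID 2064 -> cmd.exe PID 404).
REPORT_PARENT = r"C:\Users\Admin\AppData\Local\Temp\41af7998ebb519e0a0ca9635a865be5d_JaffaCakes118.exe"
REPORT_CMDLINE = (r'"C:\Windows\system32\cmd.exe" /c rd /s /q C:\ProgramData\WBY65aI4SgZ & timeout 2 & '
                  r'del /f /q "C:\Users\Admin\AppData\Local\Temp\41af7998ebb519e0a0ca9635a865be5d_JaffaCakes118.exe"')

if __name__ == "__main__":
    print(analyze_cmdline(REPORT_PARENT, REPORT_CMDLINE))
```

For the report's command line the parser returns the staging directory C:\ProgramData\WBY65aI4SgZ, a two-second delay and `self_delete` set, which is the combination (parent spawns cmd.exe, cmd.exe spawns timeout.exe, del targets the parent image) worth alerting on in process-creation telemetry; the parent image path comes from the process-creation event, not from the command line.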
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads

All five dropped files sit under C:\ProgramData\WBY65aI4SgZ, the staging directory that the cmd.exe chain in the process tree removes with rd /s /q before deleting the sample; the Files\ subfolder, the zip archive and the _Info.txt/_Screen.jpg pair are the stolen-data bundle the stealer assembles before upload, and the MOZ_CO~1.DB 8.3 short name is consistent with the browser-data signature above.

C:\ProgramData\WBY65aI4SgZ\47283761.txt
  Filesize: 156B
  MD5: b5089e0c5a3d5377e9bd19c0557ef04e
  SHA1: 9402e326be3d240e234c06892b15c24e93c93eb8
  SHA256: d77789b2c49759c882f4fdd6f53e665b0d012f8f0949d0150eaba47fbf2a0eb5
  SHA512: 942349ccb99854f274ef1e20b623660588e15bd0d25bfc817fe9b2d010db656af340652e0e67b41edbf0cf259d55ab880d6b50acb1d7e8ab394f1393f7956c13

C:\ProgramData\WBY65aI4SgZ\Files\_Info.txt
  Filesize: 8KB
  MD5: bd4b1bb17032dd8057d39bd7b2b4fe0f
  SHA1: f96961df0eee3798c7193c45588c097865663ca9
  SHA256: 14511422960efadd68daddc4ee5fbe0970dc416d85150df8c5669a18e5a023f6
  SHA512: 3cf9bf70ad83ed7c32cb98d2eabb8a5e7b16617759ee397f7218ff1bebaf2ba4ba5e4708c0f82d84c707bdb25bc4c003b02ffc9db6a9dc2d061cfce0c4f463df

C:\ProgramData\WBY65aI4SgZ\Files\_Screen.jpg
  Filesize: 49KB
  MD5: dc204352a46ce5be39ac23b2935cf278
  SHA1: 7522c6ecb18f4562d252beea87bb0e2543eff310
  SHA256: 1004fdbd84d6d5fb9b7190fcd719de63886395d08c835a7d47381a61084ca1d1
  SHA512: 452ce1aab40fc8b34ec0feb60a0d7e0ce2508be553b89f2fe98287c11c951b2fd1e6f551528440e49b587ce5caaa5109ff25282d419050bbe73ad9555b6a758a

C:\ProgramData\WBY65aI4SgZ\MOZ_CO~1.DB
  Filesize: 96KB
  MD5: d367ddfda80fdcf578726bc3b0bc3e3c
  SHA1: 23fcd5e4e0e5e296bee7e5224a8404ecd92cf671
  SHA256: 0b8607fdf72f3e651a2a8b0ac7be171b4cb44909d76bb8d6c47393b8ea3d84a0
  SHA512: 40e9239e3f084b4b981431817ca282feb986cf49227911bf3d68845baf2ee626b564c8fabe6e13b97e6eb214da1c02ca09a62bcf5e837900160cf479c104bf77

C:\ProgramData\WBY65aI4SgZ\kkAgwPhukIfNwhq.zip
  Filesize: 44KB
  MD5: 8a090084f25e06b71123e65ca16dfe46
  SHA1: 357955674ab7d42270c360bad8c1006e540bfd10
  SHA256: a26832249643499e3a14cb5c68adf391ea11c9d301f537919fd4c8514af0bdfe
  SHA512: 7c7a60dcd170dd9d38530af409980932c4b8a22798162f5658ee128ade7f66190657d2bec0dbd0ec3d1c62cab61c32b50c1ac9a567e891b1788733a86142a06e
Memory dumps (PID 2064; file names follow memory/2064-<index>-<start>-<end>-memory.dmp)

  Region                                    Size     Dump indices
  0x00000000009A0000-0x0000000000EBB000     5.1MB    0, 16, 17, 20, 145, 152, 154, 156, 157, 159, 161, 164, 166, 169, 172, 175, 179, 182, 184, 187, 190, 193, 194
  0x00000000009A1000-0x0000000000A00000     380KB    13
  0x00000000053A0000-0x00000000053A1000     4KB      12
  0x00000000053D0000-0x00000000053D1000     4KB      9
  0x00000000053E0000-0x00000000053E1000     4KB      10
  0x0000000005400000-0x0000000005401000     4KB      11
  0x0000000077794000-0x0000000077796000     8KB      1

The repeatedly dumped 5.1MB region at 0x9A0000 is the sample's own image mapping; it is noticeably larger than the 2.2MB file on disk, which is consistent with the image unpacking in place, so the later dumps of that region (index 145 onwards) are the ones to carve for the decoded payload and the cryptbot configuration.