429c72a0f52413d06c982783b7451f96b03113d22e9fd0b01b827f9acf0e394e

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
28-06-2024 07:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

194b0b41606fa1401d6cf1f4ac32cd49_JaffaCakes118.exe
Size

409KB
MD5

194b0b41606fa1401d6cf1f4ac32cd49
SHA1

d802504579c45d656bab649d359859c6325edc95
SHA256

429c72a0f52413d06c982783b7451f96b03113d22e9fd0b01b827f9acf0e394e
SHA512

6df4499efb3875eb9f9e2aace331b0fd6e4715f5a40f08ab5e5fc0f0f091439f89769f8e04f724d1625b45d410d61b75154a530a7e3ca6eebad8cfb8dd27ce9c
SSDEEP

12288:FiGQKNNyxxNNNehbNeeeMo11eo3bQCnzvB8ksrajMfkKa0Mfgd5YZg3DcrQVAF:FiGQKNNyxxNNNehbNeeeT11eICksWYcL

Score

8^/10

evasion trojan vmprotect

Malware Config

Signatures

Drops file in Drivers directory 64 IoCs

Processes:

194b0b41606fa1401d6cf1f4ac32cd49_JaffaCakes118.exe

description	ioc	process
File opened for modification	C:\Windows\System32\drivers\1394ohci.sys	194b0b41606fa1401d6cf1f4ac32cd49_JaffaCakes118.exe
File opened for modification	C:\Windows\System32\drivers\BthEnum.sys	194b0b41606fa1401d6cf1f4ac32cd49_JaffaCakes118.exe
File opened for modification	C:\Windows\System32\drivers\megasr.sys	194b0b41606fa1401d6cf1f4ac32cd49_JaffaCakes118.exe
File opened for modification	C:\Windows\System32\DRIVERS\rasacd.sys	194b0b41606fa1401d6cf1f4ac32cd49_JaffaCakes118.exe
File opened for modification	C:\Windows\System32\drivers\EhStorTcgDrv.sys	194b0b41606fa1401d6cf1f4ac32cd49_JaffaCakes118.exe
File opened for modification	C:\Windows\System32\drivers\TsUsbGD.sys	194b0b41606fa1401d6cf1f4ac32cd49_JaffaCakes118.exe
File opened for modification	C:\Windows\System32\drivers\UsbHub3.sys	194b0b41606fa1401d6cf1f4ac32cd49_JaffaCakes118.exe
File opened for modification	C:\Windows\System32\drivers\xboxgip.sys	194b0b41606fa1401d6cf1f4ac32cd49_JaffaCakes118.exe
File opened for modification	C:\Windows\System32\drivers\iaLPSS2i_GPIO2_CNL.sys	194b0b41606fa1401d6cf1f4ac32cd49_JaffaCakes118.exe
File opened for modification	C:\Windows\System32\drivers\lsi_sas2i.sys	194b0b41606fa1401d6cf1f4ac32cd49_JaffaCakes118.exe
File opened for modification	C:\Windows\system32\drivers\MbbCx.sys	194b0b41606fa1401d6cf1f4ac32cd49_JaffaCakes118.exe
File opened for modification	C:\Windows\System32\drivers\MegaSas2i.sys	194b0b41606fa1401d6cf1f4ac32cd49_JaffaCakes118.exe
File opened for modification	C:\Windows\System32\drivers\ndiswan.sys	194b0b41606fa1401d6cf1f4ac32cd49_JaffaCakes118.exe
File opened for modification	C:\Windows\System32\drivers\ADP80XX.SYS	194b0b41606fa1401d6cf1f4ac32cd49_JaffaCakes118.exe
File opened for modification	C:\Windows\System32\drivers\cht4vx64.sys	194b0b41606fa1401d6cf1f4ac32cd49_JaffaCakes118.exe
File opened for modification	C:\Windows\system32\drivers\ufx01000.sys	194b0b41606fa1401d6cf1f4ac32cd49_JaffaCakes118.exe
File opened for modification	C:\Windows\System32\drivers\vmbus.sys	194b0b41606fa1401d6cf1f4ac32cd49_JaffaCakes118.exe
File opened for modification	C:\Windows\System32\drivers\pcmcia.sys	194b0b41606fa1401d6cf1f4ac32cd49_JaffaCakes118.exe
File opened for modification	C:\Windows\System32\drivers\processr.sys	194b0b41606fa1401d6cf1f4ac32cd49_JaffaCakes118.exe
File opened for modification	C:\Windows\System32\drivers\acpipmi.sys	194b0b41606fa1401d6cf1f4ac32cd49_JaffaCakes118.exe
File opened for modification	C:\Windows\System32\drivers\rdpvideominiport.sys	194b0b41606fa1401d6cf1f4ac32cd49_JaffaCakes118.exe
File opened for modification	C:\Windows\System32\drivers\3ware.sys	194b0b41606fa1401d6cf1f4ac32cd49_JaffaCakes118.exe
File opened for modification	C:\Windows\System32\Drivers\MsRPC.sys	194b0b41606fa1401d6cf1f4ac32cd49_JaffaCakes118.exe
File opened for modification	C:\Windows\System32\drivers\usbohci.sys	194b0b41606fa1401d6cf1f4ac32cd49_JaffaCakes118.exe
File opened for modification	C:\Windows\System32\drivers\sdbus.sys	194b0b41606fa1401d6cf1f4ac32cd49_JaffaCakes118.exe
File opened for modification	C:\Windows\System32\drivers\vsmraid.sys	194b0b41606fa1401d6cf1f4ac32cd49_JaffaCakes118.exe
File opened for modification	C:\Windows\System32\Drivers\Beep.sys	194b0b41606fa1401d6cf1f4ac32cd49_JaffaCakes118.exe
File opened for modification	C:\Windows\System32\drivers\intelpmax.sys	194b0b41606fa1401d6cf1f4ac32cd49_JaffaCakes118.exe
File opened for modification	C:\Windows\System32\drivers\lsi_sas.sys	194b0b41606fa1401d6cf1f4ac32cd49_JaffaCakes118.exe
File opened for modification	C:\Windows\System32\Drivers\UcmTcpciCx.sys	194b0b41606fa1401d6cf1f4ac32cd49_JaffaCakes118.exe
File opened for modification	C:\Windows\System32\drivers\usbprint.sys	194b0b41606fa1401d6cf1f4ac32cd49_JaffaCakes118.exe
File opened for modification	C:\Windows\System32\drivers\VMBusHID.sys	194b0b41606fa1401d6cf1f4ac32cd49_JaffaCakes118.exe
File opened for modification	C:\Windows\system32\drivers\hvservice.sys	194b0b41606fa1401d6cf1f4ac32cd49_JaffaCakes118.exe
File opened for modification	C:\Windows\System32\drivers\ufxsynopsys.sys	194b0b41606fa1401d6cf1f4ac32cd49_JaffaCakes118.exe
File opened for modification	C:\Windows\System32\drivers\BTHMINI.sys	194b0b41606fa1401d6cf1f4ac32cd49_JaffaCakes118.exe
File opened for modification	C:\Windows\system32\drivers\NDKPing.sys	194b0b41606fa1401d6cf1f4ac32cd49_JaffaCakes118.exe
File opened for modification	C:\Windows\system32\drivers\PktMon.sys	194b0b41606fa1401d6cf1f4ac32cd49_JaffaCakes118.exe
File opened for modification	C:\Windows\System32\drivers\stornvme.sys	194b0b41606fa1401d6cf1f4ac32cd49_JaffaCakes118.exe
File opened for modification	C:\Windows\System32\drivers\tsusbhub.sys	194b0b41606fa1401d6cf1f4ac32cd49_JaffaCakes118.exe
File opened for modification	C:\Windows\System32\drivers\tunnel.sys	194b0b41606fa1401d6cf1f4ac32cd49_JaffaCakes118.exe
File opened for modification	C:\Windows\System32\Drivers\UcmCx.sys	194b0b41606fa1401d6cf1f4ac32cd49_JaffaCakes118.exe
File opened for modification	C:\Windows\System32\Drivers\mshwnclx.sys	194b0b41606fa1401d6cf1f4ac32cd49_JaffaCakes118.exe
File opened for modification	C:\Windows\System32\drivers\iaLPSS2i_I2C_GLK.sys	194b0b41606fa1401d6cf1f4ac32cd49_JaffaCakes118.exe
File opened for modification	C:\Windows\System32\drivers\mlx4_bus.sys	194b0b41606fa1401d6cf1f4ac32cd49_JaffaCakes118.exe
File opened for modification	C:\Windows\system32\drivers\NetAdapterCx.sys	194b0b41606fa1401d6cf1f4ac32cd49_JaffaCakes118.exe
File opened for modification	C:\Windows\System32\drivers\raspptp.sys	194b0b41606fa1401d6cf1f4ac32cd49_JaffaCakes118.exe
File opened for modification	C:\Windows\System32\drivers\tpm.sys	194b0b41606fa1401d6cf1f4ac32cd49_JaffaCakes118.exe
File opened for modification	C:\Windows\System32\drivers\serenum.sys	194b0b41606fa1401d6cf1f4ac32cd49_JaffaCakes118.exe
File opened for modification	C:\Windows\System32\drivers\storvsc.sys	194b0b41606fa1401d6cf1f4ac32cd49_JaffaCakes118.exe
File opened for modification	C:\Windows\System32\drivers\USBSTOR.SYS	194b0b41606fa1401d6cf1f4ac32cd49_JaffaCakes118.exe
File opened for modification	C:\Windows\System32\drivers\amdi2c.sys	194b0b41606fa1401d6cf1f4ac32cd49_JaffaCakes118.exe
File opened for modification	C:\Windows\System32\drivers\msiscsi.sys	194b0b41606fa1401d6cf1f4ac32cd49_JaffaCakes118.exe
File opened for modification	C:\Windows\System32\drivers\lsi_sss.sys	194b0b41606fa1401d6cf1f4ac32cd49_JaffaCakes118.exe
File opened for modification	C:\Windows\system32\drivers\modem.sys	194b0b41606fa1401d6cf1f4ac32cd49_JaffaCakes118.exe
File opened for modification	C:\Windows\system32\DRIVERS\wdiwifi.sys	194b0b41606fa1401d6cf1f4ac32cd49_JaffaCakes118.exe
File opened for modification	C:\Windows\System32\drivers\bridge.sys	194b0b41606fa1401d6cf1f4ac32cd49_JaffaCakes118.exe
File opened for modification	C:\Windows\System32\drivers\pciide.sys	194b0b41606fa1401d6cf1f4ac32cd49_JaffaCakes118.exe
File opened for modification	C:\Windows\System32\drivers\wacompen.sys	194b0b41606fa1401d6cf1f4ac32cd49_JaffaCakes118.exe
File opened for modification	C:\Windows\System32\drivers\msgpiowin32.sys	194b0b41606fa1401d6cf1f4ac32cd49_JaffaCakes118.exe
File opened for modification	C:\Windows\system32\drivers\spaceparser.sys	194b0b41606fa1401d6cf1f4ac32cd49_JaffaCakes118.exe
File opened for modification	C:\Windows\System32\drivers\SpatialGraphFilter.sys	194b0b41606fa1401d6cf1f4ac32cd49_JaffaCakes118.exe
File opened for modification	C:\Windows\System32\drivers\CAD.sys	194b0b41606fa1401d6cf1f4ac32cd49_JaffaCakes118.exe
File opened for modification	C:\Windows\System32\drivers\hwpolicy.sys	194b0b41606fa1401d6cf1f4ac32cd49_JaffaCakes118.exe
File opened for modification	C:\Windows\System32\drivers\iaStorAVC.sys	194b0b41606fa1401d6cf1f4ac32cd49_JaffaCakes118.exe

VMProtect packed file 3 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
behavioral2/memory/3456-0-0x0000000000400000-0x00000000004AF000-memory.dmp	vmprotect
behavioral2/memory/3456-2-0x0000000000400000-0x00000000004AF000-memory.dmp	vmprotect
behavioral2/memory/3456-5-0x0000000000400000-0x00000000004AF000-memory.dmp	vmprotect

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

194b0b41606fa1401d6cf1f4ac32cd49_JaffaCakes118.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 194b0b41606fa1401d6cf1f4ac32cd49_JaffaCakes118.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	194b0b41606fa1401d6cf1f4ac32cd49_JaffaCakes118.exe

Drops file in System32 directory 6 IoCs

Processes:

194b0b41606fa1401d6cf1f4ac32cd49_JaffaCakes118.exe

description	ioc	process
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\genericusbfn.inf_amd64_53931f0ae21d6d2c\genericusbfn.sys	194b0b41606fa1401d6cf1f4ac32cd49_JaffaCakes118.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\uefi.inf_amd64_c1628ffa62c8e54c\UEFI.sys	194b0b41606fa1401d6cf1f4ac32cd49_JaffaCakes118.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\ufxchipidea.inf_amd64_1c78775fffab6a0a\UfxChipidea.sys	194b0b41606fa1401d6cf1f4ac32cd49_JaffaCakes118.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\urschipidea.inf_amd64_78ad1c14e33df968\urschipidea.sys	194b0b41606fa1401d6cf1f4ac32cd49_JaffaCakes118.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\urssynopsys.inf_amd64_057fa37902020500\urssynopsys.sys	194b0b41606fa1401d6cf1f4ac32cd49_JaffaCakes118.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\vrd.inf_amd64_81fbd405ff2470fc\vrd.sys	194b0b41606fa1401d6cf1f4ac32cd49_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

194b0b41606fa1401d6cf1f4ac32cd49_JaffaCakes118.exe

pid process

3456 194b0b41606fa1401d6cf1f4ac32cd49_JaffaCakes118.exe
3456 194b0b41606fa1401d6cf1f4ac32cd49_JaffaCakes118.exe

pid	process
3456	194b0b41606fa1401d6cf1f4ac32cd49_JaffaCakes118.exe
3456	194b0b41606fa1401d6cf1f4ac32cd49_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\194b0b41606fa1401d6cf1f4ac32cd49_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\194b0b41606fa1401d6cf1f4ac32cd49_JaffaCakes118.exe"
1⤵
- Drops file in Drivers directory
- Checks whether UAC is enabled
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
PID:3456

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3456-0-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download
memory/3456-2-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download
memory/3456-3-0x0000000000680000-0x0000000000681000-memory.dmp

Filesize
4KB

Download
memory/3456-5-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download
memory/3456-6-0x0000000000680000-0x0000000000681000-memory.dmp

Filesize
4KB

Download