29fefa52d62f0b938f9763e139cd463c2fc91c14d71c0b3106fbe63cc2ed2bef

Analysis

max time kernel
147s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
08-04-2024 18:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e82b979b54b6793bd50378129992ee77_JaffaCakes118.exe
Size

252KB
MD5

e82b979b54b6793bd50378129992ee77
SHA1

b5900026a65c3fc0d2ac839b63302b0593035abc
SHA256

29fefa52d62f0b938f9763e139cd463c2fc91c14d71c0b3106fbe63cc2ed2bef
SHA512

52c7aeeeb2f1ae5a357235f22fc99cef35c2fb992037b01f61a55c94c3e7abedf847d5b45f73175b7f82121bc6647861ad8ead7dc75efd741d5d91c955c0aea5
SSDEEP

3072:q2lOCm1WQTU84a3R2wfaZEt0BdmYphZcGXJRXj5z3vs473W/:q05UU89R2wf4EmrhhXBsO3

Score

10^/10

bootkit evasion persistence upx

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Dofake.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	Dofake.exe

Blocklisted process makes network request 1 IoCs

flow	pid	Process
44	540	rundll32.exe

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral2/files/0x0007000000023211-4.dat	acprotect

Executes dropped EXE 1 IoCs

pid	Process
3656	Dofake.exe

Loads dropped DLL 2 IoCs

pid	Process
4680	regsvr32.exe
540	rundll32.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0007000000023211-4.dat	upx
behavioral2/memory/540-6-0x0000000010000000-0x0000000010028000-memory.dmp	upx
behavioral2/memory/540-128-0x0000000010000000-0x0000000010028000-memory.dmp	upx
behavioral2/memory/540-132-0x0000000010000000-0x0000000010028000-memory.dmp	upx
behavioral2/memory/540-133-0x0000000010000000-0x0000000010028000-memory.dmp	upx
behavioral2/memory/540-134-0x0000000010000000-0x0000000010028000-memory.dmp	upx
behavioral2/memory/540-135-0x0000000010000000-0x0000000010028000-memory.dmp	upx
behavioral2/memory/540-136-0x0000000010000000-0x0000000010028000-memory.dmp	upx

Enumerates connected drives 3 TTPs 8 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\E:	Dofake.exe
File opened (read-only)	\??\G:	Dofake.exe
File opened (read-only)	\??\H:	Dofake.exe
File opened (read-only)	\??\I:	Dofake.exe
File opened (read-only)	\??\J:	Dofake.exe
File opened (read-only)	\??\K:	Dofake.exe
File opened (read-only)	\??\L:	Dofake.exe
File opened (read-only)	\??\M:	Dofake.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	rundll32.exe

Drops file in System32 directory 5 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\msn388.dll	e82b979b54b6793bd50378129992ee77_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\dllcache\msn388.dll	e82b979b54b6793bd50378129992ee77_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\ssdhile.dll	e82b979b54b6793bd50378129992ee77_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Dofake.exe	e82b979b54b6793bd50378129992ee77_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\Web.ini	rundll32.exe

Modifies registry class 46 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TestAtl.ATlMy.1\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TestAtl.ATlMy	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TestAtl.ATlMy\ = "ATlMy Class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CE673B02-973C-4268-A819-DA005C782B5D}\1.0\0\win32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F5CC5892-346B-4F19-B304-307DD1EF1A45}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F5CC5892-346B-4F19-B304-307DD1EF1A45}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F5CC5892-346B-4F19-B304-307DD1EF1A45}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TestAtl.ATlMy\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C4560D12-CE25-4A2E-A5D4-B5070FCBE282}\InprocServer32\ = "C:\\Windows\\SysWow64\\ssdhile.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C4560D12-CE25-4A2E-A5D4-B5070FCBE282}\TypeLib\ = "{CE673B02-973C-4268-A819-DA005C782B5D}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CE673B02-973C-4268-A819-DA005C782B5D}\1.0\FLAGS	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CE673B02-973C-4268-A819-DA005C782B5D}\1.0\0\win32\ = "C:\\Windows\\SysWow64\\ssdhile.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F5CC5892-346B-4F19-B304-307DD1EF1A45}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C4560D12-CE25-4A2E-A5D4-B5070FCBE282}\ProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CE673B02-973C-4268-A819-DA005C782B5D}\1.0\HELPDIR	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F5CC5892-346B-4F19-B304-307DD1EF1A45}\TypeLib\ = "{CE673B02-973C-4268-A819-DA005C782B5D}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F5CC5892-346B-4F19-B304-307DD1EF1A45}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CE673B02-973C-4268-A819-DA005C782B5D}\1.0\HELPDIR\ = "C:\\Windows\\SysWow64\\"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F5CC5892-346B-4F19-B304-307DD1EF1A45}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TestAtl.ATlMy.1\ = "ATlMy Class"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TestAtl.ATlMy.1\CLSID\ = "{C4560D12-CE25-4A2E-A5D4-B5070FCBE282}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TestAtl.ATlMy\CLSID\ = "{C4560D12-CE25-4A2E-A5D4-B5070FCBE282}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TestAtl.ATlMy\CurVer	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C4560D12-CE25-4A2E-A5D4-B5070FCBE282}\VersionIndependentProgID\ = "TestAtl.ATlMy"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CE673B02-973C-4268-A819-DA005C782B5D}\1.0\FLAGS\ = "0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TestAtl.ATlMy\CurVer\ = "TestAtl.ATlMy.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CE673B02-973C-4268-A819-DA005C782B5D}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CE673B02-973C-4268-A819-DA005C782B5D}\1.0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CE673B02-973C-4268-A819-DA005C782B5D}\1.0\0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F5CC5892-346B-4F19-B304-307DD1EF1A45}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F5CC5892-346B-4F19-B304-307DD1EF1A45}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C4560D12-CE25-4A2E-A5D4-B5070FCBE282}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F5CC5892-346B-4F19-B304-307DD1EF1A45}\ = "IATlMy"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F5CC5892-346B-4F19-B304-307DD1EF1A45}\TypeLib\ = "{CE673B02-973C-4268-A819-DA005C782B5D}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C4560D12-CE25-4A2E-A5D4-B5070FCBE282}\ = "ATlMy Class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C4560D12-CE25-4A2E-A5D4-B5070FCBE282}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C4560D12-CE25-4A2E-A5D4-B5070FCBE282}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F5CC5892-346B-4F19-B304-307DD1EF1A45}\ = "IATlMy"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F5CC5892-346B-4F19-B304-307DD1EF1A45}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F5CC5892-346B-4F19-B304-307DD1EF1A45}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TestAtl.ATlMy.1	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C4560D12-CE25-4A2E-A5D4-B5070FCBE282}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C4560D12-CE25-4A2E-A5D4-B5070FCBE282}\ProgID\ = "TestAtl.ATlMy.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C4560D12-CE25-4A2E-A5D4-B5070FCBE282}\VersionIndependentProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C4560D12-CE25-4A2E-A5D4-B5070FCBE282}\Programmable	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CE673B02-973C-4268-A819-DA005C782B5D}\1.0\ = "testAtl 1.0 Type Library"	regsvr32.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
540	rundll32.exe
540	rundll32.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3508	e82b979b54b6793bd50378129992ee77_JaffaCakes118.exe
3656	Dofake.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3508 wrote to memory of 4680	3508	e82b979b54b6793bd50378129992ee77_JaffaCakes118.exe	88
PID 3508 wrote to memory of 4680	3508	e82b979b54b6793bd50378129992ee77_JaffaCakes118.exe	88
PID 3508 wrote to memory of 4680	3508	e82b979b54b6793bd50378129992ee77_JaffaCakes118.exe	88
PID 3508 wrote to memory of 540	3508	e82b979b54b6793bd50378129992ee77_JaffaCakes118.exe	89
PID 3508 wrote to memory of 540	3508	e82b979b54b6793bd50378129992ee77_JaffaCakes118.exe	89
PID 3508 wrote to memory of 540	3508	e82b979b54b6793bd50378129992ee77_JaffaCakes118.exe	89
PID 3508 wrote to memory of 3656	3508	e82b979b54b6793bd50378129992ee77_JaffaCakes118.exe	98
PID 3508 wrote to memory of 3656	3508	e82b979b54b6793bd50378129992ee77_JaffaCakes118.exe	98
PID 3508 wrote to memory of 3656	3508	e82b979b54b6793bd50378129992ee77_JaffaCakes118.exe	98
PID 3508 wrote to memory of 4000	3508	e82b979b54b6793bd50378129992ee77_JaffaCakes118.exe	99
PID 3508 wrote to memory of 4000	3508	e82b979b54b6793bd50378129992ee77_JaffaCakes118.exe	99
PID 3508 wrote to memory of 4000	3508	e82b979b54b6793bd50378129992ee77_JaffaCakes118.exe	99

C:\Users\Admin\AppData\Local\Temp\e82b979b54b6793bd50378129992ee77_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e82b979b54b6793bd50378129992ee77_JaffaCakes118.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3508
- C:\Windows\SysWOW64\regsvr32.exe
  regsvr32 /s C:\Windows\System32\ssdhile.dll
  2⤵
  - Loads dropped DLL
  - Modifies registry class
  PID:4680
- C:\Windows\SysWOW64\rundll32.exe
  rundll32 msn388.dll , InstallMyDll
  2⤵
  - Blocklisted process makes network request
  - Loads dropped DLL
  - Writes to the Master Boot Record (MBR)
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  PID:540
- C:\Windows\SysWOW64\Dofake.exe
  C:\Windows\System32\Dofake.exe
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Enumerates connected drives
  - Suspicious use of SetWindowsHookEx
  PID:3656
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c 375519961O57540.bat
  2⤵
  PID:4000

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\375519961O57540.bat

Filesize
2KB

MD5
ca630d5f49808049c6cbc5d988b5c77b

SHA1
eafdb342d68819a31dfcda74c2cd81e9ad6839c0

SHA256
721da9727445da3231cdd67a420fc35d72ae5d99a3f2c4c86ed06054ea768a8e

SHA512
c0c96f28961159effc70f6ddd5dd36e95e35acaf199ca8786e73d021e61b9b1801e1aaf578043753699514f5a696834a19b89775331c49c07fc9eeb0b31cc4a7

Download Submit
C:\Windows\SysWOW64\Dofake.exe

Filesize
136KB

MD5
d8b576dbdb38ac95e95a44b9bf7f9e82

SHA1
29873acb8e568b848af39d69bdca670827373ced

SHA256
7b78fa8a2eb65956fc8a21e8007c5d5761a74cad5f27a007edd6ac2ffe26f778

SHA512
2337cff67527c451dd23b5330e20ec31469c8f1e8b2c95204854111a715e23114de87e22396b509d96df37c629cfbc1ddafd3ddf241bf58ec9f140f45c4311c0

Download Submit
C:\Windows\SysWOW64\Web.ini

Filesize
1KB

MD5
0b249d1b3a84390779223111249b4662

SHA1
58c906c8b3ff9c275801ff49b02c4a31b840efbd

SHA256
4bd5f6597a0810456422e860545db2bbe48024ee962447d0ca35e7429cb16860

SHA512
88d975a79f2c04d10c4026a6b8a2900d62c4339fdcb1e275f0c0cefc962940a2178f152c1cdc824970edc898ef666d62a964efad9e2c22fa205ff5fbb9c2e531

Download Submit
C:\Windows\SysWOW64\Web.ini

Filesize
1KB

MD5
65f92e64ae142fd353872e94ac353685

SHA1
2bc6fea466f193b1d97df68444b4df4d1fff9785

SHA256
218719121d25f71154216e2e92f7919fc975253b78f4ab3900f70d28704847d0

SHA512
0c9b3a3a34d72bbada8000e9213150e240a1b5532ec171a05bfcd648306ecbfc8fc70357a3618cf35f3897d38e190b7455f80a779baef336dcd2629a2e8ebe40

Download Submit
C:\Windows\SysWOW64\Web.ini

Filesize
1KB

MD5
db78883e76b96550825bff493ae03c25

SHA1
073fa24e1571ac6d31e2817e61d34af12db753e4

SHA256
adbeb9af91ddff8c65f7f04a9da99274973c9c086298a73b2cd69b67cb78dff4

SHA512
f96e19045b54916d3e95fe2dd7df5f3ce7af17b3580b9ef9ba2c906dec7602393322d6837fcc8258003a06da2283a5e6f3789ae08dc88f326bf78b498df954fb

Download Submit
C:\Windows\SysWOW64\msn388.dll

Filesize
31KB

MD5
de7193271e6faf64181ff16fb8ca7e7b

SHA1
b19cfdbbea3625e5d4f21885234830185bb7a8d6

SHA256
224afbe030c0fbfef5482edc31c54f4daf62e0513bc518b18f95bd8e160c23be

SHA512
f76425fa335b6b5cc0ed279bc50ebee12a3624abc784adf106707ca3fd39eff973991c9a8b9e2a37205a5b54c1d45d63f6eabe49c25c3ed2cecea8841013bc79

Download Submit
C:\Windows\SysWOW64\ssdhile.dll

Filesize
56KB

MD5
b54af4f059f9f6eb2d4c7d5d32484335

SHA1
3dc1145b5bed16b87ed5d444b8b90a8d6aac2500

SHA256
8376c4e4b7b3e2e00e6b89ffd9b2ac254b0958a5f63d6dd14c72fd5503e6cdde

SHA512
b84b439063ecf25014638dd686637e3887da901ff54b4c37af45b395e3a235ebf55d1833c5a83fa2ad7f02a1f619145661f7be7e556dd92adc3d147059c3a59d

Download Submit
memory/540-6-0x0000000010000000-0x0000000010028000-memory.dmp

Filesize
160KB

Download
memory/540-128-0x0000000010000000-0x0000000010028000-memory.dmp

Filesize
160KB

Download
memory/540-132-0x0000000010000000-0x0000000010028000-memory.dmp

Filesize
160KB

Download
memory/540-133-0x0000000010000000-0x0000000010028000-memory.dmp

Filesize
160KB

Download
memory/540-134-0x0000000010000000-0x0000000010028000-memory.dmp

Filesize
160KB

Download
memory/540-135-0x0000000010000000-0x0000000010028000-memory.dmp

Filesize
160KB

Download
memory/540-136-0x0000000010000000-0x0000000010028000-memory.dmp

Filesize
160KB

Download