48e44a9af4e6f6f1444aaeb8f6f9af45f64b26bef269af3ceac3224d5b5b3fe1

Analysis

max time kernel
141s
max time network
124s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
08/04/2024, 20:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e8608a697d966ee401d5a3520681a77d_JaffaCakes118.exe
Size

110KB
MD5

e8608a697d966ee401d5a3520681a77d
SHA1

a4ed7b65797c91cdcd87d6793c79cec0ed3a0016
SHA256

48e44a9af4e6f6f1444aaeb8f6f9af45f64b26bef269af3ceac3224d5b5b3fe1
SHA512

9c91a1b89faae9175a9b7c5948d0f1f8f59e50aa6d9cff21ef9b5fe56b079f4f194b47c0fced7af8477ffb2e78f532e7998af20cf324e1939055e30b97986c1e
SSDEEP

3072:Y9amc9x9gVw3XM9nYqm0LdGbSBu43gIy1PzG3ow:Yk8SGnYqUbSU8ytzG3F

Score

7^/10

bootkit persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4352	avp.exe

Loads dropped DLL 2 IoCs

pid	Process
4420	e8608a697d966ee401d5a3520681a77d_JaffaCakes118.exe
4420	e8608a697d966ee401d5a3520681a77d_JaffaCakes118.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	e8608a697d966ee401d5a3520681a77d_JaffaCakes118.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\od3mdi.dll	e8608a697d966ee401d5a3520681a77d_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\delplmE.bat	e8608a697d966ee401d5a3520681a77d_JaffaCakes118.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\avp.exe	e8608a697d966ee401d5a3520681a77d_JaffaCakes118.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
4420	e8608a697d966ee401d5a3520681a77d_JaffaCakes118.exe
652	Process not Found

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeLoadDriverPrivilege	4420	e8608a697d966ee401d5a3520681a77d_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4420 wrote to memory of 4064	4420	e8608a697d966ee401d5a3520681a77d_JaffaCakes118.exe	87
PID 4420 wrote to memory of 4064	4420	e8608a697d966ee401d5a3520681a77d_JaffaCakes118.exe	87
PID 4420 wrote to memory of 4064	4420	e8608a697d966ee401d5a3520681a77d_JaffaCakes118.exe	87

C:\Users\Admin\AppData\Local\Temp\e8608a697d966ee401d5a3520681a77d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e8608a697d966ee401d5a3520681a77d_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4420
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c delplme.bat
  2⤵
  PID:4064

C:\Windows\avp.exe
C:\Windows\avp.exe
1⤵
- Executes dropped EXE
PID:4352

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\delplmE.bat

Filesize
306B

MD5
9f471ff7b311dcaca4f05840d5de4fd6

SHA1
4068e517ddc00961c7f0ceb567bfde576c0a2406

SHA256
1dcab5091da683a4b7a65451e95c9da2caab8fc4ca628b2831831990a1155146

SHA512
40b801b3aea944cae2382c859bf42b9c318c689e2fe5f1f5ac1761052c0019382c0ac027853bccc10f356496e5ee526950050b69db81f82a3c32608d7609050c

Download Submit
C:\Windows\SysWOW64\od3mdi.dll

Filesize
238KB

MD5
ff120740efe923016dba33226f18bd4f

SHA1
bb94fae53bd7ecac8f8a3380bdc266d5b7a06214

SHA256
8c29b4b345337d8e5900b7c29de8f243105224b26fd8e4b94d8471acfdfb0711

SHA512
9406fa52a828b59c50b15607107b31598ea2ebccf788e8f0b97be8c500c11ff473cef2a49fe224e2dc337474978d235e98d33a939e86b3f708c0f5457bd0f06c

Download Submit
C:\Windows\avp.exe

Filesize
18KB

MD5
c9264c6b875324959685ae60bbd2118f

SHA1
3bf262dc738193060dafd07356ee44112c3d85aa

SHA256
248fc468fe9a4d0962f222e9902745b6872702336b89eb181701b0816f236999

SHA512
7bd30d4aba218feeeba0835a69936093227c32ccabcf7923be81d8187624f931e1016d69acdd8ec457e81531690d6ec8cc1070864dc3eb22bc6d90a18f1fc73a

Download Submit
memory/4352-16-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/4352-18-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/4352-27-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/4352-14-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/4352-15-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/4352-26-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/4352-17-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/4352-25-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/4352-19-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/4352-20-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/4352-21-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/4352-22-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/4352-23-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/4420-5-0x0000000002B60000-0x0000000002BA8000-memory.dmp

Filesize
288KB

Download
memory/4420-0-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/4420-13-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads