e5aff10a38972a68a89578b616cb6332b7b01f4c1900660fcc7591b769c402da

Analysis

max time kernel
122s
max time network
123s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
09/04/2024, 00:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e8c31929ecd722a2e9b4a4b6df5faaa6_JaffaCakes118.dll
Size

114KB
MD5

e8c31929ecd722a2e9b4a4b6df5faaa6
SHA1

1444e87a79d1415e53ca619fd64468a9b1b72bae
SHA256

e5aff10a38972a68a89578b616cb6332b7b01f4c1900660fcc7591b769c402da
SHA512

608552dfcb011bfc3e7c57f3c6ca8870641effab4434d2953c44d2fe5392874fba9b03499192858580543dca98226e97b6ed5c18642c929163dc3deef2c36036
SSDEEP

1536:2cHXQ/VFpDPWI5Fzm4CQgDKJaccxUtrPIEbV/xRjvlZagwM3HD:N3UFRuI5FyYg+cxUVPI8phvlZagf

Score

6^/10

bootkit discovery persistence

Malware Config

Signatures

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	rundll32.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1936	rundll32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2936 wrote to memory of 1936	2936	rundll32.exe	28
PID 2936 wrote to memory of 1936	2936	rundll32.exe	28
PID 2936 wrote to memory of 1936	2936	rundll32.exe	28
PID 2936 wrote to memory of 1936	2936	rundll32.exe	28
PID 2936 wrote to memory of 1936	2936	rundll32.exe	28
PID 2936 wrote to memory of 1936	2936	rundll32.exe	28
PID 2936 wrote to memory of 1936	2936	rundll32.exe	28

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\e8c31929ecd722a2e9b4a4b6df5faaa6_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2936
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\e8c31929ecd722a2e9b4a4b6df5faaa6_JaffaCakes118.dll,#1
  2⤵
  - Writes to the Master Boot Record (MBR)
  - Suspicious behavior: EnumeratesProcesses
  PID:1936

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1936-0-0x00000000001C0000-0x00000000001C9000-memory.dmp

Filesize
36KB

Download
memory/1936-3-0x00000000001C0000-0x00000000001C9000-memory.dmp

Filesize
36KB

Download