5e5ac8cfc837f39fb6eb6e9a2177d688acd5454a84456a7faff349ca5a3b0eb0

Analysis

max time kernel
143s
max time network
124s
platform
windows7_x64
resource
win7-20240319-en
resource tags

arch:x64arch:x86image:win7-20240319-enlocale:en-usos:windows7-x64system
submitted
09/04/2024, 05:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e961af210377cab2983914fbb111f3bc_JaffaCakes118.exe
Size

469KB
MD5

e961af210377cab2983914fbb111f3bc
SHA1

1b33d9dccd2e074380fea43b30356b206a575cc4
SHA256

5e5ac8cfc837f39fb6eb6e9a2177d688acd5454a84456a7faff349ca5a3b0eb0
SHA512

670865875e8962833ffb91cd3a17bec39c999fc903bdde67eba373a655c5aeee2c32c695690db74129a0754bb0125f981e7d0e8652df46613311d68f30c58c14
SSDEEP

12288:Ab7jkD3v0VBRxE5MBGlcM7UdTLI7UZWG1j3FLiUh:Ab3w3v8BRqEM7UdgU1j35i

Score

7^/10

bootkit persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2832	smss.exe

Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	smss.exe
File opened for modification	\??\PhysicalDrive0	e961af210377cab2983914fbb111f3bc_JaffaCakes118.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\system\smss.exe	e961af210377cab2983914fbb111f3bc_JaffaCakes118.exe
File opened for modification	C:\Windows\system\smss.exe	e961af210377cab2983914fbb111f3bc_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2184	e961af210377cab2983914fbb111f3bc_JaffaCakes118.exe
Token: SeDebugPrivilege	2832	smss.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2832	smss.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2832 wrote to memory of 2528	2832	smss.exe	29
PID 2832 wrote to memory of 2528	2832	smss.exe	29
PID 2832 wrote to memory of 2528	2832	smss.exe	29
PID 2832 wrote to memory of 2528	2832	smss.exe	29

C:\Users\Admin\AppData\Local\Temp\e961af210377cab2983914fbb111f3bc_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e961af210377cab2983914fbb111f3bc_JaffaCakes118.exe"
1⤵
- Writes to the Master Boot Record (MBR)
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2184

C:\Windows\system\smss.exe
C:\Windows\system\smss.exe
1⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2832
- C:\Program Files\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
  2⤵
  PID:2528

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system\smss.exe

Filesize
469KB

MD5
e961af210377cab2983914fbb111f3bc

SHA1
1b33d9dccd2e074380fea43b30356b206a575cc4

SHA256
5e5ac8cfc837f39fb6eb6e9a2177d688acd5454a84456a7faff349ca5a3b0eb0

SHA512
670865875e8962833ffb91cd3a17bec39c999fc903bdde67eba373a655c5aeee2c32c695690db74129a0754bb0125f981e7d0e8652df46613311d68f30c58c14

Download Submit
memory/2184-15-0x0000000002EE0000-0x0000000002EE1000-memory.dmp

Filesize
4KB

Download
memory/2184-9-0x0000000002370000-0x0000000002371000-memory.dmp

Filesize
4KB

Download
memory/2184-1-0x0000000000290000-0x00000000002CA000-memory.dmp

Filesize
232KB

Download
memory/2184-4-0x00000000005E0000-0x00000000005E1000-memory.dmp

Filesize
4KB

Download
memory/2184-5-0x0000000000660000-0x0000000000661000-memory.dmp

Filesize
4KB

Download
memory/2184-14-0x0000000001F60000-0x0000000001F61000-memory.dmp

Filesize
4KB

Download
memory/2184-13-0x0000000001F50000-0x0000000001F51000-memory.dmp

Filesize
4KB

Download
memory/2184-12-0x00000000006B0000-0x00000000006B1000-memory.dmp

Filesize
4KB

Download
memory/2184-11-0x0000000001F00000-0x0000000001F01000-memory.dmp

Filesize
4KB

Download
memory/2184-25-0x0000000000400000-0x00000000004E4000-memory.dmp

Filesize
912KB

Download
memory/2184-2-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/2184-8-0x0000000002380000-0x0000000002381000-memory.dmp

Filesize
4KB

Download
memory/2184-10-0x0000000000690000-0x0000000000691000-memory.dmp

Filesize
4KB

Download
memory/2184-7-0x0000000001F40000-0x0000000001F41000-memory.dmp

Filesize
4KB

Download
memory/2184-6-0x0000000001F30000-0x0000000001F31000-memory.dmp

Filesize
4KB

Download
memory/2184-19-0x0000000000670000-0x0000000000671000-memory.dmp

Filesize
4KB

Download
memory/2184-16-0x0000000000680000-0x0000000000681000-memory.dmp

Filesize
4KB

Download
memory/2184-20-0x0000000001F20000-0x0000000001F21000-memory.dmp

Filesize
4KB

Download
memory/2184-3-0x00000000005F0000-0x00000000005F1000-memory.dmp

Filesize
4KB

Download
memory/2184-0-0x0000000000400000-0x00000000004E4000-memory.dmp

Filesize
912KB

Download
memory/2184-28-0x0000000000290000-0x00000000002CA000-memory.dmp

Filesize
232KB

Download
memory/2832-22-0x0000000000400000-0x00000000004E4000-memory.dmp

Filesize
912KB

Download
memory/2832-24-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2832-26-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download
memory/2832-41-0x0000000000600000-0x0000000000601000-memory.dmp

Filesize
4KB

Download
memory/2832-42-0x0000000001F20000-0x0000000001F21000-memory.dmp

Filesize
4KB

Download
memory/2832-40-0x0000000001F00000-0x0000000001F01000-memory.dmp

Filesize
4KB

Download
memory/2832-39-0x0000000001EF0000-0x0000000001EF1000-memory.dmp

Filesize
4KB

Download
memory/2832-38-0x0000000000630000-0x0000000000631000-memory.dmp

Filesize
4KB

Download
memory/2832-37-0x00000000005F0000-0x00000000005F1000-memory.dmp

Filesize
4KB

Download
memory/2832-36-0x0000000002DC0000-0x0000000002DC1000-memory.dmp

Filesize
4KB

Download
memory/2832-35-0x0000000001EE0000-0x0000000001EE1000-memory.dmp

Filesize
4KB

Download
memory/2832-34-0x0000000001ED0000-0x0000000001ED1000-memory.dmp

Filesize
4KB

Download
memory/2832-33-0x0000000001E80000-0x0000000001E81000-memory.dmp

Filesize
4KB

Download
memory/2832-32-0x0000000000620000-0x0000000000621000-memory.dmp

Filesize
4KB

Download
memory/2832-31-0x0000000001F30000-0x0000000001F31000-memory.dmp

Filesize
4KB

Download
memory/2832-30-0x0000000001F40000-0x0000000001F41000-memory.dmp

Filesize
4KB

Download
memory/2832-23-0x0000000000280000-0x00000000002BA000-memory.dmp

Filesize
232KB

Download
memory/2832-27-0x0000000001EC0000-0x0000000001EC1000-memory.dmp

Filesize
4KB

Download
memory/2832-43-0x0000000000400000-0x00000000004E4000-memory.dmp

Filesize
912KB

Download
memory/2832-44-0x0000000000280000-0x00000000002BA000-memory.dmp

Filesize
232KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads