Analysis
max time kernel: 121s
max time network: 122s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 17/04/2024, 03:01
Static task: static1
Behavioral task: behavioral1
  Sample: f4e45d6fcdb296e604831c7cd8ca06ca_JaffaCakes118.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: f4e45d6fcdb296e604831c7cd8ca06ca_JaffaCakes118.exe
  Resource: win10v2004-20240412-en
General
Target: f4e45d6fcdb296e604831c7cd8ca06ca_JaffaCakes118.exe
Size: 904KB
MD5: f4e45d6fcdb296e604831c7cd8ca06ca
SHA1: 8af6e21120347285bfc997a39366afd3711f5156
SHA256: 06e7e6c8552e077500936f5131827ac641fb19c559a8d32f1da7c3ac30328592
SHA512: 051d51ea66d0cc3b0664f8ad1f677198f553cd06220f2b894398fba4439c4d682c858cec86462914230771d8a57d29da75f62304e7b0cf2ced0ccd9008673a24
SSDEEP: 24576:7RFDmH3VwqA888888888888888888888288888x888v888+88F88W88v88Q8e8HJ:2wqA888888888888888888888288888j
Malware Config
Signatures
Executes dropped EXE (4 IoCs)
  pid   Process
  2968  x.exe
  2612  ÍêÃÀСǿÂÛ̳Ãâ·Ñ°æ.exe
  3000  gbvgbv10.exe
  2492  gbvgbv10.exe

Loads dropped DLL (9 IoCs)
  pid   Process
  2288  f4e45d6fcdb296e604831c7cd8ca06ca_JaffaCakes118.exe
  2288  f4e45d6fcdb296e604831c7cd8ca06ca_JaffaCakes118.exe
  2288  f4e45d6fcdb296e604831c7cd8ca06ca_JaffaCakes118.exe
  2288  f4e45d6fcdb296e604831c7cd8ca06ca_JaffaCakes118.exe
  2968  x.exe
  2968  x.exe
  2492  gbvgbv10.exe
  3000  gbvgbv10.exe
  3000  gbvgbv10.exe

  resource                                                                      yara_rule
  behavioral1/files/0x000c000000012255-33.dat                                   vmprotect
  behavioral1/memory/2612-46-0x0000000000400000-0x000000000056F000-memory.dmp   vmprotect
  behavioral1/memory/2612-45-0x0000000000400000-0x000000000056F000-memory.dmp   vmprotect
  behavioral1/memory/2612-63-0x0000000000400000-0x000000000056F000-memory.dmp   vmprotect

Modifies WinLogon (2 TTPs, 1 IoC)
  description      ioc                                                                                                                 Process
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SfcDisable = "4294967197"     gbvgbv10.exe

Writes to the Master Boot Record (MBR) (1 TTP, 1 IoC)
Bootkits write to the MBR to gain persistence at a level below the operating system.
  description                   ioc                  Process
  File opened for modification  \??\PhysicalDrive0   ÍêÃÀСǿÂÛ̳Ãâ·Ñ°æ.exe

Drops file in System32 directory (5 IoCs)
  description                   ioc                                      Process
  File created                  C:\Windows\SysWOW64\gbvgbv10.exe         x.exe
  File opened for modification  C:\Windows\SysWOW64\gbvgbv10.exe         x.exe
  File opened for modification  C:\Windows\SysWOW64\comres.dll           gbvgbv10.exe
  File opened for modification  C:\Windows\SysWOW64\comres.dll.ocx       gbvgbv10.exe
  File created                  C:\Windows\SysWOW64\comres.dll.ocx       gbvgbv10.exe

Drops file in Windows directory (2 IoCs)
  description                   ioc                                 Process
  File created                  C:\Windows\fonts\dbr10022.ttf       x.exe
  File opened for modification  C:\Windows\fonts\dbr10022.ttf       x.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (1 IoC)
  pid   Process
  2968  x.exe

Suspicious use of SetWindowsHookEx (4 IoCs)
  pid   Process
  2288  f4e45d6fcdb296e604831c7cd8ca06ca_JaffaCakes118.exe
  2288  f4e45d6fcdb296e604831c7cd8ca06ca_JaffaCakes118.exe
  2612  ÍêÃÀСǿÂÛ̳Ãâ·Ñ°æ.exe
  2612  ÍêÃÀСǿÂÛ̳Ãâ·Ñ°æ.exe

Suspicious use of WriteProcessMemory (21 IoCs)
  description                    pid   Process                                               procid_target
  PID 2288 wrote to memory of 2968   2288  f4e45d6fcdb296e604831c7cd8ca06ca_JaffaCakes118.exe   28
  PID 2288 wrote to memory of 2968   2288  f4e45d6fcdb296e604831c7cd8ca06ca_JaffaCakes118.exe   28
  PID 2288 wrote to memory of 2968   2288  f4e45d6fcdb296e604831c7cd8ca06ca_JaffaCakes118.exe   28
  PID 2288 wrote to memory of 2968   2288  f4e45d6fcdb296e604831c7cd8ca06ca_JaffaCakes118.exe   28
  PID 2968 wrote to memory of 1116   2968  x.exe                                                 20
  PID 2288 wrote to memory of 2612   2288  f4e45d6fcdb296e604831c7cd8ca06ca_JaffaCakes118.exe   29
  PID 2288 wrote to memory of 2612   2288  f4e45d6fcdb296e604831c7cd8ca06ca_JaffaCakes118.exe   29
  PID 2288 wrote to memory of 2612   2288  f4e45d6fcdb296e604831c7cd8ca06ca_JaffaCakes118.exe   29
  PID 2288 wrote to memory of 2612   2288  f4e45d6fcdb296e604831c7cd8ca06ca_JaffaCakes118.exe   29
  PID 2968 wrote to memory of 2492   2968  x.exe                                                 30
  PID 2968 wrote to memory of 2492   2968  x.exe                                                 30
  PID 2968 wrote to memory of 2492   2968  x.exe                                                 30
  PID 2968 wrote to memory of 2492   2968  x.exe                                                 30
  PID 2968 wrote to memory of 3000   2968  x.exe                                                 31
  PID 2968 wrote to memory of 3000   2968  x.exe                                                 31
  PID 2968 wrote to memory of 3000   2968  x.exe                                                 31
  PID 2968 wrote to memory of 3000   2968  x.exe                                                 31
  PID 3000 wrote to memory of 2388   3000  gbvgbv10.exe                                          32
  PID 3000 wrote to memory of 2388   3000  gbvgbv10.exe                                          32
  PID 3000 wrote to memory of 2388   3000  gbvgbv10.exe                                          32
  PID 3000 wrote to memory of 2388   3000  gbvgbv10.exe                                          32
Processes
C:\Windows\Explorer.EXE
  command line: C:\Windows\Explorer.EXE
  PID: 1116
  C:\Users\Admin\AppData\Local\Temp\f4e45d6fcdb296e604831c7cd8ca06ca_JaffaCakes118.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\f4e45d6fcdb296e604831c7cd8ca06ca_JaffaCakes118.exe"
    PID: 2288
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\x.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\x.exe"
      PID: 2968
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops file in System32 directory
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\gbvgbv10.exe
        command line: C:\Windows\system32\gbvgbv10.exe C:\Windows\system32\dbr10022.ocx pfjaoidjglkajd C:\Users\Admin\AppData\Local\Temp\x.exe
        PID: 2492
        - Executes dropped EXE
        - Loads dropped DLL
        - Modifies WinLogon
        - Drops file in System32 directory
      C:\Windows\SysWOW64\gbvgbv10.exe
        command line: C:\Windows\system32\gbvgbv10.exe C:\Windows\system32\dbr99005.ocx pfjieaoidjglkajd
        PID: 3000
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of WriteProcessMemory
        C:\Windows\explorer.exe
          command line: "C:\Windows\explorer.exe"
          PID: 2388
    C:\Users\Admin\AppData\Local\Temp\ÍêÃÀСǿÂÛ̳Ãâ·Ñ°æ.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\ÍêÃÀСǿÂÛ̳Ãâ·Ñ°æ.exe"
      PID: 2612
      - Executes dropped EXE
      - Writes to the Master Boot Record (MBR)
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads