Analysis

  • max time kernel
    121s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64 arch:x86 image:win7-20240221-en locale:en-us os:windows7-x64 system
  • submitted
    17/04/2024, 03:01

General

  • Target

    f4e45d6fcdb296e604831c7cd8ca06ca_JaffaCakes118.exe

  • Size

    904KB

  • MD5

    f4e45d6fcdb296e604831c7cd8ca06ca

  • SHA1

    8af6e21120347285bfc997a39366afd3711f5156

  • SHA256

    06e7e6c8552e077500936f5131827ac641fb19c559a8d32f1da7c3ac30328592

  • SHA512

    051d51ea66d0cc3b0664f8ad1f677198f553cd06220f2b894398fba4439c4d682c858cec86462914230771d8a57d29da75f62304e7b0cf2ced0ccd9008673a24

  • SSDEEP

    24576:7RFDmH3VwqA888888888888888888888288888x888v888+88F88W88v88Q8e8HJ:2wqA888888888888888888888288888j

Malware Config

Signatures

  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 9 IoCs
  • VMProtect packed file 4 IoCs

    Detects executables packed with VMProtect commercial packer.

  • Modifies WinLogon 2 TTPs 1 IoCs
  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

  • Drops file in System32 directory 5 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1116
      • C:\Users\Admin\AppData\Local\Temp\f4e45d6fcdb296e604831c7cd8ca06ca_JaffaCakes118.exe
        "C:\Users\Admin\AppData\Local\Temp\f4e45d6fcdb296e604831c7cd8ca06ca_JaffaCakes118.exe"
        2⤵
        • Loads dropped DLL
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2288
        • C:\Users\Admin\AppData\Local\Temp\x.exe
          "C:\Users\Admin\AppData\Local\Temp\x.exe"
          3⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Drops file in System32 directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:2968
          • C:\Windows\SysWOW64\gbvgbv10.exe
            C:\Windows\system32\gbvgbv10.exe C:\Windows\system32\dbr10022.ocx pfjaoidjglkajd C:\Users\Admin\AppData\Local\Temp\x.exe
            4⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Modifies WinLogon
            • Drops file in System32 directory
            PID:2492
          • C:\Windows\SysWOW64\gbvgbv10.exe
            C:\Windows\system32\gbvgbv10.exe C:\Windows\system32\dbr99005.ocx pfjieaoidjglkajd
            4⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Suspicious use of WriteProcessMemory
            PID:3000
            • C:\Windows\explorer.exe
              "C:\Windows\explorer.exe"
              5⤵
                PID:2388
          • C:\Users\Admin\AppData\Local\Temp\ÍêÃÀСǿÂÛ̳Ãâ·Ñ°æ.exe
            "C:\Users\Admin\AppData\Local\Temp\ÍêÃÀСǿÂÛ̳Ãâ·Ñ°æ.exe"
            3⤵
            • Executes dropped EXE
            • Writes to the Master Boot Record (MBR)
            • Suspicious use of SetWindowsHookEx
            PID:2612

      Network

            MITRE ATT&CK Enterprise v15

            Downloads

            • C:\Users\Admin\AppData\Local\Temp\ÍêÃÀСǿÂÛ̳Ãâ·Ñ°æ.exe

              Filesize

              700KB

              MD5

              f7c05830acea357e67a3f911dc59a86c

              SHA1

              ff099c7e8e6364309b53514795f33b5a76cffec8

              SHA256

              1299d2d0a52326fc157b69f129c9f57854bc127f0a6d137e15cafb0cfe46ba5f

              SHA512

              ea9ca7146b89cb3ef52f939b5de049ce346daa6a2fdd4713e5f879c9635b252577ea4c2b88bd01d13f3880d16801caf65d57140c88f815912dea8939d3cc661d

            • C:\Windows\fonts\dbr10022.ttf

              Filesize

              540B

              MD5

              1c00bea82b06bd6a3e01305e067daa28

              SHA1

              2adda1c3f58d5211b1242e5c35d0f4987142d803

              SHA256

              a6708f86162119d1e924bdd6cc33ffea69ab509c6e41f2a6cd9cd6e4b456a768

              SHA512

              f8b81c0d650a140537ee119df9020921b3436c5a715d91fece524295bc7f249e80f00ef57da777d71530c7322d14b4f6b7b8ae2e8970a5edfb43587fd80ee707

            • \Users\Admin\AppData\Local\Temp\x.exe

              Filesize

              30KB

              MD5

              4c2aed3919ed903963a6a0b194e1ecc5

              SHA1

              40bc082029c0a18154f88b30497e07a9cec3f63f

              SHA256

              e4303e985a89917482b8f57d08a1ce894180ad6fb9dd8ddb516962175f3808c7

              SHA512

              7d2e43e34dc68d55358d0e899c522a4518b1e4051a4c3850c68d7ea5a1e006150449a980aea475d7a6a158627b5085a6b4c3afcac4e8dab752e5afc455754050

            • \Windows\SysWOW64\dbr10022.ocx

              Filesize

              37KB

              MD5

              a2d0c7ed26afdf05ebffa4f6f1e8b593

              SHA1

              0af172efb40bfccf3996d9c540eda98050d71c63

              SHA256

              f7fd8cb71bd441416d8e294bd91a6f9ce1b56ccee3b8545d64043c17ee0eff56

              SHA512

              6966a7ac93b2ba0f84c06829534b0e767408eff7534f2461b8492a5c527fe7240f276bd346780dc29b5901155e5cf1102df1ca3a3ae1442a0b3599aa459c594a

            • \Windows\SysWOW64\dbr99005.ocx

              Filesize

              8KB

              MD5

              76948da567806229012ad2a3d697e468

              SHA1

              027b9b69eda64b4872647d49f88236603c2433d3

              SHA256

              73c5b0cbd6e42dad24ee43750a8aee23a8a00b245e8aba577f88563f73eabbd3

              SHA512

              98af9d35cafa124a0ec4a37a44e6e541641cbf474ccefabfe3c30fea15d671496e8ee37a770f727f1651032dc9496fea664423ac7e5b7c46aa1bfa9d8c39a827

            • \Windows\SysWOW64\gbvgbv10.exe

              Filesize

              43KB

              MD5

              51138beea3e2c21ec44d0932c71762a8

              SHA1

              8939cf35447b22dd2c6e6f443446acc1bf986d58

              SHA256

              5ad3c37e6f2b9db3ee8b5aeedc474645de90c66e3d95f8620c48102f1eba4124

              SHA512

              794f30fe452117ff2a26dc9d7086aaf82b639c2632ac2e381a81f5239caaec7c96922ba5d2d90bfd8d74f0a6cd4f79fbda63e14c6b779e5cf6834c13e4e45e7d

            • memory/1116-26-0x0000000002D90000-0x0000000002D91000-memory.dmp

              Filesize

              4KB

            • memory/2288-8-0x00000000007A0000-0x00000000007B5000-memory.dmp

              Filesize

              84KB

            • memory/2288-15-0x00000000007A0000-0x00000000007B5000-memory.dmp

              Filesize

              84KB

            • memory/2492-62-0x0000000010000000-0x000000001000E000-memory.dmp

              Filesize

              56KB

            • memory/2612-46-0x0000000000400000-0x000000000056F000-memory.dmp

              Filesize

              1.4MB

            • memory/2612-45-0x0000000000400000-0x000000000056F000-memory.dmp

              Filesize

              1.4MB

            • memory/2612-63-0x0000000000400000-0x000000000056F000-memory.dmp

              Filesize

              1.4MB

            • memory/2968-27-0x0000000000400000-0x0000000000415000-memory.dmp

              Filesize

              84KB

            • memory/3000-55-0x0000000010000000-0x0000000010006000-memory.dmp

              Filesize

              24KB

            • memory/3000-57-0x0000000000120000-0x000000000012E000-memory.dmp

              Filesize

              56KB