Analysis

  • max time kernel
    140s
  • max time network
    136s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240412-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240412-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    17/04/2024, 04:30 UTC

General

  • Target

    f5096a7fced94ad12eb72672154e8c83_JaffaCakes118.exe

  • Size

    328KB

  • MD5

    f5096a7fced94ad12eb72672154e8c83

  • SHA1

    219c29e2d8e2ae5990bbbbee2302297bfefebb56

  • SHA256

    49b9054ea9cbca7c9c4371b744f22f7f8304027a83ebdb7d7e64334d4bd6e6fc

  • SHA512

    c57b1028f6e63f2424d14d9d4d8a328ef692d1efa26ffa8dacfcebd5c10008254522f01a4af5b3dbb2dc70429365d941ecbefdf79287f5308485679d2195c44b

  • SSDEEP

    6144:UcMedZ3FTDSm9PXfrtVNgzSdVr3gRGPKuSUzzPAm704QuBEmot5:R9Z3FTDx9PP51T3dPNzyC6t5

Malware Config

Signatures

  • UPX packed file 4 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

  • Drops file in Program Files directory 1 IoCs
  • Modifies system certificate store 2 TTPs 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f5096a7fced94ad12eb72672154e8c83_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\f5096a7fced94ad12eb72672154e8c83_JaffaCakes118.exe"
    1⤵
    • Enumerates connected drives
    • Writes to the Master Boot Record (MBR)
    • Drops file in Program Files directory
    • Modifies system certificate store
    PID:2956

Network

  • flag-us
    DNS
    b.liteflames.com
    f5096a7fced94ad12eb72672154e8c83_JaffaCakes118.exe
    Remote address:
    8.8.8.8:53
    Request
    b.liteflames.com
    IN A
    Response
  • flag-us
    DNS
    64.159.190.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    64.159.190.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    csc3-2010-crl.verisign.com
    f5096a7fced94ad12eb72672154e8c83_JaffaCakes118.exe
    Remote address:
    8.8.8.8:53
    Request
    csc3-2010-crl.verisign.com
    IN A
    Response
    csc3-2010-crl.verisign.com
    IN CNAME
    crl-symcprod.digicert.com
    crl-symcprod.digicert.com
    IN CNAME
    crl.edge.digicert.com
    crl.edge.digicert.com
    IN CNAME
    fp2e7a.wpc.2be4.phicdn.net
    fp2e7a.wpc.2be4.phicdn.net
    IN CNAME
    fp2e7a.wpc.phicdn.net
    fp2e7a.wpc.phicdn.net
    IN A
    192.229.221.95
  • flag-se
    GET
    http://csc3-2010-crl.verisign.com/CSC3-2010.crl
    f5096a7fced94ad12eb72672154e8c83_JaffaCakes118.exe
    Remote address:
    192.229.221.95:80
    Request
    GET /CSC3-2010.crl HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    User-Agent: Microsoft-CryptoAPI/10.0
    Host: csc3-2010-crl.verisign.com
    Response
    HTTP/1.1 200 OK
    Accept-Ranges: bytes
    Age: 4725
    Cache-Control: public, max-age=3600
    Content-Type: application/pkix-crl
    Date: Wed, 17 Apr 2024 04:30:15 GMT
    Last-Modified: Wed, 17 Apr 2024 03:11:30 GMT
    Server: ECAcc (lhd/35E5)
    X-Cache: HIT
    X-Content-Type-Options: nosniff
    X-Frame-Options: SAMEORIGIN
    X-XSS-Protection: 1; mode=block
    Content-Length: 92537
  • flag-us
    DNS
    240.221.184.93.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    240.221.184.93.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    241.154.82.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    241.154.82.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    74.19.199.152.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    74.19.199.152.in-addr.arpa
    IN PTR
    Response
  • flag-nl
    GET
    https://www.bing.com/th?id=OADD2.10239368050262_1H4FJCNTCWVEV5UPC&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90
    Remote address:
    23.62.61.97:443
    Request
    GET /th?id=OADD2.10239368050262_1H4FJCNTCWVEV5UPC&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90 HTTP/2.0
    host: www.bing.com
    accept: */*
    accept-encoding: gzip, deflate, br
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
    Response
    HTTP/2.0 200
    cache-control: public, max-age=2592000
    content-type: image/png
    access-control-allow-origin: *
    access-control-allow-headers: *
    access-control-allow-methods: GET, POST, OPTIONS
    timing-allow-origin: *
    report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
    nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
    content-length: 1678
    date: Wed, 17 Apr 2024 04:30:16 GMT
    alt-svc: h3=":443"; ma=93600
    x-cdn-traceid: 0.5d3d3e17.1713328216.4c8f38a
  • flag-us
    DNS
    55.36.223.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    55.36.223.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    21.114.53.23.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    21.114.53.23.in-addr.arpa
    IN PTR
    Response
    21.114.53.23.in-addr.arpa
    IN PTR
    a23-53-114-21.deploy.static.akamaitechnologies.com
  • flag-us
    DNS
    97.61.62.23.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    97.61.62.23.in-addr.arpa
    IN PTR
    Response
    97.61.62.23.in-addr.arpa
    IN PTR
    a23-62-61-97.deploy.static.akamaitechnologies.com
  • flag-us
    DNS
    b.liteflames.com
    f5096a7fced94ad12eb72672154e8c83_JaffaCakes118.exe
    Remote address:
    8.8.8.8:53
    Request
    b.liteflames.com
    IN A
    Response
  • flag-us
    DNS
    b.liteflames.com
    f5096a7fced94ad12eb72672154e8c83_JaffaCakes118.exe
    Remote address:
    8.8.8.8:53
    Request
    b.liteflames.com
    IN A
    Response
  • flag-us
    DNS
    b.liteflames.com
    f5096a7fced94ad12eb72672154e8c83_JaffaCakes118.exe
    Remote address:
    8.8.8.8:53
    Request
    b.liteflames.com
    IN A
    Response
  • flag-us
    DNS
    b.liteflames.com
    f5096a7fced94ad12eb72672154e8c83_JaffaCakes118.exe
    Remote address:
    8.8.8.8:53
    Request
    b.liteflames.com
    IN A
    Response
  • flag-us
    DNS
    b.liteflames.com
    f5096a7fced94ad12eb72672154e8c83_JaffaCakes118.exe
    Remote address:
    8.8.8.8:53
    Request
    b.liteflames.com
    IN A
    Response
  • flag-us
    DNS
    b.liteflames.com
    f5096a7fced94ad12eb72672154e8c83_JaffaCakes118.exe
    Remote address:
    8.8.8.8:53
    Request
    b.liteflames.com
    IN A
    Response
  • flag-us
    DNS
    50.23.12.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    50.23.12.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    206.23.85.13.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    206.23.85.13.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    65.139.73.23.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    65.139.73.23.in-addr.arpa
    IN PTR
    Response
    65.139.73.23.in-addr.arpa
    IN PTR
    a23-73-139-65.deploy.static.akamaitechnologies.com
  • flag-us
    DNS
    b.liteflames.com
    f5096a7fced94ad12eb72672154e8c83_JaffaCakes118.exe
    Remote address:
    8.8.8.8:53
    Request
    b.liteflames.com
    IN A
    Response
  • flag-us
    DNS
    b.liteflames.com
    f5096a7fced94ad12eb72672154e8c83_JaffaCakes118.exe
    Remote address:
    8.8.8.8:53
    Request
    b.liteflames.com
    IN A
    Response
  • flag-us
    DNS
    b.liteflames.com
    f5096a7fced94ad12eb72672154e8c83_JaffaCakes118.exe
    Remote address:
    8.8.8.8:53
    Request
    b.liteflames.com
    IN A
    Response
  • flag-us
    DNS
    b.liteflames.com
    f5096a7fced94ad12eb72672154e8c83_JaffaCakes118.exe
    Remote address:
    8.8.8.8:53
    Request
    b.liteflames.com
    IN A
    Response
  • flag-us
    DNS
    b.liteflames.com
    f5096a7fced94ad12eb72672154e8c83_JaffaCakes118.exe
    Remote address:
    8.8.8.8:53
    Request
    b.liteflames.com
    IN A
    Response
  • flag-us
    DNS
    b.liteflames.com
    f5096a7fced94ad12eb72672154e8c83_JaffaCakes118.exe
    Remote address:
    8.8.8.8:53
    Request
    b.liteflames.com
    IN A
    Response
  • flag-us
    DNS
    82.90.14.23.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    82.90.14.23.in-addr.arpa
    IN PTR
    Response
    82.90.14.23.in-addr.arpa
    IN PTR
    a23-14-90-82.deploy.static.akamaitechnologies.com
  • flag-us
    DNS
    31.243.111.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    31.243.111.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    90.16.208.104.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    90.16.208.104.in-addr.arpa
    IN PTR
    Response
  • 192.229.221.95:80
    http://csc3-2010-crl.verisign.com/CSC3-2010.crl
    http
    f5096a7fced94ad12eb72672154e8c83_JaffaCakes118.exe
    2.0kB
    95.8kB
    40
    72

    HTTP Request

    GET http://csc3-2010-crl.verisign.com/CSC3-2010.crl

    HTTP Response

    200
  • 23.62.61.97:443
    https://www.bing.com/th?id=OADD2.10239368050262_1H4FJCNTCWVEV5UPC&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90
    tls, http2
    1.6kB
    7.0kB
    19
    13

    HTTP Request

    GET https://www.bing.com/th?id=OADD2.10239368050262_1H4FJCNTCWVEV5UPC&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90

    HTTP Response

    200
  • 8.8.8.8:53
    b.liteflames.com
    dns
    f5096a7fced94ad12eb72672154e8c83_JaffaCakes118.exe
    62 B
    135 B
    1
    1

    DNS Request

    b.liteflames.com

  • 8.8.8.8:53
    64.159.190.20.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    64.159.190.20.in-addr.arpa

  • 8.8.8.8:53
    csc3-2010-crl.verisign.com
    dns
    f5096a7fced94ad12eb72672154e8c83_JaffaCakes118.exe
    72 B
    212 B
    1
    1

    DNS Request

    csc3-2010-crl.verisign.com

    DNS Response

    192.229.221.95

  • 8.8.8.8:53
    240.221.184.93.in-addr.arpa
    dns
    73 B
    144 B
    1
    1

    DNS Request

    240.221.184.93.in-addr.arpa

  • 8.8.8.8:53
    241.154.82.20.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    241.154.82.20.in-addr.arpa

  • 8.8.8.8:53
    74.19.199.152.in-addr.arpa
    dns
    72 B
    143 B
    1
    1

    DNS Request

    74.19.199.152.in-addr.arpa

  • 8.8.8.8:53
    55.36.223.20.in-addr.arpa
    dns
    71 B
    157 B
    1
    1

    DNS Request

    55.36.223.20.in-addr.arpa

  • 8.8.8.8:53
    21.114.53.23.in-addr.arpa
    dns
    71 B
    135 B
    1
    1

    DNS Request

    21.114.53.23.in-addr.arpa

  • 8.8.8.8:53
    97.61.62.23.in-addr.arpa
    dns
    70 B
    133 B
    1
    1

    DNS Request

    97.61.62.23.in-addr.arpa

  • 8.8.8.8:53
    b.liteflames.com
    dns
    f5096a7fced94ad12eb72672154e8c83_JaffaCakes118.exe
    62 B
    135 B
    1
    1

    DNS Request

    b.liteflames.com

  • 8.8.8.8:53
    b.liteflames.com
    dns
    f5096a7fced94ad12eb72672154e8c83_JaffaCakes118.exe
    62 B
    135 B
    1
    1

    DNS Request

    b.liteflames.com

  • 8.8.8.8:53
    b.liteflames.com
    dns
    f5096a7fced94ad12eb72672154e8c83_JaffaCakes118.exe
    62 B
    135 B
    1
    1

    DNS Request

    b.liteflames.com

  • 8.8.8.8:53
    b.liteflames.com
    dns
    f5096a7fced94ad12eb72672154e8c83_JaffaCakes118.exe
    62 B
    135 B
    1
    1

    DNS Request

    b.liteflames.com

  • 8.8.8.8:53
    b.liteflames.com
    dns
    f5096a7fced94ad12eb72672154e8c83_JaffaCakes118.exe
    62 B
    135 B
    1
    1

    DNS Request

    b.liteflames.com

  • 8.8.8.8:53
    b.liteflames.com
    dns
    f5096a7fced94ad12eb72672154e8c83_JaffaCakes118.exe
    62 B
    135 B
    1
    1

    DNS Request

    b.liteflames.com

  • 8.8.8.8:53
    50.23.12.20.in-addr.arpa
    dns
    70 B
    156 B
    1
    1

    DNS Request

    50.23.12.20.in-addr.arpa

  • 8.8.8.8:53
    206.23.85.13.in-addr.arpa
    dns
    71 B
    145 B
    1
    1

    DNS Request

    206.23.85.13.in-addr.arpa

  • 8.8.8.8:53
    65.139.73.23.in-addr.arpa
    dns
    71 B
    135 B
    1
    1

    DNS Request

    65.139.73.23.in-addr.arpa

  • 8.8.8.8:53
    b.liteflames.com
    dns
    f5096a7fced94ad12eb72672154e8c83_JaffaCakes118.exe
    62 B
    135 B
    1
    1

    DNS Request

    b.liteflames.com

  • 8.8.8.8:53
    b.liteflames.com
    dns
    f5096a7fced94ad12eb72672154e8c83_JaffaCakes118.exe
    62 B
    135 B
    1
    1

    DNS Request

    b.liteflames.com

  • 8.8.8.8:53
    b.liteflames.com
    dns
    f5096a7fced94ad12eb72672154e8c83_JaffaCakes118.exe
    62 B
    135 B
    1
    1

    DNS Request

    b.liteflames.com

  • 8.8.8.8:53
    b.liteflames.com
    dns
    f5096a7fced94ad12eb72672154e8c83_JaffaCakes118.exe
    62 B
    135 B
    1
    1

    DNS Request

    b.liteflames.com

  • 8.8.8.8:53
    b.liteflames.com
    dns
    f5096a7fced94ad12eb72672154e8c83_JaffaCakes118.exe
    62 B
    135 B
    1
    1

    DNS Request

    b.liteflames.com

  • 8.8.8.8:53
    b.liteflames.com
    dns
    f5096a7fced94ad12eb72672154e8c83_JaffaCakes118.exe
    62 B
    135 B
    1
    1

    DNS Request

    b.liteflames.com

  • 8.8.8.8:53
    82.90.14.23.in-addr.arpa
    dns
    70 B
    133 B
    1
    1

    DNS Request

    82.90.14.23.in-addr.arpa

  • 8.8.8.8:53
    31.243.111.52.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    31.243.111.52.in-addr.arpa

  • 8.8.8.8:53
    90.16.208.104.in-addr.arpa
    dns
    72 B
    146 B
    1
    1

    DNS Request

    90.16.208.104.in-addr.arpa

MITRE ATT&CK Enterprise v15

Downloads

  • memory/2956-0-0x0000000000400000-0x00000000004BC000-memory.dmp

    Filesize

    752KB

  • memory/2956-11-0x0000000000400000-0x00000000004BC000-memory.dmp

    Filesize

    752KB

  • memory/2956-16-0x0000000000400000-0x00000000004BC000-memory.dmp

    Filesize

    752KB

  • memory/2956-17-0x0000000000400000-0x00000000004BC000-memory.dmp

    Filesize

    752KB
