Overview

overview

8

Static

static

3

f903862cb7...18.exe

windows7-x64

7

f903862cb7...18.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    150s
  • max time network
    124s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240412-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
  • submitted
    18-04-2024 23:44

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f903862cb794063803f3eb7de14092ea_JaffaCakes118.exe

  • Size

    809KB

  • MD5

    f903862cb794063803f3eb7de14092ea

  • SHA1

    6cd24b399139922035baaef70bbfa346234310c0

  • SHA256

    bee6f4de2ad7f87f9120fbf22d2ada4553e2c421749a7ad3d68593883a0f205d

  • SHA512

    05bc9e52a3f77412bc60700e48b13be05f6a1386cf86b7ffa8bed64668251102ed08fb54959dc21e6b4532cf914bb7720283d95887e1e399df6082f62d9cafbd

  • SSDEEP

    12288:xkY3E01LCj/Eq3C//o8ddQteFzi5vrGc9RUTJbFSUuUcOMphMnuxRno7ZigCTgxx:jEOGCldQpVV9RsTM7MnWo7Uhb

Score
8/10
bootkitpersistence

Malware Config

Signatures

  • Modifies Installed Components in the registry 2 TTPs 5 IoCs
    persistence
  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 29 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

    bootkitpersistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 64 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies Internet Explorer settings 1 TTPs 4 IoCs
    adwarespyware
  • Modifies data under HKEY_USERS 64 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f903862cb794063803f3eb7de14092ea_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\f903862cb794063803f3eb7de14092ea_JaffaCakes118.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:3916
    • C:\ProgramData\privacy.exe
      C:\ProgramData\privacy.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Enumerates connected drives
      • Writes to the Master Boot Record (MBR)
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      PID:780
  • C:\Windows\system32\sihost.exe
    sihost.exe
    1⤵
    • Suspicious use of FindShellTrayWindow
    PID:3656
  • C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
    "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
    1⤵
    • Modifies data under HKEY_USERS
    • Suspicious use of SetWindowsHookEx
    PID:2824
  • C:\Windows\system32\sihost.exe
    sihost.exe
    1⤵
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:2568
    • C:\Windows\explorer.exe
      explorer.exe /LOADSAVEDWINDOWS
      2⤵
      • Modifies Installed Components in the registry
      • Enumerates connected drives
      • Checks SCSI registry key(s)
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:4620
  • C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
    "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
    1⤵
    • Modifies data under HKEY_USERS
    • Suspicious use of SetWindowsHookEx
    PID:3096
  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
    1⤵
      PID:644
    • C:\Windows\system32\sihost.exe
      sihost.exe
      1⤵
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of WriteProcessMemory
      PID:640
      • C:\Windows\explorer.exe
        explorer.exe /LOADSAVEDWINDOWS
        2⤵
        • Modifies Installed Components in the registry
        • Modifies registry class
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SendNotifyMessage
        PID:1036
    • C:\Windows\system32\sihost.exe
      sihost.exe
      1⤵
      • Suspicious use of WriteProcessMemory
      PID:3216
      • C:\Windows\explorer.exe
        explorer.exe /LOADSAVEDWINDOWS
        2⤵
        • Modifies registry class
        PID:2584
    • C:\Windows\explorer.exe
      explorer.exe
      1⤵
      • Modifies Installed Components in the registry
      • Enumerates connected drives
      • Checks SCSI registry key(s)
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      PID:4220
    • C:\Windows\System32\rundll32.exe
      C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {9BA05972-F6A8-11CF-A442-00A0C90A8F39} -Embedding
      1⤵
        PID:2084
      • C:\Windows\system32\sihost.exe
        sihost.exe
        1⤵
        • Suspicious use of WriteProcessMemory
        PID:4724
        • C:\Windows\explorer.exe
          explorer.exe /LOADSAVEDWINDOWS
          2⤵
          • Modifies Installed Components in the registry
          • Enumerates connected drives
          • Checks SCSI registry key(s)
          • Modifies registry class
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SendNotifyMessage
          PID:2720
      • C:\Windows\system32\sihost.exe
        sihost.exe
        1⤵
        • Suspicious use of WriteProcessMemory
        PID:1836
        • C:\Windows\explorer.exe
          explorer.exe /LOADSAVEDWINDOWS
          2⤵
          • Modifies Installed Components in the registry
          • Enumerates connected drives
          • Checks SCSI registry key(s)
          • Modifies registry class
          • Suspicious use of SetWindowsHookEx
          PID:5004

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\ProgramData\privacy.exe
        Filesize

        797KB

        MD5

        f81800f7c317279ec8d7f3ab776260fc

        SHA1

        2c64dc1b0b6e33ead1097436fc81b5e7d38332d8

        SHA256

        8d38b76aad7933be2928bd792c4da6e8acdad4bbb189dfbc2872ea0f8a2e6f56

        SHA512

        8c6d134a1ec96652b0b8549ea5ffdf49e2e7ec55683cca85baa0cc2d99d1f65b1de70587bb4457a2e2d0b09c2b586c2a8741079ee5c78c643abd4b9962e2b51e

        Download Submit

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_D46D6FA25B74360E1349F9015B5CCE53
        Filesize

        471B

        MD5

        d63a2a95366f6900714d3db682aecdbc

        SHA1

        400d8eaa62183347d5c759430a05e2afa4be696a

        SHA256

        6b667026832c7dc2147f83528a0a418cf3f6aa0fb9928710a4d20b35a2309cc7

        SHA512

        59efb7f3809a3ad08fb3fb36de5a9312470a2af8046be47a01880f848672261ae4cc14b86267b9bfca5ead89c1f2786242e60f66ad726e839653b2411eba9479

        Download Submit

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_D46D6FA25B74360E1349F9015B5CCE53
        Filesize

        412B

        MD5

        bef06ad9ca98ab4b6f66ea1bf4967608

        SHA1

        0be9b293b779b4b52e52138214c7c6ba18c681c9

        SHA256

        b8016392618e3ccc4e321dd5c3619eff085903be24146c910df9f29a25597ce9

        SHA512

        bf283b91c3c508b53dc4f1987e421a8890c9671a8fdad4b279c8a6c0c49ffc9eba89100eeca4e2ed3a4da77d745c0d0a982d7d54e547af83175a5098b51eb844

        Download Submit

      • C:\Users\Admin\AppData\Local\IconCache.db
        Filesize

        14KB

        MD5

        9ce643439ece6e41d276509917f80e87

        SHA1

        2feb46b213dd315894d1754d7f629f0f04ae241a

        SHA256

        27857775f5c050940eff18c91197992910994f6e4c630cc04b144148841ecd51

        SHA512

        1ef5ddfc046a46a7b87357c25122fb826c1c7c4db46c8b142f825d26d4544db0d6b95d8509fd3a4e91a040d772c3021dca9cf6945eddd59fe120111d2f231235

        Download Submit

      • C:\Users\Admin\AppData\Local\IconCache.db
        Filesize

        16KB

        MD5

        c09b9d451d6443905c4ec7a06899758d

        SHA1

        08a4184ea856c0916ea5d57144dc47d200a3a843

        SHA256

        5b9e472de66a6a379c5a979ab722d6783c02c99f604bb1c1b4dcd6edf22d2c03

        SHA512

        7195289713c564302fbb639b103fec951b5d2f105f19f3b4d386209ac34c8303d31576ef0ff958e1fcccb86e6febaaad7c3a825b16ea851152ddd0a58047de77

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\PenWorkspace\DiscoverCacheData.dat
        Filesize

        1022B

        MD5

        bcfd70edfc0927fe991e65046029cab3

        SHA1

        8bec2f181e8c70538fb1e12ff20a23dd15dfc97b

        SHA256

        8e57f95fafa9c7657dee68351feda953c624590aeaeaabd0efd510e89ff1f633

        SHA512

        adc93324a9d1cf57b17ae233425c625ce6852b8af5a122a959fa4c518d11eeb359e97a154a32c3e059c12e4d28d04d6925dfeb4c3249413a2d880076a9415e5d

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\{0104CB77-82CF-4E7E-8280-4EF619BC4A4B}.png
        Filesize

        6KB

        MD5

        099ba37f81c044f6b2609537fdb7d872

        SHA1

        470ef859afbce52c017874d77c1695b7b0f9cb87

        SHA256

        8c98c856e4d43f705ff9a5c9a55f92e1885765654912b4c75385c3ea2fdef4a7

        SHA512

        837e1ad7fe4f5cbc0a87f3703ba211c18f32b20df93b23f681cbd0390d8077adba64cf6454a1bb28df1f7df4cb2cdc021d826b6ef8db890e40f21d618d5eb07a

        Download Submit

      • C:\Users\Public\Desktop\Privacy Protection.lnk
        Filesize

        672B

        MD5

        889671177effed25be88cb27d3dc98f6

        SHA1

        4cb487341dc50f2b9bc25b5cb6f6caad4e28e6db

        SHA256

        d476bf4cc5255c5dc051c44c786f1ced46a476145d9bb230cac048db4dfeaa9f

        SHA512

        f27f731e4ac05992e170a5396e5cc2a5b8efc2d716b0787009fe30b4a6423d916a2a722abda63cc7606ddc97b3a861d5047e8c61128c6813f07db2f24211eea1

        Download Submit

      • memory/780-75-0x0000000000400000-0x0000000000B11000-memory.dmp

        Filesize

        7.1MB

        Download

      • memory/780-63-0x0000000000400000-0x0000000000B11000-memory.dmp

        Filesize

        7.1MB

        Download

      • memory/780-17-0x00000000027B0000-0x00000000027B1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/780-16-0x0000000000400000-0x0000000000B11000-memory.dmp

        Filesize

        7.1MB

        Download

      • memory/780-15-0x0000000000400000-0x0000000000B11000-memory.dmp

        Filesize

        7.1MB

        Download

      • memory/780-13-0x0000000000400000-0x0000000000B11000-memory.dmp

        Filesize

        7.1MB

        Download

      • memory/780-89-0x0000000000400000-0x0000000000B11000-memory.dmp

        Filesize

        7.1MB

        Download

      • memory/780-45-0x0000000000400000-0x0000000000B11000-memory.dmp

        Filesize

        7.1MB

        Download

      • memory/780-88-0x0000000000400000-0x0000000000B11000-memory.dmp

        Filesize

        7.1MB

        Download

      • memory/780-87-0x0000000000400000-0x0000000000B11000-memory.dmp

        Filesize

        7.1MB

        Download

      • memory/780-55-0x0000000002AA0000-0x0000000002AA9000-memory.dmp

        Filesize

        36KB

        Download

      • memory/780-56-0x0000000000400000-0x0000000000B11000-memory.dmp

        Filesize

        7.1MB

        Download

      • memory/780-86-0x0000000000400000-0x0000000000B11000-memory.dmp

        Filesize

        7.1MB

        Download

      • memory/780-83-0x0000000000400000-0x0000000000B11000-memory.dmp

        Filesize

        7.1MB

        Download

      • memory/780-64-0x0000000000400000-0x0000000000B11000-memory.dmp

        Filesize

        7.1MB

        Download

      • memory/780-65-0x00000000027B0000-0x00000000027B1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/780-66-0x0000000000400000-0x0000000000B11000-memory.dmp

        Filesize

        7.1MB

        Download

      • memory/780-73-0x0000000000400000-0x0000000000B11000-memory.dmp

        Filesize

        7.1MB

        Download

      • memory/780-74-0x0000000000400000-0x0000000000B11000-memory.dmp

        Filesize

        7.1MB

        Download

      • memory/780-82-0x0000000000400000-0x0000000000B11000-memory.dmp

        Filesize

        7.1MB

        Download

      • memory/780-80-0x0000000000400000-0x0000000000B11000-memory.dmp

        Filesize

        7.1MB

        Download

      • memory/780-81-0x0000000000400000-0x0000000000B11000-memory.dmp

        Filesize

        7.1MB

        Download

      • memory/3916-0-0x00000000023E0000-0x00000000023E9000-memory.dmp

        Filesize

        36KB

        Download

      • memory/3916-1-0x0000000000400000-0x00000000005DE000-memory.dmp

        Filesize

        1.9MB

        Download

      • memory/3916-6-0x0000000000400000-0x00000000005DE000-memory.dmp

        Filesize

        1.9MB

        Download

      • memory/4220-43-0x00000000041C0000-0x00000000041C1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/4620-32-0x0000000002A10000-0x0000000002A11000-memory.dmp

        Filesize

        4KB

        Download

      • memory/5004-53-0x0000000004AD0000-0x0000000004AD1000-memory.dmp

        Filesize

        4KB

        Download