Analysis
-
max time kernel
128s -
max time network
145s -
platform
windows10-2004_x64 -
resource
win10v2004-20240412-en -
resource tags
arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system -
submitted
19-04-2024 21:40
Static task
static1
Behavioral task
behavioral1
Sample
fb3979eb83af289613f3b9e1d3d9d321_JaffaCakes118.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
fb3979eb83af289613f3b9e1d3d9d321_JaffaCakes118.exe
Resource
win10v2004-20240412-en
General
-
Target
fb3979eb83af289613f3b9e1d3d9d321_JaffaCakes118.exe
-
Size
5.9MB
-
MD5
fb3979eb83af289613f3b9e1d3d9d321
-
SHA1
e37864e9c6999ebffa63a1325ea6b45e7d8d192e
-
SHA256
5a6ffc20b491863e71a8f624114d50d806b1a76f51d1f3d52dc1ade90e403e4e
-
SHA512
9f729954fc827a8dfbe2bdc161bbc4435c77f154479884c0ba97a7f867dd08ad9a989bd8da2d5e83482f048d0f9b5c16beef1d13ec3771fcdc17fa35a33c537c
-
SSDEEP
98304:UGFb27sv/NX3KYYqiONU6hgPnDOM5Wssdv1P3T4pAeQ37bY81IIM39CPoOQxoMvX:7Q72pKYpiXPDhkRRZaIM39GooMaG
Malware Config
Signatures
-
Loads dropped DLL 1 IoCs
Processes:
fb3979eb83af289613f3b9e1d3d9d321_JaffaCakes118.exepid process 4352 fb3979eb83af289613f3b9e1d3d9d321_JaffaCakes118.exe -
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
Processes:
fb3979eb83af289613f3b9e1d3d9d321_JaffaCakes118.exedescription ioc process File opened for modification \??\PhysicalDrive0 fb3979eb83af289613f3b9e1d3d9d321_JaffaCakes118.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
Processes:
fb3979eb83af289613f3b9e1d3d9d321_JaffaCakes118.exepid process 4352 fb3979eb83af289613f3b9e1d3d9d321_JaffaCakes118.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
fb3979eb83af289613f3b9e1d3d9d321_JaffaCakes118.exepid process 4352 fb3979eb83af289613f3b9e1d3d9d321_JaffaCakes118.exe 4352 fb3979eb83af289613f3b9e1d3d9d321_JaffaCakes118.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
fb3979eb83af289613f3b9e1d3d9d321_JaffaCakes118.exedescription pid process Token: SeSystemtimePrivilege 4352 fb3979eb83af289613f3b9e1d3d9d321_JaffaCakes118.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
fb3979eb83af289613f3b9e1d3d9d321_JaffaCakes118.exepid process 4352 fb3979eb83af289613f3b9e1d3d9d321_JaffaCakes118.exe 4352 fb3979eb83af289613f3b9e1d3d9d321_JaffaCakes118.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\fb3979eb83af289613f3b9e1d3d9d321_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\fb3979eb83af289613f3b9e1d3d9d321_JaffaCakes118.exe"1⤵
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4352
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
29KB
MD58b3591965f623b219c0c528153746cab
SHA1020961494fa0e08779b7aacf4422269935354f7d
SHA25697ea3d99cf21123bc1aec72f9ded6a51ac659830392adfefd424eb799ab0219e
SHA5126e547197d160c9ec13cf2384add1bb6753276e3dab97d951adba9257d6bf999720635a7b9d94a5ca8b94bdda2f25f36c5938d126bc3e46a358e1fad072132351