4901eff838d1d395df2bf6bcc91cfa4105631a89f20f0fe21cd279372e8a944f

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
19-04-2024 04:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f98286bc40ea9e86b087eedf721c4e55_JaffaCakes118.exe
Size

24KB
MD5

f98286bc40ea9e86b087eedf721c4e55
SHA1

40173bc7e6a3e99d5a6a5b50ee190485342da5f2
SHA256

4901eff838d1d395df2bf6bcc91cfa4105631a89f20f0fe21cd279372e8a944f
SHA512

a33ded2a73185fd16c8d1c43eb6e2edbb65a6ac5fe2825e7706c8c329106f502d9a0c459ef8220ccfe07c00edb58c973b38c8581c7693afd091d04066064826b
SSDEEP

384:+TfFRmSQah/q64UzpFGwNJl5XJoOW3prjBWh3sg1jsMQUVFgDWp6DS0fIoLy1:wPlQaoKPGwt5XbWCtsO+tWoS6lW1

Score

8^/10

bootkit persistence

Malware Config

Signatures

Drops file in Drivers directory 2 IoCs

Processes:

f98286bc40ea9e86b087eedf721c4e55_JaffaCakes118.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\drivers\beep.sys	f98286bc40ea9e86b087eedf721c4e55_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\drivers\beep.sys	f98286bc40ea9e86b087eedf721c4e55_JaffaCakes118.exe

Loads dropped DLL 1 IoCs

Processes:

f98286bc40ea9e86b087eedf721c4e55_JaffaCakes118.exe

pid process

1848 f98286bc40ea9e86b087eedf721c4e55_JaffaCakes118.exe
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1542.003

Processes:

f98286bc40ea9e86b087eedf721c4e55_JaffaCakes118.exe

description ioc process

File opened for modification \??\PhysicalDrive0 f98286bc40ea9e86b087eedf721c4e55_JaffaCakes118.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

f98286bc40ea9e86b087eedf721c4e55_JaffaCakes118.exe

pid process

1848 f98286bc40ea9e86b087eedf721c4e55_JaffaCakes118.exe
1848 f98286bc40ea9e86b087eedf721c4e55_JaffaCakes118.exe
Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

480

pid	process
1848	f98286bc40ea9e86b087eedf721c4e55_JaffaCakes118.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	f98286bc40ea9e86b087eedf721c4e55_JaffaCakes118.exe

pid	process
1848	f98286bc40ea9e86b087eedf721c4e55_JaffaCakes118.exe
1848	f98286bc40ea9e86b087eedf721c4e55_JaffaCakes118.exe

pid	process
480

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

f98286bc40ea9e86b087eedf721c4e55_JaffaCakes118.exe

description	pid	process
Token: SeDebugPrivilege	1848	f98286bc40ea9e86b087eedf721c4e55_JaffaCakes118.exe
Token: SeDebugPrivilege	1848	f98286bc40ea9e86b087eedf721c4e55_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

f98286bc40ea9e86b087eedf721c4e55_JaffaCakes118.exe

description	pid	process	target process
PID 1848 wrote to memory of 436	1848	f98286bc40ea9e86b087eedf721c4e55_JaffaCakes118.exe	winlogon.exe
PID 1848 wrote to memory of 436	1848	f98286bc40ea9e86b087eedf721c4e55_JaffaCakes118.exe	winlogon.exe

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:436

C:\Users\Admin\AppData\Local\Temp\f98286bc40ea9e86b087eedf721c4e55_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f98286bc40ea9e86b087eedf721c4e55_JaffaCakes118.exe"
1⤵
- Drops file in Drivers directory
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1848

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\dat879.tmp
Filesize
17KB

MD5
dabfe41170567c13d078906890a10b09

SHA1
85feb9885106c14f3dfb43bed15cd36ee6c59180

SHA256
8a415d05a9b410cfbb12ba458f01fbbc28c50ecb7f35e7719083e965eaafcd4e

SHA512
e56c2be27c5a5b802dca374d834038978db6ecc494c869b483d1639d5a35cec53d9a72fe866704528ca1ac1b5acfe3b9439356ac7fc287bef1564a7703622534

Download Submit
memory/436-10-0x00000000003D0000-0x00000000003D1000-memory.dmp

Filesize
4KB

Download
memory/1848-0-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1848-7-0x0000000010000000-0x000000001001C000-memory.dmp

Filesize
112KB

Download
memory/1848-13-0x0000000010000000-0x000000001001C000-memory.dmp

Filesize
112KB

Download
memory/1848-12-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads