Analysis
- max time kernel: 121s
- max time network: 122s
- platform: windows7_x64
- resource: win7-20231129-en
- resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
- submitted: 19-04-2024 04:31
Static task: static1
Behavioral task: behavioral1
  Sample: f98286bc40ea9e86b087eedf721c4e55_JaffaCakes118.exe
  Resource: win7-20231129-en
Behavioral task: behavioral2
  Sample: f98286bc40ea9e86b087eedf721c4e55_JaffaCakes118.exe
  Resource: win10v2004-20240412-en
General
- Target: f98286bc40ea9e86b087eedf721c4e55_JaffaCakes118.exe
- Size: 24KB
- MD5: f98286bc40ea9e86b087eedf721c4e55
- SHA1: 40173bc7e6a3e99d5a6a5b50ee190485342da5f2
- SHA256: 4901eff838d1d395df2bf6bcc91cfa4105631a89f20f0fe21cd279372e8a944f
- SHA512: a33ded2a73185fd16c8d1c43eb6e2edbb65a6ac5fe2825e7706c8c329106f502d9a0c459ef8220ccfe07c00edb58c973b38c8581c7693afd091d04066064826b
- SSDEEP: 384:+TfFRmSQah/q64UzpFGwNJl5XJoOW3prjBWh3sg1jsMQUVFgDWp6DS0fIoLy1:wPlQaoKPGwt5XbWCtsO+tWoS6lW1
Malware Config
Signatures
- Drops file in Drivers directory (2 IoCs)
  Processes:
    description                   ioc                                   process
    File opened for modification  C:\Windows\SysWOW64\drivers\beep.sys  f98286bc40ea9e86b087eedf721c4e55_JaffaCakes118.exe
    File created                  C:\Windows\SysWOW64\drivers\beep.sys  f98286bc40ea9e86b087eedf721c4e55_JaffaCakes118.exe
- Loads dropped DLL (1 IoC)
  Processes:
    pid   process
    1848  f98286bc40ea9e86b087eedf721c4e55_JaffaCakes118.exe
- Writes to the Master Boot Record (MBR) (1 TTP, 1 IoC)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  Processes:
    description                   ioc                 process
    File opened for modification  \??\PhysicalDrive0  f98286bc40ea9e86b087eedf721c4e55_JaffaCakes118.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes:
    pid   process
    1848  f98286bc40ea9e86b087eedf721c4e55_JaffaCakes118.exe
    1848  f98286bc40ea9e86b087eedf721c4e55_JaffaCakes118.exe
- Suspicious behavior: LoadsDriver (1 IoC)
  Processes:
    pid   process
    480   (process name not recorded in the report)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes:
    description              pid   process
    Token: SeDebugPrivilege  1848  f98286bc40ea9e86b087eedf721c4e55_JaffaCakes118.exe
    Token: SeDebugPrivilege  1848  f98286bc40ea9e86b087eedf721c4e55_JaffaCakes118.exe
- Suspicious use of WriteProcessMemory (2 IoCs)
  Processes:
    description                      pid   process                                              target process
    PID 1848 wrote to memory of 436  1848  f98286bc40ea9e86b087eedf721c4e55_JaffaCakes118.exe  winlogon.exe
    PID 1848 wrote to memory of 436  1848  f98286bc40ea9e86b087eedf721c4e55_JaffaCakes118.exe  winlogon.exe
Processes
- C:\Windows\system32\winlogon.exe
  Command line: winlogon.exe
- C:\Users\Admin\AppData\Local\Temp\f98286bc40ea9e86b087eedf721c4e55_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\f98286bc40ea9e86b087eedf721c4e55_JaffaCakes118.exe"
  - Drops file in Drivers directory
  - Loads dropped DLL
  - Writes to the Master Boot Record (MBR)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- \Users\Admin\AppData\Local\Temp\dat879.tmp
  Filesize: 17KB
  MD5: dabfe41170567c13d078906890a10b09
  SHA1: 85feb9885106c14f3dfb43bed15cd36ee6c59180
  SHA256: 8a415d05a9b410cfbb12ba458f01fbbc28c50ecb7f35e7719083e965eaafcd4e
  SHA512: e56c2be27c5a5b802dca374d834038978db6ecc494c869b483d1639d5a35cec53d9a72fe866704528ca1ac1b5acfe3b9439356ac7fc287bef1564a7703622534
- memory/436-10-0x00000000003D0000-0x00000000003D1000-memory.dmp
  Filesize: 4KB
- memory/1848-0-0x0000000000400000-0x0000000000411000-memory.dmp
  Filesize: 68KB
- memory/1848-7-0x0000000010000000-0x000000001001C000-memory.dmp
  Filesize: 112KB
- memory/1848-13-0x0000000010000000-0x000000001001C000-memory.dmp
  Filesize: 112KB
- memory/1848-12-0x0000000000400000-0x0000000000411000-memory.dmp
  Filesize: 68KB