4901eff838d1d395df2bf6bcc91cfa4105631a89f20f0fe21cd279372e8a944f

Analysis

max time kernel
147s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
19-04-2024 04:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f98286bc40ea9e86b087eedf721c4e55_JaffaCakes118.exe
Size

24KB
MD5

f98286bc40ea9e86b087eedf721c4e55
SHA1

40173bc7e6a3e99d5a6a5b50ee190485342da5f2
SHA256

4901eff838d1d395df2bf6bcc91cfa4105631a89f20f0fe21cd279372e8a944f
SHA512

a33ded2a73185fd16c8d1c43eb6e2edbb65a6ac5fe2825e7706c8c329106f502d9a0c459ef8220ccfe07c00edb58c973b38c8581c7693afd091d04066064826b
SSDEEP

384:+TfFRmSQah/q64UzpFGwNJl5XJoOW3prjBWh3sg1jsMQUVFgDWp6DS0fIoLy1:wPlQaoKPGwt5XbWCtsO+tWoS6lW1

Score

8^/10

bootkit persistence

Malware Config

Signatures

Drops file in Drivers directory 2 IoCs

Processes:

f98286bc40ea9e86b087eedf721c4e55_JaffaCakes118.exe

description	ioc	process
File created	C:\Windows\SysWOW64\drivers\beep.sys	f98286bc40ea9e86b087eedf721c4e55_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\drivers\beep.sys	f98286bc40ea9e86b087eedf721c4e55_JaffaCakes118.exe

Loads dropped DLL 1 IoCs

Processes:

f98286bc40ea9e86b087eedf721c4e55_JaffaCakes118.exe

pid process

1852 f98286bc40ea9e86b087eedf721c4e55_JaffaCakes118.exe
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1542.003

Processes:

f98286bc40ea9e86b087eedf721c4e55_JaffaCakes118.exe

description ioc process

File opened for modification \??\PhysicalDrive0 f98286bc40ea9e86b087eedf721c4e55_JaffaCakes118.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	f98286bc40ea9e86b087eedf721c4e55_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

f98286bc40ea9e86b087eedf721c4e55_JaffaCakes118.exe

pid	process
1852	f98286bc40ea9e86b087eedf721c4e55_JaffaCakes118.exe
1852	f98286bc40ea9e86b087eedf721c4e55_JaffaCakes118.exe
1852	f98286bc40ea9e86b087eedf721c4e55_JaffaCakes118.exe
1852	f98286bc40ea9e86b087eedf721c4e55_JaffaCakes118.exe

Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

680

pid	process
680

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

f98286bc40ea9e86b087eedf721c4e55_JaffaCakes118.exe

description	pid	process
Token: SeDebugPrivilege	1852	f98286bc40ea9e86b087eedf721c4e55_JaffaCakes118.exe
Token: SeDebugPrivilege	1852	f98286bc40ea9e86b087eedf721c4e55_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

f98286bc40ea9e86b087eedf721c4e55_JaffaCakes118.exe

description	pid	process	target process
PID 1852 wrote to memory of 632	1852	f98286bc40ea9e86b087eedf721c4e55_JaffaCakes118.exe	winlogon.exe
PID 1852 wrote to memory of 632	1852	f98286bc40ea9e86b087eedf721c4e55_JaffaCakes118.exe	winlogon.exe

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:632

C:\Users\Admin\AppData\Local\Temp\f98286bc40ea9e86b087eedf721c4e55_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f98286bc40ea9e86b087eedf721c4e55_JaffaCakes118.exe"
1⤵
- Drops file in Drivers directory
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1852

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\dat59F7.tmp

Filesize
17KB

MD5
dabfe41170567c13d078906890a10b09

SHA1
85feb9885106c14f3dfb43bed15cd36ee6c59180

SHA256
8a415d05a9b410cfbb12ba458f01fbbc28c50ecb7f35e7719083e965eaafcd4e

SHA512
e56c2be27c5a5b802dca374d834038978db6ecc494c869b483d1639d5a35cec53d9a72fe866704528ca1ac1b5acfe3b9439356ac7fc287bef1564a7703622534

Download Submit
C:\Users\Admin\AppData\Local\Temp\dat5A17.tmp

Filesize
13KB

MD5
eb28cc172310a7a7568b7ae9a3ffb611

SHA1
a5444825a62545d9a375301900bd12fa345634c1

SHA256
4945e4045f44e22a3231429644a1c1c9033407613daa5a1f66f6c1faf6a0b205

SHA512
1db05418156bb191015b92d1032c2861e1ff45325b2880fe5c26e8bf4545a515b90a6d7d8046dff3164570f8ce489a2c057f8122acf2c4f239f5d5adb9db6791

Download Submit
memory/1852-0-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1852-5-0x0000000010000000-0x000000001001C000-memory.dmp

Filesize
112KB

Download
memory/1852-12-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1852-13-0x0000000010000000-0x000000001001C000-memory.dmp

Filesize
112KB

Download