b73886216facb5f15eb4f36d88e4facaf682811be3eb8ee59b80142c56725595

Analysis

max time kernel
119s
max time network
128s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
19-04-2024 04:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f979be2834bf3dbb5ae4a21033552adf_JaffaCakes118.dll
Size

180KB
MD5

f979be2834bf3dbb5ae4a21033552adf
SHA1

1e4ecc3a14efd4b1a73acd5400b93134a43e9ec5
SHA256

b73886216facb5f15eb4f36d88e4facaf682811be3eb8ee59b80142c56725595
SHA512

1ebd15c35bde36fb8bad72e71d24e7fe03f1b7dd78207607d75b7d72f81bbb09b2addc1cfb7a84073c26a47117cb89dcb63119f2e3dd01fe6ba332188c3de36d
SSDEEP

3072:GXrbHhrNMU8aKsmVzo9q0uNK6bbrMbvT0q8O1cZPzQ7IXMBc+AMP+QfQEhxFyVUE:G705MNKdwvP6bQ7yMP+DE827zyCC

Score

6^/10

bootkit persistence

Malware Config

Signatures

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1542.003

Processes:

regsvr32.exe

description ioc process

File opened for modification \??\PhysicalDrive0 regsvr32.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	regsvr32.exe

Modifies registry class 17 IoCs

Processes:

regsvr32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.key	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C85E2990-D4B6-44F5-A323-ED943493F8DF}\1.0\ = "loader 1.0 Type Library"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{D103EBF9-6DD5-4715-863A-00AA27C7935A}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C85E2990-D4B6-44F5-A323-ED943493F8DF}\1.0\0	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C85E2990-D4B6-44F5-A323-ED943493F8DF}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\f979be2834bf3dbb5ae4a21033552adf_JaffaCakes118.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C85E2990-D4B6-44F5-A323-ED943493F8DF}\1.0\HELPDIR	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C85E2990-D4B6-44F5-A323-ED943493F8DF}\1.0\0\win32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C85E2990-D4B6-44F5-A323-ED943493F8DF}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{D103EBF9-6DD5-4715-863A-00AA27C7935A}\ = "loader"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\loader.DLL	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\loader.DLL\AppID = "{D103EBF9-6DD5-4715-863A-00AA27C7935A}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C85E2990-D4B6-44F5-A323-ED943493F8DF}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C85E2990-D4B6-44F5-A323-ED943493F8DF}\1.0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C85E2990-D4B6-44F5-A323-ED943493F8DF}\1.0\FLAGS	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C85E2990-D4B6-44F5-A323-ED943493F8DF}\1.0\FLAGS\ = "0"	regsvr32.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

regsvr32.exe

description	pid	process	target process
PID 2488 wrote to memory of 2168	2488	regsvr32.exe	regsvr32.exe
PID 2488 wrote to memory of 2168	2488	regsvr32.exe	regsvr32.exe
PID 2488 wrote to memory of 2168	2488	regsvr32.exe	regsvr32.exe
PID 2488 wrote to memory of 2168	2488	regsvr32.exe	regsvr32.exe
PID 2488 wrote to memory of 2168	2488	regsvr32.exe	regsvr32.exe
PID 2488 wrote to memory of 2168	2488	regsvr32.exe	regsvr32.exe
PID 2488 wrote to memory of 2168	2488	regsvr32.exe	regsvr32.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\f979be2834bf3dbb5ae4a21033552adf_JaffaCakes118.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:2488

C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\f979be2834bf3dbb5ae4a21033552adf_JaffaCakes118.dll
2⤵
- Writes to the Master Boot Record (MBR)
- Modifies registry class
PID:2168

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2168-0-0x0000000010000000-0x0000000010044000-memory.dmp

Filesize
272KB

Download
memory/2168-1-0x0000000001CE0000-0x0000000001CE3000-memory.dmp

Filesize
12KB

Download
memory/2168-2-0x0000000001D00000-0x0000000001D30000-memory.dmp

Filesize
192KB

Download