c3dfd2b724b845e9afa632960d7d9c1e77d2b18c98dc8cfc176c8a3cd46d7d57

Analysis

max time kernel
150s
max time network
154s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
19-04-2024 17:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fac9d53be590b02596ff4f6e1ba1e5d2_JaffaCakes118.exe
Size

4.4MB
MD5

fac9d53be590b02596ff4f6e1ba1e5d2
SHA1

0560dba975f26904783321ac88144ccfbccd5316
SHA256

c3dfd2b724b845e9afa632960d7d9c1e77d2b18c98dc8cfc176c8a3cd46d7d57
SHA512

ef4eb024f047ce57c228f284b9d433d284667711d7dd855ddac2b6c5948e7f6d99ca9b39e994dabc34dcc1730fdc8005e7f7848de61054641a4c8c1cede7d07b
SSDEEP

98304:FhOx/3z85tCuMSL4dBqAgMYQYikxzeR6b/r6w16/6qZV8Nlwbv2X:FhOx/3z82q5hxBufyqSOO

Score

6^/10

bootkit persistence

Malware Config

Signatures

Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.

Query Registry
T1012

Peripheral Device Discovery
T1120

System Information Discovery
T1082

Processes:

fac9d53be590b02596ff4f6e1ba1e5d2_JaffaCakes118.exe

description ioc process

File opened (read-only) \??\F: fac9d53be590b02596ff4f6e1ba1e5d2_JaffaCakes118.exe

description	ioc	process
File opened (read-only)	\??\F:	fac9d53be590b02596ff4f6e1ba1e5d2_JaffaCakes118.exe

Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

Processes:

MiniThunderPlatform.exefac9d53be590b02596ff4f6e1ba1e5d2_JaffaCakes118.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	MiniThunderPlatform.exe
File opened for modification	\??\PhysicalDrive0	fac9d53be590b02596ff4f6e1ba1e5d2_JaffaCakes118.exe

Executes dropped EXE 2 IoCs

Processes:

7za.exeMiniThunderPlatform.exe

pid process

2440 7za.exe
2408 MiniThunderPlatform.exe

pid	process
2440	7za.exe
2408	MiniThunderPlatform.exe

Loads dropped DLL 15 IoCs

Processes:

fac9d53be590b02596ff4f6e1ba1e5d2_JaffaCakes118.exeMiniThunderPlatform.exe

pid	process
2304	fac9d53be590b02596ff4f6e1ba1e5d2_JaffaCakes118.exe
2304	fac9d53be590b02596ff4f6e1ba1e5d2_JaffaCakes118.exe
2304	fac9d53be590b02596ff4f6e1ba1e5d2_JaffaCakes118.exe
2304	fac9d53be590b02596ff4f6e1ba1e5d2_JaffaCakes118.exe
2304	fac9d53be590b02596ff4f6e1ba1e5d2_JaffaCakes118.exe
2304	fac9d53be590b02596ff4f6e1ba1e5d2_JaffaCakes118.exe
2304	fac9d53be590b02596ff4f6e1ba1e5d2_JaffaCakes118.exe
2408	MiniThunderPlatform.exe
2408	MiniThunderPlatform.exe
2408	MiniThunderPlatform.exe
2408	MiniThunderPlatform.exe
2408	MiniThunderPlatform.exe
2408	MiniThunderPlatform.exe
2408	MiniThunderPlatform.exe
2408	MiniThunderPlatform.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

fac9d53be590b02596ff4f6e1ba1e5d2_JaffaCakes118.exe

pid process

2304 fac9d53be590b02596ff4f6e1ba1e5d2_JaffaCakes118.exe
2304 fac9d53be590b02596ff4f6e1ba1e5d2_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

7za.exe

description	pid	process
Token: SeRestorePrivilege	2440	7za.exe
Token: 35	2440	7za.exe
Token: SeSecurityPrivilege	2440	7za.exe
Token: SeSecurityPrivilege	2440	7za.exe

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

fac9d53be590b02596ff4f6e1ba1e5d2_JaffaCakes118.exe

pid	process
2304	fac9d53be590b02596ff4f6e1ba1e5d2_JaffaCakes118.exe
2304	fac9d53be590b02596ff4f6e1ba1e5d2_JaffaCakes118.exe
2304	fac9d53be590b02596ff4f6e1ba1e5d2_JaffaCakes118.exe

Suspicious use of SendNotifyMessage 3 IoCs

Processes:

fac9d53be590b02596ff4f6e1ba1e5d2_JaffaCakes118.exe

pid	process
2304	fac9d53be590b02596ff4f6e1ba1e5d2_JaffaCakes118.exe
2304	fac9d53be590b02596ff4f6e1ba1e5d2_JaffaCakes118.exe
2304	fac9d53be590b02596ff4f6e1ba1e5d2_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

fac9d53be590b02596ff4f6e1ba1e5d2_JaffaCakes118.exe

pid process

2304 fac9d53be590b02596ff4f6e1ba1e5d2_JaffaCakes118.exe
2304 fac9d53be590b02596ff4f6e1ba1e5d2_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

fac9d53be590b02596ff4f6e1ba1e5d2_JaffaCakes118.exe

description	pid	process	target process
PID 2304 wrote to memory of 2440	2304	fac9d53be590b02596ff4f6e1ba1e5d2_JaffaCakes118.exe	7za.exe
PID 2304 wrote to memory of 2440	2304	fac9d53be590b02596ff4f6e1ba1e5d2_JaffaCakes118.exe	7za.exe
PID 2304 wrote to memory of 2440	2304	fac9d53be590b02596ff4f6e1ba1e5d2_JaffaCakes118.exe	7za.exe
PID 2304 wrote to memory of 2440	2304	fac9d53be590b02596ff4f6e1ba1e5d2_JaffaCakes118.exe	7za.exe
PID 2304 wrote to memory of 2408	2304	fac9d53be590b02596ff4f6e1ba1e5d2_JaffaCakes118.exe	MiniThunderPlatform.exe
PID 2304 wrote to memory of 2408	2304	fac9d53be590b02596ff4f6e1ba1e5d2_JaffaCakes118.exe	MiniThunderPlatform.exe
PID 2304 wrote to memory of 2408	2304	fac9d53be590b02596ff4f6e1ba1e5d2_JaffaCakes118.exe	MiniThunderPlatform.exe
PID 2304 wrote to memory of 2408	2304	fac9d53be590b02596ff4f6e1ba1e5d2_JaffaCakes118.exe	MiniThunderPlatform.exe

C:\Users\Admin\AppData\Local\Temp\fac9d53be590b02596ff4f6e1ba1e5d2_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fac9d53be590b02596ff4f6e1ba1e5d2_JaffaCakes118.exe"
1⤵
- Enumerates connected drives
- Writes to the Master Boot Record (MBR)
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2304

C:\Users\Admin\AppData\Local\Temp\7za.exe
"C:\Users\Admin\AppData\Local\Temp\\7za.exe" x "C:\Users\Admin\AppData\Local\Temp\\downloader.7z" -o"C:\Users\Admin\AppData\Local\Temp\" -aoa
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2440

C:\Users\Admin\AppData\Local\Temp\download\MiniThunderPlatform.exe
"C:\Users\Admin\AppData\Local\Temp\download\MiniThunderPlatform.exe" -StartTP
2⤵
- Writes to the Master Boot Record (MBR)
- Executes dropped EXE
- Loads dropped DLL
PID:2408

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DlMgr.dll
Filesize
181KB

MD5
1341d73573697c6af12d21911f913511

SHA1
d48fedeea2cc8c60c3518af8741c7c9b0bad4f32

SHA256
295dcdb341098c8f1e402845b02d158cfe8543acfe651c06ce5e1845bead7b03

SHA512
d937cfbbfc2b3252b7c078d7a0ae91a06fe4495dd9ebb116c5c68302f8819d71a3f8d0a017e31ef4447d7aa758f450873ddd3c36237bd3aea470aba68652c0bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\download\ATL71.DLL
Filesize
87KB

MD5
79cb6457c81ada9eb7f2087ce799aaa7

SHA1
322ddde439d9254182f5945be8d97e9d897561ae

SHA256
a68e1297fae2bcf854b47ffa444f490353028de1fa2ca713b6cf6cc5aa22b88a

SHA512
eca4b91109d105b2ce8c40710b8e3309c4cc944194843b7930e06daf3d1df6ae85c1b7063036c7e5cd10276e5e5535b33e49930adbad88166228316283d011b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\download\MSVCP71.dll
Filesize
492KB

MD5
a94dc60a90efd7a35c36d971e3ee7470

SHA1
f936f612bc779e4ba067f77514b68c329180a380

SHA256
6c483cbe349863c7dcf6f8cb7334e7d28c299e7d5aa063297ea2f62352f6bdd9

SHA512
ff6c41d56337cac074582002d60cbc57263a31480c67ee8999bc02fc473b331eefed93ee938718d297877cf48471c7512741b4aebc0636afc78991cdf6eddfab

Download Submit
C:\Users\Admin\AppData\Local\Temp\download\MSVCR71.dll
Filesize
340KB

MD5
ca2f560921b7b8be1cf555a5a18d54c3

SHA1
432dbcf54b6f1142058b413a9d52668a2bde011d

SHA256
c4d4339df314a27ff75a38967b7569d9962337b8d4cd4b0db3aba5ff72b2bfbb

SHA512
23e0bdd9458a5a8e0f9bbcb7f6ce4f87fcc9e47c1ee15f964c17ff9fe8d0f82dd3a0f90263daaf1ee87fad4a238aa0ee92a16b3e2c67f47c84d575768edba43e

Download Submit
C:\Users\Admin\AppData\Local\Temp\download\MiniThunderPlatform.exe
Filesize
258KB

MD5
a83ef2375ccc10030e64508e1a802ad4

SHA1
58f46307be974f0e2ed2e9115bc1243ba6538e3c

SHA256
e3bf11413cefdcd810f047061e70f06a422e22fb36ee66007336c3b28cb073b3

SHA512
c6995312041e14b81a63690e2accb7c9e209ecaae092ab8f381d3cfef9be815b0cd07f19a1279ee18b0da96e0fa9ae6efd24ae053215e96d34c4fcd7d8d62f67

Download Submit
C:\Users\Admin\AppData\Local\Temp\download\XLBugHandler.dll
Filesize
98KB

MD5
92154e720998acb6fa0f7bad63309470

SHA1
385817793b9f894ca3dd3bac20b269652df6cbc6

SHA256
1845df41da539bca264f59365bf7453b686b9098cc94cd0e2b9a20c74a561096

SHA512
37ba81f338af7de7ef2ac6bcf67b3aec96f9b748830ee3c0b152029871f7701e917b94a6b51acd7be6f8f02aea2b25f3b14ced1a218bf4868af04f5207bb5fff

Download Submit
C:\Users\Admin\AppData\Local\Temp\download\XLBugReport.exe
Filesize
242KB

MD5
67c767470d0893c4a2e46be84c9afcbb

SHA1
00291089b13a93f82ee49a11156521f13ea605cd

SHA256
64f8d68cc1cfc5b9cc182df3becf704af93d0f1cc93ee59dbf682c75b6d4ffc0

SHA512
d5d3a96dec616b0ab0cd0586fa0cc5a10ba662e0d5e4de4d849ac62ca5d60ec133f54d109d1d130b5f99ae73e7abfb284ec7d5ba55dca1a4f354c6af73c00e35

Download Submit
C:\Users\Admin\AppData\Local\Temp\download\dl_peer_id.dll
Filesize
89KB

MD5
dba9a19752b52943a0850a7e19ac600a

SHA1
3485ac30cd7340eccb0457bca37cf4a6dfda583d

SHA256
69a5e2a51094dc8f30788d63243b12a0eb2759a3f3c3a159b85fd422fc00ac26

SHA512
a42c1ec5594c6f6cae10524cdad1f9da2bdc407f46e685e56107de781b9bce8210a8cd1a53edacd61365d37a1c7ceba3b0891343cf2c31d258681e3bf85049d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\download\download_engine.dll
Filesize
3.2MB

MD5
3c2b7b3ff7de18fe47a77b712ff00a00

SHA1
6d1768acfdee1efb942ef3c28934e127659125ef

SHA256
4360f3b0dc6ae9aa5b7fb6a6e170e09505bf01df3e42846f2e5270d186f9fa06

SHA512
6a795af49d14bcd8fb37a2d36788e226f0f4a040a46c7bbb683fc2b8f4eb18d60b992ea414a89f4ed8020c6b2235c1e490e2924b935e24649a81f890ae78cfce

Download Submit
C:\Users\Admin\AppData\Local\Temp\download\id.dat
Filesize
44B

MD5
86092aebe0515cc017bc94d41ec484d7

SHA1
faf2ae219e716bb657a9efe7e110a505a669acc9

SHA256
f777dbd890ca94566d95d21d0398bff7c52f2d8c8825218322910d7b913687ce

SHA512
bce95deabef04d2c3ebf85fa8ea9b2a2739bbac89d803316273cfb56dc08b5090d91b20296363b0ccfd427bc7448a717393490f3b11b50420c03c7cf918b0323

Download Submit
C:\Users\Admin\AppData\Local\Temp\download\zlib1.dll
Filesize
58KB

MD5
89f6488524eaa3e5a66c5f34f3b92405

SHA1
330f9f6da03ae96dfa77dd92aae9a294ead9c7f7

SHA256
bd29d2b1f930e4b660adf71606d1b9634188b7160a704a8d140cadafb46e1e56

SHA512
cfe72872c89c055d59d4de07a3a14cd84a7e0a12f166e018748b9674045b694793b6a08863e791be4f9095a34471fd6abe76828dc8c653be8c66923a5802b31e

Download Submit
C:\Users\Admin\AppData\Local\Temp\downloader.7z
Filesize
1.5MB

MD5
50a4726d12aed1ccea812c928f625cc6

SHA1
7adc625d70adbc685d7363cafcd9781ea7fbbc11

SHA256
f8efe43c4635d278041d4c41f098827ab79189c16df93203a5f13c31d5019527

SHA512
f2140c1cd49b56a170aef22267f2621c8d790b3cd95f4d53c5448bf5b029d6b673bbb3ff4477699a59c2405019e63741d16724a655f0c1284c852a0bd0909e61

Download Submit
C:\Users\Admin\AppData\Local\Temp\xldl.dll
Filesize
242KB

MD5
e914a9df187d217c0a1715eaba4eec2a

SHA1
db662eab8b2da3bf56821ec23b0c2ed1dc8d9b63

SHA256
95934dae479fc68db1e6cc4517ca0bbd5a72b4fc299062cf4033b87f7fe03660

SHA512
996e1de053b588b3a8b9e6fb1c8cd3d2fad9c7f26b4a13c486ec95f4fa00aadbba42af2781678aaddbef872fdbb9e7c3d6c02c72b3d8c3833be3e4b007b73818

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DF9EFF.tmp
Filesize
1KB

MD5
3262169c2df654611e840135f263b608

SHA1
1bf617616b84713f57d35698acc21146ab5714e7

SHA256
a11565c647fd230626a41dd13e96b94f14a7dc3745836e120efbeb454213f281

SHA512
adf48352a93a0d43ebd022db2ff1960608bcc03fe1c949f66489f92792d5557467beaf70ded1417b4132449679d81bf0074b9900ba24e1f99828b6557810ceff

Download Submit
C:\Users\Admin\AppData\Roaming\youxi_gjol_downloader\config.ini
Filesize
238B

MD5
91fd6b5856eed72126fc8412a4cd5bab

SHA1
e2d13b020b1cde017aacee0e9c8dd29337de8d35

SHA256
b58bb66fb3490d9d7bab80c485d41db493bd3b0b5f968b79d7b249ce7941bc5c

SHA512
cff4327560694bd060e36b40bee0afd02286b3b9e4fc8949f9b2ed657381bb9599bed3db6118fd6b1494916dfff73673a5e2fd4d6b5b281fae9d64c3fdb58d84

Download Submit
C:\Users\Admin\AppData\Roaming\youxi_gjol_downloader\skin\skin.sk
Filesize
539KB

MD5
02c16754cef237c180a8dc2e1eef934a

SHA1
b97881f8e621952e71d96f5816e623af4a037e55

SHA256
48246af06eb4e33ade0d615e5d91fdd706ec1c67f9f303d27b26bbc844639bc3

SHA512
6e3d24b83cc51eff1246cf59550aeff5ac9c1b4ffd43843995b62b8293946dca5ffc36732aab215d6280f1c034d8c869469983e6751646d4ede10b92f569f466

Download Submit
\Users\Admin\AppData\Local\Temp\7za.exe
Filesize
736KB

MD5
ea1ee87d7eb2d36ba9fdcf24263cd528

SHA1
ff22c6ac17187c0af8155000d1937cd6f5a5b34d

SHA256
9706c2ddd91e24317de3ba2f0c3deddf5424384e32b2cfd39ffd3a74c05f5ff9

SHA512
2f31f9c47fbaa97a994e1dcb149921d515ad2408ee0fa0a016e5e173569b96ef27e2cfd5af4e86e622276e509dea3fdff8469284d60a69ee270c35100b7422cc

Download Submit
memory/2304-14-0x00000000008E0000-0x00000000008E1000-memory.dmp

Filesize
4KB

Download
memory/2304-60-0x00000000044A0000-0x00000000044F4000-memory.dmp

Filesize
336KB

Download
memory/2304-58-0x00000000044A0000-0x00000000044F4000-memory.dmp

Filesize
336KB

Download
memory/2304-120-0x00000000008E0000-0x00000000008E1000-memory.dmp

Filesize
4KB

Download
memory/2304-121-0x00000000044A0000-0x00000000044F4000-memory.dmp

Filesize
336KB

Download
memory/2408-75-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/2408-78-0x00000000023E0000-0x000000000271E000-memory.dmp

Filesize
3.2MB

Download
memory/2408-64-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/2408-123-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download