Analysis

  • max time kernel
    147s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    20-04-2024 00:24

General

  • Target
    fb80a7c65b6bf20d9479ef3f5d112592_JaffaCakes118.exe
  • Size
    548KB
  • MD5
    fb80a7c65b6bf20d9479ef3f5d112592
  • SHA1
    f6119d5d80ef4527ccc3514ee04883789a70336a
  • SHA256
    7914966d04455dab1927ea3d4f117810a5a6113e3fb9ca79c6b1ae7d02ccf434
  • SHA512
    bbb6a2a2cdbfe3a9a92d57b792b0912400c25c7cab10fbd007b82582ca81c4c449d3c20cdda246aeb4fcfee0a554c84a144bddd00dea93fc0b00eb250ec1303f
  • SSDEEP
    12288:L7l4s3shTJBJbI3HfdVQyBc+pQ5KA5QzDP7+FxJvjaVbkbJHURZbK:LGs3qTZbIXVVPe+pE/2D7EvSbkbdwG

Malware Config

Signatures

  • Drops file in Drivers directory 1 IoCs
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 49 IoCs
  • Installs/modifies Browser Helper Object 2 TTPs 2 IoCs

    BHOs are DLL modules which act as plugins for Internet Explorer.

  • Writes to the Master Boot Record (MBR) 1 TTPs 3 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

  • Drops file in System32 directory 19 IoCs
  • Drops file in Windows directory 13 IoCs
  • Modifies registry class 47 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of WriteProcessMemory 63 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\fb80a7c65b6bf20d9479ef3f5d112592_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\fb80a7c65b6bf20d9479ef3f5d112592_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Writes to the Master Boot Record (MBR)
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Suspicious use of WriteProcessMemory
    PID:2820
    • C:\Windows\SysWOW64\regsvr32.exe
      C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32\a1l8.dll"
      2⤵
      PID:2740
    • C:\Windows\SysWOW64\regsvr32.exe
      C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32\b4cb.dll"
      2⤵
      PID:2640
    • C:\Windows\SysWOW64\regsvr32.exe
      C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32\4f3r.dll"
      2⤵
      PID:2636
    • C:\Windows\SysWOW64\regsvr32.exe
      C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32\8b4o.dll"
      2⤵
      PID:2588
    • C:\Windows\SysWOW64\regsvr32.exe
      C:\Windows\system32\regsvr32.exe /s "C:\Windows\system32\8b4o.dll"
      2⤵
      • Loads dropped DLL
      • Installs/modifies Browser Helper Object
      • Modifies registry class
      PID:2680
    • C:\Windows\SysWOW64\bffd.exe
      C:\Windows\system32\bffd.exe -i
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      PID:2960
    • C:\Windows\SysWOW64\bffd.exe
      C:\Windows\system32\bffd.exe -s
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      PID:2464
    • C:\Windows\SysWOW64\rundll32.exe
      C:\Windows\system32\rundll32 C:\Windows\system32\841e.dll, Always
      2⤵
      • Loads dropped DLL
      PID:2716
  • C:\Windows\SysWOW64\bffd.exe
    C:\Windows\SysWOW64\bffd.exe
    1⤵
    • Drops file in Drivers directory
    • Executes dropped EXE
    • Loads dropped DLL
    • Writes to the Master Boot Record (MBR)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2356
    • C:\Windows\SysWOW64\rundll32.exe
      C:\Windows\system32\rundll32 C:\Windows\system32\841e.dll,Always
      2⤵
      • Loads dropped DLL
      • Writes to the Master Boot Record (MBR)
      • Drops file in System32 directory
      PID:2532

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\h8nil4o8\b.dll
    Filesize: 224KB
    MD5: e8c37e48e853d777cfe4db3cf548e915
    SHA1: bcd773541f03eb21874dfa00c03fbf48f8f4f22c
    SHA256: 50f43d5132686ac4bf27ec2db5433557aa8cf45fa4ef56eceb37a1627811ff88
    SHA512: 647af797b58af10bf8c5a35cfcd5126b0ec27d4635852e1393b53df35b2e7188d73331251d1323d05486008672ec4068b462666db300881e05b615b8af717c5b

  • C:\Users\Admin\AppData\Local\Temp\h8nil4o8\p.dll
    Filesize: 420KB
    MD5: 30cb347361e00ca56e0f7cf9342912d5
    SHA1: a8932045718b584ae4cff8ede0748ead21c35281
    SHA256: 01c65505197823ac602e6c40721cb9e8b455809791952acd550a9e8b64e23120
    SHA512: 7c8e1aaff60471cab5a43deefffb17d8d1eb7f1fdf9a1fc7f059f8e911d6feaed7448eb7e0bd7f66fb208a1bfda6195e46c3deb6ef7da63580746568f1a908dd

  • C:\Users\Admin\AppData\Local\Temp\h8nil4o8\s.exe
    Filesize: 128KB
    MD5: 5b75e3c2e589f0722f33786364dee102
    SHA1: db999965cd3ead5bfd4ef239ed0d168dcaa58496
    SHA256: d2e626f17842fa72c8f009198d1256ff81a71237022913fb5ccb2bbda38c2371
    SHA512: dd9c8b83966c3deed13471df206e8c7923c59ab7b761e9a6b5ffa40d4e9cdfbeab58c715393a85d9c8d4c131d2f8c4a982eb01c4e105bf845a12a5f290ec821d