Overview

overview

9

Static

static

7

fbc208d4a5...18.exe

windows7-x64

9

fbc208d4a5...18.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    150s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    20-04-2024 02:45

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    fbc208d4a525f449c25074b21a1784b6_JaffaCakes118.exe

  • Size

    3.2MB

  • MD5

    fbc208d4a525f449c25074b21a1784b6

  • SHA1

    128dfd563f281370b3f34ac15de96875bf47c148

  • SHA256

    6f8978e9e9dfbabd48136fa088d5d4aec70365714a023f600469a8019dd99c2d

  • SHA512

    ebbc3ba7a4d5297f92ef3452259dde760dce6092dd2183af5a4c8f78a0e1f99334d61bcbb9957914aaa41daac8a0af775300fcb56073fb6eac9ee81cc0286738

  • SSDEEP

    49152:taj0As03hf/c40nIFkR9hv5ZDLg45V9gVfW7dvdryINFQY/kxrJEIpEHmkeY:20URJ0nIFkD/ZZ32AvELukxN/EG

Score
9/10
bootkitdiscoveryevasionpersistenceupx

Malware Config

Signatures

  • Checks for common network interception software 1 TTPs

    Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.

    evasion
  • Enumerates VirtualBox registry keys 2 TTPs 1 IoCs
    evasion
  • UPX packed file 1 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

    bootkitpersistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\fbc208d4a525f449c25074b21a1784b6_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\fbc208d4a525f449c25074b21a1784b6_JaffaCakes118.exe"
    1⤵
    • Enumerates VirtualBox registry keys
    • Enumerates connected drives
    • Writes to the Master Boot Record (MBR)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1904
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\del.bat"
      2⤵
        PID:3032
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 1904 -s 336
        2⤵
        • Program crash
        PID:2504

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\del.bat
      Filesize

      183B

      MD5

      a1d11b4700714f26ea2a338c26be20de

      SHA1

      8ac14d0d3f47389cae1addce95b358f6826ccdad

      SHA256

      267d79b7bdd952ae02541837189d06e41757ab56b26900d3634ccf8bf739ba6f

      SHA512

      6f085c9f06dc236711a2a7e36accda433b61e2ea444581ac6241e1c7ecce0637906279b65bbb9f3481afaab4a667692701e553ec957eaafe30d7e662f67984ca

      Download Submit

    • memory/1904-0-0x0000000013140000-0x0000000013782000-memory.dmp

      Filesize

      6.3MB

      Download

    • memory/1904-1-0x0000000000400000-0x0000000000406000-memory.dmp

      Filesize

      24KB

      Download

    • memory/1904-2-0x0000000000400000-0x0000000000406000-memory.dmp

      Filesize

      24KB

      Download

    • memory/1904-3-0x0000000013140000-0x0000000013782000-memory.dmp

      Filesize

      6.3MB

      Download

    • memory/1904-4-0x0000000000400000-0x0000000000401000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1904-7-0x0000000013140000-0x0000000013782000-memory.dmp

      Filesize

      6.3MB

      Download

    • memory/1904-9-0x0000000000400000-0x0000000000401000-memory.dmp

      Filesize

      4KB

      Download