Analysis
- max time kernel: 120s
- max time network: 124s
- platform: windows7_x64
- resource: win7-20231129-en
- resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
- submitted: 20-04-2024 03:54
Static task: static1
Behavioral task: behavioral1
- Sample: fbdda05780c0105abdd755fec2900580_JaffaCakes118.exe
- Resource: win7-20231129-en
Behavioral task: behavioral2
- Sample: fbdda05780c0105abdd755fec2900580_JaffaCakes118.exe
- Resource: win10v2004-20240226-en
General
- Target: fbdda05780c0105abdd755fec2900580_JaffaCakes118.exe
- Size: 432KB
- MD5: fbdda05780c0105abdd755fec2900580
- SHA1: e463f3e0ddfcf8f340905027b596966e973f546a
- SHA256: 2a2810ff068467030f05624230fc590ac4e3ef2c9df76a4fe6d1feedf06f8344
- SHA512: 8440c10fdf797bfb757fd3deed51f48534eb7367d7bf76ac51dd6fc2c7be04292d831bd0d1c084d0abbea3ad75c26b7818e64db3b5d26f28ce5c7e133302eb99
- SSDEEP: 6144:BO+WwBZthD5J+x9dmKcMVqUl6c4jKMNvyX93dFoMrdUZnD698gWNlPTGQQm6agrG:tvZ/5J+Y1IlErvyX93dr+DVNtTird0
Malware Config
Signatures
- Executes dropped EXE (2 IoCs)
  Processes (pid, process):
    3008 SERVER~1.EXE
    1972 Hacker.com.cn.exe
- Loads dropped DLL (3 IoCs)
  Processes (pid, process):
    1372 fbdda05780c0105abdd755fec2900580_JaffaCakes118.exe
    1372 fbdda05780c0105abdd755fec2900580_JaffaCakes118.exe
    3008 SERVER~1.EXE
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes (description | ioc | process):
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | fbdda05780c0105abdd755fec2900580_JaffaCakes118.exe
- Writes to the Master Boot Record (MBR) (1 TTPs, 1 IoCs)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  Processes (description | ioc | process):
    File opened for modification | \??\PhysicalDrive0 | fbdda05780c0105abdd755fec2900580_JaffaCakes118.exe
- Drops file in Windows directory (3 IoCs)
  Processes (description | ioc | process):
    File created | C:\Windows\Hacker.com.cn.exe | SERVER~1.EXE
    File opened for modification | C:\Windows\Hacker.com.cn.exe | SERVER~1.EXE
    File created | C:\Windows\uninstal.bat | SERVER~1.EXE
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes (description | pid | process):
    Token: SeDebugPrivilege | 3008 | SERVER~1.EXE
    Token: SeDebugPrivilege | 1972 | Hacker.com.cn.exe
- Suspicious use of FindShellTrayWindow (1 IoCs)
  Processes (pid, process):
    1972 Hacker.com.cn.exe
- Suspicious use of WriteProcessMemory (18 IoCs)
  Processes (description | pid | process | target process), with the number of identical entries recorded:
    PID 1372 wrote to memory of 3008 | 1372 | fbdda05780c0105abdd755fec2900580_JaffaCakes118.exe | SERVER~1.EXE (7 entries)
    PID 1972 wrote to memory of 2704 | 1972 | Hacker.com.cn.exe | IEXPLORE.EXE (4 entries)
    PID 3008 wrote to memory of 2464 | 3008 | SERVER~1.EXE | cmd.exe (7 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\fbdda05780c0105abdd755fec2900580_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\fbdda05780c0105abdd755fec2900580_JaffaCakes118.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Writes to the Master Boot Record (MBR)
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SERVER~1.EXE
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SERVER~1.EXE
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c C:\Windows\uninstal.bat
- C:\Windows\Hacker.com.cn.exe
  Command line: C:\Windows\Hacker.com.cn.exe
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    Command line: "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\Windows\uninstal.bat
  Filesize: 164B
  MD5: 924ea7ae6df752587469376459875c51
  SHA1: ec5fa69c7e5dcaf5b57eefadc4f25a8e4ae073e1
  SHA256: 46c715ac82d5774479b760757498ddb0b9f75cebc116a3da81f9e438bc9bbb09
  SHA512: ea7b176a411b82faf5fcd785c67180f88f9ff28f7e24c4f4b49f8e7cdc99fb60e38722b61547a4291bdd2c56b3729045c2e8d4afbecfe03612ab0dd8a7b6ae35
- \Users\Admin\AppData\Local\Temp\IXP000.TMP\SERVER~1.EXE
  Filesize: 272KB
  MD5: 97a5843eca20dbb324357b65791cffe5
  SHA1: 1b6467c511749ae2256c805644f1bf8abbdd617d
  SHA256: d325ebc2af7e77e8191b7348a21da434f19904010792d265a9cb3b3a6cb03733
  SHA512: b788a9a0ee8c9b13f5f0df67d1f83eee3bf45cfd5ff6867abeed6d2f7234857f4c8c0aedad131f6097f76e2e6b66fa6455ff87477379be0e87daea41db0cc7cd