844362ce92cfc8adbade9e49b6871ffdf09861c377ae735e16139afa98935c94

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
20-04-2024 04:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fbf39ddaa887886b9ec3e527504d51cf_JaffaCakes118.dll
Size

412KB
MD5

fbf39ddaa887886b9ec3e527504d51cf
SHA1

e7b9679335ecc3c14e558387ca5e5573dbcd5aae
SHA256

844362ce92cfc8adbade9e49b6871ffdf09861c377ae735e16139afa98935c94
SHA512

4d76295050fb6a6d28599f0f3c0e993e474c8952d4bf064de4e09d40c2014eab3aad8f31ce733d3e63c4e5ed1b5d20e71633f6376e6fb558906ff363967f45ef
SSDEEP

12288:YSgfGQBPVQLlTjo6y48GDbPfq9hpTBKJGEtN:YS6QLdo748Yfq9ZKkoN

Score

6^/10

bootkit persistence

Malware Config

Signatures

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1542.003

Processes:

rundll32.exe

description ioc process

File opened for modification \??\PhysicalDrive0 rundll32.exe
Drops file in System32 directory 2 IoCs

Processes:

rundll32.exe

description ioc process

File created C:\Windows\SysWOW64\5435101116 rundll32.exe
File created C:\Windows\SysWOW64\072c rundll32.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	rundll32.exe

description	ioc	process
File created	C:\Windows\SysWOW64\5435101116	rundll32.exe
File created	C:\Windows\SysWOW64\072c	rundll32.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 3068 wrote to memory of 3824	3068	rundll32.exe	rundll32.exe
PID 3068 wrote to memory of 3824	3068	rundll32.exe	rundll32.exe
PID 3068 wrote to memory of 3824	3068	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\fbf39ddaa887886b9ec3e527504d51cf_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:3068

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\fbf39ddaa887886b9ec3e527504d51cf_JaffaCakes118.dll,#1
2⤵
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
PID:3824

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads