Analysis

  • max time kernel
    160s
  • max time network
    166s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    20-04-2024 20:15

General

  • Target

    fd8dcad6006a5c4cf5e4cb1dd0f9ac63_JaffaCakes118.exe

  • Size

    834KB

  • MD5

    fd8dcad6006a5c4cf5e4cb1dd0f9ac63

  • SHA1

    ae039707a732f19a22ebee2ced7a9bfa81562652

  • SHA256

    61697ef43dd7466ae631f86542c02d1512b39d146dc21291e58274f8a22e5a22

  • SHA512

    2e3a3520e68ccbf25199e9182590b7ab1664cc3fda980fb9131f0ef938c294c08d21acfb24635bbd8785a0548569dfc06679ed33d5cdc0aba86956f0562d83b8

  • SSDEEP

    12288:AXoJ3pFAFuIqlJzyi7m1IxXT0vHwkx+CxkpZhEKRO30OVkc1+QFpr8U:Vn2QA1IXwvlxshEKRO3VT7

Score
8/10

Malware Config

Signatures

  • Modifies Installed Components in the registry 2 TTPs 3 IoCs
  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates connected drives 3 TTPs 25 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 58 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies Internet Explorer settings 1 TTPs 4 IoCs
  • Modifies data under HKEY_USERS 52 IoCs
  • Modifies registry class 31 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

  • Uses Volume Shadow Copy WMI provider

    The Volume Shadow Copy service is used to manage backups/snapshots.

  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\fd8dcad6006a5c4cf5e4cb1dd0f9ac63_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\fd8dcad6006a5c4cf5e4cb1dd0f9ac63_JaffaCakes118.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: RenamesItself
    • Suspicious use of WriteProcessMemory
    PID:1392
    • C:\ProgramData\isecurity.exe
      C:\ProgramData\isecurity.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Enumerates connected drives
      • Writes to the Master Boot Record (MBR)
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      PID:4256
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3760 --field-trial-handle=2252,i,16504368816373493055,9578615028378602855,262144 --variations-seed-version /prefetch:8
    1⤵
      PID:4172
    • C:\Windows\system32\sihost.exe
      sihost.exe
      1⤵
      • Suspicious use of FindShellTrayWindow
      PID:1624
    • C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
      "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
      1⤵
      • Modifies data under HKEY_USERS
      • Suspicious use of SetWindowsHookEx
      PID:4048
    • C:\Windows\system32\sihost.exe
      sihost.exe
      1⤵
      • Suspicious use of FindShellTrayWindow
      PID:4864
    • C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
      "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
      1⤵
      • Modifies data under HKEY_USERS
      • Suspicious use of SetWindowsHookEx
      PID:4472
    • C:\Windows\system32\sihost.exe
      sihost.exe
      1⤵
      • Suspicious use of FindShellTrayWindow
      PID:3972
    • C:\Windows\system32\sihost.exe
      sihost.exe
      1⤵
      • Suspicious use of WriteProcessMemory
      PID:4420
      • C:\Windows\explorer.exe
        explorer.exe /LOADSAVEDWINDOWS
        2⤵
        • Modifies Installed Components in the registry
        • Enumerates connected drives
        • Modifies registry class
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:4380
    • C:\Windows\system32\sihost.exe
      sihost.exe
      1⤵
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of WriteProcessMemory
      PID:5112
      • C:\Windows\explorer.exe
        explorer.exe /LOADSAVEDWINDOWS
        2⤵
        • Modifies Installed Components in the registry
        • Modifies registry class
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:2636
    • C:\Windows\system32\sihost.exe
      sihost.exe
      1⤵
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of WriteProcessMemory
      PID:4160
      • C:\Windows\explorer.exe
        explorer.exe /LOADSAVEDWINDOWS
        2⤵
        • Modifies registry class
        PID:3412
    • C:\Windows\explorer.exe
      explorer.exe
      1⤵
      • Modifies Installed Components in the registry
      • Enumerates connected drives
      • Checks SCSI registry key(s)
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      PID:732
    • C:\Windows\System32\rundll32.exe
      C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {9BA05972-F6A8-11CF-A442-00A0C90A8F39} -Embedding
      1⤵
        PID:400

      Network

MITRE ATT&CK Matrix (ATT&CK v13)

Persistence

  • Boot or Logon Autostart Execution (T1547), 2 matches
  • Registry Run Keys / Startup Folder (T1547.001), 2 matches
  • Pre-OS Boot (T1542), 1 match
  • Bootkit (T1542.003), 1 match

Privilege Escalation

  • Boot or Logon Autostart Execution (T1547), 2 matches
  • Registry Run Keys / Startup Folder (T1547.001), 2 matches

Defense Evasion

  • Modify Registry (T1112), 3 matches
  • Pre-OS Boot (T1542), 1 match
  • Bootkit (T1542.003), 1 match

Discovery

  • Query Registry (T1012), 3 matches
  • Peripheral Device Discovery (T1120), 2 matches
  • System Information Discovery (T1082), 3 matches

      Downloads

      • C:\ProgramData\isecurity.exe
        Filesize

        830KB

        MD5

        e84dc78f5fa1deb99fc7d7df4b8508b2

        SHA1

        602c614e44896615e81a5dfd00cc36d67d857417

        SHA256

        b59fdfd791fdcd70bb54870ecc2f48ff92949443e9680676874b454433c4c483

        SHA512

        40731fb6a3c53d7a67ef7b502506e5c224bdc5cf52016d4b07df8e27b911998eab43654892ea3ef0c66c6c1de166fc711decfa7c348cc25dc80d9ef22ac31ff4

      • C:\Users\Admin\AppData\Local\Temp\{25D27036-3795-45F4-913F-A41FB7749EA3}.png
        Filesize

        6KB

        MD5

        099ba37f81c044f6b2609537fdb7d872

        SHA1

        470ef859afbce52c017874d77c1695b7b0f9cb87

        SHA256

        8c98c856e4d43f705ff9a5c9a55f92e1885765654912b4c75385c3ea2fdef4a7

        SHA512

        837e1ad7fe4f5cbc0a87f3703ba211c18f32b20df93b23f681cbd0390d8077adba64cf6454a1bb28df1f7df4cb2cdc021d826b6ef8db890e40f21d618d5eb07a

      • C:\Users\Public\Desktop\Internet Security.lnk
        Filesize

        682B

        MD5

        7c3f250e5b075dacb24e9b39910cb3d8

        SHA1

        2d42bf08df44641868c4c50f18840267755998a7

        SHA256

        291e03be11c33a2495f5d868b39c6791bdb203de29ee9bff0895d1c5a172eb6e

        SHA512

        236a120cf3d0dc2840290d436a250cda0ec043e8154995f7f5b810f7cd58c356db7443f3b80c765c19042ba6e51cf5c568cc092250d70d42d85cf480a484f11f

      • memory/732-38-0x0000000004CF0000-0x0000000004CF1000-memory.dmp
        Filesize

        4KB

      • memory/1392-0-0x0000000000400000-0x0000000000507000-memory.dmp
        Filesize

        1.0MB

      • memory/1392-1-0x0000000002250000-0x0000000002251000-memory.dmp
        Filesize

        4KB

      • memory/1392-2-0x0000000000400000-0x0000000000507000-memory.dmp
        Filesize

        1.0MB

      • memory/1392-5-0x0000000000400000-0x0000000000507000-memory.dmp
        Filesize

        1.0MB

      • memory/4256-28-0x00000000026F0000-0x00000000026F1000-memory.dmp
        Filesize

        4KB

      • memory/4256-17-0x0000000000400000-0x0000000000A35000-memory.dmp
        Filesize

        6.2MB

      • memory/4256-24-0x0000000000400000-0x0000000000A35000-memory.dmp
        Filesize

        6.2MB

      • memory/4256-25-0x0000000000400000-0x0000000000A35000-memory.dmp
        Filesize

        6.2MB

      • memory/4256-26-0x0000000000400000-0x0000000000A35000-memory.dmp
        Filesize

        6.2MB

      • memory/4256-27-0x0000000000400000-0x0000000000A35000-memory.dmp
        Filesize

        6.2MB

      • memory/4256-18-0x0000000000400000-0x0000000000A35000-memory.dmp
        Filesize

        6.2MB

      • memory/4256-29-0x0000000000400000-0x0000000000A35000-memory.dmp
        Filesize

        6.2MB

      • memory/4256-30-0x0000000000400000-0x0000000000A35000-memory.dmp
        Filesize

        6.2MB

      • memory/4256-19-0x00000000026F0000-0x00000000026F1000-memory.dmp
        Filesize

        4KB

      • memory/4256-33-0x0000000000400000-0x0000000000A35000-memory.dmp
        Filesize

        6.2MB

      • memory/4256-15-0x0000000000400000-0x0000000000A35000-memory.dmp
        Filesize

        6.2MB

      • memory/4256-46-0x0000000000400000-0x0000000000A35000-memory.dmp
        Filesize

        6.2MB

      • memory/4256-47-0x0000000000400000-0x0000000000A35000-memory.dmp
        Filesize

        6.2MB

      • memory/4256-48-0x0000000000400000-0x0000000000A35000-memory.dmp
        Filesize

        6.2MB

      • memory/4256-14-0x0000000000400000-0x0000000000A35000-memory.dmp
        Filesize

        6.2MB

      • memory/4256-55-0x0000000000400000-0x0000000000A35000-memory.dmp
        Filesize

        6.2MB

      • memory/4256-56-0x0000000000400000-0x0000000000A35000-memory.dmp
        Filesize

        6.2MB

      • memory/4256-59-0x0000000000400000-0x0000000000A35000-memory.dmp
        Filesize

        6.2MB

      • memory/4256-62-0x0000000000400000-0x0000000000A35000-memory.dmp
        Filesize

        6.2MB