Analysis

  • max time kernel
    142s
  • max time network
    70s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240419-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240419-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    27-04-2024 10:28

General

  • Target

    030bc9cb1468ae55feabb813ac345be1_JaffaCakes118.exe

  • Size

    220KB

  • MD5

    030bc9cb1468ae55feabb813ac345be1

  • SHA1

    5e9537056032599bd9332e805fb512f6b02cd675

  • SHA256

    4ac8001e36cc417c72abf88f52a8f426e60d93f312a27fa64595aa562ab33c08

  • SHA512

    e31166ea94617b7f84cf8ab181dddb408caf26e05998d199e61a66fbe2031017e311a489965d5f21bba96e6b42d1d4a377f7cc1d4fb72c20f9a5286636f5486c

  • SSDEEP

    3072:ulqCTufi6SYrSiF1U2+901z3gO1FAbJDpct56kIqjK:OqG6SPkWhe7Oqt

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
  • ACProtect 1.3x - 1.4x DLL software 1 IoCs

    Detects file using ACProtect software.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 4 IoCs
  • UPX packed file 11 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Enumerates connected drives 3 TTPs 8 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Installs/modifies Browser Helper Object 2 TTPs 1 IoCs

    BHOs are DLL modules which act as plugins for Internet Explorer.

  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

  • Drops file in System32 directory 7 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\030bc9cb1468ae55feabb813ac345be1_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\030bc9cb1468ae55feabb813ac345be1_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3968
    • C:\Windows\SysWOW64\regsvr32.exe
      regsvr32 /s C:\Windows\System32\puihile.dll
      2⤵
      • Loads dropped DLL
      • Modifies registry class
      PID:712
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32 try6703.dll , InstallMyDll
      2⤵
      • Loads dropped DLL
      • Writes to the Master Boot Record (MBR)
      • Drops file in System32 directory
      • Suspicious behavior: EnumeratesProcesses
      PID:3828
    • C:\Windows\SysWOW64\Dofake.exe
      C:\Windows\System32\Dofake.exe
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Executes dropped EXE
      • Enumerates connected drives
      • Suspicious use of SetWindowsHookEx
      PID:680
    • C:\Windows\SysWOW64\regsvr32.exe
      regsvr32 /s C:\Windows\System32\taob.dll
      2⤵
      • Loads dropped DLL
      • Installs/modifies Browser Helper Object
      • Modifies registry class
      PID:1724
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c 375519961O57540.bat
      2⤵
      PID:1128

    Network

    MITRE ATT&CK Matrix ATT&CK v13

    Persistence
      • Browser Extensions (1) T1176
      • Pre-OS Boot (1) T1542
      • Bootkit (1) T1542.003

    Defense Evasion
      • Hide Artifacts (2) T1564
      • Hidden Files and Directories (2) T1564.001
      • Modify Registry (3) T1112
      • Pre-OS Boot (1) T1542
      • Bootkit (1) T1542.003

    Discovery
      • Query Registry (1) T1012
      • Peripheral Device Discovery (1) T1120
      • System Information Discovery (1) T1082

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\375519961O57540.bat
      Filesize

      2KB

      MD5

      1711750c37a1752a81cec0c6c15fea4d

      SHA1

      6d157d946310d870698d5ba7c9a028a30984b195

      SHA256

      d2a9192b117b01e0d8552d1b002aa887a946f9f5a4de0e03389180b3ede82a9f

      SHA512

      f6a5982f2cd666fb8ca663241cf0d9f0aaae01496106ad0edcfd1ccb99f502db109cd3805f7653dcf4ffadaef265cbede1ea2b26c219d27faae470be1938826b

    • C:\Windows\SysWOW64\Dofake.exe
      Filesize

      60KB

      MD5

      d31138ba5d6047492ee2c6efa6b66f2b

      SHA1

      148dc90c2d5965e579e7a8bf4b873168e58f68a8

      SHA256

      d8d31e06df797c6dbc454676597874fef8d829a9ac1037b93e568444d05f2d75

      SHA512

      ad83e0ee200da8e60678b8bba55e5921b22cbbe349b89e62481b6f549691e3070da3543b3a230a6f8488d16a884ae1a8ec482d27c882ea70cd205f2c455a3de2

    • C:\Windows\SysWOW64\FloodCore.dll
      Filesize

      24KB

      MD5

      b3c403d9f9c3b9d1cc3682ad840e301b

      SHA1

      1b3ad4baa8d8d1c70ed8ed91666ff51e454d5a16

      SHA256

      7eb060a5728b918895e6873343aa82c849e39f35a590768ea39fbff4de873104

      SHA512

      d7ad7d9f0cc3a93f02301bee62deacb0b77535027c9c49cc8b28f6022e389d69d84ac1272ff2b75fe7d13255f17620e8cb3a8e7361d98cb69a231ec427f57332

    • C:\Windows\SysWOW64\Web.ini
      Filesize

      2KB

      MD5

      9d2e75dfd1a854de293c5db496e73fbd

      SHA1

      7fd4f0cb0af9299a89a1d393ff02f58005428664

      SHA256

      f89c0c0afc1961cba594e60b664ea522de90e61459e8e89174a9f757ce64aaf7

      SHA512

      aed37024179b3904d3d34081146657f297386100dd7ce1c78a286b30fc8ce732f0e0017919f2b54c6275ec11ff354fd96324bc2c08297fafc90eae6c6d8c9188

    • C:\Windows\SysWOW64\puihile.dll
      Filesize

      52KB

      MD5

      197f927a78abf8169c80c7fce6ce8011

      SHA1

      b33ab406ce11290f0a639460b5e3a991d253e9d1

      SHA256

      6209037cf3a7e4586ff1c95a9c931c1b4030296ad7fed87b06c764cc0432e18f

      SHA512

      1ab184159b1f5c19f6ff795aef7ed240c7749386070732ec9429174beb9806acbe7fe44f72a25a0791809c85860d1c2e31dc540d03a1d14e4854316785aec694

    • C:\Windows\SysWOW64\taob.dll
      Filesize

      28KB

      MD5

      3ce7360b74013b37de60d1c703744bab

      SHA1

      3b3e2b472940f112656de13ac28e27b5a57773c0

      SHA256

      6c6754568466c10112cb01964677c7cdf2325d02ae72eec6357d5b519bd8fc4f

      SHA512

      a17dc7ae770e6d5569952ae8bba68ab2f5d3657ac54f1bc8418a73efbbe76eb4b026d8c9082a74721eeee12e3feaa59e6cdc62e702fb4b9cf7704e1be420eced

    • C:\Windows\SysWOW64\try6703.dll
      Filesize

      27KB

      MD5

      6b45fea3286b74abf97306c9219e9a7b

      SHA1

      41158256979725cbe96f478253b235b1016e709d

      SHA256

      024024b22031867e5ec72f96a267ec391021794c9c24fa8b14d5b6756aca83a5

      SHA512

      3d0bb50b39c38f12118aed6c2b6699bae42b2a65ea5b8e918b9431494f7b698b20b919c40149d144e2952c433f382f8b706e8d035692b55ef5380cb1125b3377

    • memory/3828-137-0x0000000010000000-0x0000000010023000-memory.dmp
      Filesize

      140KB

    • memory/3828-6-0x0000000010000000-0x0000000010023000-memory.dmp
      Filesize

      140KB

    • memory/3828-135-0x0000000010000000-0x0000000010023000-memory.dmp
      Filesize

      140KB

    • memory/3828-7-0x0000000010000000-0x0000000010023000-memory.dmp
      Filesize

      140KB

    • memory/3828-138-0x0000000010000000-0x0000000010023000-memory.dmp
      Filesize

      140KB

    • memory/3828-139-0x0000000010000000-0x0000000010023000-memory.dmp
      Filesize

      140KB

    • memory/3828-140-0x0000000010000000-0x0000000010023000-memory.dmp
      Filesize

      140KB

    • memory/3828-141-0x0000000010000000-0x0000000010023000-memory.dmp
      Filesize

      140KB

    • memory/3828-142-0x0000000010000000-0x0000000010023000-memory.dmp
      Filesize

      140KB

    • memory/3828-143-0x0000000010000000-0x0000000010023000-memory.dmp
      Filesize

      140KB