3f1be2fe05d433284b79c35209553c2e26fd590cae24d4f63297b0b059b0c1b2

Analysis

max time kernel
122s
max time network
123s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
29/04/2024, 09:18

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

075232b2c7f732b51188290a88bdde55_JaffaCakes118.exe
Size

770KB
MD5

075232b2c7f732b51188290a88bdde55
SHA1

00e2ed3023b07a170f91fb5ddc325fd96e67475e
SHA256

3f1be2fe05d433284b79c35209553c2e26fd590cae24d4f63297b0b059b0c1b2
SHA512

172f3ab6b34b7ea2d9c6253b55cb7e1885a5b46ac92ff1482338dc2223df98b4bb39cd82579b6f0a60a298d3a583bc5cb606f99486586bbf948dbcf21ca8bf70
SSDEEP

24576:oTtH9aiaoflGLCdkC58PsVC1v3j6gDK+TulpAfe:oTtHMotGO690Edj6g++yEfe

Score

7^/10

bootkit discovery persistence

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2496	wukong.exe
2900	wukong.exe
848	wukong.exe
760	iconAnimate.exe
2556	iconAnimate.exe
2380	iconTips.exe

Loads dropped DLL 21 IoCs

pid	Process
1948	075232b2c7f732b51188290a88bdde55_JaffaCakes118.exe
1948	075232b2c7f732b51188290a88bdde55_JaffaCakes118.exe
1948	075232b2c7f732b51188290a88bdde55_JaffaCakes118.exe
1948	075232b2c7f732b51188290a88bdde55_JaffaCakes118.exe
2496	wukong.exe
2496	wukong.exe
1948	075232b2c7f732b51188290a88bdde55_JaffaCakes118.exe
1948	075232b2c7f732b51188290a88bdde55_JaffaCakes118.exe
2900	wukong.exe
2900	wukong.exe
848	wukong.exe
848	wukong.exe
2900	wukong.exe
760	iconAnimate.exe
760	iconAnimate.exe
1948	075232b2c7f732b51188290a88bdde55_JaffaCakes118.exe
1948	075232b2c7f732b51188290a88bdde55_JaffaCakes118.exe
2556	iconAnimate.exe
2556	iconAnimate.exe
2380	iconTips.exe
2380	iconTips.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	wukong.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main	wukong.exe

Suspicious behavior: EnumeratesProcesses 11 IoCs

pid	Process
848	wukong.exe
848	wukong.exe
848	wukong.exe
848	wukong.exe
848	wukong.exe
848	wukong.exe
848	wukong.exe
848	wukong.exe
848	wukong.exe
848	wukong.exe
848	wukong.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	760	iconAnimate.exe
Token: SeDebugPrivilege	2556	iconAnimate.exe
Token: SeDebugPrivilege	2380	iconTips.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2496	wukong.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2900	wukong.exe
2900	wukong.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1948 wrote to memory of 2496	1948	075232b2c7f732b51188290a88bdde55_JaffaCakes118.exe	29
PID 1948 wrote to memory of 2496	1948	075232b2c7f732b51188290a88bdde55_JaffaCakes118.exe	29
PID 1948 wrote to memory of 2496	1948	075232b2c7f732b51188290a88bdde55_JaffaCakes118.exe	29
PID 1948 wrote to memory of 2496	1948	075232b2c7f732b51188290a88bdde55_JaffaCakes118.exe	29
PID 1948 wrote to memory of 2496	1948	075232b2c7f732b51188290a88bdde55_JaffaCakes118.exe	29
PID 1948 wrote to memory of 2496	1948	075232b2c7f732b51188290a88bdde55_JaffaCakes118.exe	29
PID 1948 wrote to memory of 2496	1948	075232b2c7f732b51188290a88bdde55_JaffaCakes118.exe	29
PID 1948 wrote to memory of 2900	1948	075232b2c7f732b51188290a88bdde55_JaffaCakes118.exe	30
PID 1948 wrote to memory of 2900	1948	075232b2c7f732b51188290a88bdde55_JaffaCakes118.exe	30
PID 1948 wrote to memory of 2900	1948	075232b2c7f732b51188290a88bdde55_JaffaCakes118.exe	30
PID 1948 wrote to memory of 2900	1948	075232b2c7f732b51188290a88bdde55_JaffaCakes118.exe	30
PID 1948 wrote to memory of 2900	1948	075232b2c7f732b51188290a88bdde55_JaffaCakes118.exe	30
PID 1948 wrote to memory of 2900	1948	075232b2c7f732b51188290a88bdde55_JaffaCakes118.exe	30
PID 1948 wrote to memory of 2900	1948	075232b2c7f732b51188290a88bdde55_JaffaCakes118.exe	30
PID 1948 wrote to memory of 848	1948	075232b2c7f732b51188290a88bdde55_JaffaCakes118.exe	31
PID 1948 wrote to memory of 848	1948	075232b2c7f732b51188290a88bdde55_JaffaCakes118.exe	31
PID 1948 wrote to memory of 848	1948	075232b2c7f732b51188290a88bdde55_JaffaCakes118.exe	31
PID 1948 wrote to memory of 848	1948	075232b2c7f732b51188290a88bdde55_JaffaCakes118.exe	31
PID 1948 wrote to memory of 848	1948	075232b2c7f732b51188290a88bdde55_JaffaCakes118.exe	31
PID 1948 wrote to memory of 848	1948	075232b2c7f732b51188290a88bdde55_JaffaCakes118.exe	31
PID 1948 wrote to memory of 848	1948	075232b2c7f732b51188290a88bdde55_JaffaCakes118.exe	31
PID 2900 wrote to memory of 760	2900	wukong.exe	32
PID 2900 wrote to memory of 760	2900	wukong.exe	32
PID 2900 wrote to memory of 760	2900	wukong.exe	32
PID 2900 wrote to memory of 760	2900	wukong.exe	32
PID 2900 wrote to memory of 760	2900	wukong.exe	32
PID 2900 wrote to memory of 760	2900	wukong.exe	32
PID 2900 wrote to memory of 760	2900	wukong.exe	32
PID 760 wrote to memory of 1172	760	iconAnimate.exe	21
PID 760 wrote to memory of 1172	760	iconAnimate.exe	21
PID 760 wrote to memory of 1172	760	iconAnimate.exe	21
PID 760 wrote to memory of 1172	760	iconAnimate.exe	21
PID 760 wrote to memory of 1172	760	iconAnimate.exe	21
PID 760 wrote to memory of 1172	760	iconAnimate.exe	21
PID 760 wrote to memory of 1172	760	iconAnimate.exe	21
PID 760 wrote to memory of 1172	760	iconAnimate.exe	21
PID 760 wrote to memory of 1172	760	iconAnimate.exe	21
PID 760 wrote to memory of 1172	760	iconAnimate.exe	21
PID 760 wrote to memory of 1172	760	iconAnimate.exe	21
PID 760 wrote to memory of 1172	760	iconAnimate.exe	21
PID 760 wrote to memory of 1172	760	iconAnimate.exe	21
PID 760 wrote to memory of 1172	760	iconAnimate.exe	21
PID 760 wrote to memory of 1172	760	iconAnimate.exe	21
PID 760 wrote to memory of 1172	760	iconAnimate.exe	21
PID 760 wrote to memory of 1172	760	iconAnimate.exe	21
PID 760 wrote to memory of 1172	760	iconAnimate.exe	21
PID 760 wrote to memory of 1172	760	iconAnimate.exe	21
PID 760 wrote to memory of 1172	760	iconAnimate.exe	21
PID 760 wrote to memory of 1172	760	iconAnimate.exe	21
PID 760 wrote to memory of 1172	760	iconAnimate.exe	21
PID 760 wrote to memory of 1172	760	iconAnimate.exe	21
PID 760 wrote to memory of 1172	760	iconAnimate.exe	21
PID 760 wrote to memory of 1172	760	iconAnimate.exe	21
PID 760 wrote to memory of 1172	760	iconAnimate.exe	21
PID 760 wrote to memory of 1172	760	iconAnimate.exe	21
PID 760 wrote to memory of 1172	760	iconAnimate.exe	21
PID 760 wrote to memory of 1172	760	iconAnimate.exe	21
PID 760 wrote to memory of 1172	760	iconAnimate.exe	21
PID 760 wrote to memory of 1172	760	iconAnimate.exe	21
PID 760 wrote to memory of 1172	760	iconAnimate.exe	21
PID 760 wrote to memory of 1172	760	iconAnimate.exe	21
PID 760 wrote to memory of 1172	760	iconAnimate.exe	21
PID 760 wrote to memory of 1172	760	iconAnimate.exe	21
PID 760 wrote to memory of 1172	760	iconAnimate.exe	21

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1172
- C:\Users\Admin\AppData\Local\Temp\075232b2c7f732b51188290a88bdde55_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\075232b2c7f732b51188290a88bdde55_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1948
- - C:\Users\Admin\AppData\Roaming\37\wukong\wukong.exe
    "C:\Users\Admin\AppData\Roaming\37\wukong\wukong.exe" /ShowDeskTop
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of FindShellTrayWindow
    PID:2496
- - C:\Users\Admin\AppData\Roaming\37\wukong\wukong.exe
    "C:\Users\Admin\AppData\Roaming\37\wukong\wukong.exe" /autorun /setuprun
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2900
  - - C:\Users\Admin\AppData\Roaming\37\wukong\iconAnimate.exe
      "C:\Users\Admin\AppData\Roaming\37\wukong\iconAnimate.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:760
- - C:\Users\Admin\AppData\Roaming\37\wukong\wukong.exe
    "C:\Users\Admin\AppData\Roaming\37\wukong\wukong.exe" /setupsucc
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Writes to the Master Boot Record (MBR)
    - Suspicious behavior: EnumeratesProcesses
    PID:848
- - C:\Users\Admin\AppData\Roaming\37\wukong\iconAnimate.exe
    C:\Users\Admin\AppData\Roaming\37\wukong\iconAnimate.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:2556
- - C:\Users\Admin\AppData\Roaming\37\wukong\iconTips.exe
    C:\Users\Admin\AppData\Roaming\37\wukong\iconTips.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:2380

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar3106.tmp

Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
C:\Users\Admin\AppData\Roaming\37\wukong\Lander.ini

Filesize
330B

MD5
519abab29358ec4c423d4637d4cf8de8

SHA1
f24d3855d5f53b9521451186c69c18e8d890b975

SHA256
521ba003af78677041a731f24e375f090051861d72725434e121b90d5d3e492a

SHA512
6f703f20d8c339981948a7172f47081980bea806c4804c8878f94d6ed72cb5d5cbc9934ccd96163d774c2421e21ae613e60ff188c3e55b009db5715b7c69970b

Download Submit
C:\Users\Admin\AppData\Roaming\37\wukong\Lander.ini

Filesize
361B

MD5
d1983243fd47153a97407bcee1a59389

SHA1
79b7202aa0cf5d57d61e69cfdf53ede55070abd0

SHA256
757f328f6e40d0d2ded18bd776a34b4a8ba8bb8f99ff82ed3d06a574cf274f5a

SHA512
302fb703a03e4ab8d17aa70d28dee0158fd5524f6856f452c5f6dfa5ef17352374505f9ef87c4f18da82be7ac915f09a39bdb7f3fdae33d19db7e38caa4d088b

Download Submit
C:\Users\Admin\AppData\Roaming\37\wukong\iconAnimate.exe

Filesize
215KB

MD5
1184e1bbe9c54c05f0536ca26b435d8c

SHA1
dbb4e8467b4386a8908f605961680fb4c3860a32

SHA256
200a4f5bfe095ae992e8a4aa231417d330f68aa0dd7bb240f2664c6219373dda

SHA512
4c7011c7f28b780a9dd2edcdc2c7b2516cab4cd76c3d394e26da12d9f2976e98ec0efeb6a0267ec34c199b3104a90a2ed453b7783bde84de0e79eef29ad351f4

Download Submit
C:\Users\Admin\AppData\Roaming\37\wukong\lander.ini

Filesize
349B

MD5
22fef4b4ad5fdadd811ec67e5b8dfaa4

SHA1
3668754e7f02c8a186242c02bcffab8055f58728

SHA256
d47c973caed47db2cf928c19e01c219830847a3590fbbe6ae065ea55d706faf8

SHA512
4fdc913399fbc5b7453e48139826cfb745d03b16ce6c9d3c9b0dc3988a6e42eb94510999c0e6261b6bea66bf5db126fabf91a6b76dc5015b514682774c93ff69

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\37´óÄÖÌì¹¬.lnk

Filesize
935B

MD5
99299d02830a07cbfa552d6ddd2bb359

SHA1
622a1a959a1f0c2b2c085f7bb8b6b50bbbccabe4

SHA256
14b893dd59df4eb50e2a30eab5a0570fd1cb9e53a111b5c1567489384d3ea7b9

SHA512
bcfdd90a82498b2f6c03e561b9e9ec09955319e914cb47e6b27fd3fe9fb7f53a59e62170e93feb096ae3eea59be0187e0423de098f57a4682a43c410296a30bb

Download Submit
\Users\Admin\AppData\Roaming\37\wukong\iconTips.exe

Filesize
257KB

MD5
bd2a944d69eeb1b2bb86f825eeb289a4

SHA1
3b04ebd33de312044fff329afc18f68c39ce8606

SHA256
dc948d6b754a7fbc0e7a643939ba152f9ee8691e54661ef06632c79f5c49a4be

SHA512
f1759c3f6efb8a387d30515062036475bfa6b3fefaf0723b1b99dca1ca0a0a859c59e783737479e5572de77ca76fe010d9a7015c09af6b401ca04973e4923226

Download Submit
\Users\Admin\AppData\Roaming\37\wukong\wukong.exe

Filesize
883KB

MD5
bbe5393b53625b705049d22344116378

SHA1
40bd49673d2d86a9debd4137fc98dadb356543fb

SHA256
e52c2ee1ee94485c004c10a6ab8a9100c9fe1d9f23173368f7a00b273ac8c4fa

SHA512
6542effd04ae8d12e0917cc7b5c6f86c20fd99f93453bc891ee5a5fe546f6abb8de8064bcc792d4b6b920e7bc17cfdea796b138b56c2d2ce15507365921bdc7c

Download Submit
memory/1172-105-0x0000000002F50000-0x0000000002F51000-memory.dmp

Filesize
4KB

Download
memory/1172-83-0x0000000002F50000-0x0000000002F51000-memory.dmp

Filesize
4KB

Download
memory/1172-95-0x0000000002F50000-0x0000000002F51000-memory.dmp

Filesize
4KB

Download
memory/1172-100-0x0000000002F50000-0x0000000002F51000-memory.dmp

Filesize
4KB

Download
memory/1172-99-0x0000000002F50000-0x0000000002F51000-memory.dmp

Filesize
4KB

Download
memory/1172-98-0x0000000002F50000-0x0000000002F51000-memory.dmp

Filesize
4KB

Download
memory/1172-97-0x0000000002F50000-0x0000000002F51000-memory.dmp

Filesize
4KB

Download
memory/1172-96-0x0000000002F50000-0x0000000002F51000-memory.dmp

Filesize
4KB

Download
memory/1172-94-0x0000000002F50000-0x0000000002F51000-memory.dmp

Filesize
4KB

Download
memory/1172-93-0x0000000002F50000-0x0000000002F51000-memory.dmp

Filesize
4KB

Download
memory/1172-92-0x0000000002F50000-0x0000000002F51000-memory.dmp

Filesize
4KB

Download
memory/1172-91-0x0000000002F50000-0x0000000002F51000-memory.dmp

Filesize
4KB

Download
memory/1172-90-0x0000000002F50000-0x0000000002F51000-memory.dmp

Filesize
4KB

Download
memory/1172-89-0x0000000002F50000-0x0000000002F51000-memory.dmp

Filesize
4KB

Download
memory/1172-88-0x0000000002F50000-0x0000000002F51000-memory.dmp

Filesize
4KB

Download
memory/1172-87-0x0000000002F50000-0x0000000002F51000-memory.dmp

Filesize
4KB

Download
memory/1172-86-0x0000000002F50000-0x0000000002F51000-memory.dmp

Filesize
4KB

Download
memory/1172-85-0x0000000002F50000-0x0000000002F51000-memory.dmp

Filesize
4KB

Download
memory/1172-84-0x0000000002F50000-0x0000000002F51000-memory.dmp

Filesize
4KB

Download
memory/1172-101-0x0000000002F50000-0x0000000002F51000-memory.dmp

Filesize
4KB

Download
memory/1172-106-0x0000000002F50000-0x0000000002F51000-memory.dmp

Filesize
4KB

Download
memory/1172-74-0x0000000002F50000-0x0000000002F51000-memory.dmp

Filesize
4KB

Download
memory/1172-104-0x0000000002F50000-0x0000000002F51000-memory.dmp

Filesize
4KB

Download
memory/1172-103-0x0000000002F50000-0x0000000002F51000-memory.dmp

Filesize
4KB

Download
memory/1172-102-0x0000000002F50000-0x0000000002F51000-memory.dmp

Filesize
4KB

Download
memory/1172-76-0x0000000002F50000-0x0000000002F51000-memory.dmp

Filesize
4KB

Download
memory/1172-82-0x0000000002F50000-0x0000000002F51000-memory.dmp

Filesize
4KB

Download
memory/1172-81-0x0000000002F50000-0x0000000002F51000-memory.dmp

Filesize
4KB

Download
memory/1172-80-0x0000000002F50000-0x0000000002F51000-memory.dmp

Filesize
4KB

Download
memory/1172-79-0x0000000002F50000-0x0000000002F51000-memory.dmp

Filesize
4KB

Download
memory/1172-75-0x0000000002F50000-0x0000000002F51000-memory.dmp

Filesize
4KB

Download
memory/1172-78-0x0000000002F50000-0x0000000002F51000-memory.dmp

Filesize
4KB

Download
memory/1172-77-0x0000000002F50000-0x0000000002F51000-memory.dmp

Filesize
4KB

Download
memory/1172-264-0x0000000002500000-0x0000000002501000-memory.dmp

Filesize
4KB

Download
memory/1172-263-0x0000000002500000-0x0000000002501000-memory.dmp

Filesize
4KB

Download
memory/1172-262-0x0000000002500000-0x0000000002501000-memory.dmp

Filesize
4KB

Download
memory/1172-261-0x0000000002500000-0x0000000002501000-memory.dmp

Filesize
4KB

Download
memory/1172-260-0x0000000002500000-0x0000000002501000-memory.dmp

Filesize
4KB

Download
memory/1172-259-0x0000000002500000-0x0000000002501000-memory.dmp

Filesize
4KB

Download
memory/1172-258-0x0000000002500000-0x0000000002501000-memory.dmp

Filesize
4KB

Download
memory/1172-257-0x0000000002500000-0x0000000002501000-memory.dmp

Filesize
4KB

Download
memory/1172-256-0x0000000002500000-0x0000000002501000-memory.dmp

Filesize
4KB

Download
memory/1172-255-0x0000000002500000-0x0000000002501000-memory.dmp

Filesize
4KB

Download
memory/1172-254-0x0000000002500000-0x0000000002501000-memory.dmp

Filesize
4KB

Download
memory/1172-253-0x0000000002500000-0x0000000002501000-memory.dmp

Filesize
4KB

Download
memory/1172-252-0x0000000002500000-0x0000000002501000-memory.dmp

Filesize
4KB

Download
memory/1172-251-0x0000000002500000-0x0000000002501000-memory.dmp

Filesize
4KB

Download
memory/1172-250-0x0000000002500000-0x0000000002501000-memory.dmp

Filesize
4KB

Download
memory/1172-249-0x0000000002500000-0x0000000002501000-memory.dmp

Filesize
4KB

Download
memory/1172-248-0x0000000002500000-0x0000000002501000-memory.dmp

Filesize
4KB

Download
memory/1172-247-0x0000000002500000-0x0000000002501000-memory.dmp

Filesize
4KB

Download
memory/1172-246-0x0000000002500000-0x0000000002501000-memory.dmp

Filesize
4KB

Download