Overview

overview

8

Static

static

1

1610a1baa2...18.exe

windows7-x64

8

1610a1baa2...18.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    133s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240419-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
  • submitted
    05/05/2024, 04:53

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    1610a1baa2327aacdd625ac9cea6f2b8_JaffaCakes118.exe

  • Size

    905KB

  • MD5

    1610a1baa2327aacdd625ac9cea6f2b8

  • SHA1

    dc90be6ba647911f51ac75573bfa06ef8666e4db

  • SHA256

    226d4f9bc4b1acc7b293f8fe4709c1f07ebf75bc66fa4857d68cd26fe1160f5e

  • SHA512

    91c725ee93b98f59f0c1ef131221932c03356f1fcf738581af154bec180327ad6f4223cae5351d8e334833477cfae6665f5bfc1c73eebc42e9b5beae8904aeaf

  • SSDEEP

    12288:TKKkF1X10ZhaJfC5/cnGLeb8fe6Owhky95g1xGkg1aFSkYu8DU0OYhLu0O49g3k:eKOXuhaJfo/da6OwZy1kkui6uKVOZk

Score
7/10
bootkitpersistence

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 3 IoCs
  • Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

    bootkitpersistence
  • Drops file in Program Files directory 33 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • NSIS installer 2 IoCs
    installer
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1610a1baa2327aacdd625ac9cea6f2b8_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\1610a1baa2327aacdd625ac9cea6f2b8_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Writes to the Master Boot Record (MBR)
    • Suspicious use of WriteProcessMemory
    PID:3948
    • C:\Users\Admin\AppData\Local\Temp\minidownload.exe
      C:\Users\Admin\AppData\Local\Temp\\minidownload.exe
      2⤵
      • Executes dropped EXE
      • Drops file in Program Files directory
      PID:3092
    • C:\Program Files (x86)\SogouDownLoad\DownLoadDlg.exe
      "C:\Program Files (x86)\SogouDownLoad\DownLoadDlg.exe" /Install?status=true&softurl=https%3A%2F%2Fxiazai.sogou.com%2Fcomm%2Fredir%3Fsoftdown%3D1%26u%3D5M778mNuk-Kn5im16Xqufpm73IcE-aIs4gcvPL07TEJ86hRHz3mToT_ePZtTrYvi7YQ-v76q1eLZ-feXkpKDG8uqxplQrsbk%26pcid%3D562185221852419207%26fr%3Dxiazai%26source%3Dtencent%26filename%3Dediary_v30final.zip&iconurl=http%3A%2F%2Fpc3.gtimg.com%2Fsoftmgr%2Flogo%2F48%2F161020_48_1387967396.png&softname=%E7%94%B5%E5%AD%90%E6%97%A5%E8%AE%B0%E6%9C%AC&softsize=4.79MB
      2⤵
      • Executes dropped EXE
      • Writes to the Master Boot Record (MBR)
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:5012
      • C:\Program Files (x86)\SogouDownLoad\crash\ExceptionReport.exe
        "C:\Program Files (x86)\SogouDownLoad\crash\ExceptionReport.exe" "dump202405050453"
        3⤵
        • Executes dropped EXE
        PID:3492

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Program Files (x86)\SogouDownLoad\DownLoadDlg.exe
          Filesize

          786KB

          MD5

          3f1eae76cd9e2cd1d6c1fa9b3ad2df9a

          SHA1

          5066a259189ba2181969accd7f71d17f38591de7

          SHA256

          3c987155a155ae4603760f471eaab1bbb130471fb3f47127283da9070ea23a5f

          SHA512

          2d56933e707d622badd819405bb905037557a5a23b647bb9033d67c8719aa8cf9b56f0185bd2efccec857b7f3573689c35732af1f83998a943373cc8ca29f7c1

          Download Submit

        • C:\Program Files (x86)\SogouDownLoad\crash\ExceptionReport.exe
          Filesize

          111KB

          MD5

          ba7121a86dbffafc97e1b8c11c17e199

          SHA1

          922e584be46621e0ab57d3bb47b7c5dee8230ea8

          SHA256

          0bc616a788f782a37b8fb0134ffabdd8a2988205a125b2f400c3deb43e2a8971

          SHA512

          22641abfa34f8ed5c24375b221b6cae935fadffb4b1cf9f8c452658538dd4af459ec7e6a95d05fb7b3aa0fcb4bd195fa18d6fe787ece282fa5c5a8187da76197

          Download Submit

        • C:\Program Files (x86)\SogouDownLoad\html\config.ini
          Filesize

          116B

          MD5

          ffa1443199298e2c4ff1122f1ae14b05

          SHA1

          96175a64c1f8ba142aa057e8f76e13467ecefb82

          SHA256

          2d21ddb94831d5345bbfbe52ecd342067cf49c6eaf8c78057e1901b6c69c6574

          SHA512

          3955846ed694c43d2d9857168e1c3fee9714ecea70c0af04b1db6d7be5b4805b92730d74bc4a74ed5464c47e4af558b8d040d0efc8ec276fcb8c50c346fe61de

          Download Submit

        • C:\Program Files (x86)\SogouDownLoad\html\css\downloader.css
          Filesize

          7KB

          MD5

          0079cdb145c388c3e4c5e2235ac97bce

          SHA1

          7a8fee29992183dd572c52a1f6ca24219f4d8cba

          SHA256

          f4890eb5df2bb1b2921c0e561388780b4e2871998ca5aa7f4ec8bbf6ea1a715c

          SHA512

          7387d097152a49f8c57db203d89f64f6d2f905b60f69fa90d26ee3ebcab6428865e745fca63600c724c296db85d299502b4133cacd4b7dbcd4653712a82caa46

          Download Submit

        • C:\Program Files (x86)\SogouDownLoad\html\download.html
          Filesize

          7KB

          MD5

          382c18d88309c186f501dc3d31876461

          SHA1

          1c602b521deec4e2826e9280fed7e586351282c4

          SHA256

          67293d69f293e3347dd6eaabf19b84d3bba0fbc00fcc19d79be354da3f105687

          SHA512

          f82ba3616734551eef1239203cc09531280f1c9118edc1f1218c18247c13dc3455e7d783f440a919a1df47922d33ed8526deabd979fe4d12e6cef2a5707c045d

          Download Submit

        • C:\Program Files (x86)\SogouDownLoad\html\images\img_exe.gif
          Filesize

          657B

          MD5

          0e0ac8352cd69f396f271fa32f3ab554

          SHA1

          ed6d306a5033707f45477df3318a53d15b47cf43

          SHA256

          c2c34d6bf4e17b756954e409dc9b5663169d68997abd722ce1e86473b769f10c

          SHA512

          5d2528489c21600f16f04559500be3ebe9db5a1dc7bf9abc9c1312187b4b8b7bc5966f9eb2a38e26bff26c854a6d964fa156641fed9501cf0e7befedb60fd7e0

          Download Submit

        • C:\Program Files (x86)\SogouDownLoad\html\js\actions.js
          Filesize

          8KB

          MD5

          3b4a5f925a08bd18b636880b8d557077

          SHA1

          73ed8c3697681e7999bae4fdcc62867b263182ce

          SHA256

          48b8718ba8de855d6c937b23eb7ccc4f5482e6619de9261324c12a48ae6769dc

          SHA512

          aa5ffd3040a6eb964ed7c70d138e3201989f78551610e22585077fa86bff58740500d6309c339a2dded56481d04f7416ca97b22548fde4661f7da39c9600644b

          Download Submit

        • C:\Program Files (x86)\SogouDownLoad\html\js\jquery-1.11.2.min.js
          Filesize

          93KB

          MD5

          5790ead7ad3ba27397aedfa3d263b867

          SHA1

          8130544c215fe5d1ec081d83461bf4a711e74882

          SHA256

          2ecd295d295bec062cedebe177e54b9d6b19fc0a841dc5c178c654c9ccff09c0

          SHA512

          781acedc99de4ce8d53d9b43a158c645eab1b23dfdfd6b57b3c442b11acc4a344e0d5b0067d4b78bb173abbded75fb91c410f2b5a58f71d438aa6266d048d98a

          Download Submit

        • C:\Program Files (x86)\SogouDownLoad\html\js\swfobject.js
          Filesize

          10KB

          MD5

          631f38cfac458788af482eba736e5ac3

          SHA1

          b1d09def39ec74eff2c9e0aafe0a7c12e7650150

          SHA256

          13e6cf03cdd65a8174cce7b0cb40c9821d2aff04a79c3374e8664fb0abb5694d

          SHA512

          3ae47c895cd586b1dca8bdf65c58bc896b27837881cc42bb7b3d55c9a71ea9e857939a69c5146b445b64714996393d1ec9c0d95b18d18fd5cb48f02bb8a53f42

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\CRASH.DMP
          Filesize

          106KB

          MD5

          149f4b68a7fbfc3e817d2300d0c6e8eb

          SHA1

          f1e9926aac358a9831e1e260cefe031e73011d28

          SHA256

          80410a4be7954a672135126cd60fb28f390d76f6a495d42bfc35ae1e7bb12a7c

          SHA512

          ad09b1eaf201dfc6c076cbc56eb983cee8aa6d1491f6b3f87bd42fc241a269ed3c405132411a0c9eee77398f6366d45f032cfb80c7ac996b03fbe9ba3e5ae8fa

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\ERRORLOG.TXT
          Filesize

          35KB

          MD5

          5b0c2cbb754d8f4bee4e825e1eddac8e

          SHA1

          856213d242e1c57675dbdfa62092410ae4f3c326

          SHA256

          c881ad6e4c5e26ce056d7a8372a591cebe5831222ea6e2c4dd63477dbf8417fc

          SHA512

          4555d53e94071d267afdd13faaadc66daca768f9ae64232ca960befcfbf15247abb0fde333e056a4dd64ff645e5cb096fa1bd509f50734210f3ee4a989624f8d

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\minidownload.exe
          Filesize

          496KB

          MD5

          0aaf56d69b9f7976df9199c43d50c46e

          SHA1

          ff5aae9855bcc1dd22cce8b9bb658aece7c700d3

          SHA256

          8ff183757f031c449463b8e02d30157b029cea3e9a05770a4891c24d7cb398b5

          SHA512

          6b5b8d1be7fd78a0eaa2025c53c6760191752c3ec8a2336b1c12bec713f1c0a8b02163c8f47ab3d310033f6bac3c76ba967ff88d82f4787524f1f9f25f63c677

          Download Submit

        • memory/5012-40-0x0000000002CA0000-0x0000000002CA1000-memory.dmp

          Filesize

          4KB

          Download