Overview

overview

8

Static

static

1

1610a1baa2...18.exe

windows7-x64

8

1610a1baa2...18.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    133s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240419-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
  • submitted
    05/05/2024, 04:53

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    1610a1baa2327aacdd625ac9cea6f2b8_JaffaCakes118.exe

  • Size

    905KB

  • MD5

    1610a1baa2327aacdd625ac9cea6f2b8

  • SHA1

    dc90be6ba647911f51ac75573bfa06ef8666e4db

  • SHA256

    226d4f9bc4b1acc7b293f8fe4709c1f07ebf75bc66fa4857d68cd26fe1160f5e

  • SHA512

    91c725ee93b98f59f0c1ef131221932c03356f1fcf738581af154bec180327ad6f4223cae5351d8e334833477cfae6665f5bfc1c73eebc42e9b5beae8904aeaf

  • SSDEEP

    12288:TKKkF1X10ZhaJfC5/cnGLeb8fe6Owhky95g1xGkg1aFSkYu8DU0OYhLu0O49g3k:eKOXuhaJfo/da6OwZy1kkui6uKVOZk

Score
7/10
bootkitpersistence

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 3 IoCs
  • Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

    bootkitpersistence
  • Drops file in Program Files directory 33 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • NSIS installer 2 IoCs
    installer
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1610a1baa2327aacdd625ac9cea6f2b8_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\1610a1baa2327aacdd625ac9cea6f2b8_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Writes to the Master Boot Record (MBR)
    • Suspicious use of WriteProcessMemory
    PID:3948
    • C:\Users\Admin\AppData\Local\Temp\minidownload.exe
      C:\Users\Admin\AppData\Local\Temp\\minidownload.exe
      2⤵
      • Executes dropped EXE
      • Drops file in Program Files directory
      PID:3092
    • C:\Program Files (x86)\SogouDownLoad\DownLoadDlg.exe
      "C:\Program Files (x86)\SogouDownLoad\DownLoadDlg.exe" /Install?status=true&softurl=https%3A%2F%2Fxiazai.sogou.com%2Fcomm%2Fredir%3Fsoftdown%3D1%26u%3D5M778mNuk-Kn5im16Xqufpm73IcE-aIs4gcvPL07TEJ86hRHz3mToT_ePZtTrYvi7YQ-v76q1eLZ-feXkpKDG8uqxplQrsbk%26pcid%3D562185221852419207%26fr%3Dxiazai%26source%3Dtencent%26filename%3Dediary_v30final.zip&iconurl=http%3A%2F%2Fpc3.gtimg.com%2Fsoftmgr%2Flogo%2F48%2F161020_48_1387967396.png&softname=%E7%94%B5%E5%AD%90%E6%97%A5%E8%AE%B0%E6%9C%AC&softsize=4.79MB
      2⤵
      • Executes dropped EXE
      • Writes to the Master Boot Record (MBR)
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:5012
      • C:\Program Files (x86)\SogouDownLoad\crash\ExceptionReport.exe
        "C:\Program Files (x86)\SogouDownLoad\crash\ExceptionReport.exe" "dump202405050453"
        3⤵
        • Executes dropped EXE
        PID:3492

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files (x86)\SogouDownLoad\DownLoadDlg.exe
    Filesize

    786KB

    MD5

    3f1eae76cd9e2cd1d6c1fa9b3ad2df9a

    SHA1

    5066a259189ba2181969accd7f71d17f38591de7

    SHA256

    3c987155a155ae4603760f471eaab1bbb130471fb3f47127283da9070ea23a5f

    SHA512

    2d56933e707d622badd819405bb905037557a5a23b647bb9033d67c8719aa8cf9b56f0185bd2efccec857b7f3573689c35732af1f83998a943373cc8ca29f7c1

    Download Submit

  • C:\Program Files (x86)\SogouDownLoad\crash\ExceptionReport.exe
    Filesize

    111KB

    MD5

    ba7121a86dbffafc97e1b8c11c17e199

    SHA1

    922e584be46621e0ab57d3bb47b7c5dee8230ea8

    SHA256

    0bc616a788f782a37b8fb0134ffabdd8a2988205a125b2f400c3deb43e2a8971

    SHA512

    22641abfa34f8ed5c24375b221b6cae935fadffb4b1cf9f8c452658538dd4af459ec7e6a95d05fb7b3aa0fcb4bd195fa18d6fe787ece282fa5c5a8187da76197

    Download Submit

  • C:\Program Files (x86)\SogouDownLoad\html\config.ini
    Filesize

    116B

    MD5

    ffa1443199298e2c4ff1122f1ae14b05

    SHA1

    96175a64c1f8ba142aa057e8f76e13467ecefb82

    SHA256

    2d21ddb94831d5345bbfbe52ecd342067cf49c6eaf8c78057e1901b6c69c6574

    SHA512

    3955846ed694c43d2d9857168e1c3fee9714ecea70c0af04b1db6d7be5b4805b92730d74bc4a74ed5464c47e4af558b8d040d0efc8ec276fcb8c50c346fe61de

    Download Submit

  • C:\Program Files (x86)\SogouDownLoad\html\css\downloader.css
    Filesize

    7KB

    MD5

    0079cdb145c388c3e4c5e2235ac97bce

    SHA1

    7a8fee29992183dd572c52a1f6ca24219f4d8cba

    SHA256

    f4890eb5df2bb1b2921c0e561388780b4e2871998ca5aa7f4ec8bbf6ea1a715c

    SHA512

    7387d097152a49f8c57db203d89f64f6d2f905b60f69fa90d26ee3ebcab6428865e745fca63600c724c296db85d299502b4133cacd4b7dbcd4653712a82caa46

    Download Submit

  • C:\Program Files (x86)\SogouDownLoad\html\download.html
    Filesize

    7KB

    MD5

    382c18d88309c186f501dc3d31876461

    SHA1

    1c602b521deec4e2826e9280fed7e586351282c4

    SHA256

    67293d69f293e3347dd6eaabf19b84d3bba0fbc00fcc19d79be354da3f105687

    SHA512

    f82ba3616734551eef1239203cc09531280f1c9118edc1f1218c18247c13dc3455e7d783f440a919a1df47922d33ed8526deabd979fe4d12e6cef2a5707c045d

    Download Submit

  • C:\Program Files (x86)\SogouDownLoad\html\images\img_exe.gif
    Filesize

    657B

    MD5

    0e0ac8352cd69f396f271fa32f3ab554

    SHA1

    ed6d306a5033707f45477df3318a53d15b47cf43

    SHA256

    c2c34d6bf4e17b756954e409dc9b5663169d68997abd722ce1e86473b769f10c

    SHA512

    5d2528489c21600f16f04559500be3ebe9db5a1dc7bf9abc9c1312187b4b8b7bc5966f9eb2a38e26bff26c854a6d964fa156641fed9501cf0e7befedb60fd7e0

    Download Submit

  • C:\Program Files (x86)\SogouDownLoad\html\js\actions.js
    Filesize

    8KB

    MD5

    3b4a5f925a08bd18b636880b8d557077

    SHA1

    73ed8c3697681e7999bae4fdcc62867b263182ce

    SHA256

    48b8718ba8de855d6c937b23eb7ccc4f5482e6619de9261324c12a48ae6769dc

    SHA512

    aa5ffd3040a6eb964ed7c70d138e3201989f78551610e22585077fa86bff58740500d6309c339a2dded56481d04f7416ca97b22548fde4661f7da39c9600644b

    Download Submit

  • C:\Program Files (x86)\SogouDownLoad\html\js\jquery-1.11.2.min.js
    Filesize

    93KB

    MD5

    5790ead7ad3ba27397aedfa3d263b867

    SHA1

    8130544c215fe5d1ec081d83461bf4a711e74882

    SHA256

    2ecd295d295bec062cedebe177e54b9d6b19fc0a841dc5c178c654c9ccff09c0

    SHA512

    781acedc99de4ce8d53d9b43a158c645eab1b23dfdfd6b57b3c442b11acc4a344e0d5b0067d4b78bb173abbded75fb91c410f2b5a58f71d438aa6266d048d98a

    Download Submit

  • C:\Program Files (x86)\SogouDownLoad\html\js\swfobject.js
    Filesize

    10KB

    MD5

    631f38cfac458788af482eba736e5ac3

    SHA1

    b1d09def39ec74eff2c9e0aafe0a7c12e7650150

    SHA256

    13e6cf03cdd65a8174cce7b0cb40c9821d2aff04a79c3374e8664fb0abb5694d

    SHA512

    3ae47c895cd586b1dca8bdf65c58bc896b27837881cc42bb7b3d55c9a71ea9e857939a69c5146b445b64714996393d1ec9c0d95b18d18fd5cb48f02bb8a53f42

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\CRASH.DMP
    Filesize

    106KB

    MD5

    149f4b68a7fbfc3e817d2300d0c6e8eb

    SHA1

    f1e9926aac358a9831e1e260cefe031e73011d28

    SHA256

    80410a4be7954a672135126cd60fb28f390d76f6a495d42bfc35ae1e7bb12a7c

    SHA512

    ad09b1eaf201dfc6c076cbc56eb983cee8aa6d1491f6b3f87bd42fc241a269ed3c405132411a0c9eee77398f6366d45f032cfb80c7ac996b03fbe9ba3e5ae8fa

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\ERRORLOG.TXT
    Filesize

    35KB

    MD5

    5b0c2cbb754d8f4bee4e825e1eddac8e

    SHA1

    856213d242e1c57675dbdfa62092410ae4f3c326

    SHA256

    c881ad6e4c5e26ce056d7a8372a591cebe5831222ea6e2c4dd63477dbf8417fc

    SHA512

    4555d53e94071d267afdd13faaadc66daca768f9ae64232ca960befcfbf15247abb0fde333e056a4dd64ff645e5cb096fa1bd509f50734210f3ee4a989624f8d

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\minidownload.exe
    Filesize

    496KB

    MD5

    0aaf56d69b9f7976df9199c43d50c46e

    SHA1

    ff5aae9855bcc1dd22cce8b9bb658aece7c700d3

    SHA256

    8ff183757f031c449463b8e02d30157b029cea3e9a05770a4891c24d7cb398b5

    SHA512

    6b5b8d1be7fd78a0eaa2025c53c6760191752c3ec8a2336b1c12bec713f1c0a8b02163c8f47ab3d310033f6bac3c76ba967ff88d82f4787524f1f9f25f63c677

    Download Submit

  • memory/5012-40-0x0000000002CA0000-0x0000000002CA1000-memory.dmp

    Filesize

    4KB

    Download