Analysis

  • max time kernel
    119s
  • max time network
    124s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    07/05/2024, 03:11

General

  • Target

    1f40c4422ffff18c554b7313d3a8df60_JaffaCakes118.exe

  • Size

    1.2MB

  • MD5

    1f40c4422ffff18c554b7313d3a8df60

  • SHA1

    ee5b7c88fea14731be96a3ccc05d4cd655f54ed1

  • SHA256

    30ef369d154a2d3bf33e28940ecfddf8a0194b4f4e7128571b643044556bbb70

  • SHA512

    d0229224f75e01cb8d4599d4a2961fce64188165aeaffc9206ad6f9e3e677e90424971b72f87ea052bdcfc9a9ee515bafea759396d5127d2615a5fa432b1b533

  • SSDEEP

    24576:KYiAos7FQQ03tyjhtueZwGnFCEBEc168tar8vG5Mq8WpdR0y06cQCEW:viAos7FQQRjrugjnF5tre5Mq8WpdRJ0H

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 5 IoCs
  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1f40c4422ffff18c554b7313d3a8df60_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\1f40c4422ffff18c554b7313d3a8df60_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1612
    • C:\Users\Admin\AppData\Roaming\yj_dtsk\yj_dtsk.exe
      "C:\Users\Admin\AppData\Roaming\yj_dtsk\yj_dtsk.exe" /ShowDeskTop
      2⤵
      • Executes dropped EXE
      • Suspicious use of FindShellTrayWindow
      PID:2028
    • C:\Users\Admin\AppData\Roaming\yj_dtsk\yj_dtsk.exe
      "C:\Users\Admin\AppData\Roaming\yj_dtsk\yj_dtsk.exe" /autorun /setuprun
      2⤵
      • Executes dropped EXE
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:2668
    • C:\Users\Admin\AppData\Roaming\yj_dtsk\yj_dtsk.exe
      "C:\Users\Admin\AppData\Roaming\yj_dtsk\yj_dtsk.exe" /setupsucc
      2⤵
      • Executes dropped EXE
      • Writes to the Master Boot Record (MBR)
      • Suspicious behavior: EnumeratesProcesses
      PID:2396

Network


        Downloads

        • C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\紫色古堡.lnk (GBK filename; displayed as Ѫɫ¹Å±¤.lnk in the raw sandbox listing)

          Filesize

          864B

          MD5

          775e8d45bd2b9f7c80773281a36b980f

          SHA1

          6b42a8297e8bf25f750d503c8c71c41a2b9c3250

          SHA256

          4f3a2fbc2b20c689bea144d6f9877254446865e7689c23199c4ce56119de42c1

          SHA512

          330545bcb5f6bb568e830e705742083bb38f420f60380394df8e1ced47c736cd4699957761c3c69e0416a11f626409b673b5b8afbd33e44ac4f60dd87f181bec

        • C:\Users\Admin\AppData\Roaming\yj_dtsk\Lander.ini

          Filesize

          454B

          MD5

          04e813edb010a8177e6348ad91ae63ce

          SHA1

          1bd0dac493ca7affc732c042aafad0e2aa207980

          SHA256

          fb32d354a4f95d9326b494b17280f830c989a7fd54c1afd20c25804ae9655020

          SHA512

          9c105c668658b10e054be88429a46c36eb5977b557362b9a6152a27470ad2b04ea313c4f7dc612021ef13284c9e812d3ff1d07b344000d8b9cea00ebfb790a4b

        • C:\Users\Admin\AppData\Roaming\yj_dtsk\Lander.ini

          Filesize

          664B

          MD5

          4ed9614397e098853a4a72806969a8a8

          SHA1

          8accfa48b6af02e9c5403215b8d23300fcca5717

          SHA256

          ef49df72840ea1f48503510664000c0da83a65df63b4b1eed65165d30d5a0f16

          SHA512

          9bfa9dafff77441ff8b1b3a732425b54b7a54d01b4f712c107d325fb8e3a3a4ae259c6874b9a49b61945cff1f46589141906ed8267d01de9990c0de3463ec6d0

        • C:\Users\Admin\AppData\Roaming\yj_dtsk\lander.ini

          Filesize

          391B

          MD5

          79833079e022c9ec09974a780083b68f

          SHA1

          a640dd52a3722a0e4be42c2789245d4a1d251d1c

          SHA256

          e415657883d27b1268f301948188906856a1998ef49b72f215cc474e331dbef3

          SHA512

          8494f2c99631c36e5d9f7e40423b9469e78198076eec6a443c219d30380e84fd298fb45ea03989c630a2297d7c4324c9a861695988740b18908720a8f0bd7bbf

        • C:\Users\Admin\AppData\Roaming\yj_dtsk\lander.ini

          Filesize

          410B

          MD5

          3061881b3fde56a8e3a9d9b3acb85ec9

          SHA1

          646b806ef0384a275a1102673068ed68ce3d1763

          SHA256

          238147067f662483813185c19c33bfd59fd94e548c4914cce9a0cacd07b38f90

          SHA512

          45a784876205c400f47b9561162d01e64f5d66b0170d88c300b3fdcbd2b4e9bc474ffd2cfc306d4a6da84829df6e75177db8da7dc5cf3927bb49688b84a0ee3c

        • \Users\Admin\AppData\Local\Temp\nsd7C91.tmp\FindProcDLL.dll

          Filesize

          3KB

          MD5

          8614c450637267afacad1645e23ba24a

          SHA1

          e7b7b09b5bbc13e910aa36316d9cc5fc5d4dcdc2

          SHA256

          0fa04f06a6de18d316832086891e9c23ae606d7784d5d5676385839b21ca2758

          SHA512

          af46cd679097584ff9a1d894a729b6397f4b3af17dff3e6f07bef257bc7e48ffa341d82daf298616cd5df1450fc5ab7435cacb70f27302b6db193f01a9f8391b

        • \Users\Admin\AppData\Local\Temp\nsd7C91.tmp\System.dll

          Filesize

          11KB

          MD5

          c17103ae9072a06da581dec998343fc1

          SHA1

          b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

          SHA256

          dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

          SHA512

          d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

        • \Users\Admin\AppData\Roaming\yj_dtsk\yj_dtsk.exe

          Filesize

          1.2MB

          MD5

          ebeb1bb919543b07d57aabb96c331e27

          SHA1

          06c1857f7cbb76ce01b6b1ea9a1bf8fc4538b2c9

          SHA256

          68538e5ab408445b3b73158a40ea6e9b1bada7e874a7c4b3bbf3b48568e9a676

          SHA512

          39d13db5ad0b17e16a9db56b3294cc7c0f66d79ab64d69d796dd005963f6f1a33000b1f306b7a59b2cd3525f9a41b7f192748837498123ad0ee54903c19817b2

        • memory/1612-12-0x00000000003B0000-0x00000000003B3000-memory.dmp

          Filesize

          12KB

        • memory/1612-13-0x00000000003B1000-0x00000000003B2000-memory.dmp

          Filesize

          4KB

        • memory/1612-71-0x00000000003B1000-0x00000000003B2000-memory.dmp

          Filesize

          4KB