9cf6625afac4e5153e233350b7b23191a58d7883934766ecd8a1a3530395a134

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
21-05-2024 08:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

629d4fffe49f60e36058735ace4e63e1_JaffaCakes118.exe
Size

1.2MB
MD5

629d4fffe49f60e36058735ace4e63e1
SHA1

f80afd0e3e1868163985f3c2e39451d1a6f91af7
SHA256

9cf6625afac4e5153e233350b7b23191a58d7883934766ecd8a1a3530395a134
SHA512

dcacb7a8d9a750cde63c4a520c3038410d1dd98bf54b840ed0496d7c2f882e3381321a8a1473585644c6bc2b822248e3df5be7275a9ef0c46a12e4c41da3d416
SSDEEP

24576:X/vXd0GFi/eytAEuJ7qLeboZDvloG68KfPuAhYt2iH/6w2pZPvpf7Qg6aEa:Pfd0GFi/pAEE750ZRd67fLhYtvCR3Xpb

Score

6^/10

bootkit persistence

Malware Config

Signatures

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	629d4fffe49f60e36058735ace4e63e1_JaffaCakes118.exe

Loads dropped DLL 1 IoCs

pid	Process
2748	629d4fffe49f60e36058735ace4e63e1_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
2748	629d4fffe49f60e36058735ace4e63e1_JaffaCakes118.exe
2748	629d4fffe49f60e36058735ace4e63e1_JaffaCakes118.exe
2748	629d4fffe49f60e36058735ace4e63e1_JaffaCakes118.exe
2748	629d4fffe49f60e36058735ace4e63e1_JaffaCakes118.exe
2748	629d4fffe49f60e36058735ace4e63e1_JaffaCakes118.exe
2748	629d4fffe49f60e36058735ace4e63e1_JaffaCakes118.exe
2748	629d4fffe49f60e36058735ace4e63e1_JaffaCakes118.exe
2748	629d4fffe49f60e36058735ace4e63e1_JaffaCakes118.exe
2748	629d4fffe49f60e36058735ace4e63e1_JaffaCakes118.exe
2748	629d4fffe49f60e36058735ace4e63e1_JaffaCakes118.exe
2748	629d4fffe49f60e36058735ace4e63e1_JaffaCakes118.exe
2748	629d4fffe49f60e36058735ace4e63e1_JaffaCakes118.exe
2748	629d4fffe49f60e36058735ace4e63e1_JaffaCakes118.exe
2748	629d4fffe49f60e36058735ace4e63e1_JaffaCakes118.exe
2748	629d4fffe49f60e36058735ace4e63e1_JaffaCakes118.exe
2748	629d4fffe49f60e36058735ace4e63e1_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2748	629d4fffe49f60e36058735ace4e63e1_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\629d4fffe49f60e36058735ace4e63e1_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\629d4fffe49f60e36058735ace4e63e1_JaffaCakes118.exe"
1⤵
- Writes to the Master Boot Record (MBR)
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2748

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\TencentDownload\~e5746fc\QQPCDownload.dll

Filesize
1.1MB

MD5
aa142942435b567595a71eb4eb402579

SHA1
790ed6f6e5016b8873ce1817bcc96024a0e768de

SHA256
73a934147b27437f91517ed9ed7eb20fb54e222a1bf2047f201ac668455c0f1e

SHA512
e8a9d760bfac910500a56aea8e3849bc3e73c3a0065557dc1da2495d785ba58c428a168a97faebfaa638aa3e285e7141f3937156dc1d26caad1792929dba8708

Download Submit