Analysis
- max time kernel: 148s
- max time network: 149s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 22-05-2024 01:09
Static task
- static1
Behavioral task
- behavioral1
  - Sample: 65782a89407957a1b75f289b2686eeca_JaffaCakes118.exe
  - Resource: win7-20240221-en
Behavioral task
- behavioral2
  - Sample: 65782a89407957a1b75f289b2686eeca_JaffaCakes118.exe
  - Resource: win10v2004-20240508-en
General
- Target: 65782a89407957a1b75f289b2686eeca_JaffaCakes118.exe
- Size: 7.0MB
- MD5: 65782a89407957a1b75f289b2686eeca
- SHA1: 450cff946ada1c2faecff2022e2bf8d252ce256e
- SHA256: aaedaa050d4c36bbde17f64881abf8e1d262c8d7ec4ac1a242cfef4c0d6ffcbc
- SHA512: c9ccea0d441bbbf643bee0a6dc61fe4946e1b0989d43c3461ec0d001fcf38030dd115ffe25a4b030bd7b73d2e011264c2f058a1bceecb3dcaf72c0dadbdf6cf6
- SSDEEP: 196608:3tyoNtGUevnh36ujLM28KUhvYBPEVY0LSX6QXb:3tZVeTLJQYRP6QL
Malware Config
Signatures
- Writes to the Master Boot Record (MBR) (1 TTPs, 1 IoCs)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  Processes:
  - File opened for modification: \??\PhysicalDrive0 (process: 65782a89407957a1b75f289b2686eeca_JaffaCakes118.exe)
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Kills process with taskkill (4 IoCs)
  Processes:
  - PID 1956: taskkill.exe
  - PID 2024: taskkill.exe
  - PID 2540: taskkill.exe
  - PID 2812: taskkill.exe
- Suspicious behavior: EnumeratesProcesses (1 IoCs)
  Processes:
  - PID 2992: 65782a89407957a1b75f289b2686eeca_JaffaCakes118.exe
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  Processes:
  - Token: SeDebugPrivilege, PID 2024: taskkill.exe
  - Token: SeDebugPrivilege, PID 2812: taskkill.exe
  - Token: SeDebugPrivilege, PID 1956: taskkill.exe
  - Token: SeDebugPrivilege, PID 2540: taskkill.exe
- Suspicious use of WriteProcessMemory (16 IoCs)
  Processes (each source/target pair is logged four times):
  - PID 2992 (65782a89407957a1b75f289b2686eeca_JaffaCakes118.exe) wrote to memory of PID 2812 (taskkill.exe)
  - PID 2992 (65782a89407957a1b75f289b2686eeca_JaffaCakes118.exe) wrote to memory of PID 1956 (taskkill.exe)
  - PID 2992 (65782a89407957a1b75f289b2686eeca_JaffaCakes118.exe) wrote to memory of PID 2024 (taskkill.exe)
  - PID 2992 (65782a89407957a1b75f289b2686eeca_JaffaCakes118.exe) wrote to memory of PID 2540 (taskkill.exe)
Processes
- C:\Users\Admin\AppData\Local\Temp\65782a89407957a1b75f289b2686eeca_JaffaCakes118.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\65782a89407957a1b75f289b2686eeca_JaffaCakes118.exe"
  - Writes to the Master Boot Record (MBR)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\taskkill.exe (depth 2)
    Command line: "C:\Windows\System32\taskkill.exe" /f /im KuaiZip.exe
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\taskkill.exe (depth 2)
    Command line: "C:\Windows\System32\taskkill.exe" /f /im Update.exe
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\taskkill.exe (depth 2)
    Command line: "C:\Windows\System32\taskkill.exe" /f /im KZReport.exe
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\taskkill.exe (depth 2)
    Command line: "C:\Windows\System32\taskkill.exe" /f /im UpdateChecker.exe
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken