Overview

Task tabs (truncated file names as shown on the page):
- 7 Static: static
- 1 73c6da067f...18.exe: windows7-x64
- 7 73c6da067f...18.exe: windows10-2004-x64
- 7 $PLUGINSDI...em.dll: windows7-x64
- 3 $PLUGINSDI...em.dll: windows10-2004-x64
- 3 $PLUGINSDI...er.dll: windows7-x64
- 3 $PLUGINSDI...er.dll: windows10-2004-x64
- 3 $PLUGINSDI...up.dll: windows7-x64
- 3 $PLUGINSDI...up.dll: windows10-2004-x64
3 Analysis

- max time kernel: 122s
- max time network: 124s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 26-05-2024 00:37
Tasks

- Static task static1
- Behavioral task behavioral1: Sample 73c6da067fb3d334aff02a228f118992_JaffaCakes118.exe, Resource win7-20240221-en
- Behavioral task behavioral2: Sample 73c6da067fb3d334aff02a228f118992_JaffaCakes118.exe, Resource win10v2004-20240426-en
- Behavioral task behavioral3: Sample $PLUGINSDIR/System.dll, Resource win7-20240508-en
- Behavioral task behavioral4: Sample $PLUGINSDIR/System.dll, Resource win10v2004-20240426-en
- Behavioral task behavioral5: Sample $PLUGINSDIR/insthelper.dll, Resource win7-20240221-en
- Behavioral task behavioral6: Sample $PLUGINSDIR/insthelper.dll, Resource win10v2004-20240508-en
- Behavioral task behavioral7: Sample $PLUGINSDIR/reportsetup.dll, Resource win7-20240508-en
- Behavioral task behavioral8: Sample $PLUGINSDIR/reportsetup.dll, Resource win10v2004-20240508-en
General

- Target: 73c6da067fb3d334aff02a228f118992_JaffaCakes118.exe
- Size: 2.0MB
- MD5: 73c6da067fb3d334aff02a228f118992
- SHA1: 3ce65baab0d969339b658e3208efd1c4c4201415
- SHA256: 0d5def3720993c7ff853209226c0becaee1a367ee2d69dae8cf9cb951602b4e6
- SHA512: 518f6fd0f02423dae19464d3cec6c5dead56278b351ccc4cc48ba7a0e5106d034bc158d13d9877cd0a2e6a9acae83d8465f6dc7605469ff696dddd15081fddf9
- SSDEEP: 49152:68uup8JQPIFz41BR3bbpePvcdNKEBOZ8VcjbDhYRtWaETOZ8DMul:68uup8JQPC41BR3MsNKEcZ8VOscaY
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes: Au_.exe (PID 1792)
- Loads dropped DLL (3 IoCs)
  Processes: 73c6da067fb3d334aff02a228f118992_JaffaCakes118.exe (PID 1948), Au_.exe (PID 1792), Au_.exe (PID 1792)
- Writes to the Master Boot Record (MBR) (1 TTP, 1 IoC)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  Processes: File opened for modification, IoC \??\PhysicalDrive0, process Au_.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: EnumeratesProcesses (14 IoCs)
  Processes: Au_.exe (PID 1792), 14 occurrences
- Suspicious use of SetWindowsHookEx (1 IoC)
  Processes: Au_.exe (PID 1792)
- Suspicious use of WriteProcessMemory (7 IoCs)
  Processes: PID 1948 (73c6da067fb3d334aff02a228f118992_JaffaCakes118.exe) wrote to memory of PID 1792 (Au_.exe), 7 occurrences
Processes

1. C:\Users\Admin\AppData\Local\Temp\73c6da067fb3d334aff02a228f118992_JaffaCakes118.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\73c6da067fb3d334aff02a228f118992_JaffaCakes118.exe"
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
   PID: 1948
   2. C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe (child of PID 1948)
      Command line: "C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe" _?=C:\Users\Admin\AppData\Local\Temp\
      - Executes dropped EXE
      - Loads dropped DLL
      - Writes to the Master Boot Record (MBR)
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx
      PID: 1792
Network
MITRE ATT&CK Enterprise v15
Downloads

- C:\Users\Admin\AppData\Local\Temp\nso2A3D.tmp\insthelper.dll
  Filesize: 774KB
  MD5: 8bcd300c69b67e78b09cf07aecfa14fb
  SHA1: d92bdb71d8b8477a3f0838360191aecc459a3c09
  SHA256: d62d59db60544bd44db6d710f3b6d48608bee022d908dc46d16885e79dd1ca0d
  SHA512: 393667c3423ed6defeca5c7c51c3244106ebb737398b34822a38edf9fa68cead72016a77c29d4f47d0c5c784c6339e8080d3b35eb17d325658a951c464951cf4
- \Users\Admin\AppData\Local\Temp\nso2A3D.tmp\System.dll
  Filesize: 19KB
  MD5: 35d7b29c3ed690a8b0cd323917677b42
  SHA1: ad74d2babe09f94838e408c8f9f77b6b56c644f5
  SHA256: 714bd22a836a7f164b848541b8bf8ac80a20ff38e10e412bf9ef518620a80b8c
  SHA512: abc6f37b7306de737adf998607e81304ecc1589ac8e3164651b237def11b424a190e84608f4f6ce44a63ce225d93be7c617a736c82fb6b9077c5222c2e17b67d
- \Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe
  Filesize: 2.0MB
  MD5: 73c6da067fb3d334aff02a228f118992
  SHA1: 3ce65baab0d969339b658e3208efd1c4c4201415
  SHA256: 0d5def3720993c7ff853209226c0becaee1a367ee2d69dae8cf9cb951602b4e6
  SHA512: 518f6fd0f02423dae19464d3cec6c5dead56278b351ccc4cc48ba7a0e5106d034bc158d13d9877cd0a2e6a9acae83d8465f6dc7605469ff696dddd15081fddf9