Analysis

  • max time kernel: 149s
  • max time network: 150s
  • platform: windows10-2004_x64
  • resource: win10v2004-20240426-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 26-05-2024 00:37

General

  • Target: 73c6da067fb3d334aff02a228f118992_JaffaCakes118.exe
  • Size: 2.0MB
  • MD5: 73c6da067fb3d334aff02a228f118992
  • SHA1: 3ce65baab0d969339b658e3208efd1c4c4201415
  • SHA256: 0d5def3720993c7ff853209226c0becaee1a367ee2d69dae8cf9cb951602b4e6
  • SHA512: 518f6fd0f02423dae19464d3cec6c5dead56278b351ccc4cc48ba7a0e5106d034bc158d13d9877cd0a2e6a9acae83d8465f6dc7605469ff696dddd15081fddf9
  • SSDEEP: 49152:68uup8JQPIFz41BR3bbpePvcdNKEBOZ8VcjbDhYRtWaETOZ8DMul:68uup8JQPC41BR3MsNKEcZ8VOscaY

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE (1 IoCs)
  • Loads dropped DLL (2 IoCs)
  • Writes to the Master Boot Record (MBR) (1 TTPs, 1 IoCs)

    Bootkits write to the MBR to gain persistence at a level below the operating system.

  • Enumerates physical storage devices (1 TTPs)

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses (28 IoCs)
  • Suspicious use of SetWindowsHookEx (1 IoCs)
  • Suspicious use of WriteProcessMemory (3 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\73c6da067fb3d334aff02a228f118992_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\73c6da067fb3d334aff02a228f118992_JaffaCakes118.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:780
    • C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe
      "C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe" _?=C:\Users\Admin\AppData\Local\Temp\
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Writes to the Master Boot Record (MBR)
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:5040

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Local\Temp\nsr58A0.tmp\System.dll
    Filesize: 19KB
    MD5: 35d7b29c3ed690a8b0cd323917677b42
    SHA1: ad74d2babe09f94838e408c8f9f77b6b56c644f5
    SHA256: 714bd22a836a7f164b848541b8bf8ac80a20ff38e10e412bf9ef518620a80b8c
    SHA512: abc6f37b7306de737adf998607e81304ecc1589ac8e3164651b237def11b424a190e84608f4f6ce44a63ce225d93be7c617a736c82fb6b9077c5222c2e17b67d

  • C:\Users\Admin\AppData\Local\Temp\nsr58A0.tmp\insthelper.dll
    Filesize: 774KB
    MD5: 8bcd300c69b67e78b09cf07aecfa14fb
    SHA1: d92bdb71d8b8477a3f0838360191aecc459a3c09
    SHA256: d62d59db60544bd44db6d710f3b6d48608bee022d908dc46d16885e79dd1ca0d
    SHA512: 393667c3423ed6defeca5c7c51c3244106ebb737398b34822a38edf9fa68cead72016a77c29d4f47d0c5c784c6339e8080d3b35eb17d325658a951c464951cf4

  • C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe
    Filesize: 2.0MB
    MD5: 73c6da067fb3d334aff02a228f118992
    SHA1: 3ce65baab0d969339b658e3208efd1c4c4201415
    SHA256: 0d5def3720993c7ff853209226c0becaee1a367ee2d69dae8cf9cb951602b4e6
    SHA512: 518f6fd0f02423dae19464d3cec6c5dead56278b351ccc4cc48ba7a0e5106d034bc158d13d9877cd0a2e6a9acae83d8465f6dc7605469ff696dddd15081fddf9