224aaa33d14e22344ace695ae30f54f6fa866d96995e5c655f2a0baa9ff04703

Analysis

max time kernel
142s
max time network
147s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
26-05-2024 07:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

74b544a2dba07ac124285e2ff8a330e5_JaffaCakes118.exe
Size

107KB
MD5

74b544a2dba07ac124285e2ff8a330e5
SHA1

e687f1b15e3b180f44aeaa804a7476b32b765317
SHA256

224aaa33d14e22344ace695ae30f54f6fa866d96995e5c655f2a0baa9ff04703
SHA512

d5442314ed655b0a4ce3891b6559bc7ff37db8d26c5c98778538ab7999cff953c195bb080d9dd4f39356ad624120b1d98a75ff081d4393f8d027f64900fb7dcf
SSDEEP

1536:nDdP8cdnG3eQ8GAaUKtwIxDHB4qWrkkdXpr3GtZO/1tIrre4PV3taDC:nDdkcJGUAB78kk/jN1tIrre4d3Y

Score

7^/10

bootkit persistence

Malware Config

Signatures

Drops startup file 1 IoCs

Processes:

74b544a2dba07ac124285e2ff8a330e5_JaffaCakes118.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\userinit.lnk	74b544a2dba07ac124285e2ff8a330e5_JaffaCakes118.exe

Loads dropped DLL 1 IoCs

Processes:

74b544a2dba07ac124285e2ff8a330e5_JaffaCakes118.exe

pid process

2012 74b544a2dba07ac124285e2ff8a330e5_JaffaCakes118.exe

pid	process
2012	74b544a2dba07ac124285e2ff8a330e5_JaffaCakes118.exe

Unexpected DNS network traffic destination 7 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

Processes:

description	ioc
Destination IP	139.99.66.103
Destination IP	139.99.66.103
Destination IP	139.99.66.103
Destination IP	139.99.66.103
Destination IP	139.99.66.103
Destination IP	139.99.66.103
Destination IP	139.99.66.103

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1542.003

Processes:

74b544a2dba07ac124285e2ff8a330e5_JaffaCakes118.exe

description ioc process

File opened for modification \??\PhysicalDrive0 74b544a2dba07ac124285e2ff8a330e5_JaffaCakes118.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	ioc	process
File opened for modification	\??\PhysicalDrive0	74b544a2dba07ac124285e2ff8a330e5_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\74b544a2dba07ac124285e2ff8a330e5_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\74b544a2dba07ac124285e2ff8a330e5_JaffaCakes118.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
PID:2012

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\userinit.exe

Filesize
107KB

MD5
74b544a2dba07ac124285e2ff8a330e5

SHA1
e687f1b15e3b180f44aeaa804a7476b32b765317

SHA256
224aaa33d14e22344ace695ae30f54f6fa866d96995e5c655f2a0baa9ff04703

SHA512
d5442314ed655b0a4ce3891b6559bc7ff37db8d26c5c98778538ab7999cff953c195bb080d9dd4f39356ad624120b1d98a75ff081d4393f8d027f64900fb7dcf

Download Submit