3efca506a4c725dd30277b0a35b98e244647b04e7af33d0417ad4f19bf29ba9e

Analysis

max time kernel
120s
max time network
124s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
11-06-2024 01:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9c8af60e59018ddc5a0d422dab98ea96_JaffaCakes118.exe
Size

1.1MB
MD5

9c8af60e59018ddc5a0d422dab98ea96
SHA1

ae6f943ae0ee714409d0bede3b1939e6b690a295
SHA256

3efca506a4c725dd30277b0a35b98e244647b04e7af33d0417ad4f19bf29ba9e
SHA512

a2d4052429bab699c621a27b4d6537d845c225a17472475108f13e1d5ed4fa3159f84f3d3c5ae81f9a3adf5172e2a6bb8621233b0da3a299a60498b47d17ab77
SSDEEP

24576:UNXEViC54OWZgu88Hu7z/WyvdxV8ehY/HAQSDm269zT3:WeLDWZgu884e/NSDUVT3

Score

7^/10

bootkit discovery persistence

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
2532	mooncake.exe
3036	mooncake.exe
2352	mooncake.exe

Loads dropped DLL 14 IoCs

pid	Process
1664	9c8af60e59018ddc5a0d422dab98ea96_JaffaCakes118.exe
1664	9c8af60e59018ddc5a0d422dab98ea96_JaffaCakes118.exe
1664	9c8af60e59018ddc5a0d422dab98ea96_JaffaCakes118.exe
1664	9c8af60e59018ddc5a0d422dab98ea96_JaffaCakes118.exe
1664	9c8af60e59018ddc5a0d422dab98ea96_JaffaCakes118.exe
1664	9c8af60e59018ddc5a0d422dab98ea96_JaffaCakes118.exe
2532	mooncake.exe
2532	mooncake.exe
1664	9c8af60e59018ddc5a0d422dab98ea96_JaffaCakes118.exe
1664	9c8af60e59018ddc5a0d422dab98ea96_JaffaCakes118.exe
3036	mooncake.exe
3036	mooncake.exe
2352	mooncake.exe
2352	mooncake.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	mooncake.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main	mooncake.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
1664	9c8af60e59018ddc5a0d422dab98ea96_JaffaCakes118.exe
2352	mooncake.exe
2352	mooncake.exe
2352	mooncake.exe
2352	mooncake.exe
2352	mooncake.exe
2352	mooncake.exe
2352	mooncake.exe
2352	mooncake.exe
2352	mooncake.exe
2352	mooncake.exe
2352	mooncake.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2532	mooncake.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3036	mooncake.exe
3036	mooncake.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 1664 wrote to memory of 2532	1664	9c8af60e59018ddc5a0d422dab98ea96_JaffaCakes118.exe	29
PID 1664 wrote to memory of 2532	1664	9c8af60e59018ddc5a0d422dab98ea96_JaffaCakes118.exe	29
PID 1664 wrote to memory of 2532	1664	9c8af60e59018ddc5a0d422dab98ea96_JaffaCakes118.exe	29
PID 1664 wrote to memory of 2532	1664	9c8af60e59018ddc5a0d422dab98ea96_JaffaCakes118.exe	29
PID 1664 wrote to memory of 2532	1664	9c8af60e59018ddc5a0d422dab98ea96_JaffaCakes118.exe	29
PID 1664 wrote to memory of 2532	1664	9c8af60e59018ddc5a0d422dab98ea96_JaffaCakes118.exe	29
PID 1664 wrote to memory of 2532	1664	9c8af60e59018ddc5a0d422dab98ea96_JaffaCakes118.exe	29
PID 1664 wrote to memory of 3036	1664	9c8af60e59018ddc5a0d422dab98ea96_JaffaCakes118.exe	30
PID 1664 wrote to memory of 3036	1664	9c8af60e59018ddc5a0d422dab98ea96_JaffaCakes118.exe	30
PID 1664 wrote to memory of 3036	1664	9c8af60e59018ddc5a0d422dab98ea96_JaffaCakes118.exe	30
PID 1664 wrote to memory of 3036	1664	9c8af60e59018ddc5a0d422dab98ea96_JaffaCakes118.exe	30
PID 1664 wrote to memory of 3036	1664	9c8af60e59018ddc5a0d422dab98ea96_JaffaCakes118.exe	30
PID 1664 wrote to memory of 3036	1664	9c8af60e59018ddc5a0d422dab98ea96_JaffaCakes118.exe	30
PID 1664 wrote to memory of 3036	1664	9c8af60e59018ddc5a0d422dab98ea96_JaffaCakes118.exe	30
PID 1664 wrote to memory of 2352	1664	9c8af60e59018ddc5a0d422dab98ea96_JaffaCakes118.exe	31
PID 1664 wrote to memory of 2352	1664	9c8af60e59018ddc5a0d422dab98ea96_JaffaCakes118.exe	31
PID 1664 wrote to memory of 2352	1664	9c8af60e59018ddc5a0d422dab98ea96_JaffaCakes118.exe	31
PID 1664 wrote to memory of 2352	1664	9c8af60e59018ddc5a0d422dab98ea96_JaffaCakes118.exe	31
PID 1664 wrote to memory of 2352	1664	9c8af60e59018ddc5a0d422dab98ea96_JaffaCakes118.exe	31
PID 1664 wrote to memory of 2352	1664	9c8af60e59018ddc5a0d422dab98ea96_JaffaCakes118.exe	31
PID 1664 wrote to memory of 2352	1664	9c8af60e59018ddc5a0d422dab98ea96_JaffaCakes118.exe	31

C:\Users\Admin\AppData\Local\Temp\9c8af60e59018ddc5a0d422dab98ea96_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\9c8af60e59018ddc5a0d422dab98ea96_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1664
- C:\Users\Admin\AppData\Roaming\mooncake\mooncake.exe
  "C:\Users\Admin\AppData\Roaming\mooncake\mooncake.exe" /ShowDeskTop
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of FindShellTrayWindow
  PID:2532
- C:\Users\Admin\AppData\Roaming\mooncake\mooncake.exe
  "C:\Users\Admin\AppData\Roaming\mooncake\mooncake.exe" /autorun /setuprun
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:3036
- C:\Users\Admin\AppData\Roaming\mooncake\mooncake.exe
  "C:\Users\Admin\AppData\Roaming\mooncake\mooncake.exe" /setupsucc
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Writes to the Master Boot Record (MBR)
  - Suspicious behavior: EnumeratesProcesses
  PID:2352

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\ÆßÍò³àÑæ»ê.lnk

Filesize
880B

MD5
5a4476fe7d2b2dc9caf488884d69395b

SHA1
75184ffb5ab04928f25fa3406119ed10b7024755

SHA256
68ce34e4134f1777adb01e74333cc04f199082db7c203ab3eafead10d6fe6853

SHA512
390eaa56ba5ce3216b4c93f7ad1a60e9d87b34585cab3956b47784fc113e05d667ed91db46a6275d4ac39c0814cd521ab3df0fe7bc0bf79fccb47403b925c65e

Download Submit
C:\Users\Admin\AppData\Roaming\mooncake\Lander.ini

Filesize
404B

MD5
758c5da1f76538b31188a299572a966e

SHA1
2059a9b9b38c08262d1681120fdbbd72cbaa26f9

SHA256
a97aa0aa22817bf3bb93d33bc8d9b42a68543df7fda5e972c3fbbdd4294a580d

SHA512
d0250ceba4039de96fa368d7dd432ce0490d75be4d598ec252e6746dd52a499cd988d36ea478b40a166b85702fd1dd233adfc090fedbda42a41cad3eb584a11d

Download Submit
C:\Users\Admin\AppData\Roaming\mooncake\Lander.ini

Filesize
448B

MD5
aa78cae3ad941be15bb58356d43b3074

SHA1
06b85ad47f0c4f829cc64cb743bf87a38b9a6616

SHA256
c2d5abc29895f1be276ffd97fad01e294be547b0f3db704b85a232aaa028106a

SHA512
c3b630acb1183e45897bf47f0125e68c7147d5ac6a419e7b665e2e0b5ea676f84ec75e235ded47258863b2596ddc65a53bf704d8b2fca78e8fde7137918077e7

Download Submit
C:\Users\Admin\AppData\Roaming\mooncake\Lander.ini

Filesize
672B

MD5
4e234ac99ddc1d39924b8ae3896a0259

SHA1
81a27c4b18bf7b3e0132353971276436435396b6

SHA256
8dcb9d1df0e3bb2e0ba5c266471c20352056c483af38d09fb711011f3352df92

SHA512
d15b4cf822722250879f1be0354960b0cb81ad5c52b5d72bf1054d12ba2f38b9a2431095e40953ead22544ea7d0c5432081a1a457feda67793bc1100477c1f19

Download Submit
C:\Users\Admin\AppData\Roaming\mooncake\lander.ini

Filesize
385B

MD5
222626a618e156cb87525ea6346a514f

SHA1
aa4bc3451776f7b93504e57f0a6de9e6373fc299

SHA256
612e0ac8e5b13e37f8a141ee140ddaff108510f43ca0012b06146e272eaf5249

SHA512
09c0336807bd41989ae4f9e18f88aaaa010db9ea909bc9111ff4da1bbe5d0b986eb4b0511c2190af61e6858c850601325e8f3489dd3d0fba9c07d39fcee7454f

Download Submit
\Users\Admin\AppData\Local\Temp\nsi2406.tmp\FindProcDLL.dll

Filesize
3KB

MD5
8614c450637267afacad1645e23ba24a

SHA1
e7b7b09b5bbc13e910aa36316d9cc5fc5d4dcdc2

SHA256
0fa04f06a6de18d316832086891e9c23ae606d7784d5d5676385839b21ca2758

SHA512
af46cd679097584ff9a1d894a729b6397f4b3af17dff3e6f07bef257bc7e48ffa341d82daf298616cd5df1450fc5ab7435cacb70f27302b6db193f01a9f8391b

Download Submit
\Users\Admin\AppData\Local\Temp\nsi2406.tmp\System.dll

Filesize
11KB

MD5
c17103ae9072a06da581dec998343fc1

SHA1
b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

SHA256
dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

SHA512
d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

Download Submit
\Users\Admin\AppData\Roaming\mooncake\mooncake.exe

Filesize
1.3MB

MD5
9d2f8e9aadec1a95401d5c2032631421

SHA1
b1ec21e48e4409f55e559b9ce70abbb55959112e

SHA256
e907223713c1189ca05e8468d2a54789bb368ab076e3013d0a627728aad018d0

SHA512
351617e6261b466b4b8464c1102d6f41db17c4fede430f615ed84f25e05e66f8b0913396d6e1ec7fe73f7a76e7dc2506973399ff4efa58cb51c1fa1d9b293597

Download Submit
memory/1664-12-0x00000000003E0000-0x00000000003E3000-memory.dmp

Filesize
12KB

Download
memory/1664-87-0x00000000003E0000-0x00000000003E3000-memory.dmp

Filesize
12KB

Download