3efca506a4c725dd30277b0a35b98e244647b04e7af33d0417ad4f19bf29ba9e

Analysis

max time kernel
147s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
11/06/2024, 01:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9c8af60e59018ddc5a0d422dab98ea96_JaffaCakes118.exe
Size

1.1MB
MD5

9c8af60e59018ddc5a0d422dab98ea96
SHA1

ae6f943ae0ee714409d0bede3b1939e6b690a295
SHA256

3efca506a4c725dd30277b0a35b98e244647b04e7af33d0417ad4f19bf29ba9e
SHA512

a2d4052429bab699c621a27b4d6537d845c225a17472475108f13e1d5ed4fa3159f84f3d3c5ae81f9a3adf5172e2a6bb8621233b0da3a299a60498b47d17ab77
SSDEEP

24576:UNXEViC54OWZgu88Hu7z/WyvdxV8ehY/HAQSDm269zT3:WeLDWZgu884e/NSDUVT3

Score

7^/10

bootkit discovery persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	9c8af60e59018ddc5a0d422dab98ea96_JaffaCakes118.exe

Executes dropped EXE 4 IoCs

pid	Process
2220	mooncake.exe
6104	mooncake.exe
4844	mooncake.exe
4656	mooncake.exe

Loads dropped DLL 3 IoCs

pid	Process
1620	9c8af60e59018ddc5a0d422dab98ea96_JaffaCakes118.exe
1620	9c8af60e59018ddc5a0d422dab98ea96_JaffaCakes118.exe
1620	9c8af60e59018ddc5a0d422dab98ea96_JaffaCakes118.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	mooncake.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
1620	9c8af60e59018ddc5a0d422dab98ea96_JaffaCakes118.exe
1620	9c8af60e59018ddc5a0d422dab98ea96_JaffaCakes118.exe
4656	mooncake.exe
4656	mooncake.exe
4656	mooncake.exe
4656	mooncake.exe
4656	mooncake.exe
4656	mooncake.exe
4656	mooncake.exe
4656	mooncake.exe
4656	mooncake.exe
4656	mooncake.exe
4656	mooncake.exe
4656	mooncake.exe
4656	mooncake.exe
4656	mooncake.exe
4656	mooncake.exe
4656	mooncake.exe
4656	mooncake.exe
4656	mooncake.exe
4656	mooncake.exe
4656	mooncake.exe
4656	mooncake.exe
4656	mooncake.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
6104	mooncake.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2220	mooncake.exe
2220	mooncake.exe
4844	mooncake.exe
4844	mooncake.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1620 wrote to memory of 2220	1620	9c8af60e59018ddc5a0d422dab98ea96_JaffaCakes118.exe	82
PID 1620 wrote to memory of 2220	1620	9c8af60e59018ddc5a0d422dab98ea96_JaffaCakes118.exe	82
PID 1620 wrote to memory of 2220	1620	9c8af60e59018ddc5a0d422dab98ea96_JaffaCakes118.exe	82
PID 1620 wrote to memory of 6104	1620	9c8af60e59018ddc5a0d422dab98ea96_JaffaCakes118.exe	83
PID 1620 wrote to memory of 6104	1620	9c8af60e59018ddc5a0d422dab98ea96_JaffaCakes118.exe	83
PID 1620 wrote to memory of 6104	1620	9c8af60e59018ddc5a0d422dab98ea96_JaffaCakes118.exe	83
PID 1620 wrote to memory of 4844	1620	9c8af60e59018ddc5a0d422dab98ea96_JaffaCakes118.exe	85
PID 1620 wrote to memory of 4844	1620	9c8af60e59018ddc5a0d422dab98ea96_JaffaCakes118.exe	85
PID 1620 wrote to memory of 4844	1620	9c8af60e59018ddc5a0d422dab98ea96_JaffaCakes118.exe	85
PID 1620 wrote to memory of 4656	1620	9c8af60e59018ddc5a0d422dab98ea96_JaffaCakes118.exe	86
PID 1620 wrote to memory of 4656	1620	9c8af60e59018ddc5a0d422dab98ea96_JaffaCakes118.exe	86
PID 1620 wrote to memory of 4656	1620	9c8af60e59018ddc5a0d422dab98ea96_JaffaCakes118.exe	86

C:\Users\Admin\AppData\Local\Temp\9c8af60e59018ddc5a0d422dab98ea96_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\9c8af60e59018ddc5a0d422dab98ea96_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1620
- C:\Users\Admin\AppData\Roaming\mooncake\mooncake.exe
  "C:\Users\Admin\AppData\Roaming\mooncake\mooncake.exe" SW_SHOWNORMAL
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2220
- C:\Users\Admin\AppData\Roaming\mooncake\mooncake.exe
  "C:\Users\Admin\AppData\Roaming\mooncake\mooncake.exe" /ShowDeskTop
  2⤵
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  PID:6104
- C:\Users\Admin\AppData\Roaming\mooncake\mooncake.exe
  "C:\Users\Admin\AppData\Roaming\mooncake\mooncake.exe" /autorun /setuprun
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4844
- C:\Users\Admin\AppData\Roaming\mooncake\mooncake.exe
  "C:\Users\Admin\AppData\Roaming\mooncake\mooncake.exe" /setupsucc
  2⤵
  - Executes dropped EXE
  - Writes to the Master Boot Record (MBR)
  - Suspicious behavior: EnumeratesProcesses
  PID:4656

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsi3644.tmp\FindProcDLL.dll

Filesize
3KB

MD5
8614c450637267afacad1645e23ba24a

SHA1
e7b7b09b5bbc13e910aa36316d9cc5fc5d4dcdc2

SHA256
0fa04f06a6de18d316832086891e9c23ae606d7784d5d5676385839b21ca2758

SHA512
af46cd679097584ff9a1d894a729b6397f4b3af17dff3e6f07bef257bc7e48ffa341d82daf298616cd5df1450fc5ab7435cacb70f27302b6db193f01a9f8391b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsi3644.tmp\System.dll

Filesize
11KB

MD5
c17103ae9072a06da581dec998343fc1

SHA1
b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

SHA256
dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

SHA512
d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

Download Submit
C:\Users\Admin\AppData\Roaming\mooncake\Lander.ini

Filesize
416B

MD5
267b643379786231e216e0b4539af4af

SHA1
b785a7befbe79b9cba1bfcd2164ba1580b0b4a90

SHA256
376b948d1b3a9d6a6f7da2c870439833522a6dce44e12574f9e4fa5b64bcb85f

SHA512
d8a61ff68f4d86b46deae429626c65b37956ec9ad2e4bb5d631cd27ec50037e7f2fcda3c421a16e391f44e68c5c7dea0f6e461639a25b9e26aab24083838c670

Download Submit
C:\Users\Admin\AppData\Roaming\mooncake\Lander.ini

Filesize
448B

MD5
5d5a3e01aaf9ee983c35fbf3e9c7764b

SHA1
ed5f3bddd338e3fdfa690f635dcbce6595952bdb

SHA256
1f93b1ce37d02141cb77866af0d0c34ceff8c3b6231c2711afa2852989a37d58

SHA512
5579328767abce7521e64bb37255ad629b7a59b2c2dce18e2b1b17a1758bed903e1490e1343adfa721d088fadc85e9473d2054744295c83b7c8fff1608fdd9da

Download Submit
C:\Users\Admin\AppData\Roaming\mooncake\lander.ini

Filesize
385B

MD5
222626a618e156cb87525ea6346a514f

SHA1
aa4bc3451776f7b93504e57f0a6de9e6373fc299

SHA256
612e0ac8e5b13e37f8a141ee140ddaff108510f43ca0012b06146e272eaf5249

SHA512
09c0336807bd41989ae4f9e18f88aaaa010db9ea909bc9111ff4da1bbe5d0b986eb4b0511c2190af61e6858c850601325e8f3489dd3d0fba9c07d39fcee7454f

Download Submit
C:\Users\Admin\AppData\Roaming\mooncake\mooncake.exe

Filesize
1.3MB

MD5
9d2f8e9aadec1a95401d5c2032631421

SHA1
b1ec21e48e4409f55e559b9ce70abbb55959112e

SHA256
e907223713c1189ca05e8468d2a54789bb368ab076e3013d0a627728aad018d0

SHA512
351617e6261b466b4b8464c1102d6f41db17c4fede430f615ed84f25e05e66f8b0913396d6e1ec7fe73f7a76e7dc2506973399ff4efa58cb51c1fa1d9b293597

Download Submit
memory/1620-11-0x0000000002260000-0x0000000002263000-memory.dmp

Filesize
12KB

Download
memory/1620-15-0x0000000002261000-0x0000000002262000-memory.dmp

Filesize
4KB

Download
memory/2220-52-0x0000000002FB0000-0x0000000002FB1000-memory.dmp

Filesize
4KB

Download
memory/2220-65-0x0000000002FB0000-0x0000000002FB1000-memory.dmp

Filesize
4KB

Download