Analysis
max time kernel: 148s
max time network: 157s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 14-06-2024 23:52
Static task: static1
Behavioral task: behavioral1
  Sample: ac180e73493ea29eb0e9d98e7537336d_JaffaCakes118.exe
  Resource: win7-20240611-en
Behavioral task: behavioral2
  Sample: ac180e73493ea29eb0e9d98e7537336d_JaffaCakes118.exe
  Resource: win10v2004-20240508-en
General
Target: ac180e73493ea29eb0e9d98e7537336d_JaffaCakes118.exe
Size: 2.3MB
MD5: ac180e73493ea29eb0e9d98e7537336d
SHA1: ec6ef66cb90ace5eaea68dc60928047b53562e36
SHA256: 6ee124ac926cf440901714c3a47cf9baa3e85052ac2c8530b7139fb09fbed854
SHA512: cb20da659768e00f1aedb085dd8a410ba556c3d9ae9425dfc876fb2617e6f25c98989ee07c3d40a5cecf7abd587cb68a0dd3c29138b929cddf09956c7fe8a345
SSDEEP: 49152:qTEFVxVbtrlYI9xq0oL4nnWKEtStHbPC6SAExuYJ8NGBKCUTjxLdTp4JCFth:VVbtrKI9xFo0nPEWC3VxuYWGMF2q
Malware Config
Signatures
- Checks installed software on the system (1 TTPs)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Writes to the Master Boot Record (MBR) (1 TTPs, 1 IoCs)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  Processes:
    description: File opened for modification | ioc: \??\PhysicalDrive0 | process: ac180e73493ea29eb0e9d98e7537336d_JaffaCakes118.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes:
    pid: 2696 | process: ac180e73493ea29eb0e9d98e7537336d_JaffaCakes118.exe
    pid: 2696 | process: ac180e73493ea29eb0e9d98e7537336d_JaffaCakes118.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes:
    description: PID 5092 wrote to memory of 2696 | pid: 5092 | process: ac180e73493ea29eb0e9d98e7537336d_JaffaCakes118.exe | target process: ac180e73493ea29eb0e9d98e7537336d_JaffaCakes118.exe
    description: PID 5092 wrote to memory of 2696 | pid: 5092 | process: ac180e73493ea29eb0e9d98e7537336d_JaffaCakes118.exe | target process: ac180e73493ea29eb0e9d98e7537336d_JaffaCakes118.exe
    description: PID 5092 wrote to memory of 2696 | pid: 5092 | process: ac180e73493ea29eb0e9d98e7537336d_JaffaCakes118.exe | target process: ac180e73493ea29eb0e9d98e7537336d_JaffaCakes118.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\ac180e73493ea29eb0e9d98e7537336d_JaffaCakes118.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\ac180e73493ea29eb0e9d98e7537336d_JaffaCakes118.exe"
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\ac180e73493ea29eb0e9d98e7537336d_JaffaCakes118.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\ac180e73493ea29eb0e9d98e7537336d_JaffaCakes118.exe" /postdata
      - Writes to the Master Boot Record (MBR)
      - Suspicious behavior: EnumeratesProcesses