Analysis

  • max time kernel
    148s
  • max time network
    157s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    14-06-2024 23:52

General

  • Target

    ac180e73493ea29eb0e9d98e7537336d_JaffaCakes118.exe

  • Size

    2.3MB

  • MD5

    ac180e73493ea29eb0e9d98e7537336d

  • SHA1

    ec6ef66cb90ace5eaea68dc60928047b53562e36

  • SHA256

    6ee124ac926cf440901714c3a47cf9baa3e85052ac2c8530b7139fb09fbed854

  • SHA512

    cb20da659768e00f1aedb085dd8a410ba556c3d9ae9425dfc876fb2617e6f25c98989ee07c3d40a5cecf7abd587cb68a0dd3c29138b929cddf09956c7fe8a345

  • SSDEEP

    49152:qTEFVxVbtrlYI9xq0oL4nnWKEtStHbPC6SAExuYJ8NGBKCUTjxLdTp4JCFth:VVbtrKI9xFo0nPEWC3VxuYWGMF2q

Malware Config

Signatures

  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ac180e73493ea29eb0e9d98e7537336d_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\ac180e73493ea29eb0e9d98e7537336d_JaffaCakes118.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:5092
    • C:\Users\Admin\AppData\Local\Temp\ac180e73493ea29eb0e9d98e7537336d_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\ac180e73493ea29eb0e9d98e7537336d_JaffaCakes118.exe" /postdata
      2⤵
      • Writes to the Master Boot Record (MBR)
      • Suspicious behavior: EnumeratesProcesses
      PID:2696

Network

MITRE ATT&CK Matrix ATT&CK v13

Persistence

Pre-OS Boot

1
T1542

Bootkit

1
T1542.003

Defense Evasion

Pre-OS Boot

1
T1542

Bootkit

1
T1542.003

Discovery

Query Registry

1
T1012

Replay Monitor

Loading Replay Monitor...

Downloads