654eebb38506e36b159f0dda7b316e2b726548145a179cec49b32bb030d5aba8

Analysis

max time kernel
121s
max time network
123s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
14/06/2024, 10:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a9360745871d11e86208dfc05389ed87_JaffaCakes118.exe
Size

18.5MB
MD5

a9360745871d11e86208dfc05389ed87
SHA1

88c09ba1d029e0c6188a9be0281f3decc728ffb3
SHA256

654eebb38506e36b159f0dda7b316e2b726548145a179cec49b32bb030d5aba8
SHA512

75e1fd50661e07cc75556bc569218dc2b964dda601f950444c5db2598919e521a537b4a2fba802c21330fe93967d958dff9ffde945d26230d3a591f8ad08888f
SSDEEP

393216:C80lVaVagn4Htq0c0M9BPU7R4f7epIhmFdvn992eISHz/K6vH901k:CnVaEgn4NqUyPU7yfOcmbvn72nST/1v7

Score

6^/10

bootkit discovery persistence

Malware Config

Signatures

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	a9360745871d11e86208dfc05389ed87_JaffaCakes118.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Loads dropped DLL 11 IoCs

pid	Process
2868	a9360745871d11e86208dfc05389ed87_JaffaCakes118.exe
2868	a9360745871d11e86208dfc05389ed87_JaffaCakes118.exe
2868	a9360745871d11e86208dfc05389ed87_JaffaCakes118.exe
2868	a9360745871d11e86208dfc05389ed87_JaffaCakes118.exe
2868	a9360745871d11e86208dfc05389ed87_JaffaCakes118.exe
2868	a9360745871d11e86208dfc05389ed87_JaffaCakes118.exe
2868	a9360745871d11e86208dfc05389ed87_JaffaCakes118.exe
2868	a9360745871d11e86208dfc05389ed87_JaffaCakes118.exe
2868	a9360745871d11e86208dfc05389ed87_JaffaCakes118.exe
2868	a9360745871d11e86208dfc05389ed87_JaffaCakes118.exe
2868	a9360745871d11e86208dfc05389ed87_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	a9360745871d11e86208dfc05389ed87_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	a9360745871d11e86208dfc05389ed87_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	a9360745871d11e86208dfc05389ed87_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2868	a9360745871d11e86208dfc05389ed87_JaffaCakes118.exe
2868	a9360745871d11e86208dfc05389ed87_JaffaCakes118.exe
2868	a9360745871d11e86208dfc05389ed87_JaffaCakes118.exe
2868	a9360745871d11e86208dfc05389ed87_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2868	a9360745871d11e86208dfc05389ed87_JaffaCakes118.exe
2868	a9360745871d11e86208dfc05389ed87_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\a9360745871d11e86208dfc05389ed87_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a9360745871d11e86208dfc05389ed87_JaffaCakes118.exe"
1⤵
- Writes to the Master Boot Record (MBR)
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2868

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsd1AC3.tmp\ui\res\CC_logo_72x66.png

Filesize
7KB

MD5
a736159759a56c29575e49cb2a51f2b3

SHA1
b1594bbca4358886d25c3a1bc662d87c913318cb

SHA256
58e75de1789c90333daaf93176194d2a3d64f2eecdf57a4b9384a229e81f874f

SHA512
4da523a36375b37fa7bc4b4ccf7c93e1df7b2da15152edf7d419927aa1bb271ef8ba27fe734d2f623fcc02b47319e75333df014bed01eb466e0cd9ec4111ef53

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsd1AC3.tmp\ui\res\PF_computer.png

Filesize
87KB

MD5
7f4f45c9393a0664d9d0725a2ff42c6b

SHA1
b7b30eb534e6dc69e8e293443c157134569e8ce7

SHA256
dbd8b6fdb66604a0a5e8efe269fbfa598e4a94dc146006036409d905209da42b

SHA512
0c27f9ce615cbff3e17fd772ce3929ab4419d7432d96223b7eec1ba70953f2ac993404b954020247b52d7f7499212d44eb6f85da2e2676773cafe1ce89b390f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsd1AC3.tmp\ui\res\PF_logo.png

Filesize
3KB

MD5
079cca30760cca3c01863b6b96e87848

SHA1
98c2ca01f248bc61817db7e5faea4a3d8310db50

SHA256
8dd37d3721e25c32c5bf878b6dba9e61d04b7ce8aec45bdf703a41bc41802dfa

SHA512
3e25c10e3a5830584c608b9178ab062e93e0e9009a7d897bb5e3561180b0b0910bd4178063d982eb33806a005c93931ae2ec5be520ec0d0c9a7c452cb78fd6a8

Download Submit
\Users\Admin\AppData\Local\Temp\nsd1AC3.tmp\System.dll

Filesize
11KB

MD5
41a3c964232edd2d7d5edea53e8245cd

SHA1
76d7e1fbf15cc3da4dd63a063d6ab2f0868a2206

SHA256
8b65fec615c7b371c23f8f7f344b12dc5085e40a556f96db318ed757494d62d5

SHA512
fa16bd9d020602e3065afd5c0638bc37775b40eb18bfa33b4ca5babcc3e6f112ae7d43457a6e9685ddbe6e94b954a1dc43d1da7af9ca7464019a3f110af549c1

Download Submit
\Users\Admin\AppData\Local\Temp\nsd1AC3.tmp\UserInfo.dll

Filesize
4KB

MD5
c1f778a6d65178d34bde4206161a98e0

SHA1
29719fffef1ab6fe2df47e5ed258a5e3b3a11cfc

SHA256
9caf7a78f750713180cf64d18967a2b803b5580e636e59279dcaaf18ba0daa87

SHA512
9c3cf25cf43f85a5f9c9ed555f12f3626ef9daeeedd4d366ada58748ead1f6e279fea977c76ae8bae1dc49bfd852e899cb137c4a006c13e9fcebf6e5e2926a4d

Download Submit
\Users\Admin\AppData\Local\Temp\nsd1AC3.tmp\a\asdk.dll

Filesize
1.4MB

MD5
5b4a90d8d2c61f0e6fe2ffef347696e9

SHA1
23a45252deeba6f0faff3e8a17d503d1ccc42009

SHA256
89a90ef4e7db39e6c89f37527c66ca3ba14eee3ac3dc4fb40aae347fb2ed98b1

SHA512
accbd10c1d7698c19db170ec0e42a955a71e9a6b3286307778969d581f6f1f27c6825d73caf8e9ec8e93208115659c1522a69923ac47ea9603b907f4843ae166

Download Submit
\Users\Admin\AppData\Local\Temp\nsd1AC3.tmp\g\gcapi_dll.dll

Filesize
348KB

MD5
2973af8515effd0a3bfc7a43b03b3fcc

SHA1
4209cded0caac7c5cb07bcb29f1ee0dc5ac211ee

SHA256
d0e4581210a22135ce5deb47d9df4d636a94b3813e0649aab84822c9f08af2a0

SHA512
b6f9653142ec00b2e0a5045f0f2c7ba5dbbda8ef39edf14c80a24ecab3c41f081eb466994aaf0879ac96b201ba5c02d478275710e4d08b3debc739063d177f7e

Download Submit
\Users\Admin\AppData\Local\Temp\nsd1AC3.tmp\g\gtapi_signed.dll

Filesize
71KB

MD5
61bc40d1fad9e0faa9a07219b90ba0e4

SHA1
5b5c3badedba915707000d2047eaf13f27b8925e

SHA256
89e157a4f61d7d18180cb7f901c0095da3b7a5cc5a9fd58d710099e5f0ee505a

SHA512
fa341aa975c471082b4b6c380f794d1e9ab3939382972cfb9e1dbb3491f68296ad1cedc8f03736921c8e133f62432997de29642e223c2a97f1cab5ce91d68af9

Download Submit
\Users\Admin\AppData\Local\Temp\nsd1AC3.tmp\nsDialogs.dll

Filesize
9KB

MD5
2aba8f16eca82517460013a3de7cbf67

SHA1
3812192fa7b873f426c4b0d0d822b3c9d51aa164

SHA256
60b85fad2477b8c0138067be3697290b280b9334cf408cb57894e3baae615d0d

SHA512
4e059f70ef420c22d69199557ff3eab9e51fcefc75d220b057f1508f9566cd6251f9e06a8fe3695bf7d913ebabd2519ce52f485f2de9a5e4ab3ebc553b877fb0

Download Submit
\Users\Admin\AppData\Local\Temp\nsd1AC3.tmp\p\pfBL.dll

Filesize
1.9MB

MD5
6f7e7f72f9a53c48dffdd70dfec4f88c

SHA1
655d4791f4bffe14dbaf68b5bb8270e93fadbef7

SHA256
22abd21cd2fe21133ec7329a71effe4d4b3181661f1e5cc5e269434c91b0a7b4

SHA512
af0a9e6d0568ae388c93dc33660b1968390fa69ec796079b340a17ec6b7dfa06b70f537c18d6db61784d71f4feec13ac93fcd9735a49635f7689ab206cd43827

Download Submit
\Users\Admin\AppData\Local\Temp\nsd1AC3.tmp\ui\pfUI.dll

Filesize
4.9MB

MD5
fb812a42fe0f4a54918fabf21b66f29a

SHA1
3e7d2434f5d62df838c15c4c4c0382a58f2b1819

SHA256
54d26ce44c6c5482ede4d3d64b02f2c8fbd58cb51d9be50fc3889bc3769ae2a0

SHA512
2950a32d38dea4465bc8949a6b39bba1854cb04e3b79164ef0e55c54510d60cf2aa24161b9fe256a6fb4b27bb5b1ea61110442a712681cc7d51630ae66f7666a

Download Submit
memory/2868-117-0x00000000009C0000-0x00000000009C1000-memory.dmp

Filesize
4KB

Download
memory/2868-135-0x00000000009C0000-0x00000000009C1000-memory.dmp

Filesize
4KB

Download