Analysis

  • max time kernel
    150s
  • max time network
    147s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240611-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    15-06-2024 00:46

General

  • Target

    ac4a08f756216de41b0364bf62b44f82_JaffaCakes118.exe

  • Size

    874KB

  • MD5

    ac4a08f756216de41b0364bf62b44f82

  • SHA1

    aee730297dd1a1700bbf5ee4b10df790e267b2a3

  • SHA256

    53f4320945ce77a43d8cec88ee3ae817573bac4e33189d47043238b23aa77fbf

  • SHA512

    1973ac1707d93110a21427a46e2c8c579f5c8fa9c509a401a2f6f676f640f1b49eaa8ac0e14bca5cb8e6981064ac6931fe04b0e78799e58720c6b1e619f689f1

  • SSDEEP

    12288:1LJmPlzSnSXGbFFYd7PfxmbKHBkTTkW5Bdhn4ltH80xjxkxQuZwEjFTa1gG1+QjC:mPRwUdF0akfkYh4lW0xjWJhotjyN0

Score
8/10

Malware Config

Signatures

  • Modifies Installed Components in the registry 2 TTPs 4 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates connected drives 3 TTPs 29 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 64 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies Internet Explorer settings 1 TTPs 4 IoCs
  • Modifies data under HKEY_USERS 64 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of SetWindowsHookEx 9 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ac4a08f756216de41b0364bf62b44f82_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\ac4a08f756216de41b0364bf62b44f82_JaffaCakes118.exe"
    1⤵
    • Adds Run key to start application
    • Enumerates connected drives
    • Writes to the Master Boot Record (MBR)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of SetWindowsHookEx
    PID:2308
  • C:\Windows\system32\sihost.exe
    sihost.exe
    1⤵
    • Suspicious use of FindShellTrayWindow
    PID:4608
  • C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
    "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
    1⤵
    • Modifies data under HKEY_USERS
    • Suspicious use of SetWindowsHookEx
    PID:1592
  • C:\Windows\system32\sihost.exe
    sihost.exe
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1124
    • C:\Windows\explorer.exe
      explorer.exe /LOADSAVEDWINDOWS
      2⤵
      • Modifies Installed Components in the registry
      • Enumerates connected drives
      • Checks SCSI registry key(s)
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:4128
  • C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
    "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
    1⤵
    • Checks processor information in registry
    • Enumerates system info in registry
    • Modifies data under HKEY_USERS
    • Suspicious use of SetWindowsHookEx
    PID:5080
  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
    1⤵
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:2140
  • C:\Windows\system32\sihost.exe
    sihost.exe
    1⤵
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:2636
    • C:\Windows\explorer.exe
      explorer.exe /LOADSAVEDWINDOWS
      2⤵
      • Modifies Installed Components in the registry
      • Enumerates connected drives
      • Checks SCSI registry key(s)
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SendNotifyMessage
      PID:3380
  • C:\Windows\system32\sihost.exe
    sihost.exe
    1⤵
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:1480
    • C:\Windows\explorer.exe
      explorer.exe /LOADSAVEDWINDOWS
      2⤵
      PID:4324
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Modifies Installed Components in the registry
    • Enumerates connected drives
    • Checks SCSI registry key(s)
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SendNotifyMessage
    • Suspicious use of SetWindowsHookEx
    PID:4680
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {9BA05972-F6A8-11CF-A442-00A0C90A8F39} -Embedding
    1⤵
    PID:4356
  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
    1⤵
    • Suspicious use of SetWindowsHookEx
    PID:1432
  • C:\Windows\system32\sihost.exe
    sihost.exe
    1⤵
    PID:2252
  • C:\Windows\system32\sihost.exe
    sihost.exe
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1772
    • C:\Windows\explorer.exe
      explorer.exe /LOADSAVEDWINDOWS
      2⤵
      PID:4548
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Modifies Installed Components in the registry
    • Enumerates connected drives
    • Checks SCSI registry key(s)
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:4024

Network

MITRE ATT&CK Matrix ATT&CK v13

Persistence

  • Boot or Logon Autostart Execution (2) T1547
  • Registry Run Keys / Startup Folder (2) T1547.001
  • Pre-OS Boot (1) T1542
  • Bootkit (1) T1542.003

Privilege Escalation

  • Boot or Logon Autostart Execution (2) T1547
  • Registry Run Keys / Startup Folder (2) T1547.001

Defense Evasion

  • Modify Registry (3) T1112
  • Pre-OS Boot (1) T1542
  • Bootkit (1) T1542.003

Discovery

  • Query Registry (4) T1012
  • Peripheral Device Discovery (2) T1120
  • System Information Discovery (5) T1082


Downloads

  • C:\Users\Admin\AppData\Local\IconCache.db
    Filesize 6.0MB
    MD5 4651fac841b54c1aa56814e507c2973e
    SHA1 c915fe7477530d2eb5dae0534445352a90cd8651
    SHA256 e4165f44a5b5b36243e9c93ec9b91cbda75dd249c25e847eb8f3fc8dc23708f7
    SHA512 0db243a4b02b23abe0683e9e14dff921ad031c210c2d0f760830c05c5dfd6c86c795b92cee6f6230d395a1df6da2b043b82f477989d58fdbcd668c6a90004428

  • C:\Users\Admin\AppData\Local\Microsoft\PenWorkspace\DiscoverCacheData.dat
    Filesize 1022B
    MD5 578313ab69ab742124071fb906061362
    SHA1 6be1b2230e7c1315ea759ac8ea992d4de9bd442d
    SHA256 6ab7c1a506cb18b1364953283c17dabfdb404f524bd4642ee72e1822bc649519
    SHA512 aad77f1edd701c16ecef3ed1230601f2dd901fafc0532676de6a0ec579250ea889a530f511358d2404c537fafa486e9d5d2af749be8bc2e20d163ae7d716a970

  • C:\Users\Admin\AppData\Local\Temp\{4EA2F7AA-516A-4709-9CCC-113FCE695FDB}.png
    Filesize 6KB
    MD5 099ba37f81c044f6b2609537fdb7d872
    SHA1 470ef859afbce52c017874d77c1695b7b0f9cb87
    SHA256 8c98c856e4d43f705ff9a5c9a55f92e1885765654912b4c75385c3ea2fdef4a7
    SHA512 837e1ad7fe4f5cbc0a87f3703ba211c18f32b20df93b23f681cbd0390d8077adba64cf6454a1bb28df1f7df4cb2cdc021d826b6ef8db890e40f21d618d5eb07a

  • memory/2308-30-0x0000000000400000-0x0000000000A20000-memory.dmp
    Filesize 6.1MB
  • memory/2308-33-0x0000000000400000-0x0000000000A20000-memory.dmp
    Filesize 6.1MB
  • memory/2308-6-0x0000000000400000-0x0000000000A20000-memory.dmp
    Filesize 6.1MB
  • memory/2308-57-0x0000000000400000-0x0000000000A20000-memory.dmp
    Filesize 6.1MB
  • memory/2308-4-0x00000000009EB000-0x00000000009EC000-memory.dmp
    Filesize 4KB
  • memory/2308-13-0x0000000000400000-0x0000000000A20000-memory.dmp
    Filesize 6.1MB
  • memory/2308-56-0x0000000000400000-0x0000000000A20000-memory.dmp
    Filesize 6.1MB
  • memory/2308-2-0x0000000000400000-0x0000000000A20000-memory.dmp
    Filesize 6.1MB
  • memory/2308-55-0x0000000000400000-0x0000000000A20000-memory.dmp
    Filesize 6.1MB
  • memory/2308-0-0x0000000000400000-0x0000000000A20000-memory.dmp
    Filesize 6.1MB
  • memory/2308-31-0x0000000000F30000-0x0000000000F40000-memory.dmp
    Filesize 64KB
  • memory/2308-1-0x0000000000F30000-0x0000000000F40000-memory.dmp
    Filesize 64KB
  • memory/2308-32-0x00000000009EB000-0x00000000009EC000-memory.dmp
    Filesize 4KB
  • memory/2308-5-0x0000000000400000-0x0000000000A20000-memory.dmp
    Filesize 6.1MB
  • memory/2308-34-0x0000000000400000-0x0000000000A20000-memory.dmp
    Filesize 6.1MB
  • memory/2308-41-0x0000000000400000-0x0000000000A20000-memory.dmp
    Filesize 6.1MB
  • memory/2308-42-0x0000000000400000-0x0000000000A20000-memory.dmp
    Filesize 6.1MB
  • memory/2308-43-0x0000000000400000-0x0000000000A20000-memory.dmp
    Filesize 6.1MB
  • memory/2308-44-0x0000000000400000-0x0000000000A20000-memory.dmp
    Filesize 6.1MB
  • memory/2308-49-0x0000000000400000-0x0000000000A20000-memory.dmp
    Filesize 6.1MB
  • memory/2308-50-0x0000000000400000-0x0000000000A20000-memory.dmp
    Filesize 6.1MB
  • memory/2308-51-0x0000000000400000-0x0000000000A20000-memory.dmp
    Filesize 6.1MB
  • memory/2308-54-0x0000000000400000-0x0000000000A20000-memory.dmp
    Filesize 6.1MB
  • memory/4024-22-0x0000000004550000-0x0000000004551000-memory.dmp
    Filesize 4KB
  • memory/4128-8-0x00000000029E0000-0x00000000029E1000-memory.dmp
    Filesize 4KB
  • memory/4680-15-0x00000000042F0000-0x00000000042F1000-memory.dmp
    Filesize 4KB