Analysis

  • max time kernel
    146s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    15-06-2024 03:44

General

  • Target

    acc75e7e174203795154a68858b9b8ff_JaffaCakes118.exe

  • Size

    4.3MB

  • MD5

    acc75e7e174203795154a68858b9b8ff

  • SHA1

    263f3d3a79f9fe90c7cf162fec93e5b85f5f29c4

  • SHA256

    4dd2cebb71124be2cfc3ad7f79ddb4e113c7629c22e0d4eb8ab8c372c2438610

  • SHA512

    13d2d38ff826054ce052483a2836fa2e7e1e4bc30060544de3203678648318f693d866dd95aaf0ebf20979b20729923c25f75feac2ec7b4fc21aa8e707d1d875

  • SSDEEP

    98304:aqSh5zRZwYeMMIV3PsU6Z8y6TaOphYLYSHinQpUt/YV5DyzFf:ajHYOpCm/s9y

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers commonly target stored browser data, which can include saved credentials and other sensitive profile contents.

  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs
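The "Writes to the Master Boot Record (MBR)" signature is the one in this list that survives a reinstall of the operating system, so it is the one worth verifying on a suspected host rather than trusting a sandbox flag. The following is an added example, not code from the sandbox report or from the sample: it parses a raw 512-byte MBR (boot code, disk signature, partition table, 0x55AA trailer), hashes the boot-code region and compares it against a known-good baseline, and flags a mismatch as a possible T1542.003 overwrite. The three sectors at the bottom are constructed for the demo; the device path in read_mbr and the "clean" boot-code bytes are assumptions, not values taken from this analysis.

```python
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_SIZE = 440          # bytes 0..439: bootstrap code (the region a bootkit overwrites)
DISK_SIG_OFFSET = 440         # 4-byte Windows disk signature
PART_TABLE_OFFSET = 446       # 4 x 16-byte partition entries
PART_ENTRY_FMT = "<B3xB3xII"  # status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count
BOOT_SIGNATURE = b"\x55\xaa"  # bytes 510..511


def parse_mbr(sector: bytes) -> dict:
    """Split a raw 512-byte MBR into boot-code hash, disk signature and non-empty partition entries."""
    if len(sector) != MBR_SIZE:
        raise ValueError(f"expected {MBR_SIZE} bytes, got {len(sector)}")
    partitions = []
    for i in range(4):
        status, ptype, lba_start, sectors = struct.unpack_from(
            PART_ENTRY_FMT, sector, PART_TABLE_OFFSET + i * 16)
        if ptype == 0:  # empty slot
            continue
        partitions.append({"index": i, "bootable": bool(status & 0x80),
                           "type": ptype, "lba_start": lba_start, "sectors": sectors})
    return {
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_SIZE]).hexdigest(),
        "disk_signature": struct.unpack_from("<I", sector, DISK_SIG_OFFSET)[0],
        "partitions": partitions,
        "valid_signature": sector[510:512] == BOOT_SIGNATURE,
    }


def check_mbr(sector: bytes, baseline_boot_code_sha256: str) -> list:
    """Return a list of findings; an empty list means the MBR matches the baseline."""
    info = parse_mbr(sector)
    findings = []
    if not info["valid_signature"]:
        findings.append("boot signature 0x55AA missing: sector is not a valid MBR")
    if info["boot_code_sha256"] != baseline_boot_code_sha256:
        findings.append("boot code differs from baseline: possible MBR overwrite (T1542.003)")
    if not info["partitions"]:
        findings.append("partition table is empty")
    return findings


def read_mbr(device_path: str) -> bytes:
    """Read the first sector of a block device. Needs admin rights; on Windows the path would be
    r'\\\\.\\PhysicalDrive0' (assumption for this example, not a path from the report)."""
    with open(device_path, "rb", buffering=0) as dev:
        return dev.read(MBR_SIZE)


def build_mbr(boot_code: bytes, disk_signature: int, entries) -> bytes:
    """Assemble a synthetic MBR for testing; entries are (status, type, lba_start, sectors)."""
    sector = bytearray(MBR_SIZE)
    sector[:len(boot_code)] = boot_code
    struct.pack_into("<I", sector, DISK_SIG_OFFSET, disk_signature)
    for i, (status, ptype, lba, count) in enumerate(entries):
        struct.pack_into(PART_ENTRY_FMT, sector, PART_TABLE_OFFSET + i * 16, status, ptype, lba, count)
    sector[510:512] = BOOT_SIGNATURE
    return bytes(sector)


# Constructed sectors (not captured from the sample): a clean MBR with one bootable NTFS partition,
# the same MBR with its first 16 bytes of boot code overwritten, and one with the trailer wiped.
CLEAN_BOOT_CODE = b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * 100
CLEAN_MBR = build_mbr(CLEAN_BOOT_CODE, 0x1234ABCD, [(0x80, 0x07, 2048, 1_000_000)])
BASELINE_SHA256 = parse_mbr(CLEAN_MBR)["boot_code_sha256"]
TAMPERED_MBR = b"\xeb\x00" * 8 + CLEAN_MBR[16:]
NO_SIG_MBR = CLEAN_MBR[:510] + b"\x00\x00"

if __name__ == "__main__":
    for name, mbr in (("clean", CLEAN_MBR), ("tampered", TAMPERED_MBR), ("no-signature", NO_SIG_MBR)):
        print(name, check_mbr(mbr, BASELINE_SHA256) or "OK")
```

The baseline hash has to come from the same machine before infection (or from an identical image), because boot code differs between Windows versions and OEM tools; comparing against a hash from another host produces false positives.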

Processes

  • C:\Users\Admin\AppData\Local\Temp\acc75e7e174203795154a68858b9b8ff_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\acc75e7e174203795154a68858b9b8ff_JaffaCakes118.exe"
    • Writes to the Master Boot Record (MBR)
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID: 4808
    • C:\ProgramData\Чистилка\Чистилка.exe
      C:\ProgramData\Чистилка\Чистилка.exe /srvcreate
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID: 4888
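The process tree above is a compact hunting pattern: a binary running out of the user's Temp directory launches a copy of itself from ProgramData with a service-install style switch. The following is an added example, not code from the sandbox report or from the sample: it runs that rule over a handful of constructed Sysmon-style process-creation records (the two PIDs, paths, hash and /srvcreate switch are taken from this report; the explorer.exe parent, the benign notepad.exe launch and the third-party installer are invented for contrast). The directory fragments in DROPPER_DIRS and PERSIST_DIRS are assumptions about where droppers typically run and stage copies, and only /srvcreate in SERVICE_SWITCHES comes from the report.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessEvent:
    """Minimal process-creation record with Sysmon Event ID 1 style fields (constructed, not real telemetry)."""
    pid: int
    image: str
    command_line: str
    parent_pid: int
    parent_image: str
    sha256: str


# Assumptions for this example: where droppers usually execute from, and where they usually stage a
# persistent copy. Only "/srvcreate" is observed in the report; extend the tuple for other installers.
DROPPER_DIRS = ("\\appdata\\local\\temp\\", "\\downloads\\")
PERSIST_DIRS = ("c:\\programdata\\", "\\appdata\\roaming\\")
SERVICE_SWITCHES = ("/srvcreate",)


def _under(path: str, fragments) -> bool:
    lowered = path.lower()
    return any(fragment in lowered for fragment in fragments)


def find_self_copy_service_installs(events) -> list:
    """Flag a child launched from a persistence directory by a parent running out of a staging
    directory. Each hit lists its reasons so the analyst can rank a self-copy plus service switch
    (the pattern in this report) above a plain installer that merely writes to ProgramData."""
    by_pid = {event.pid: event for event in events}
    hits = []
    for event in events:
        parent = by_pid.get(event.parent_pid)
        if parent is None:
            continue
        if not (_under(parent.image, DROPPER_DIRS) and _under(event.image, PERSIST_DIRS)):
            continue
        reasons = ["executable launched from a user-writable persistence directory by a Temp-resident parent"]
        if event.sha256.lower() == parent.sha256.lower():
            reasons.append("child is a byte-for-byte copy of its parent (self-copy drop)")
        if any(switch in event.command_line.lower() for switch in SERVICE_SWITCHES):
            reasons.append("service-install switch present on the command line")
        hits.append({"pid": event.pid, "image": event.image, "parent_pid": parent.pid, "reasons": reasons})
    return hits


SAMPLE_SHA256 = "4dd2cebb71124be2cfc3ad7f79ddb4e113c7629c22e0d4eb8ab8c372c2438610"  # from the report
DROPPER = r"C:\Users\Admin\AppData\Local\Temp\acc75e7e174203795154a68858b9b8ff_JaffaCakes118.exe"
DROPPED = r"C:\ProgramData\Чистилка\Чистилка.exe"

# Constructed event stream: explorer.exe (parent not in the stream) starts the dropper, the dropper
# starts its ProgramData copy with /srvcreate, explorer also starts notepad, and an unrelated
# installer in Temp writes a different binary to ProgramData without a service switch.
SAMPLE_EVENTS = [
    ProcessEvent(1000, r"C:\Windows\explorer.exe", "explorer.exe", 800,
                 r"C:\Windows\System32\userinit.exe", "0" * 64),
    ProcessEvent(4808, DROPPER, f'"{DROPPER}"', 1000, r"C:\Windows\explorer.exe", SAMPLE_SHA256),
    ProcessEvent(4888, DROPPED, f"{DROPPED} /srvcreate", 4808, DROPPER, SAMPLE_SHA256),
    ProcessEvent(4900, r"C:\Windows\System32\notepad.exe", "notepad.exe", 1000,
                 r"C:\Windows\explorer.exe", "1" * 64),
    ProcessEvent(5000, r"C:\Users\Admin\AppData\Local\Temp\vendor_setup.exe", "vendor_setup.exe /quiet",
                 1000, r"C:\Windows\explorer.exe", "2" * 64),
    ProcessEvent(5100, r"C:\ProgramData\Vendor\updater.exe", "updater.exe /quiet", 5000,
                 r"C:\Users\Admin\AppData\Local\Temp\vendor_setup.exe", "3" * 64),
]

if __name__ == "__main__":
    for hit in sorted(find_self_copy_service_installs(SAMPLE_EVENTS), key=lambda h: -len(h["reasons"])):
        print(hit["pid"], hit["image"])
        for reason in hit["reasons"]:
            print("   -", reason)
```

The single-reason hit on the vendor updater is the expected noise from this rule; the three-reason hit on PID 4888 reproduces the chain in the report and is the one that warrants pulling the MBR and the service list from the host.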

Network

MITRE ATT&CK Matrix (ATT&CK v13)

  • Persistence: Pre-OS Boot T1542 (1); Bootkit T1542.003 (1)
  • Defense Evasion: Pre-OS Boot T1542 (1); Bootkit T1542.003 (1)
  • Credential Access: Unsecured Credentials T1552 (1); Credentials In Files T1552.001 (1)
  • Discovery: Query Registry T1012 (1); System Information Discovery T1082 (1)
  • Collection: Data from Local System T1005 (1)

Downloads

  • C:\ProgramData\Чистилка\Чистилка.exe (Чистилка is Russian for "cleaner")
    Filesize: 4.3MB
    MD5: acc75e7e174203795154a68858b9b8ff
    SHA1: 263f3d3a79f9fe90c7cf162fec93e5b85f5f29c4
    SHA256: 4dd2cebb71124be2cfc3ad7f79ddb4e113c7629c22e0d4eb8ab8c372c2438610
    SHA512: 13d2d38ff826054ce052483a2836fa2e7e1e4bc30060544de3203678648318f693d866dd95aaf0ebf20979b20729923c25f75feac2ec7b4fc21aa8e707d1d875

    These hashes are identical to those of the submitted sample, so the dropped file is a byte-for-byte copy of the original executable staged under ProgramData and then launched with the /srvcreate switch.