941e5dcf13258bec1ce9084a39493b8f425aab5bed52d7a5fba6533a3efacea5

Analysis

max time kernel
120s
max time network
124s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
16-06-2024 14:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b411c591ce52767541990585dfc460bc_JaffaCakes118.exe
Size

1.4MB
MD5

b411c591ce52767541990585dfc460bc
SHA1

d931030a12a2b517df88fef43141600bd8986a3c
SHA256

941e5dcf13258bec1ce9084a39493b8f425aab5bed52d7a5fba6533a3efacea5
SHA512

6d76f90be6a46fdc676022cc40038df64a95da98ded25f883afb372c7454b5e4fdaa91b181a00ba51cdacdf0d25e7f8205fc14e2c880cc220f4dc1a995e25578
SSDEEP

24576:aqTha10lf8MKX+SxCTUNPfD6W9u+vYOZBDbGo/A5HA:aqTvZ8M3YCINPmx4BDbGo/A6

Score

6^/10

bootkit persistence

Malware Config

Signatures

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	b411c591ce52767541990585dfc460bc_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2864	DllHost.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2080	b411c591ce52767541990585dfc460bc_JaffaCakes118.exe
2080	b411c591ce52767541990585dfc460bc_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\b411c591ce52767541990585dfc460bc_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\b411c591ce52767541990585dfc460bc_JaffaCakes118.exe"
1⤵
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetWindowsHookEx
PID:2080

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- Suspicious use of FindShellTrayWindow
PID:2864

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ÃÀÅ®Í¼Æ¬.jpg

Filesize
254KB

MD5
a3291c4aaf432ffcabf056db79532d28

SHA1
1c177583164120f229e6a718c95a76f53c3b8eff

SHA256
7863fe13fad45db9ea652cd8eda83f04369f43b44f254c64b87e53952f4f684d

SHA512
9c99b51ccc0dcf6baff30e008d08117eb4e57337c61899e01f568859c130f399a1848e1722de1cc70cd3f7116f2c15fb85adbc716ebce936035430b762febd57

Download Submit
memory/2080-1-0x00000000022A0000-0x00000000022A2000-memory.dmp

Filesize
8KB

Download
memory/2864-2-0x0000000000120000-0x0000000000122000-memory.dmp

Filesize
8KB

Download
memory/2864-3-0x0000000000440000-0x0000000000441000-memory.dmp

Filesize
4KB

Download
memory/2864-19-0x0000000000440000-0x0000000000441000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads