Analysis
max time kernel: 147s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 16-06-2024 17:47
Behavioral task: behavioral1
Sample: b467fe4f0846e590de42bd04a583dfa8_JaffaCakes118.exe
Resource: win7-20240221-en
Behavioral task: behavioral2
Sample: b467fe4f0846e590de42bd04a583dfa8_JaffaCakes118.exe
Resource: win10v2004-20240508-en
General
Target: b467fe4f0846e590de42bd04a583dfa8_JaffaCakes118.exe
Size: 411KB
MD5: b467fe4f0846e590de42bd04a583dfa8
SHA1: 1bbd03423c58e8e586f30198b21fc381a7fc4c28
SHA256: b6913d6f70207f0f14aa1b0f7784cc465b163a5eefbe7095f5a29a2046a5f277
SHA512: 32abb082ca0b2dd67d17d188e377d2162c04727e45a2b594136a0090e2106c727056e3941c8e81c25ae6c6b0ce2383749efbc273d5276fbc894b4b8f5a041a06
SSDEEP: 6144:4zg9hGPXBXDp4aufkZx5/Txkis+4sukqH8x7RhtNGLM2cKhkGW9zD3oqEoxJGaaA:UZXVufk1GEFqHgaw2ZkZ9n3o8xJc6v
Malware Config
Signatures

Processes:
resource | yara_rule
behavioral2/memory/2900-0-0x0000000000400000-0x000000000052B000-memory.dmp | upx
behavioral2/memory/2900-2-0x0000000000400000-0x000000000052B000-memory.dmp | upx
behavioral2/memory/2900-3-0x0000000000400000-0x000000000052B000-memory.dmp | upx
behavioral2/memory/2900-17-0x0000000000400000-0x000000000052B000-memory.dmp | upx

Writes to the Master Boot Record (MBR) (1 TTP, 1 IoC)
Bootkits write to the MBR to gain persistence at a level below the operating system.
Processes:
description | ioc | process
File opened for modification | \??\PhysicalDrive0 | b467fe4f0846e590de42bd04a583dfa8_JaffaCakes118.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Suspicious use of FindShellTrayWindow (6 IoCs)
Processes:
pid | process
2900 | b467fe4f0846e590de42bd04a583dfa8_JaffaCakes118.exe (this row is repeated 6 times in the report)

Suspicious use of SendNotifyMessage (6 IoCs)
Processes:
pid | process
2900 | b467fe4f0846e590de42bd04a583dfa8_JaffaCakes118.exe (this row is repeated 6 times in the report)

Suspicious use of SetWindowsHookEx (2 IoCs)
Processes:
pid | process
2900 | b467fe4f0846e590de42bd04a583dfa8_JaffaCakes118.exe (this row is repeated 2 times in the report)
Processes
C:\Users\Admin\AppData\Local\Temp\b467fe4f0846e590de42bd04a583dfa8_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\b467fe4f0846e590de42bd04a583dfa8_JaffaCakes118.exe"
  - Writes to the Master Boot Record (MBR)
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID: 2900