Overview

overview

8

Static

static

3

0014ccea77...18.exe

windows7-x64

7

0014ccea77...18.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    150s
  • max time network
    73s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    19-06-2024 19:03

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    0014ccea773bb3d535b0bc5d90e5fc5f_JaffaCakes118.exe

  • Size

    850KB

  • MD5

    0014ccea773bb3d535b0bc5d90e5fc5f

  • SHA1

    e5c386d108b2f1dabda603850e93b29281794991

  • SHA256

    868e2e284842786e373e4f5a532871ed7f53712b1b66473d5654b04bb033e6c0

  • SHA512

    f69ac0471996c77918bf45781001559f9dc11d6f37f3a990b57b0de76fc986ea6a7ac65fe079a9c2e7da9c7b1ad757c59aa94b2531b97d008c094f59724c96c3

  • SSDEEP

    12288:OoWdBjdDhyzwgXPdlGdXbaH0wUExv5cjkXWXKWhCe//nbpDtSNTS04jC2TwtX:MDhSPKK4ExwxKkXlZSRSiMwtX

Score
8/10
bootkitpersistence

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 2 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    persistence
  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 25 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

    bootkitpersistence
  • Drops file in System32 directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 11 IoCs
  • Checks SCSI registry key(s) 3 TTPs 64 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies data under HKEY_USERS 52 IoCs
  • Modifies registry class 28 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of SetWindowsHookEx 5 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence
  • Uses Volume Shadow Copy WMI provider

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\0014ccea773bb3d535b0bc5d90e5fc5f_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\0014ccea773bb3d535b0bc5d90e5fc5f_JaffaCakes118.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:4712
    • C:\ProgramData\isecurity.exe
      C:\ProgramData\isecurity.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Enumerates connected drives
      • Writes to the Master Boot Record (MBR)
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      PID:3036
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 3036 -s 836
        3⤵
        • Program crash
        PID:4208
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 3036 -s 836
        3⤵
        • Program crash
        PID:1536
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 3036 -s 1116
        3⤵
        • Program crash
        PID:4916
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 3036 -s 1124
        3⤵
        • Program crash
        PID:532
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 3036 -s 1168
        3⤵
        • Program crash
        PID:5012
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 3036 -s 1284
        3⤵
        • Program crash
        PID:5088
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 3036 -s 1176
        3⤵
        • Program crash
        PID:2496
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 3036 -s 1176
        3⤵
        • Program crash
        PID:2004
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 3036 -s 1340
        3⤵
        • Program crash
        PID:4628
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 3036 -s 1732
        3⤵
        • Program crash
        PID:1976
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 3036 -s 1288
        3⤵
        • Program crash
        PID:3928
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3036 -ip 3036
    1⤵
      PID:3360
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 3036 -ip 3036
      1⤵
        PID:4976
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 3036 -ip 3036
        1⤵
          PID:3156
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 3036 -ip 3036
          1⤵
            PID:3672
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 3036 -ip 3036
            1⤵
              PID:1044
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 3036 -ip 3036
              1⤵
                PID:2368
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 3036 -ip 3036
                1⤵
                  PID:2932
                • C:\Windows\SysWOW64\WerFault.exe
                  C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 3036 -ip 3036
                  1⤵
                    PID:1268
                  • C:\Windows\SysWOW64\WerFault.exe
                    C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 3036 -ip 3036
                    1⤵
                      PID:3612
                    • C:\Windows\system32\sihost.exe
                      sihost.exe
                      1⤵
                      • Suspicious use of FindShellTrayWindow
                      • Suspicious use of WriteProcessMemory
                      PID:1916
                      • C:\Windows\explorer.exe
                        explorer.exe /LOADSAVEDWINDOWS
                        2⤵
                        • Boot or Logon Autostart Execution: Active Setup
                        • Enumerates connected drives
                        • Checks SCSI registry key(s)
                        • Modifies registry class
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of FindShellTrayWindow
                        • Suspicious use of SendNotifyMessage
                        PID:1904
                    • C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
                      "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
                      1⤵
                      • Modifies data under HKEY_USERS
                      • Suspicious use of SetWindowsHookEx
                      PID:4112
                    • C:\Windows\system32\sihost.exe
                      sihost.exe
                      1⤵
                      • Suspicious use of FindShellTrayWindow
                      PID:2160
                    • C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
                      "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
                      1⤵
                      • Drops file in System32 directory
                      • Modifies data under HKEY_USERS
                      • Suspicious use of SetWindowsHookEx
                      PID:4632
                    • C:\Windows\system32\sihost.exe
                      sihost.exe
                      1⤵
                      • Suspicious use of FindShellTrayWindow
                      PID:2192
                    • C:\Windows\system32\sihost.exe
                      sihost.exe
                      1⤵
                      • Suspicious use of FindShellTrayWindow
                      PID:3228
                    • C:\Windows\system32\sihost.exe
                      sihost.exe
                      1⤵
                      • Suspicious use of FindShellTrayWindow
                      PID:2664
                    • C:\Windows\system32\sihost.exe
                      sihost.exe
                      1⤵
                      • Suspicious use of WriteProcessMemory
                      PID:2848
                      • C:\Windows\explorer.exe
                        explorer.exe /LOADSAVEDWINDOWS
                        2⤵
                        • Boot or Logon Autostart Execution: Active Setup
                        • Enumerates connected drives
                        • Checks SCSI registry key(s)
                        • Modifies registry class
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of FindShellTrayWindow
                        • Suspicious use of SendNotifyMessage
                        • Suspicious use of SetWindowsHookEx
                        PID:2288
                    • C:\Windows\SysWOW64\WerFault.exe
                      C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 3036 -ip 3036
                      1⤵
                        PID:948
                      • C:\Windows\SysWOW64\WerFault.exe
                        C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 3036 -ip 3036
                        1⤵
                          PID:2564

                        Network

                        MITRE ATT&CK Enterprise v15

                        Replay Monitor

                        Loading Replay Monitor...

                        Downloads

                        • C:\ProgramData\isecurity.exe
                          Filesize

                          841KB

                          MD5

                          c5a14db5284c1b7e56e59eb667cccc08

                          SHA1

                          3c409d9a6370d9deec0616918812a32711c4caf4

                          SHA256

                          75a20b9289ccf422af35aa13a797c38bf8df39c65c38904e3a8b2375c1e4d52c

                          SHA512

                          92bece318e77c74d23d632fe665d88aa6043f66d37aac6c985016ebadca341a0f0fbbe97e65e616ceb4494f6bb52f011cc64d96d3ff9501cc145da7d6092f76e

                          Download Submit

                        • C:\Users\Admin\AppData\Local\Microsoft\PenWorkspace\DiscoverCacheData.dat
                          Filesize

                          1022B

                          MD5

                          22f774ec937f82a16377ea00c45e2e2d

                          SHA1

                          d3507cb64f688db81a4afb815dce480e5840873f

                          SHA256

                          9c2e318c32822624c2f5c6ad0f13f8bac22e96415b909972a61fb7a82990fccf

                          SHA512

                          beecf1c81b4aca97f3f7ff69f86efb5d790949572e52ba92c847f05aac4300e02e30b3031888c4d544c24cd130650e3daeaeb035637477ede68c2192334c5b59

                          Download Submit

                        • C:\Users\Admin\AppData\Local\Temp\{741CF7E0-90C2-4E86-AE75-8C2F41128A8B}.png
                          Filesize

                          6KB

                          MD5

                          099ba37f81c044f6b2609537fdb7d872

                          SHA1

                          470ef859afbce52c017874d77c1695b7b0f9cb87

                          SHA256

                          8c98c856e4d43f705ff9a5c9a55f92e1885765654912b4c75385c3ea2fdef4a7

                          SHA512

                          837e1ad7fe4f5cbc0a87f3703ba211c18f32b20df93b23f681cbd0390d8077adba64cf6454a1bb28df1f7df4cb2cdc021d826b6ef8db890e40f21d618d5eb07a

                          Download Submit

                        • C:\Users\Public\Desktop\Internet Security.lnk
                          Filesize

                          682B

                          MD5

                          ed33a1ec584b609d942a63b07a71b7c6

                          SHA1

                          495d713c40a1ff084b82cec83066cd6ad4f21ddc

                          SHA256

                          0fa45d3f58e78a600e8e6a1fd02b1f5b0b85245806a7df1eccc96920ac0574c0

                          SHA512

                          5234792c87830aaa1957b82c9a61095fe6185ade2148291d52019a0da703f8a84ec1d06332305519a5eb43afdc8689b0abd1743f6609ac65d1e9009fd6513bb9

                          Download Submit

                        • memory/1904-26-0x0000000002CB0000-0x0000000002CB1000-memory.dmp

                          Filesize

                          4KB

                          Download

                        • memory/2288-31-0x0000000004810000-0x0000000004811000-memory.dmp

                          Filesize

                          4KB

                          Download

                        • memory/3036-19-0x0000000000400000-0x0000000000A37000-memory.dmp

                          Filesize

                          6.2MB

                          Download

                        • memory/3036-57-0x0000000000400000-0x0000000000A37000-memory.dmp

                          Filesize

                          6.2MB

                          Download

                        • memory/3036-65-0x0000000000400000-0x0000000000A37000-memory.dmp

                          Filesize

                          6.2MB

                          Download

                        • memory/3036-18-0x0000000000400000-0x0000000000A37000-memory.dmp

                          Filesize

                          6.2MB

                          Download

                        • memory/3036-20-0x0000000000400000-0x0000000000A37000-memory.dmp

                          Filesize

                          6.2MB

                          Download

                        • memory/3036-16-0x0000000000400000-0x0000000000A37000-memory.dmp

                          Filesize

                          6.2MB

                          Download

                        • memory/3036-23-0x0000000000400000-0x0000000000A37000-memory.dmp

                          Filesize

                          6.2MB

                          Download

                        • memory/3036-24-0x0000000000400000-0x0000000000A37000-memory.dmp

                          Filesize

                          6.2MB

                          Download

                        • memory/3036-14-0x0000000000400000-0x0000000000A37000-memory.dmp

                          Filesize

                          6.2MB

                          Download

                        • memory/3036-27-0x0000000000400000-0x0000000000A37000-memory.dmp

                          Filesize

                          6.2MB

                          Download

                        • memory/3036-64-0x0000000000400000-0x0000000000A37000-memory.dmp

                          Filesize

                          6.2MB

                          Download

                        • memory/3036-29-0x0000000000400000-0x0000000000A37000-memory.dmp

                          Filesize

                          6.2MB

                          Download

                        • memory/3036-30-0x0000000000400000-0x0000000000A37000-memory.dmp

                          Filesize

                          6.2MB

                          Download

                        • memory/3036-63-0x0000000000400000-0x0000000000A37000-memory.dmp

                          Filesize

                          6.2MB

                          Download

                        • memory/3036-60-0x0000000000400000-0x0000000000A37000-memory.dmp

                          Filesize

                          6.2MB

                          Download

                        • memory/3036-45-0x0000000000400000-0x0000000000A37000-memory.dmp

                          Filesize

                          6.2MB

                          Download

                        • memory/3036-46-0x0000000000400000-0x0000000000A37000-memory.dmp

                          Filesize

                          6.2MB

                          Download

                        • memory/3036-47-0x0000000000400000-0x0000000000A37000-memory.dmp

                          Filesize

                          6.2MB

                          Download

                        • memory/3036-48-0x0000000000400000-0x0000000000A37000-memory.dmp

                          Filesize

                          6.2MB

                          Download

                        • memory/3036-17-0x0000000000400000-0x0000000000A37000-memory.dmp

                          Filesize

                          6.2MB

                          Download

                        • memory/3036-58-0x0000000000400000-0x0000000000A37000-memory.dmp

                          Filesize

                          6.2MB

                          Download

                        • memory/3036-59-0x0000000000400000-0x0000000000A37000-memory.dmp

                          Filesize

                          6.2MB

                          Download

                        • memory/4712-0-0x00000000004D8000-0x00000000004D9000-memory.dmp

                          Filesize

                          4KB

                          Download

                        • memory/4712-2-0x0000000000400000-0x0000000000505000-memory.dmp

                          Filesize

                          1.0MB

                          Download

                        • memory/4712-7-0x0000000000400000-0x0000000000505000-memory.dmp

                          Filesize

                          1.0MB

                          Download

                        • memory/4712-1-0x0000000000400000-0x0000000000505000-memory.dmp

                          Filesize

                          1.0MB

                          Download