Overview

overview

7

Static

static

3

01946b24ac...18.exe

windows7-x64

7

01946b24ac...18.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    141s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240611-en
  • resource tags

    arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
  • submitted
    20/06/2024, 01:01

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    01946b24acdcf38792d9f475175cc8b9_JaffaCakes118.exe

  • Size

    507KB

  • MD5

    01946b24acdcf38792d9f475175cc8b9

  • SHA1

    624ef3e6ba6b660f835a87266cdc8e218934e21e

  • SHA256

    d2a639e2f3324f3b535c41ee312a5b7053904cc723aa186278d0ab902d41d3d0

  • SHA512

    3a050a58969e54762eda5fc4cda6c975f1348ab748e19054afe8a049ff0966c2e6c7a040693548586da846d30b8d5007ee6870259bc837d229cd0e026619b017

  • SSDEEP

    12288:N+ySh7Yy7Sn43AFuhSTLJ9InTbS5gv9W22VsNtTird:N1g7Yel35hSHJ9+TbtU2UsTEd

Score
7/10
bootkitpersistence

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

    bootkitpersistence
  • Drops file in Windows directory 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\01946b24acdcf38792d9f475175cc8b9_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\01946b24acdcf38792d9f475175cc8b9_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Writes to the Master Boot Record (MBR)
    • Suspicious use of WriteProcessMemory
    PID:2432
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SERVER~1.EXE
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SERVER~1.EXE
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      PID:1984
  • C:\Windows\Hacker.com.cn.ini
    C:\Windows\Hacker.com.cn.ini
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:1180
    • C:\Program Files\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
      2⤵
        PID:2736

    Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Windows\Hacker.com.cn.ini
            Filesize

            341KB

            MD5

            2108cb615737c08af9f32e9975d7593f

            SHA1

            4e14a1bdd7551a7274afc2d1a4a0989df49a9fde

            SHA256

            c2c08a1f17c86e946eb0e03dd5d45c6ff77efc5e4127ac07ceb45e0c252b08a2

            SHA512

            5c1be127d1748abd8af4da146c555bc7d480dfa6b533dc62a75e476b3a58b65894bed806a7ab8ff74cb7e7e4700cd27d7ce4a43b02d7ce3cf09914111c078d8e

            Download Submit

          • memory/1180-20-0x0000000000300000-0x0000000000301000-memory.dmp

            Filesize

            4KB

            Download

          • memory/1180-22-0x0000000000400000-0x00000000004C4000-memory.dmp

            Filesize

            784KB

            Download

          • memory/1180-24-0x0000000000300000-0x0000000000301000-memory.dmp

            Filesize

            4KB

            Download

          • memory/1984-19-0x0000000000400000-0x00000000004C4000-memory.dmp

            Filesize

            784KB

            Download

          • memory/2432-21-0x0000000001000000-0x000000000108B000-memory.dmp

            Filesize

            556KB

            Download

          • memory/2432-5-0x0000000001000000-0x000000000108B000-memory.dmp

            Filesize

            556KB

            Download

          • memory/2432-2-0x0000000001000000-0x000000000108B000-memory.dmp

            Filesize

            556KB

            Download

          • memory/2432-1-0x0000000001068000-0x0000000001069000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2432-0-0x0000000001000000-0x000000000108B000-memory.dmp

            Filesize

            556KB

            Download