Analysis

  • max time kernel
    148s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240611-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240611-en, locale:en-us, os:windows7-x64, system
  • submitted
    20-06-2024 11:25

General

  • Target

    058e65cc5c8b62de498e338e97d3ec3e_JaffaCakes118.exe

  • Size

    225KB

  • MD5

    058e65cc5c8b62de498e338e97d3ec3e

  • SHA1

    f0bb915425b732dc0ffebeabf3b650a1d4528fbd

  • SHA256

    21b69f6e7ed146f49d0036fad6443ef2f9dadff438c54d7c8d6d24704b44b8a3

  • SHA512

    eb7c3dcbf9571723193528d6fd3d2422d0753ad0f7e1dd06f292ac9eb73fd11d1f88364d973694a2a277683fe77996a81b2f907c13cc5e53a7db07546d6a25a3

  • SSDEEP

    6144:CBob4HOMvkodK1YoFeasedwvP6bQ7yMP+DE827D1w:CBeOlvk9Fjse+6b7MP+Dd2vG

Malware Config

Extracted

Family

metasploit

Version

encoder/fnstenv_mov
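The extracted configuration identifies only the encoder, not a listener or a payload type: fnstenv_mov is Metasploit's x86 Fnstenv/mov dword XOR encoder, which recovers its own address from the FPU environment saved by fnstenv (no call/pop, so no 0xE8 byte) and then XORs the body one dword at a time with a fixed 4-byte key. The Python below is an added example, not code from this report or from the Metasploit project: it locates that decoder stub in a byte blob and emulates the loop to recover the cleartext. The stub bytes are reconstructed from memory of modules/encoders/x86/fnstenv_mov.rb and should be checked against that file; the block-count rounding, the 0x90 padding byte and the sample payload are this example's own constructions.

```python
import re
import struct

# Decoder stub of Metasploit's x86/fnstenv_mov encoder as reconstructed for this
# example (assumption: verify against modules/encoders/x86/fnstenv_mov.rb):
#   6a NN                 push  NN             ; NN = number of 4-byte blocks to decode
#   59                    pop   ecx
#   d9 ee                 fldz                 ; any FPU op, just to record an FPU IP
#   d9 74 24 f4           fnstenv [esp-0xc]    ; saved FPU IP (address of fldz) lands at [esp]
#   5b                    pop   ebx            ; ebx = address of fldz
#   81 73 13 KK KK KK KK  xor dword [ebx+0x13], key ; 0x13 = bytes from fldz to end of stub
#   83 eb fc              sub   ebx, -4        ; next dword (avoids a 0x04 byte)
#   e2 f4                 loop  xor            ; runs ecx times
STUB_RE = re.compile(
    rb"\x6a(?P<count>.)\x59\xd9\xee\xd9\x74\x24\xf4\x5b"
    rb"\x81\x73\x13(?P<key>.{4})\x83\xeb\xfc\xe2\xf4",
    re.DOTALL,
)


def _xor_dwords(data: bytes, key: bytes) -> bytes:
    """XOR data with a 4-byte key, dword by dword, little-endian (data length is a multiple of 4)."""
    (k,) = struct.unpack("<I", key)
    return b"".join(struct.pack("<I", struct.unpack("<I", data[i:i + 4])[0] ^ k)
                    for i in range(0, len(data), 4))


def find_stubs(blob: bytes):
    """Return (stub_offset, block_count, key) for every decoder stub found in blob."""
    return [(m.start(), m.group("count")[0], m.group("key")) for m in STUB_RE.finditer(blob)]


def decode(blob: bytes, stub_offset: int) -> bytes:
    """Emulate the decoder loop: XOR block_count dwords following the stub with the key."""
    m = STUB_RE.match(blob, stub_offset)
    if m is None:
        raise ValueError("no fnstenv_mov stub at offset %#x" % stub_offset)
    # The count is read unsigned here; the real push imm8 sign-extends, so counts of
    # 0x80 and above are outside what this example handles.
    count = m.group("count")[0]
    enc = blob[m.end(): m.end() + 4 * count]
    if len(enc) != 4 * count:
        raise ValueError("encoded body is truncated")
    return _xor_dwords(enc, m.group("key"))


def encode(payload: bytes, key: bytes) -> bytes:
    """Inverse of decode, used only to build the constructed sample below. Block count =
    ceil(len/4) and the 0x90 padding byte are this example's choices, not necessarily the framework's."""
    payload += b"\x90" * (-len(payload) % 4)
    count = len(payload) // 4
    if not 1 <= count < 0x80:
        raise ValueError("example limited to 1..127 blocks")
    stub = (b"\x6a" + bytes([count]) + b"\x59\xd9\xee\xd9\x74\x24\xf4\x5b"
            b"\x81\x73\x13" + key + b"\x83\xeb\xfc\xe2\xf4")
    return stub + _xor_dwords(payload, key)


# Constructed sample: a placeholder body (not shellcode taken from the analysed file)
# behind eight junk bytes, so the stub sits at offset 8.
PAYLOAD = b"constructed payload"   # 19 bytes -> padded to 20 -> 5 blocks
KEY = b"\xde\xad\xbe\xef"
SAMPLE = b"\x00" * 8 + encode(PAYLOAD, KEY)

if __name__ == "__main__":
    for off, count, key in find_stubs(SAMPLE):
        print("stub at %#x: %d blocks, key %s" % (off, count, key.hex()))
        print("decoded:", decode(SAMPLE, off))
```

A hit on the stub yields the key and the block count without executing anything, so the same byte pattern doubles as a hunting rule over dumped memory regions such as the 720KB images listed under Downloads; what comes out of decode is the stage that the encoder wrapped, which is where the actual payload type would be identified.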

Signatures

  • MetaSploit

    Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

  • Executes dropped EXE (10 IoCs)
  • Loads dropped DLL (20 IoCs)
  • Writes to the Master Boot Record (MBR) (1 TTP, 11 IoCs)

    Bootkits write to the MBR to gain persistence at a level below the operating system.

  • Drops file in System32 directory (22 IoCs)
  • Modifies registry class (33 IoCs)
  • Suspicious use of WriteProcessMemory (40 IoCs)
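The MBR signature fires on the write itself, so it tells a responder that sector 0 was touched, not what changed. The check that answers the second question is an added example, not part of this report or of the sandbox's signature logic: it parses a 512-byte MBR, diffs the boot-code area (bytes 0 to 0x1B7) against a known-good baseline, and reports whether the partition table or the 0x55AA marker changed as well. It deliberately skips the 4-byte NT disk signature at 0x1B8, which Windows rewrites legitimately, to avoid a false positive. The sectors here are constructed; on a live Windows 7 host the real one is read with administrator rights from \\.\PhysicalDrive0 and the baseline would come from a clean image of the same disk.

```python
import hashlib
import struct

SECTOR = 512
DISK_SIG_OFF = 0x1B8    # 4-byte NT disk signature, legitimately rewritten by Windows
PART_TABLE_OFF = 0x1BE  # four 16-byte partition entries
SIG_OFF = 0x1FE         # 0x55AA boot signature


def parse_mbr(sector: bytes) -> dict:
    """Split sector 0 into boot code, disk signature, four partition entries and the 0x55AA marker."""
    if len(sector) != SECTOR:
        raise ValueError("MBR must be exactly 512 bytes")
    parts = []
    for i in range(4):
        e = sector[PART_TABLE_OFF + 16 * i: PART_TABLE_OFF + 16 * (i + 1)]
        lba_start, sectors = struct.unpack("<II", e[8:16])
        parts.append({"bootable": e[0] == 0x80, "type": e[4],
                      "lba_start": lba_start, "sectors": sectors})
    return {
        "boot_code": sector[:DISK_SIG_OFF],
        "disk_signature": sector[DISK_SIG_OFF:DISK_SIG_OFF + 4],
        "partitions": parts,
        "signature_ok": sector[SIG_OFF:] == b"\x55\xaa",
    }


def diff_boot_code(baseline: bytes, current: bytes) -> list:
    """(offset, old, new) for every changed byte in the boot-code area only."""
    a, b = parse_mbr(baseline)["boot_code"], parse_mbr(current)["boot_code"]
    return [(i, a[i], b[i]) for i in range(len(a)) if a[i] != b[i]]


def check_mbr(baseline: bytes, current: bytes) -> dict:
    """Triage verdict: has the boot code or the partition table moved away from the baseline?"""
    base, cur = parse_mbr(baseline), parse_mbr(current)
    changes = diff_boot_code(baseline, current)
    return {
        "signature_ok": cur["signature_ok"],
        "boot_code_changed": bool(changes),
        "changed_bytes": len(changes),
        "partition_table_changed": base["partitions"] != cur["partitions"],
        "boot_code_sha256": hashlib.sha256(cur["boot_code"]).hexdigest(),
    }


def build_mbr(boot_code: bytes, partitions, disk_sig: bytes = b"\x12\x34\x56\x78") -> bytes:
    """Assemble a constructed sector for the demo (CHS fields left as 0xFF, LBA values only)."""
    code = boot_code.ljust(DISK_SIG_OFF, b"\x00")[:DISK_SIG_OFF]
    table = b"".join(
        struct.pack("<B3sB3sII", 0x80 if bootable else 0x00, b"\xff\xff\xff",
                    ptype, b"\xff\xff\xff", start, count)
        for bootable, ptype, start, count in partitions)
    return code + disk_sig + b"\x00\x00" + table + b"\x55\xaa"


# Constructed data: a stand-in for clean boot code and a typical Windows 7 layout
# (100 MB System Reserved partition plus the OS partition); not copied from any real disk.
GOOD_CODE = b"\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * 20
PARTS = [(True, 0x07, 2048, 204800), (False, 0x07, 206848, 41734144),
         (False, 0x00, 0, 0), (False, 0x00, 0, 0)]
BASELINE = build_mbr(GOOD_CODE, PARTS)
# What a bootkit typically leaves behind: the same partition table, different code in sector 0.
INFECTED = build_mbr(b"\xeb\x00" + b"\xcc" * 50, PARTS)

if __name__ == "__main__":
    print(check_mbr(BASELINE, INFECTED))
```

A bootkit that keeps the partition table intact shows up as boot_code_changed true with partition_table_changed false, which is the pattern in the constructed INFECTED sector; a change confined to the disk signature at 0x1B8 does not trigger, and a partition-table change with unchanged code points at repartitioning rather than a bootkit.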

Processes

  • C:\Users\Admin\AppData\Local\Temp\058e65cc5c8b62de498e338e97d3ec3e_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\058e65cc5c8b62de498e338e97d3ec3e_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Writes to the Master Boot Record (MBR)
    • Drops file in System32 directory
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:2348
    • C:\Windows\SysWOW64\draft32.exe
      C:\Windows\system32\draft32.exe 536 "C:\Users\Admin\AppData\Local\Temp\058e65cc5c8b62de498e338e97d3ec3e_JaffaCakes118.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Writes to the Master Boot Record (MBR)
      • Drops file in System32 directory
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:2668
      • C:\Windows\SysWOW64\draft32.exe
        C:\Windows\system32\draft32.exe 528 "C:\Windows\SysWOW64\draft32.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Writes to the Master Boot Record (MBR)
        • Drops file in System32 directory
        • Modifies registry class
        • Suspicious use of WriteProcessMemory
        PID:2960
        • C:\Windows\SysWOW64\draft32.exe
          C:\Windows\system32\draft32.exe 540 "C:\Windows\SysWOW64\draft32.exe"
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Writes to the Master Boot Record (MBR)
          • Drops file in System32 directory
          • Modifies registry class
          • Suspicious use of WriteProcessMemory
          PID:1912
          • C:\Windows\SysWOW64\draft32.exe
            C:\Windows\system32\draft32.exe 524 "C:\Windows\SysWOW64\draft32.exe"
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Writes to the Master Boot Record (MBR)
            • Drops file in System32 directory
            • Modifies registry class
            • Suspicious use of WriteProcessMemory
            PID:1140
            • C:\Windows\SysWOW64\draft32.exe
              C:\Windows\system32\draft32.exe 532 "C:\Windows\SysWOW64\draft32.exe"
              6⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • Writes to the Master Boot Record (MBR)
              • Drops file in System32 directory
              • Modifies registry class
              • Suspicious use of WriteProcessMemory
              PID:2040
              • C:\Windows\SysWOW64\draft32.exe
                C:\Windows\system32\draft32.exe 552 "C:\Windows\SysWOW64\draft32.exe"
                7⤵
                • Executes dropped EXE
                • Loads dropped DLL
                • Writes to the Master Boot Record (MBR)
                • Drops file in System32 directory
                • Modifies registry class
                • Suspicious use of WriteProcessMemory
                PID:320
                • C:\Windows\SysWOW64\draft32.exe
                  C:\Windows\system32\draft32.exe 556 "C:\Windows\SysWOW64\draft32.exe"
                  8⤵
                  • Executes dropped EXE
                  • Loads dropped DLL
                  • Writes to the Master Boot Record (MBR)
                  • Drops file in System32 directory
                  • Modifies registry class
                  • Suspicious use of WriteProcessMemory
                  PID:1800
                  • C:\Windows\SysWOW64\draft32.exe
                    C:\Windows\system32\draft32.exe 544 "C:\Windows\SysWOW64\draft32.exe"
                    9⤵
                    • Executes dropped EXE
                    • Loads dropped DLL
                    • Writes to the Master Boot Record (MBR)
                    • Drops file in System32 directory
                    • Modifies registry class
                    • Suspicious use of WriteProcessMemory
                    PID:2340
                    • C:\Windows\SysWOW64\draft32.exe
                      C:\Windows\system32\draft32.exe 564 "C:\Windows\SysWOW64\draft32.exe"
                      10⤵
                      • Executes dropped EXE
                      • Loads dropped DLL
                      • Writes to the Master Boot Record (MBR)
                      • Drops file in System32 directory
                      • Modifies registry class
                      • Suspicious use of WriteProcessMemory
                      PID:1660
                      • C:\Windows\SysWOW64\draft32.exe
                        C:\Windows\system32\draft32.exe 560 "C:\Windows\SysWOW64\draft32.exe"
                        11⤵
                        • Executes dropped EXE
                        • Writes to the Master Boot Record (MBR)
                        • Drops file in System32 directory
                        • Modifies registry class
                        PID:1520
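Two things in the tree above are worth pulling out. Every generation is started as C:\Windows\system32\draft32.exe but runs as C:\Windows\SysWOW64\draft32.exe: the sample is 32-bit (resource tag arch:x86) on the 64-bit Windows 7 image, so WoW64 file system redirection maps the system32 path to SysWOW64. And the dropped draft32.exe carries the same MD5, SHA1 and SHA256 as the submitted file (see Downloads below), so the chain is the sample copying itself into System32 and relaunching that copy ten times, each time with a small integer argument followed by its parent's path. The Python below is an added triage helper, not the sandbox's own code: it rebuilds the process list from the PIDs and arguments above (transcribed here, not parsed from the page), finds the longest self-spawn chain, lists the WoW64-redirected processes and checks the numeric arguments. Those arguments are all multiples of 4, which is what inherited handle values look like; the report does not show what they are used for, so that stays an observation rather than a finding.

```python
import re

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\058e65cc5c8b62de498e338e97d3ec3e_JaffaCakes118.exe"
DROPPED = r"C:\Windows\SysWOW64\draft32.exe"
# SHA256 of the submitted file and of \Windows\SysWOW64\draft32.exe, both taken from this report.
SAMPLE_SHA256 = "21b69f6e7ed146f49d0036fad6443ef2f9dadff438c54d7c8d6d24704b44b8a3"
DROPPED_SHA256 = "21b69f6e7ed146f49d0036fad6443ef2f9dadff438c54d7c8d6d24704b44b8a3"

# (pid, numeric argument) of each draft32.exe generation, transcribed from the tree above;
# every generation is launched by the previous one via the path C:\Windows\system32\draft32.exe.
SPAWNS = [(2668, 536), (2960, 528), (1912, 540), (1140, 524), (2040, 532),
          (320, 552), (1800, 556), (2340, 544), (1660, 564), (1520, 560)]


def build_tree():
    """Rebuild the report's process list as (pid, parent_pid, image, command_line) tuples."""
    procs = [(2348, None, SAMPLE, '"%s"' % SAMPLE)]
    parent, parent_path = 2348, SAMPLE
    for pid, arg in SPAWNS:
        cmd = r'C:\Windows\system32\draft32.exe %d "%s"' % (arg, parent_path)
        procs.append((pid, parent, DROPPED, cmd))
        parent, parent_path = pid, DROPPED
    return procs


def argv(cmdline):
    """Tokenise a Windows command line, keeping double-quoted paths whole (simplified rules)."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def self_spawn_chain(procs):
    """Longest parent-to-child run in which each process launched a copy of its own image."""
    by_pid = {p[0]: p for p in procs}
    best = []
    for pid, ppid, image, _ in procs:
        chain = [pid]
        while ppid in by_pid and by_pid[ppid][2].lower() == image.lower():
            chain.append(ppid)
            ppid = by_pid[ppid][1]
        if len(chain) > len(best):
            best = chain
    return best[::-1]


def wow64_redirected(procs):
    """PIDs whose command line names system32 but whose image ran from SysWOW64:
    file system redirection of a 32-bit process on 64-bit Windows."""
    hits = []
    for pid, _, image, cmdline in procs:
        named = argv(cmdline)[0].lower()
        if "\\system32\\" in named and "\\syswow64\\" in image.lower():
            hits.append(pid)
    return hits


def numeric_args(procs):
    """First command-line argument of each process, where it is a bare integer."""
    out = []
    for _, _, _, cmdline in procs:
        a = argv(cmdline)
        if len(a) > 1 and a[1].isdigit():
            out.append(int(a[1]))
    return out


def summary():
    procs = build_tree()
    args = numeric_args(procs)
    return {
        "self_spawn_depth": len(self_spawn_chain(procs)),
        "wow64_redirected": len(wow64_redirected(procs)),
        # User-mode handle values are multiples of 4; an inherited handle passed on the
        # command line would look like this, but the report does not show how it is used.
        "args_all_multiples_of_4": all(v % 4 == 0 for v in args),
        "dropped_is_self_copy": SAMPLE_SHA256 == DROPPED_SHA256,
    }


if __name__ == "__main__":
    print(summary())
```

On real telemetry the same three checks (image equal to parent image, command-line path not matching the executed image, and a dropped file whose hash equals the launching file's) are cheap to run over process-creation events and together characterise this sample's behaviour far better than any single signature above.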

Network

MITRE ATT&CK Matrix (ATT&CK v13)

Persistence

  • Pre-OS Boot (T1542): 1
    • Bootkit (T1542.003): 1

Defense Evasion

  • Pre-OS Boot (T1542): 1
    • Bootkit (T1542.003): 1


Downloads

  • \Windows\SysWOW64\draft32.exe
    Filesize

    225KB

    MD5

    058e65cc5c8b62de498e338e97d3ec3e

    SHA1

    f0bb915425b732dc0ffebeabf3b650a1d4528fbd

    SHA256

    21b69f6e7ed146f49d0036fad6443ef2f9dadff438c54d7c8d6d24704b44b8a3

    SHA512

    eb7c3dcbf9571723193528d6fd3d2422d0753ad0f7e1dd06f292ac9eb73fd11d1f88364d973694a2a277683fe77996a81b2f907c13cc5e53a7db07546d6a25a3

  • memory/320-124-0x0000000000400000-0x00000000004B4000-memory.dmp
    Filesize

    720KB

  • memory/320-122-0x0000000000400000-0x00000000004B4000-memory.dmp
    Filesize

    720KB

  • memory/320-129-0x0000000000400000-0x00000000004B4000-memory.dmp
    Filesize

    720KB

  • memory/1140-112-0x0000000000400000-0x00000000004B4000-memory.dmp
    Filesize

    720KB

  • memory/1140-116-0x0000000000400000-0x00000000004B4000-memory.dmp
    Filesize

    720KB

  • memory/1520-146-0x0000000000400000-0x00000000004B4000-memory.dmp
    Filesize

    720KB

  • memory/1520-148-0x0000000000400000-0x00000000004B4000-memory.dmp
    Filesize

    720KB

  • memory/1660-140-0x0000000000400000-0x00000000004B4000-memory.dmp
    Filesize

    720KB

  • memory/1660-142-0x0000000000400000-0x00000000004B4000-memory.dmp
    Filesize

    720KB

  • memory/1660-147-0x0000000000400000-0x00000000004B4000-memory.dmp
    Filesize

    720KB

  • memory/1800-135-0x0000000000400000-0x00000000004B4000-memory.dmp
    Filesize

    720KB

  • memory/1800-130-0x0000000000400000-0x00000000004B4000-memory.dmp
    Filesize

    720KB

  • memory/1800-128-0x0000000000400000-0x00000000004B4000-memory.dmp
    Filesize

    720KB

  • memory/1912-111-0x0000000000400000-0x00000000004B4000-memory.dmp
    Filesize

    720KB

  • memory/1912-107-0x0000000000400000-0x00000000004B4000-memory.dmp
    Filesize

    720KB

  • memory/1912-105-0x0000000000400000-0x00000000004B4000-memory.dmp
    Filesize

    720KB

  • memory/2040-123-0x0000000000400000-0x00000000004B4000-memory.dmp
    Filesize

    720KB

  • memory/2040-117-0x0000000000400000-0x00000000004B4000-memory.dmp
    Filesize

    720KB

  • memory/2040-121-0x0000000002CE0000-0x0000000002D94000-memory.dmp
    Filesize

    720KB

  • memory/2340-134-0x0000000000400000-0x00000000004B4000-memory.dmp
    Filesize

    720KB

  • memory/2340-136-0x0000000000400000-0x00000000004B4000-memory.dmp
    Filesize

    720KB

  • memory/2340-141-0x0000000000400000-0x00000000004B4000-memory.dmp
    Filesize

    720KB

  • memory/2348-50-0x00000000028C0000-0x00000000028C1000-memory.dmp
    Filesize

    4KB

  • memory/2348-22-0x0000000002370000-0x0000000002371000-memory.dmp
    Filesize

    4KB

  • memory/2348-20-0x0000000002350000-0x0000000002351000-memory.dmp
    Filesize

    4KB

  • memory/2348-19-0x0000000002320000-0x0000000002321000-memory.dmp
    Filesize

    4KB

  • memory/2348-18-0x0000000002330000-0x0000000002331000-memory.dmp
    Filesize

    4KB

  • memory/2348-17-0x0000000002300000-0x0000000002301000-memory.dmp
    Filesize

    4KB

  • memory/2348-16-0x0000000002310000-0x0000000002311000-memory.dmp
    Filesize

    4KB

  • memory/2348-15-0x00000000005A0000-0x00000000005A1000-memory.dmp
    Filesize

    4KB

  • memory/2348-14-0x00000000022F0000-0x00000000022F1000-memory.dmp
    Filesize

    4KB

  • memory/2348-13-0x00000000003E0000-0x00000000003E1000-memory.dmp
    Filesize

    4KB

  • memory/2348-12-0x00000000003F0000-0x00000000003F1000-memory.dmp
    Filesize

    4KB

  • memory/2348-11-0x00000000003B0000-0x00000000003B1000-memory.dmp
    Filesize

    4KB

  • memory/2348-10-0x00000000003C0000-0x00000000003C1000-memory.dmp
    Filesize

    4KB

  • memory/2348-8-0x00000000003A0000-0x00000000003A1000-memory.dmp
    Filesize

    4KB

  • memory/2348-7-0x0000000000360000-0x0000000000361000-memory.dmp
    Filesize

    4KB

  • memory/2348-6-0x0000000000230000-0x0000000000231000-memory.dmp
    Filesize

    4KB

  • memory/2348-5-0x0000000000220000-0x0000000000221000-memory.dmp
    Filesize

    4KB

  • memory/2348-51-0x00000000028B0000-0x00000000028B1000-memory.dmp
    Filesize

    4KB

  • memory/2348-63-0x0000000002C70000-0x0000000002C71000-memory.dmp
    Filesize

    4KB

  • memory/2348-64-0x0000000002D50000-0x0000000002E04000-memory.dmp
    Filesize

    720KB

  • memory/2348-62-0x0000000002C80000-0x0000000002C81000-memory.dmp
    Filesize

    4KB

  • memory/2348-61-0x0000000002C50000-0x0000000002C51000-memory.dmp
    Filesize

    4KB

  • memory/2348-60-0x0000000002C60000-0x0000000002C61000-memory.dmp
    Filesize

    4KB

  • memory/2348-59-0x0000000002AF0000-0x0000000002AF1000-memory.dmp
    Filesize

    4KB

  • memory/2348-58-0x0000000002B00000-0x0000000002B01000-memory.dmp
    Filesize

    4KB

  • memory/2348-57-0x0000000002AD0000-0x0000000002AD1000-memory.dmp
    Filesize

    4KB

  • memory/2348-56-0x0000000002AE0000-0x0000000002AE1000-memory.dmp
    Filesize

    4KB

  • memory/2348-55-0x0000000002AB0000-0x0000000002AB1000-memory.dmp
    Filesize

    4KB

  • memory/2348-54-0x0000000002AC0000-0x0000000002AC1000-memory.dmp
    Filesize

    4KB

  • memory/2348-53-0x0000000002910000-0x0000000002911000-memory.dmp
    Filesize

    4KB

  • memory/2348-52-0x0000000002AA0000-0x0000000002AA1000-memory.dmp
    Filesize

    4KB

  • memory/2348-24-0x0000000002390000-0x0000000002391000-memory.dmp
    Filesize

    4KB

  • memory/2348-43-0x0000000002830000-0x0000000002831000-memory.dmp
    Filesize

    4KB

  • memory/2348-49-0x0000000002890000-0x0000000002891000-memory.dmp
    Filesize

    4KB

  • memory/2348-48-0x00000000028A0000-0x00000000028A1000-memory.dmp
    Filesize

    4KB

  • memory/2348-47-0x0000000002870000-0x0000000002871000-memory.dmp
    Filesize

    4KB

  • memory/2348-46-0x0000000002880000-0x0000000002881000-memory.dmp
    Filesize

    4KB

  • memory/2348-45-0x0000000002850000-0x0000000002851000-memory.dmp
    Filesize

    4KB

  • memory/2348-44-0x0000000002860000-0x0000000002861000-memory.dmp
    Filesize

    4KB

  • memory/2348-42-0x0000000002840000-0x0000000002841000-memory.dmp
    Filesize

    4KB

  • memory/2348-91-0x0000000000400000-0x00000000004B4000-memory.dmp
    Filesize

    720KB

  • memory/2348-92-0x0000000000320000-0x0000000000350000-memory.dmp
    Filesize

    192KB

  • memory/2348-1-0x0000000000320000-0x0000000000350000-memory.dmp
    Filesize

    192KB

  • memory/2348-21-0x0000000002340000-0x0000000002341000-memory.dmp
    Filesize

    4KB

  • memory/2348-0-0x0000000000400000-0x00000000004B4000-memory.dmp
    Filesize

    720KB

  • memory/2348-2-0x0000000000250000-0x0000000000256000-memory.dmp
    Filesize

    24KB

  • memory/2348-3-0x0000000000240000-0x0000000000241000-memory.dmp
    Filesize

    4KB

  • memory/2348-4-0x0000000000350000-0x0000000000351000-memory.dmp
    Filesize

    4KB

  • memory/2348-9-0x0000000000390000-0x0000000000391000-memory.dmp
    Filesize

    4KB

  • memory/2348-23-0x0000000002360000-0x0000000002361000-memory.dmp
    Filesize

    4KB

  • memory/2348-37-0x0000000002440000-0x0000000002441000-memory.dmp
    Filesize

    4KB

  • memory/2348-36-0x0000000002450000-0x0000000002451000-memory.dmp
    Filesize

    4KB

  • memory/2348-35-0x0000000002420000-0x0000000002421000-memory.dmp
    Filesize

    4KB

  • memory/2348-34-0x0000000002430000-0x0000000002431000-memory.dmp
    Filesize

    4KB

  • memory/2348-33-0x0000000002400000-0x0000000002401000-memory.dmp
    Filesize

    4KB

  • memory/2348-32-0x0000000002410000-0x0000000002411000-memory.dmp
    Filesize

    4KB

  • memory/2348-31-0x00000000023E0000-0x00000000023E1000-memory.dmp
    Filesize

    4KB

  • memory/2348-30-0x00000000023F0000-0x00000000023F1000-memory.dmp
    Filesize

    4KB

  • memory/2348-29-0x00000000023C0000-0x00000000023C1000-memory.dmp
    Filesize

    4KB

  • memory/2348-28-0x00000000023D0000-0x00000000023D1000-memory.dmp
    Filesize

    4KB

  • memory/2348-27-0x00000000023A0000-0x00000000023A1000-memory.dmp
    Filesize

    4KB

  • memory/2348-26-0x00000000023B0000-0x00000000023B1000-memory.dmp
    Filesize

    4KB

  • memory/2348-25-0x0000000002380000-0x0000000002381000-memory.dmp
    Filesize

    4KB

  • memory/2668-71-0x0000000000400000-0x00000000004B4000-memory.dmp
    Filesize

    720KB

  • memory/2668-79-0x00000000007C0000-0x00000000007C1000-memory.dmp
    Filesize

    4KB

  • memory/2668-72-0x0000000000250000-0x0000000000280000-memory.dmp
    Filesize

    192KB

  • memory/2668-73-0x0000000000290000-0x0000000000291000-memory.dmp
    Filesize

    4KB

  • memory/2668-100-0x0000000000250000-0x0000000000280000-memory.dmp
    Filesize

    192KB

  • memory/2668-99-0x0000000000400000-0x00000000004B4000-memory.dmp
    Filesize

    720KB

  • memory/2668-97-0x0000000002CD0000-0x0000000002D84000-memory.dmp
    Filesize

    720KB

  • memory/2668-93-0x0000000000400000-0x00000000004B4000-memory.dmp
    Filesize

    720KB

  • memory/2668-74-0x00000000002A0000-0x00000000002A1000-memory.dmp
    Filesize

    4KB

  • memory/2668-75-0x0000000000360000-0x0000000000361000-memory.dmp
    Filesize

    4KB

  • memory/2668-76-0x0000000000380000-0x0000000000381000-memory.dmp
    Filesize

    4KB

  • memory/2668-77-0x00000000003A0000-0x00000000003A1000-memory.dmp
    Filesize

    4KB

  • memory/2668-78-0x00000000007A0000-0x00000000007A1000-memory.dmp
    Filesize

    4KB

  • memory/2668-88-0x0000000002430000-0x0000000002431000-memory.dmp
    Filesize

    4KB

  • memory/2668-80-0x00000000007E0000-0x00000000007E1000-memory.dmp
    Filesize

    4KB

  • memory/2668-81-0x0000000001F30000-0x0000000001F31000-memory.dmp
    Filesize

    4KB

  • memory/2668-82-0x0000000001F50000-0x0000000001F51000-memory.dmp
    Filesize

    4KB

  • memory/2668-83-0x0000000001F70000-0x0000000001F71000-memory.dmp
    Filesize

    4KB

  • memory/2668-84-0x0000000002000000-0x0000000002001000-memory.dmp
    Filesize

    4KB

  • memory/2668-85-0x0000000001FA0000-0x0000000001FA1000-memory.dmp
    Filesize

    4KB

  • memory/2668-86-0x0000000001FC0000-0x0000000001FC1000-memory.dmp
    Filesize

    4KB

  • memory/2668-87-0x0000000001FE0000-0x0000000001FE1000-memory.dmp
    Filesize

    4KB

  • memory/2960-98-0x0000000000400000-0x00000000004B4000-memory.dmp
    Filesize

    720KB

  • memory/2960-106-0x0000000000400000-0x00000000004B4000-memory.dmp
    Filesize

    720KB

  • memory/2960-101-0x0000000000400000-0x00000000004B4000-memory.dmp
    Filesize

    720KB