Analysis

  • max time kernel
    141s
  • max time network
    135s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags

    arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
  • submitted
    20-06-2024 13:45

General

  • Target

    068906b84ebd161a9d2414f9ff97745c_JaffaCakes118.exe

  • Size

    482KB

  • MD5

    068906b84ebd161a9d2414f9ff97745c

  • SHA1

    be5614fc857b27f28595432473c472cebcdfcd63

  • SHA256

    32eb609e7e56f9ed5e31a7dec1108ec6177784ad5e90612f3ac6a4af4fcf8edc

  • SHA512

    69b15993dcf16d6110ba61c25572f71f6d815ee44ba0d3219e320a9ff711bdb33343990cfbbd2fd29b4b2c8a41b3e94a628d15fc3e9a10df919688fe6f8355da

  • SSDEEP

    12288:Mv8URXTdBPolarbLNpTmiwu0mB5vjZ//bNtTird:Mvxnwlsb5pmiRFfTEd

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

  • Drops file in Windows directory 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\068906b84ebd161a9d2414f9ff97745c_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\068906b84ebd161a9d2414f9ff97745c_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Writes to the Master Boot Record (MBR)
    • Suspicious use of WriteProcessMemory
    PID:2168
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4_BK.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4_BK.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      PID:2748
  • C:\Windows\Hacker.com.cn.exe
    C:\Windows\Hacker.com.cn.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:2484
    • C:\Program Files\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
      2⤵
        PID:2088

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • \Users\Admin\AppData\Local\Temp\IXP000.TMP\4_BK.exe

      Filesize

      786KB

      MD5

      3dfae1b8726b0b48f976d2dce5bcaeaa

      SHA1

      93ca66675eae53f397308bdb81cbecf4cfe8dff5

      SHA256

      decfaea1fd05b66bd28af304f5fd16a742668ff2cd9c47b946be6b4ee78a7b3c

      SHA512

      2787db9630967b372496893376a25124ed97b61b6ad7e6f03f9754d56cdccb21fb2077303b80b00745e0a083dffb98e3b9e8c6ca9c1056be55710a2b22550d7c

    • memory/2168-0-0x0000000001000000-0x0000000001084000-memory.dmp

      Filesize

      528KB

    • memory/2168-2-0x0000000001000000-0x0000000001084000-memory.dmp

      Filesize

      528KB

    • memory/2168-1-0x0000000001060000-0x0000000001061000-memory.dmp

      Filesize

      4KB

    • memory/2168-3-0x0000000001000000-0x0000000001084000-memory.dmp

      Filesize

      528KB

    • memory/2168-21-0x0000000001000000-0x0000000001084000-memory.dmp

      Filesize

      528KB

    • memory/2484-19-0x0000000000260000-0x0000000000261000-memory.dmp

      Filesize

      4KB

    • memory/2484-22-0x0000000000400000-0x00000000004CE000-memory.dmp

      Filesize

      824KB

    • memory/2484-24-0x0000000000260000-0x0000000000261000-memory.dmp

      Filesize

      4KB

    • memory/2748-20-0x0000000000400000-0x00000000004CE000-memory.dmp

      Filesize

      824KB