Analysis
- max time kernel: 141s
- max time network: 135s
- platform: windows7_x64
- resource: win7-20231129-en
- resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
- submitted: 20-06-2024 13:45
Static task: static1
Behavioral task: behavioral1
  Sample: 068906b84ebd161a9d2414f9ff97745c_JaffaCakes118.exe
  Resource: win7-20231129-en
Behavioral task: behavioral2
  Sample: 068906b84ebd161a9d2414f9ff97745c_JaffaCakes118.exe
  Resource: win10v2004-20240611-en
General
- Target: 068906b84ebd161a9d2414f9ff97745c_JaffaCakes118.exe
- Size: 482KB
- MD5: 068906b84ebd161a9d2414f9ff97745c
- SHA1: be5614fc857b27f28595432473c472cebcdfcd63
- SHA256: 32eb609e7e56f9ed5e31a7dec1108ec6177784ad5e90612f3ac6a4af4fcf8edc
- SHA512: 69b15993dcf16d6110ba61c25572f71f6d815ee44ba0d3219e320a9ff711bdb33343990cfbbd2fd29b4b2c8a41b3e94a628d15fc3e9a10df919688fe6f8355da
- SSDEEP: 12288:Mv8URXTdBPolarbLNpTmiwu0mB5vjZ//bNtTird:Mvxnwlsb5pmiRFfTEd
Malware Config
Signatures
- Executes dropped EXE (2 IoCs)
  pid 2748: 4_BK.exe
  pid 2484: Hacker.com.cn.exe
- Loads dropped DLL (3 IoCs)
  pid 2168: 068906b84ebd161a9d2414f9ff97745c_JaffaCakes118.exe
  pid 2168: 068906b84ebd161a9d2414f9ff97745c_JaffaCakes118.exe
  pid 2748: 4_BK.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" (process: 068906b84ebd161a9d2414f9ff97745c_JaffaCakes118.exe)
- Writes to the Master Boot Record (MBR) (1 TTPs, 1 IoCs)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  File opened for modification: \??\PhysicalDrive0 (process: 068906b84ebd161a9d2414f9ff97745c_JaffaCakes118.exe)
- Drops file in Windows directory (2 IoCs)
  File created: C:\Windows\Hacker.com.cn.exe (process: 4_BK.exe)
  File opened for modification: C:\Windows\Hacker.com.cn.exe (process: 4_BK.exe)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege, pid 2748: 4_BK.exe
  Token: SeDebugPrivilege, pid 2484: Hacker.com.cn.exe
- Suspicious use of FindShellTrayWindow (1 IoCs)
  pid 2484: Hacker.com.cn.exe
- Suspicious use of WriteProcessMemory (11 IoCs)
  PID 2168 wrote to memory of 2748, pid 2168: 068906b84ebd161a9d2414f9ff97745c_JaffaCakes118.exe, procid_target 28
  PID 2168 wrote to memory of 2748, pid 2168: 068906b84ebd161a9d2414f9ff97745c_JaffaCakes118.exe, procid_target 28
  PID 2168 wrote to memory of 2748, pid 2168: 068906b84ebd161a9d2414f9ff97745c_JaffaCakes118.exe, procid_target 28
  PID 2168 wrote to memory of 2748, pid 2168: 068906b84ebd161a9d2414f9ff97745c_JaffaCakes118.exe, procid_target 28
  PID 2168 wrote to memory of 2748, pid 2168: 068906b84ebd161a9d2414f9ff97745c_JaffaCakes118.exe, procid_target 28
  PID 2168 wrote to memory of 2748, pid 2168: 068906b84ebd161a9d2414f9ff97745c_JaffaCakes118.exe, procid_target 28
  PID 2168 wrote to memory of 2748, pid 2168: 068906b84ebd161a9d2414f9ff97745c_JaffaCakes118.exe, procid_target 28
  PID 2484 wrote to memory of 2088, pid 2484: Hacker.com.cn.exe, procid_target 30
  PID 2484 wrote to memory of 2088, pid 2484: Hacker.com.cn.exe, procid_target 30
  PID 2484 wrote to memory of 2088, pid 2484: Hacker.com.cn.exe, procid_target 30
  PID 2484 wrote to memory of 2088, pid 2484: Hacker.com.cn.exe, procid_target 30
Processes
- C:\Users\Admin\AppData\Local\Temp\068906b84ebd161a9d2414f9ff97745c_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\068906b84ebd161a9d2414f9ff97745c_JaffaCakes118.exe"
  PID: 2168
  - Loads dropped DLL
  - Adds Run key to start application
  - Writes to the Master Boot Record (MBR)
  - Suspicious use of WriteProcessMemory
  - Child: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4_BK.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4_BK.exe
    PID: 2748
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
- C:\Windows\Hacker.com.cn.exe
  Command line: C:\Windows\Hacker.com.cn.exe
  PID: 2484
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  - Child: C:\Program Files\Internet Explorer\IEXPLORE.EXE
    Command line: "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
    PID: 2088
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 786KB
  MD5: 3dfae1b8726b0b48f976d2dce5bcaeaa
  SHA1: 93ca66675eae53f397308bdb81cbecf4cfe8dff5
  SHA256: decfaea1fd05b66bd28af304f5fd16a742668ff2cd9c47b946be6b4ee78a7b3c
  SHA512: 2787db9630967b372496893376a25124ed97b61b6ad7e6f03f9754d56cdccb21fb2077303b80b00745e0a083dffb98e3b9e8c6ca9c1056be55710a2b22550d7c