Analysis
- max time kernel: 141s
- max time network: 121s
- platform: windows7_x64
- resource: win7-20240419-en
- resource tags: arch:x64, arch:x86, image:win7-20240419-en, locale:en-us, os:windows7-x64, system
- submitted: 20-06-2024 13:08
Static task: static1
Behavioral task: behavioral1
- Sample: 0644ffe8b0035e3fbe98057e9800e85d_JaffaCakes118.exe
- Resource: win7-20240419-en
Behavioral task: behavioral2
- Sample: 0644ffe8b0035e3fbe98057e9800e85d_JaffaCakes118.exe
- Resource: win10v2004-20240611-en
General
- Target: 0644ffe8b0035e3fbe98057e9800e85d_JaffaCakes118.exe
- Size: 439KB
- MD5: 0644ffe8b0035e3fbe98057e9800e85d
- SHA1: 3ee09fac1dbb768c1fc1c8a75e67256a851b210a
- SHA256: b213d9d8de44806565f51c6dcc0eca2468db564f19fc8651f505a32476ba8f31
- SHA512: cc891aa8a29bf6cc680bf523d847f8ab40a3fc8c9a2213eb0721bfdbd58f694bd7f529b3c05d43539e0afe3e79bdf86fc281d0eaa71a81ff4712cfbe031ad408
- SSDEEP: 12288:cYnMa876yH8pllF6kNN4kWumNtTirdt9+T:cYMaeilF137GTEdvq
Malware Config
Signatures
- Deletes itself (1 IoC)
  pid 3020, process cmd.exe
- Executes dropped EXE (1 IoC)
  pid 2600, process windex.exe
- Writes to the Master Boot Record (MBR) (1 TTP, 2 IoCs)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  File opened for modification: \??\PhysicalDrive0 by 0644ffe8b0035e3fbe98057e9800e85d_JaffaCakes118.exe
  File opened for modification: \??\PhysicalDrive0 by windex.exe
- Drops file in Windows directory (3 IoCs)
  File opened for modification: C:\Windows\windex.exe by 0644ffe8b0035e3fbe98057e9800e85d_JaffaCakes118.exe
  File created: C:\Windows\UNINSTAL.BAT by 0644ffe8b0035e3fbe98057e9800e85d_JaffaCakes118.exe
  File created: C:\Windows\windex.exe by 0644ffe8b0035e3fbe98057e9800e85d_JaffaCakes118.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege, pid 2444, process 0644ffe8b0035e3fbe98057e9800e85d_JaffaCakes118.exe
  Token: SeDebugPrivilege, pid 2600, process windex.exe
- Suspicious use of FindShellTrayWindow (1 IoC)
  pid 2600, process windex.exe
- Suspicious use of WriteProcessMemory (11 IoCs)
  PID 2600 (windex.exe) wrote to memory of 2480, procid_target 29 (4 entries)
  PID 2444 (0644ffe8b0035e3fbe98057e9800e85d_JaffaCakes118.exe) wrote to memory of 3020, procid_target 30 (7 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\0644ffe8b0035e3fbe98057e9800e85d_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0644ffe8b0035e3fbe98057e9800e85d_JaffaCakes118.exe"
  PID: 2444
  - Writes to the Master Boot Record (MBR)
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c C:\Windows\UNINSTAL.BAT
    PID: 3020
    - Deletes itself
- C:\Windows\windex.exe
  Command line: C:\Windows\windex.exe
  PID: 2600
  - Executes dropped EXE
  - Writes to the Master Boot Record (MBR)
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    Command line: "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
    PID: 2480
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 214B
  MD5: 835e6160d55e1f8e4ac5928d54d29eef
  SHA1: e8b97c3d4c27da184ed670b57ec0d6f5361445b9
  SHA256: 2dd29f40bafec2352611e4af2c582e2e60afe613dacdbc3153bfa6021de0e437
  SHA512: a21be038e0c156af2d3e0b0e7e78641b6b6eaf8bdbfafd7e064818bfe7b41b3db9fe9036ecc1f1e6ce31de876c1e6166ae78db1991ca3b4ee8baf8ac9fed4d00
- Filesize: 439KB
  MD5: 0644ffe8b0035e3fbe98057e9800e85d
  SHA1: 3ee09fac1dbb768c1fc1c8a75e67256a851b210a
  SHA256: b213d9d8de44806565f51c6dcc0eca2468db564f19fc8651f505a32476ba8f31
  SHA512: cc891aa8a29bf6cc680bf523d847f8ab40a3fc8c9a2213eb0721bfdbd58f694bd7f529b3c05d43539e0afe3e79bdf86fc281d0eaa71a81ff4712cfbe031ad408