Analysis

  • max time kernel
    117s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240611-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240611-en, locale:en-us, os:windows7-x64, system
  • submitted
    20-06-2024 13:25

General

  • Target
    0666dc953174e2532fc7e2c6a619ed29_JaffaCakes118.exe
  • Size
    820KB
  • MD5
    0666dc953174e2532fc7e2c6a619ed29
  • SHA1
    64570ae1f41a4c8792f31718194c06eeda3af0d1
  • SHA256
    c4b744bc109c8d0330442c880cbbd78f4845a3bb72e3f1bf377331230d47ff85
  • SHA512
    82d0ebf649597978c197b83651d2eea7210f435724d4a12066052d9117bd40af21645b9f95a5b3cf081fff2b399caeda903e1ab0781c4129a9cfe9b6a1a4ba2c
  • SSDEEP
    24576:UcnflP/yxRdg1n7MP+h202fVmEUaFdt/6nu4ucDdw3xbkE:XlP/yt6o+2M7MtCuadw3iE

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 4 IoCs
  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

  • Drops file in Program Files directory 2 IoCs
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 3 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0666dc953174e2532fc7e2c6a619ed29_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\0666dc953174e2532fc7e2c6a619ed29_JaffaCakes118.exe"
    PID: 2452
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    • C:\Users\Admin\AppData\Local\Temp\Master Of The Voice1.7.exe
      "C:\Users\Admin\AppData\Local\Temp\Master Of The Voice1.7.exe"
      PID: 1884
      • Executes dropped EXE
      • Writes to the Master Boot Record (MBR)
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
    • C:\Users\Admin\AppData\Local\Temp\loader.exe
      "C:\Users\Admin\AppData\Local\Temp\loader.exe"
      PID: 2288
      • Executes dropped EXE
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • Suspicious use of WriteProcessMemory
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c Deleteme.bat
        PID: 2820

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\Deleteme.bat
    Filesize: 132B
    MD5: 86b553fba6309de0e4ad6dd0b6b7361d
    SHA1: 4a26abf7ab216bed7ebbe5b6562a88b19f3e73b7
    SHA256: 39c3919c39670fda6ddfefa7323260e1609339aacc97fe51b1578b5ea7148e75
    SHA512: ec1310a515b591157ec152e23f93dd591419d74df5655e49a26346102664c3ff17efa8eeb617d311bb29dd76c4c5972f4f0d74e7b33ef90f23959dcf48ea99ab

  • C:\Users\Admin\AppData\Local\Temp\loader.exe
    Filesize: 350KB
    MD5: 5564293354d9d684d6a2bfbc9be54e5b
    SHA1: 72b56c9ec3ac1c7c9011f7d02bf9c5a7517f3b19
    SHA256: c9291e111b15370a6546ce5e0848018b4ce15a1a277197e3b5a73389508f06cd
    SHA512: f5cd649482ff56babe138350efbc31b18e7270fb32ee286eb9bf60d3025099ad059dbfb85347a6a60fc87eb07339605e53e5c93af1784baa5f4c4617cd9aeb2c

  • \Users\Admin\AppData\Local\Temp\Master Of The Voice1.7.exe
    Filesize: 375KB
    MD5: de5b0dd3a16c1ec9cf307f13525b6657
    SHA1: 5be01b92fa813f51306e08d472b42e8c62c3637c
    SHA256: 69ba7530c540c915a71c444af52104351f00aaddd779d95891f2dacc0f30a3a8
    SHA512: f6498838cf97f77fb180964e8a26221dbf96df68415053a2a3edc550db94f01bdae37f9e6e368be3ee423184984b585d8fb8eb90a2d547185a1fc269264b11ac
