Analysis
-
max time kernel
149s -
max time network
151s -
platform
windows7_x64 -
resource
win7-20231129-en -
resource tags
arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system -
submitted
20-06-2024 13:34
Static task
static1
Behavioral task
behavioral1
Sample
0676b6c3265e4b4446c5cebef2b41002_JaffaCakes118.exe
Resource
win7-20231129-en
Behavioral task
behavioral2
Sample
0676b6c3265e4b4446c5cebef2b41002_JaffaCakes118.exe
Resource
win10v2004-20240508-en
General
-
Target
0676b6c3265e4b4446c5cebef2b41002_JaffaCakes118.exe
-
Size
176KB
-
MD5
0676b6c3265e4b4446c5cebef2b41002
-
SHA1
7a5118be6f8cc0698792a34623d5ce9b00a356b3
-
SHA256
507dcbf1e05e027dd305018644ee3f8ff254f5e2f377f6d35556216f7276165f
-
SHA512
04938ae1c0168fb06b59429fee79540e95ddf11fdf613e7f8cdaf56483c7924c39fecfd28691a6c4549e74a1077cc1615618506c66b0febf195bda78125b0f78
-
SSDEEP
3072:ePcmR9f7C77u9MwkfbduCW9ehzCM4CS56Zhlk8op4SFCc4ZTBf5nV7N:ePcCf7C77u9MwkWexv4/YVTBBnV7
Malware Config
Signatures
-
Drops file in Drivers directory 2 IoCs
description ioc Process File opened for modification C:\Windows\system32\drivers\etc\KsDQgAKT.dll 0676b6c3265e4b4446c5cebef2b41002_JaffaCakes118.exe File created C:\Windows\system32\drivers\etc\KsDQgAKT.dll 0676b6c3265e4b4446c5cebef2b41002_JaffaCakes118.exe -
Server Software Component: Terminal Services DLL 1 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\ÎÞÓïÖС£¡£¡£\Parameters\ServiceDLL = "%SystemRoot%\\system32\\drivers\\etc\\KsDQgAKT.dll" 0676b6c3265e4b4446c5cebef2b41002_JaffaCakes118.exe -
Deletes itself 1 IoCs
pid Process 2736 svchost.exe -
Loads dropped DLL 1 IoCs
pid Process 2736 svchost.exe -
Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
description ioc Process File opened for modification \??\PhysicalDrive0 0676b6c3265e4b4446c5cebef2b41002_JaffaCakes118.exe File opened for modification \??\PhysicalDrive0 svchost.exe -
Drops file in System32 directory 2 IoCs
description ioc Process File created C:\Windows\SysWOW64\PH2WiD8w6P.ini 0676b6c3265e4b4446c5cebef2b41002_JaffaCakes118.exe File created C:\Windows\SysWOW64\401087eaec0a044beea08790385a315f.del 0676b6c3265e4b4446c5cebef2b41002_JaffaCakes118.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 1044 0676b6c3265e4b4446c5cebef2b41002_JaffaCakes118.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 2736 svchost.exe 2736 svchost.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\0676b6c3265e4b4446c5cebef2b41002_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\0676b6c3265e4b4446c5cebef2b41002_JaffaCakes118.exe"1⤵
- Drops file in Drivers directory
- Server Software Component: Terminal Services DLL
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:1044
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\SysWOW64\svchost.exe -k netsvcs1⤵
- Deletes itself
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetWindowsHookEx
PID:2736
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
86B
MD5edd34ec1323bd1962955ae9e10e17bf1
SHA12cc403bb131353904a5fda11cba35a2f97529fd9
SHA256fbdbd4e62d22a7e05235b12e21f837a5e749da4b99dc051a343d691d81b03a90
SHA51202696b2aed5e7e1df03fcbd246865b29b7100534f4577fe9ee281bd6be8b368887bec90c2fe429519e50878bb63a03067eefc94ba2b60d35e26cf8992afd649d
-
Filesize
137KB
MD5ee139c2f3e9de095fb64cca3f28a2ff3
SHA1bc00e013e2071d1ca0b79d1b0f51701745440526
SHA256c7514c62cf49a666727fa4e36d102919ed22321cff5b12baeae8332b319ebf54
SHA512abf2d5b52310eed2089841796cdafd4ef8b26d1e2c2c29874d7090967515fa45d3d0ebf1dc84f5059ac438dcecc9405eca49f6a388618f14192aad0fd10bd6df