Analysis
max time kernel: 141s
max time network: 134s
platform: windows7_x64
resource: win7-20240611-en
resource tags: arch:x64, arch:x86, image:win7-20240611-en, locale:en-us, os:windows7-x64, system
submitted: 20-06-2024 13:37
Static task: static1
Behavioral task: behavioral1
  Sample: 067c797f52d75acc17fb63f115517145_JaffaCakes118.exe
  Resource: win7-20240611-en
Behavioral task: behavioral2
  Sample: 067c797f52d75acc17fb63f115517145_JaffaCakes118.exe
  Resource: win10v2004-20240508-en
General
Target: 067c797f52d75acc17fb63f115517145_JaffaCakes118.exe
Size: 468KB
MD5: 067c797f52d75acc17fb63f115517145
SHA1: 895d9741d4b02bc85925c5ee84376ad9a21767b1
SHA256: c49a77f42a2c2348cd5bfb8351f601821ef23d46e8166026bd77a27b8cbc893b
SHA512: af58f39122747bacb733af6965d14ed0df3d16cbd0725e5bfe5c68560f3d60e86896bf18bf0a6dd7bf0522da70c83ae3ea567acc9d762a8f1b36887a2a8ef3b3
SSDEEP: 12288:fb7jkD3v0VBRxE5MBGlcM7UdToS7UZWG1j3FLiUhf:fb3w3v8BRqEM7UdHU1j35iI
Malware Config
Signatures
Deletes itself (1 IoC)
  pid 2728  cmd.exe
Executes dropped EXE (1 IoC)
  pid 2412  GHFHGJHNSSJDW.exe
Writes to the Master Boot Record (MBR) (1 TTP, 2 IoCs)
  Bootkits write to the MBR to gain persistence at a level below the operating system. The indicator here is a write handle on the raw physical disk device, which bypasses the filesystem entirely; both the submitted sample and the dropped copy open it.
  File opened for modification  \??\PhysicalDrive0  067c797f52d75acc17fb63f115517145_JaffaCakes118.exe
  File opened for modification  \??\PhysicalDrive0  GHFHGJHNSSJDW.exe
Drops file in Windows directory (3 IoCs)
  File created                  C:\Windows\GHFHGJHNSSJDW.exe  067c797f52d75acc17fb63f115517145_JaffaCakes118.exe
  File opened for modification  C:\Windows\GHFHGJHNSSJDW.exe  067c797f52d75acc17fb63f115517145_JaffaCakes118.exe
  File created                  C:\Windows\HKFX2008.BAT       067c797f52d75acc17fb63f115517145_JaffaCakes118.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege  pid 2024  067c797f52d75acc17fb63f115517145_JaffaCakes118.exe
  Token: SeDebugPrivilege  pid 2412  GHFHGJHNSSJDW.exe
Suspicious use of FindShellTrayWindow (1 IoC)
  pid 2412  GHFHGJHNSSJDW.exe
Suspicious use of WriteProcessMemory (8 IoCs)
  PID 2412 (GHFHGJHNSSJDW.exe) wrote to memory of PID 2688, procid_target 29 (logged 4 times)
  PID 2024 (067c797f52d75acc17fb63f115517145_JaffaCakes118.exe) wrote to memory of PID 2728, procid_target 30 (logged 4 times)
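The MBR write flagged above is what a responder would verify on the affected disk afterwards. The following Python is an added example, not part of the sandbox report and not code from the sample: it parses sector 0 of a raw disk image (boot signature, bootstrap area, partition table) and diffs it against a known-good copy, so that a bootkit-style overwrite of the bootstrap code with the partition table left intact is reported separately from a partition-table change. The sample sectors, the placeholder bootstrap bytes and the two-partition layout are constructed for the demonstration.

```python
"""Offline MBR integrity check: parse a 512-byte first sector and diff it
against a trusted baseline. All sectors below are constructed test data."""
import hashlib
import struct

SECTOR_SIZE = 512
PT_OFFSET = 446            # partition table: 4 x 16-byte entries at bytes 446-509
PT_ENTRY = 16
BOOT_SIG = b"\x55\xaa"     # boot signature at bytes 510-511
# status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count
ENTRY_FMT = "<B3xB3xII"


def parse_mbr(sector: bytes) -> dict:
    """Return boot signature status, a hash of the bootstrap area, and the partition table."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    partitions = []
    for i in range(4):
        status, ptype, lba_start, count = struct.unpack_from(
            ENTRY_FMT, sector, PT_OFFSET + i * PT_ENTRY)
        if ptype == 0:
            continue  # empty slot
        partitions.append({"bootable": status == 0x80, "type": ptype,
                           "lba_start": lba_start, "sectors": count})
    return {
        "signature_ok": sector[510:512] == BOOT_SIG,
        # bootkits typically replace this region and keep the partition table intact
        "bootstrap_sha256": hashlib.sha256(sector[:PT_OFFSET]).hexdigest(),
        "partitions": partitions,
    }


def diff_mbr(baseline: bytes, current: bytes) -> list:
    """List what changed between a trusted MBR and the one read from a suspect disk."""
    base, cur = parse_mbr(baseline), parse_mbr(current)
    findings = []
    if not cur["signature_ok"]:
        findings.append("boot signature 0x55AA missing")
    if base["bootstrap_sha256"] != cur["bootstrap_sha256"]:
        findings.append("bootstrap code (bytes 0-445) modified")
    if base["partitions"] != cur["partitions"]:
        findings.append("partition table modified")
    return findings


def read_first_sector(path: str) -> bytes:
    """Read sector 0 from a raw disk image file.
    On a live Windows host the same read works against \\.\PhysicalDrive0 as administrator."""
    with open(path, "rb") as fh:
        return fh.read(SECTOR_SIZE)


def make_sector(bootstrap: bytes, partitions) -> bytes:
    """Build a synthetic MBR (constructed test data, not real boot code)."""
    sec = bytearray(SECTOR_SIZE)
    sec[:len(bootstrap)] = bootstrap
    for i, (bootable, ptype, lba, count) in enumerate(partitions):
        struct.pack_into(ENTRY_FMT, sec, PT_OFFSET + i * PT_ENTRY,
                         0x80 if bootable else 0x00, ptype, lba, count)
    sec[510:512] = BOOT_SIG
    return bytes(sec)


# Constructed baseline: placeholder bootstrap bytes and a two-partition NTFS layout (type 0x07)
PARTS = [(True, 0x07, 2048, 204800), (False, 0x07, 206848, 41736192)]
CLEAN_MBR = make_sector(b"\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * 100, PARTS)
# Constructed bootkit-style tamper: bootstrap overwritten, partition table kept so the disk still boots
INFECTED_MBR = make_sector(b"\xeb\x3c" + b"\xcc" * 200, PARTS)

if __name__ == "__main__":
    print("clean vs clean:   ", diff_mbr(CLEAN_MBR, CLEAN_MBR))
    print("clean vs infected:", diff_mbr(CLEAN_MBR, INFECTED_MBR))
```

For a real case, take the baseline from a known-good image of the same build (or from backup) and the current sector from a forensic image of the suspect disk via `read_first_sector`; a hash mismatch on bytes 0-445 with an unchanged partition table is the pattern this signature is meant to catch, while a mismatch on the partition table usually points to a legitimate repartition rather than a bootkit.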
Processes
C:\Users\Admin\AppData\Local\Temp\067c797f52d75acc17fb63f115517145_JaffaCakes118.exe  (PID 2024)
  Command line: "C:\Users\Admin\AppData\Local\Temp\067c797f52d75acc17fb63f115517145_JaffaCakes118.exe"
  - Writes to the Master Boot Record (MBR)
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  └ C:\Windows\SysWOW64\cmd.exe  (PID 2728)
      Command line: cmd /c C:\Windows\HKFX2008.BAT
      - Deletes itself
C:\Windows\GHFHGJHNSSJDW.exe  (PID 2412)
  Command line: C:\Windows\GHFHGJHNSSJDW.exe
  - Executes dropped EXE
  - Writes to the Master Boot Record (MBR)
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  └ C:\Program Files\Internet Explorer\IEXPLORE.EXE  (PID 2688)
      Command line: "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
Network
MITRE ATT&CK Enterprise v15
Downloads
File 1 (the submitted sample)
  Filesize: 468KB
  MD5: 067c797f52d75acc17fb63f115517145
  SHA1: 895d9741d4b02bc85925c5ee84376ad9a21767b1
  SHA256: c49a77f42a2c2348cd5bfb8351f601821ef23d46e8166026bd77a27b8cbc893b
  SHA512: af58f39122747bacb733af6965d14ed0df3d16cbd0725e5bfe5c68560f3d60e86896bf18bf0a6dd7bf0522da70c83ae3ea567acc9d762a8f1b36887a2a8ef3b3
File 2
  Filesize: 218B
  MD5: 29cd88c29bcd0d3d1772dd3c968e8096
  SHA1: 791e256ed68e17c0f6fdd8f383063a4d40c78fe9
  SHA256: ba48eea8d7376cb3dbac8919278ffab139cc85846d0ef8b6d785a2f042ce7172
  SHA512: 3f87ea00182db8223c323333bec465364d22e60a4725f4bf5aadf3064cd4d0ab3630b4b6e4f1c3895163088c6bec1d3c5c4636f22daa03c393779c1fd012aca7