Analysis
- max time kernel: 141s
- max time network: 120s
- platform: windows7_x64
- resource: win7-20240419-en
- resource tags: arch:x64, arch:x86, image:win7-20240419-en, locale:en-us, os:windows7-x64, system
- submitted: 20-06-2024 14:40
Static task: static1
Behavioral task: behavioral1
- Sample: 06eac92f6b9f34702c3d3bd2bd9555e7_JaffaCakes118.exe
- Resource: win7-20240419-en
Behavioral task: behavioral2
- Sample: 06eac92f6b9f34702c3d3bd2bd9555e7_JaffaCakes118.exe
- Resource: win10v2004-20240226-en
The signatures, process tree and downloads below are from behavioral1, the Windows 7 x64 run on resource win7-20240419-en.
General
- Target: 06eac92f6b9f34702c3d3bd2bd9555e7_JaffaCakes118.exe
- Size: 494KB
- MD5: 06eac92f6b9f34702c3d3bd2bd9555e7
- SHA1: 390bc1b081fcc49ec8b4f5839f7b289e582027c8
- SHA256: 75ddb6531734dac744769578fb12c7be3a37a090716a14676122ecccc19328d6
- SHA512: 125b3c361c2d89bb6eaa5c95ee822268612c0d85341667a9ff53df18451723f995f4445c498da94f7521125a6cfb852f5ffd8c1efc933b9e3f607ba1c4f053c1
- SSDEEP: 6144:8ujkkw+rbv1L7AESgXqvbvewud9Tsh+xpYT7diMRVg6D098gWNlPTGQQm6agrdo9:8F+/B/Sxz2vpm7diMRaCNtTirdorJ/
Malware Config
Signatures
-
Deletes itself (1 IoC)
pid   Process
2768  cmd.exe
The deletion is carried out by cmd.exe running the dropped batch file C:\Windows\GUOCYOKl.BAT (see the process tree below), not by the sample's own process, which is why the IoC is attributed to PID 2768.
-
Executes dropped EXE (1 IoC)
pid   Process
2228  lsass.exe
-
Writes to the Master Boot Record (MBR) (1 TTP, 2 IoCs)
Bootkits write to the MBR to gain persistence at a level below the operating system. Both the dropper and the dropped lsass.exe open the raw disk device for modification; whether the first sector was actually changed has to be confirmed by reading it back and comparing it with a known-good copy.
description                   ioc                 Process
File opened for modification  \??\PhysicalDrive0  06eac92f6b9f34702c3d3bd2bd9555e7_JaffaCakes118.exe
File opened for modification  \??\PhysicalDrive0  lsass.exe
-
Drops file in Windows directory (3 IoCs)
The legitimate lsass.exe lives in C:\Windows\System32; a copy written directly under C:\Windows borrows the name of a core system process so that it blends into process listings.
description                   ioc                      Process
File created                  C:\Windows\lsass.exe     06eac92f6b9f34702c3d3bd2bd9555e7_JaffaCakes118.exe
File opened for modification  C:\Windows\lsass.exe     06eac92f6b9f34702c3d3bd2bd9555e7_JaffaCakes118.exe
File created                  C:\Windows\GUOCYOKl.BAT  06eac92f6b9f34702c3d3bd2bd9555e7_JaffaCakes118.exe
-
Suspicious use of AdjustPrivilegeToken (2 IoCs)
description              pid   Process
Token: SeDebugPrivilege  2936  06eac92f6b9f34702c3d3bd2bd9555e7_JaffaCakes118.exe
Token: SeDebugPrivilege  2228  lsass.exe
-
Suspicious use of FindShellTrayWindow (1 IoC)
pid   Process
2228  lsass.exe
-
Suspicious use of WriteProcessMemory (8 IoCs)
description                       pid   Process                                             procid_target
PID 2228 wrote to memory of 2516  2228  lsass.exe                                           29
PID 2228 wrote to memory of 2516  2228  lsass.exe                                           29
PID 2228 wrote to memory of 2516  2228  lsass.exe                                           29
PID 2228 wrote to memory of 2516  2228  lsass.exe                                           29
PID 2936 wrote to memory of 2768  2936  06eac92f6b9f34702c3d3bd2bd9555e7_JaffaCakes118.exe  30
PID 2936 wrote to memory of 2768  2936  06eac92f6b9f34702c3d3bd2bd9555e7_JaffaCakes118.exe  30
PID 2936 wrote to memory of 2768  2936  06eac92f6b9f34702c3d3bd2bd9555e7_JaffaCakes118.exe  30
PID 2936 wrote to memory of 2768  2936  06eac92f6b9f34702c3d3bd2bd9555e7_JaffaCakes118.exe  30
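The check a responder runs after a "Writes to the MBR" hit, as an added example (Python written for this page, not code from the sandbox vendor or from the sample): read the first 512 bytes of the disk, decode the partition table and compare the bootstrap code and partition entries with a known-good copy. The two sectors built in make_samples() are constructed test data, not sectors taken from this run; read_mbr() and the \\.\PhysicalDrive0 path are there for the live case, where the raw device needs Administrator on Windows, and a path to a disk image works anywhere.

```python
"""Parse a 512-byte MBR sector and compare it against a known-good baseline.

Added example, not part of the sandbox report. The sample opened
\\??\\PhysicalDrive0 for modification; this is the follow-up check on the
raw first sector. Sample sectors below are constructed test data.
"""
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_LEN = 446       # bootstrap code occupies bytes 0..445
PT_OFFSET = 446           # four 16-byte partition entries follow
PT_ENTRY_LEN = 16
SIGNATURE_OFFSET = 510    # 0x55 0xAA at bytes 510..511


def parse_mbr(sector: bytes) -> dict:
    """Split a raw MBR sector into its regions and decode the partition table."""
    if len(sector) != MBR_SIZE:
        raise ValueError(f"MBR must be {MBR_SIZE} bytes, got {len(sector)}")
    parts = []
    for i in range(4):
        off = PT_OFFSET + i * PT_ENTRY_LEN
        # status, CHS start (3), type, CHS end (3), LBA start, sector count
        status, _, _, _, ptype, _, _, _, lba_start, sectors = struct.unpack(
            "<BBBBBBBBII", sector[off:off + PT_ENTRY_LEN])
        parts.append({"bootable": status == 0x80, "type": ptype,
                      "lba_start": lba_start, "sectors": sectors})
    return {
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "partitions": parts,
        "signature_ok": sector[SIGNATURE_OFFSET:] == b"\x55\xaa",
    }


def compare_mbr(baseline: bytes, current: bytes) -> list[str]:
    """Return findings; an empty list means the sector matches the baseline."""
    base, cur = parse_mbr(baseline), parse_mbr(current)
    findings = []
    if not cur["signature_ok"]:
        findings.append("boot signature 0x55AA missing")
    if base["boot_code_sha256"] != cur["boot_code_sha256"]:
        findings.append("bootstrap code changed")
    for i, (b, c) in enumerate(zip(base["partitions"], cur["partitions"])):
        if b != c:
            findings.append(f"partition entry {i} changed: {b} -> {c}")
    return findings


def read_mbr(path: str = r"\\.\PhysicalDrive0") -> bytes:
    """Read the first sector of a raw disk (Administrator on Windows) or an image file."""
    with open(path, "rb") as f:
        return f.read(MBR_SIZE)


def make_samples() -> tuple[bytes, bytes]:
    """Constructed test data: a clean MBR and a copy whose boot code has been
    overwritten, the effect a bootkit writing to PhysicalDrive0 would have."""
    boot_code = b"\xfa\x33\xc0\x8e\xd0" + b"\x90" * (BOOT_CODE_LEN - 5)
    # one bootable NTFS-type (0x07) partition starting at LBA 2048, 1 GiB long
    entry = struct.pack("<BBBBBBBBII", 0x80, 0x20, 0x21, 0x00, 0x07,
                        0xfe, 0xff, 0xff, 2048, 2097152)
    clean = boot_code + entry + b"\x00" * (PT_ENTRY_LEN * 3) + b"\x55\xaa"
    tampered = bytearray(clean)
    tampered[0:64] = b"\xeb\xfe" * 32   # replacement bootstrap stub (jmp $)
    return clean, bytes(tampered)


if __name__ == "__main__":
    clean, tampered = make_samples()
    print("clean vs clean:   ", compare_mbr(clean, clean))
    print("clean vs tampered:", compare_mbr(clean, tampered))
```

On a live host the baseline is the sector captured from a clean build of the same image; the bootstrap hash alone is enough to spot a replaced boot code, while the decoded partition entries catch the quieter case of a boot flag or start LBA being redirected.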
Processes
-
C:\Users\Admin\AppData\Local\Temp\06eac92f6b9f34702c3d3bd2bd9555e7_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\06eac92f6b9f34702c3d3bd2bd9555e7_JaffaCakes118.exe"
  PID: 2936
  - Writes to the Master Boot Record (MBR)
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  -
  C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c C:\Windows\GUOCYOKl.BAT
    PID: 2768
    - Deletes itself
-
C:\Windows\lsass.exe
  Command line: C:\Windows\lsass.exe
  PID: 2228
  - Executes dropped EXE
  - Writes to the Master Boot Record (MBR)
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  -
  C:\Program Files\Internet Explorer\IEXPLORE.EXE
    Command line: "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
    PID: 2516
The dropped C:\Windows\lsass.exe is shown at the top level rather than under PID 2936, so the report records no direct parent link from the dropper to it.
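The same behaviour chain expressed as detection logic, as an added example that is not part of the report or of any vendor tooling. SAMPLE_EVENTS is constructed from the PIDs, paths and command lines shown on this page (it is not a raw log from the run, and the ppid of the two top-level processes is left as None because the tree records none); the rule names, the SYSTEM_BINARIES list and the LEGIT_DIRS set are this example's own assumptions. The rules fire on a raw write to a PhysicalDrive device, on a file or process that uses a core system binary's name outside System32/SysWOW64, and on cmd.exe running a batch file that its own parent dropped.

```python
"""Behavioural rules over sandbox-style process and file events.

Added example, not part of the report. SAMPLE_EVENTS is constructed from the
IoCs on this page; SYSTEM_BINARIES and LEGIT_DIRS are illustrative.
"""
import ntpath
import re

# Names that legitimately run only from %SystemRoot%\System32 (or SysWOW64).
SYSTEM_BINARIES = {"lsass.exe", "csrss.exe", "services.exe", "smss.exe",
                   "winlogon.exe", "svchost.exe", "wininit.exe"}
LEGIT_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
# Matches both the NT form \??\PhysicalDrive0 and the Win32 form \\.\PhysicalDrive0.
RAW_DISK = re.compile(r"^(?:\\\?\?|\\\\\.)\\physicaldrive\d+$", re.IGNORECASE)
DROPPED_BATCH = re.compile(r'^"?cmd(?:\.exe)?"?\s+/c\s+"?(.+?\.bat)"?\s*$', re.IGNORECASE)

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\06eac92f6b9f34702c3d3bd2bd9555e7_JaffaCakes118.exe"
SAMPLE_EVENTS = [  # constructed from the page's process tree and IoC tables
    {"type": "process", "pid": 2936, "ppid": None, "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    {"type": "file_create", "pid": 2936, "path": r"C:\Windows\lsass.exe"},
    {"type": "file_create", "pid": 2936, "path": r"C:\Windows\GUOCYOKl.BAT"},
    {"type": "file_modify", "pid": 2936, "path": r"\??\PhysicalDrive0"},
    {"type": "process", "pid": 2768, "ppid": 2936, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r"cmd /c C:\Windows\GUOCYOKl.BAT"},
    {"type": "process", "pid": 2228, "ppid": None, "image": r"C:\Windows\lsass.exe",
     "cmdline": r"C:\Windows\lsass.exe"},
    {"type": "file_modify", "pid": 2228, "path": r"\??\PhysicalDrive0"},
    {"type": "process", "pid": 2516, "ppid": 2228,
     "image": r"C:\Program Files\Internet Explorer\IEXPLORE.EXE",
     "cmdline": r'"C:\Program Files\Internet Explorer\IEXPLORE.EXE"'},
]


def masquerades_system_binary(path: str) -> bool:
    """True when a system-binary name sits outside the directories it belongs in."""
    return (ntpath.basename(path).lower() in SYSTEM_BINARIES
            and ntpath.dirname(path).lower() not in LEGIT_DIRS)


def evaluate(events: list[dict]) -> list[tuple[int, str, str]]:
    """Return (pid, rule, artifact) alerts in the order the events arrive."""
    dropped: dict[str, int] = {}   # lower-cased path -> pid that created it
    alerts: list[tuple[int, str, str]] = []
    for ev in events:
        pid = ev["pid"]
        if ev["type"] in ("file_create", "file_modify"):
            path = ev["path"]
            if RAW_DISK.match(path):
                alerts.append((pid, "raw-disk-write", path))
            if ev["type"] == "file_create":
                dropped[path.lower()] = pid
                if masquerades_system_binary(path):
                    alerts.append((pid, "system-binary-masquerade", path))
        elif ev["type"] == "process":
            image = ev["image"]
            if masquerades_system_binary(image):
                alerts.append((pid, "masqueraded-process-start", image))
            m = DROPPED_BATCH.match(ev["cmdline"])
            if m:
                bat = m.group(1).lower()
                # only fire when the batch was written by this process's parent
                if bat in dropped and dropped[bat] == ev.get("ppid"):
                    alerts.append((pid, "parent-dropped-batch-run", m.group(1)))
    return alerts


if __name__ == "__main__":
    for pid, rule, artifact in evaluate(SAMPLE_EVENTS):
        print(f"{pid:>5}  {rule:<28} {artifact}")
```

The parent check on the batch rule matters: cmd /c on a .bat is routine on its own, and the signal here is that PID 2936 wrote GUOCYOKl.BAT and then spawned the cmd.exe that ran it, which is the shape of a self-deleting dropper.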
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize: 218B
MD5: 01e30256c4b18e4eb53ab1f6d4ad9683
SHA1: 450a08357c2774faadf58bf2a2c5280b17865994
SHA256: 162553d33363b4da8ebf32823247727a0fb7c198e28f9d50e7ec81ebd9209267
SHA512: 4a78426f8ba4b63b3add0b834e928c315a023237a81588e699f6cb6062c2dd50517a1605a6d05b505a24bf9e31c272f9e64e934aac49ca39e651479bee075e57
-
Filesize: 494KB (same hashes as the submitted sample)
MD5: 06eac92f6b9f34702c3d3bd2bd9555e7
SHA1: 390bc1b081fcc49ec8b4f5839f7b289e582027c8
SHA256: 75ddb6531734dac744769578fb12c7be3a37a090716a14676122ecccc19328d6
SHA512: 125b3c361c2d89bb6eaa5c95ee822268612c0d85341667a9ff53df18451723f995f4445c498da94f7521125a6cfb852f5ffd8c1efc933b9e3f607ba1c4f053c1