Analysis
- max time kernel: 129s
- max time network: 138s
- platform: windows7_x64
- resource: win7-20240419-en
- resource tags: arch:x64 arch:x86 image:win7-20240419-en locale:en-us os:windows7-x64 system
- submitted: 20-06-2024 14:07
Static task: static1
Behavioral task: behavioral1
- Sample: 06acfe6fbe9b9913b33da423f3c8bc6a_JaffaCakes118.exe
- Resource: win7-20240419-en
Behavioral task: behavioral2
- Sample: 06acfe6fbe9b9913b33da423f3c8bc6a_JaffaCakes118.exe
- Resource: win10v2004-20240611-en
General
- Target: 06acfe6fbe9b9913b33da423f3c8bc6a_JaffaCakes118.exe
- Size: 26KB
- MD5: 06acfe6fbe9b9913b33da423f3c8bc6a
- SHA1: f92444967590968acee39e53ab0e829e9b7a5a90
- SHA256: 381781fb02d694d488c27e998855ac4aa2f6569ac8ef053accd69e9b86313683
- SHA512: eb1576817e359eaf8e7112ec9324c39eaf850c252a197a7bb39b22d1e723e6e51bf6867b4e78d4dd815c9f66c1da013164c58e5bd3afb1ab88f10a003e51a7b3
- SSDEEP: 384:P1aRJA0ktg0/ZWw14KyXV3k8ukVSYJXKgr/r9zkH1INn0sOHK/krhBk:PP0oDm5/PIYtDrrZkVItFOLb
Malware Config
Signatures
- Writes to the Master Boot Record (MBR) (1 TTPs, 1 IoCs)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  description: File opened for modification | ioc: \??\PhysicalDrive0 | Process: IEXPLORE.EXE
- Suspicious use of SetThreadContext (1 IoCs)
  description: PID 2944 set thread context of 2964 | pid: 2944 | Process: 06acfe6fbe9b9913b33da423f3c8bc6a_JaffaCakes118.exe | procid_target: 28
- Suspicious behavior: EnumeratesProcesses (1 IoCs)
  pid: 2964 | Process: IEXPLORE.EXE
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  description: Token: SeIncBasePriorityPrivilege | pid: 2944 | Process: 06acfe6fbe9b9913b33da423f3c8bc6a_JaffaCakes118.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  description: PID 2944 wrote to memory of 2964 | pid: 2944 | Process: 06acfe6fbe9b9913b33da423f3c8bc6a_JaffaCakes118.exe | procid_target: 28
  (this entry is recorded 8 times)
Processes
- C:\Users\Admin\AppData\Local\Temp\06acfe6fbe9b9913b33da423f3c8bc6a_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\06acfe6fbe9b9913b33da423f3c8bc6a_JaffaCakes118.exe"
  PID: 2944
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"
    PID: 2964
    - Writes to the Master Boot Record (MBR)
    - Suspicious behavior: EnumeratesProcesses