Analysis
- max time kernel: 150s
- max time network: 144s
- platform: windows10-2004_x64
- resource: win10v2004-20240611-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 20-06-2024 14:07
Static task: static1

Behavioral task: behavioral1
- Sample: 06acfe6fbe9b9913b33da423f3c8bc6a_JaffaCakes118.exe
- Resource: win7-20240419-en

Behavioral task: behavioral2
- Sample: 06acfe6fbe9b9913b33da423f3c8bc6a_JaffaCakes118.exe
- Resource: win10v2004-20240611-en
General
- Target: 06acfe6fbe9b9913b33da423f3c8bc6a_JaffaCakes118.exe
- Size: 26KB
- MD5: 06acfe6fbe9b9913b33da423f3c8bc6a
- SHA1: f92444967590968acee39e53ab0e829e9b7a5a90
- SHA256: 381781fb02d694d488c27e998855ac4aa2f6569ac8ef053accd69e9b86313683
- SHA512: eb1576817e359eaf8e7112ec9324c39eaf850c252a197a7bb39b22d1e723e6e51bf6867b4e78d4dd815c9f66c1da013164c58e5bd3afb1ab88f10a003e51a7b3
- SSDEEP: 384:P1aRJA0ktg0/ZWw14KyXV3k8ukVSYJXKgr/r9zkH1INn0sOHK/krhBk:PP0oDm5/PIYtDrrZkVItFOLb
Malware Config
Signatures

Writes to the Master Boot Record (MBR) (1 TTP, 1 IoC)
Bootkits write to the MBR to gain persistence at a level below the operating system.
  description                  | ioc                 | Process
  File opened for modification | \??\PhysicalDrive0  | IEXPLORE.EXE

Suspicious use of SetThreadContext (1 IoC)
  description                         | pid | Process                                             | procid_target
  PID 628 set thread context of 2868  | 628 | 06acfe6fbe9b9913b33da423f3c8bc6a_JaffaCakes118.exe  | 90

Suspicious behavior: EnumeratesProcesses (1 IoC)
  pid  | Process
  2868 | IEXPLORE.EXE

Suspicious use of AdjustPrivilegeToken (1 IoC)
  description                         | pid | Process
  Token: SeIncBasePriorityPrivilege   | 628 | 06acfe6fbe9b9913b33da423f3c8bc6a_JaffaCakes118.exe

Suspicious use of WriteProcessMemory (7 IoCs)
  description                       | pid | Process                                             | procid_target
  PID 628 wrote to memory of 2868   | 628 | 06acfe6fbe9b9913b33da423f3c8bc6a_JaffaCakes118.exe  | 90
  (the same entry is recorded 7 times)
Processes

C:\Users\Admin\AppData\Local\Temp\06acfe6fbe9b9913b33da423f3c8bc6a_JaffaCakes118.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\06acfe6fbe9b9913b33da423f3c8bc6a_JaffaCakes118.exe"
  PID: 628
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE (child of PID 628)
    command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"
    PID: 2868
    - Writes to the Master Boot Record (MBR)
    - Suspicious behavior: EnumeratesProcesses

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=2792,i,1236064252342462940,13180713657498721890,262144 --variations-seed-version --mojo-platform-channel-handle=4328 /prefetch:8
  PID: 3088