Analysis
-
max time kernel
118s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20240508-en -
resource tags
arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system -
submitted
20-06-2024 14:24
Static task
static1
Behavioral task
behavioral1
Sample
06cc2bf552ab081d6ed474fd13fb250d_JaffaCakes118.exe
Resource
win7-20240508-en
Behavioral task
behavioral2
Sample
06cc2bf552ab081d6ed474fd13fb250d_JaffaCakes118.exe
Resource
win10v2004-20240226-en
General
-
Target
06cc2bf552ab081d6ed474fd13fb250d_JaffaCakes118.exe
-
Size
154KB
-
MD5
06cc2bf552ab081d6ed474fd13fb250d
-
SHA1
ac25b750a6e6ef426a47059e857e4507255c6fd0
-
SHA256
4778db65938e7531e308dd893851c71db03dcca57858d14156d4ceaa2c11b39e
-
SHA512
1f2fab4e16614fe74f4eb22221d75779e835e563184e37957006d25bed14d9453c2fae083acbb4752977ba18d9bafa42b6e67601188614122209d31f678f28bd
-
SSDEEP
3072:M3Pnai+j6RmtzBSfQgcbbrMbvT0q8O1cZPzQ7IXMBc+AMP+QfQEhxFyVU7UojkdJ:Myj6ezBCQgywvP6bQ7yMP+DE827UBJ
Malware Config
Signatures
-
Deletes itself 1 IoCs
pid Process 3040 cmd.exe -
Modifies WinLogon 2 TTPs 1 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify 06cc2bf552ab081d6ed474fd13fb250d_JaffaCakes118.exe -
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
description ioc Process File opened for modification \??\PhysicalDrive0 06cc2bf552ab081d6ed474fd13fb250d_JaffaCakes118.exe -
Drops file in System32 directory 1 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\fsmgmt.dll 06cc2bf552ab081d6ed474fd13fb250d_JaffaCakes118.exe -
Modifies registry class 3 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.key 06cc2bf552ab081d6ed474fd13fb250d_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ 06cc2bf552ab081d6ed474fd13fb250d_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile" 06cc2bf552ab081d6ed474fd13fb250d_JaffaCakes118.exe -
Suspicious use of AdjustPrivilegeToken 4 IoCs
description pid Process Token: SeBackupPrivilege 3068 06cc2bf552ab081d6ed474fd13fb250d_JaffaCakes118.exe Token: SeRestorePrivilege 3068 06cc2bf552ab081d6ed474fd13fb250d_JaffaCakes118.exe Token: SeBackupPrivilege 3068 06cc2bf552ab081d6ed474fd13fb250d_JaffaCakes118.exe Token: SeRestorePrivilege 3068 06cc2bf552ab081d6ed474fd13fb250d_JaffaCakes118.exe -
Suspicious use of WriteProcessMemory 5 IoCs
description pid Process procid_target PID 3068 wrote to memory of 1196 3068 06cc2bf552ab081d6ed474fd13fb250d_JaffaCakes118.exe 21 PID 3068 wrote to memory of 3040 3068 06cc2bf552ab081d6ed474fd13fb250d_JaffaCakes118.exe 28 PID 3068 wrote to memory of 3040 3068 06cc2bf552ab081d6ed474fd13fb250d_JaffaCakes118.exe 28 PID 3068 wrote to memory of 3040 3068 06cc2bf552ab081d6ed474fd13fb250d_JaffaCakes118.exe 28 PID 3068 wrote to memory of 3040 3068 06cc2bf552ab081d6ed474fd13fb250d_JaffaCakes118.exe 28
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵PID:1196
-
C:\Users\Admin\AppData\Local\Temp\06cc2bf552ab081d6ed474fd13fb250d_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\06cc2bf552ab081d6ed474fd13fb250d_JaffaCakes118.exe"2⤵
- Modifies WinLogon
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3068 -
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\DeleteMe.bat3⤵
- Deletes itself
PID:3040
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
237B
MD5f51f5958745b17fdbd1c8868aa693a5e
SHA108dbb2be1ebfa9811901440fdec933789c33294c
SHA256225b48155d382d72fefcf065a13d951c4a9b09e909ee27c7b02a1cca97c15fe3
SHA512ab2de50155f20b75cb55c327ec27ce0ed37bb10823830c686c90f6279136bc284b6100012c440812b7f79a2b9e467d223b883e2d08e767cdecc17daa0e6b9c5e