53a7a2dc2c68e8d951408cc7e9c5861a218ebdfa4c8c764944aba18a579103b5

Analysis

max time kernel
120s
max time network
120s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
24/06/2024, 16:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

097e63402bea084b2cabd589a91a2694_JaffaCakes118.exe
Size

373KB
MD5

097e63402bea084b2cabd589a91a2694
SHA1

e5e3c37f9ec5ced36c02d8f3b4dd878c5a95dd27
SHA256

53a7a2dc2c68e8d951408cc7e9c5861a218ebdfa4c8c764944aba18a579103b5
SHA512

5023b684371378b05cfde51eefc721676f8a029b52d0fa41100a85a57b9cd7d76162db6404d1533d63f64aa2c054292e98f878ed74899b0a10f826bd5d431836
SSDEEP

6144:0d4gFGIBFF2x2lOa/jCktNNYQ1nHjKZ7EleehDnE8L42nVW5GJZ2tNYLj8MfsYIv:0dRZBFUszxtNNYQ1HjKAeCDnEuVzYKjm

Score

6^/10

bootkit persistence

Malware Config

Signatures

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	097e63402bea084b2cabd589a91a2694_JaffaCakes118.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3028 set thread context of 2440	3028	097e63402bea084b2cabd589a91a2694_JaffaCakes118.exe	28

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.key	097e63402bea084b2cabd589a91a2694_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\	097e63402bea084b2cabd589a91a2694_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile"	097e63402bea084b2cabd589a91a2694_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2440	097e63402bea084b2cabd589a91a2694_JaffaCakes118.exe
2440	097e63402bea084b2cabd589a91a2694_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3028	097e63402bea084b2cabd589a91a2694_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3028 wrote to memory of 2440	3028	097e63402bea084b2cabd589a91a2694_JaffaCakes118.exe	28
PID 3028 wrote to memory of 2440	3028	097e63402bea084b2cabd589a91a2694_JaffaCakes118.exe	28
PID 3028 wrote to memory of 2440	3028	097e63402bea084b2cabd589a91a2694_JaffaCakes118.exe	28
PID 3028 wrote to memory of 2440	3028	097e63402bea084b2cabd589a91a2694_JaffaCakes118.exe	28
PID 3028 wrote to memory of 2440	3028	097e63402bea084b2cabd589a91a2694_JaffaCakes118.exe	28
PID 3028 wrote to memory of 2440	3028	097e63402bea084b2cabd589a91a2694_JaffaCakes118.exe	28
PID 3028 wrote to memory of 2440	3028	097e63402bea084b2cabd589a91a2694_JaffaCakes118.exe	28
PID 3028 wrote to memory of 2440	3028	097e63402bea084b2cabd589a91a2694_JaffaCakes118.exe	28
PID 2440 wrote to memory of 1192	2440	097e63402bea084b2cabd589a91a2694_JaffaCakes118.exe	21
PID 2440 wrote to memory of 1192	2440	097e63402bea084b2cabd589a91a2694_JaffaCakes118.exe	21
PID 2440 wrote to memory of 1192	2440	097e63402bea084b2cabd589a91a2694_JaffaCakes118.exe	21
PID 2440 wrote to memory of 1192	2440	097e63402bea084b2cabd589a91a2694_JaffaCakes118.exe	21

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1192
- C:\Users\Admin\AppData\Local\Temp\097e63402bea084b2cabd589a91a2694_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\097e63402bea084b2cabd589a91a2694_JaffaCakes118.exe"
  2⤵
  - Writes to the Master Boot Record (MBR)
  - Suspicious use of SetThreadContext
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3028
- - C:\Users\Admin\AppData\Local\Temp\097e63402bea084b2cabd589a91a2694_JaffaCakes118.exe
    C:\Users\Admin\AppData\Local\Temp\097e63402bea084b2cabd589a91a2694_JaffaCakes118.exe
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2440

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1192-86-0x000000007FFF0000-0x000000007FFF7000-memory.dmp

Filesize
28KB

Download
memory/1192-89-0x000000007EFD0000-0x000000007EFD1000-memory.dmp

Filesize
4KB

Download
memory/2440-79-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2440-83-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2440-82-0x0000000000400000-0x0000000000408960-memory.dmp

Filesize
34KB

Download
memory/2440-81-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/3028-40-0x0000000000630000-0x0000000000631000-memory.dmp

Filesize
4KB

Download
memory/3028-32-0x0000000000620000-0x0000000000621000-memory.dmp

Filesize
4KB

Download
memory/3028-75-0x00000000001E0000-0x00000000001E3000-memory.dmp

Filesize
12KB

Download
memory/3028-74-0x0000000000620000-0x0000000000621000-memory.dmp

Filesize
4KB

Download
memory/3028-73-0x0000000000620000-0x0000000000621000-memory.dmp

Filesize
4KB

Download
memory/3028-72-0x0000000000620000-0x0000000000621000-memory.dmp

Filesize
4KB

Download
memory/3028-36-0x0000000000620000-0x0000000000621000-memory.dmp

Filesize
4KB

Download
memory/3028-70-0x0000000000620000-0x0000000000621000-memory.dmp

Filesize
4KB

Download
memory/3028-69-0x0000000000620000-0x0000000000621000-memory.dmp

Filesize
4KB

Download
memory/3028-68-0x0000000000620000-0x0000000000621000-memory.dmp

Filesize
4KB

Download
memory/3028-67-0x0000000000620000-0x0000000000621000-memory.dmp

Filesize
4KB

Download
memory/3028-66-0x0000000000620000-0x0000000000621000-memory.dmp

Filesize
4KB

Download
memory/3028-65-0x0000000000620000-0x0000000000621000-memory.dmp

Filesize
4KB

Download
memory/3028-64-0x0000000000620000-0x0000000000621000-memory.dmp

Filesize
4KB

Download
memory/3028-38-0x0000000000620000-0x0000000000621000-memory.dmp

Filesize
4KB

Download
memory/3028-62-0x0000000000620000-0x0000000000621000-memory.dmp

Filesize
4KB

Download
memory/3028-61-0x0000000000620000-0x0000000000621000-memory.dmp

Filesize
4KB

Download
memory/3028-59-0x0000000000620000-0x0000000000621000-memory.dmp

Filesize
4KB

Download
memory/3028-58-0x0000000000620000-0x0000000000621000-memory.dmp

Filesize
4KB

Download
memory/3028-57-0x0000000000620000-0x0000000000621000-memory.dmp

Filesize
4KB

Download
memory/3028-56-0x0000000000620000-0x0000000000621000-memory.dmp

Filesize
4KB

Download
memory/3028-55-0x0000000000620000-0x0000000000621000-memory.dmp

Filesize
4KB

Download
memory/3028-54-0x0000000000620000-0x0000000000621000-memory.dmp

Filesize
4KB

Download
memory/3028-53-0x0000000000630000-0x0000000000631000-memory.dmp

Filesize
4KB

Download
memory/3028-52-0x0000000000630000-0x0000000000631000-memory.dmp

Filesize
4KB

Download
memory/3028-51-0x0000000000630000-0x0000000000631000-memory.dmp

Filesize
4KB

Download
memory/3028-50-0x0000000000630000-0x0000000000631000-memory.dmp

Filesize
4KB

Download
memory/3028-49-0x0000000000630000-0x0000000000631000-memory.dmp

Filesize
4KB

Download
memory/3028-48-0x0000000000630000-0x0000000000631000-memory.dmp

Filesize
4KB

Download
memory/3028-47-0x0000000000630000-0x0000000000631000-memory.dmp

Filesize
4KB

Download
memory/3028-46-0x0000000000630000-0x0000000000631000-memory.dmp

Filesize
4KB

Download
memory/3028-45-0x0000000000630000-0x0000000000631000-memory.dmp

Filesize
4KB

Download
memory/3028-44-0x0000000000630000-0x0000000000631000-memory.dmp

Filesize
4KB

Download
memory/3028-43-0x0000000000630000-0x0000000000631000-memory.dmp

Filesize
4KB

Download
memory/3028-42-0x0000000000630000-0x0000000000631000-memory.dmp

Filesize
4KB

Download
memory/3028-41-0x0000000000630000-0x0000000000631000-memory.dmp

Filesize
4KB

Download
memory/3028-77-0x0000000000620000-0x0000000000621000-memory.dmp

Filesize
4KB

Download
memory/3028-39-0x0000000000630000-0x0000000000631000-memory.dmp

Filesize
4KB

Download
memory/3028-63-0x0000000000620000-0x0000000000621000-memory.dmp

Filesize
4KB

Download
memory/3028-76-0x0000000000610000-0x0000000000611000-memory.dmp

Filesize
4KB

Download
memory/3028-71-0x0000000000620000-0x0000000000621000-memory.dmp

Filesize
4KB

Download
memory/3028-35-0x0000000000620000-0x0000000000621000-memory.dmp

Filesize
4KB

Download
memory/3028-34-0x0000000000620000-0x0000000000621000-memory.dmp

Filesize
4KB

Download
memory/3028-33-0x0000000000620000-0x0000000000621000-memory.dmp

Filesize
4KB

Download
memory/3028-37-0x0000000000620000-0x0000000000621000-memory.dmp

Filesize
4KB

Download
memory/3028-31-0x0000000000620000-0x0000000000621000-memory.dmp

Filesize
4KB

Download
memory/3028-30-0x0000000000620000-0x0000000000621000-memory.dmp

Filesize
4KB

Download
memory/3028-29-0x0000000000620000-0x0000000000621000-memory.dmp

Filesize
4KB

Download
memory/3028-28-0x0000000000620000-0x0000000000621000-memory.dmp

Filesize
4KB

Download
memory/3028-27-0x0000000000620000-0x0000000000621000-memory.dmp

Filesize
4KB

Download
memory/3028-26-0x0000000000620000-0x0000000000621000-memory.dmp

Filesize
4KB

Download
memory/3028-25-0x0000000000620000-0x0000000000621000-memory.dmp

Filesize
4KB

Download
memory/3028-24-0x0000000000620000-0x0000000000621000-memory.dmp

Filesize
4KB

Download
memory/3028-23-0x0000000000620000-0x0000000000621000-memory.dmp

Filesize
4KB

Download
memory/3028-22-0x0000000000620000-0x0000000000621000-memory.dmp

Filesize
4KB

Download
memory/3028-21-0x0000000000620000-0x0000000000621000-memory.dmp

Filesize
4KB

Download
memory/3028-20-0x0000000000620000-0x0000000000621000-memory.dmp

Filesize
4KB

Download
memory/3028-19-0x0000000000620000-0x0000000000621000-memory.dmp

Filesize
4KB

Download
memory/3028-18-0x0000000000620000-0x0000000000621000-memory.dmp

Filesize
4KB

Download
memory/3028-17-0x0000000000620000-0x0000000000621000-memory.dmp

Filesize
4KB

Download
memory/3028-16-0x0000000000620000-0x0000000000621000-memory.dmp

Filesize
4KB

Download
memory/3028-15-0x0000000000620000-0x0000000000621000-memory.dmp

Filesize
4KB

Download
memory/3028-14-0x0000000000620000-0x0000000000621000-memory.dmp

Filesize
4KB

Download
memory/3028-13-0x0000000000620000-0x0000000000621000-memory.dmp

Filesize
4KB

Download
memory/3028-12-0x0000000000620000-0x0000000000621000-memory.dmp

Filesize
4KB

Download
memory/3028-11-0x0000000000620000-0x0000000000621000-memory.dmp

Filesize
4KB

Download
memory/3028-10-0x0000000000620000-0x0000000000621000-memory.dmp

Filesize
4KB

Download
memory/3028-9-0x0000000000620000-0x0000000000621000-memory.dmp

Filesize
4KB

Download
memory/3028-8-0x0000000000620000-0x0000000000621000-memory.dmp

Filesize
4KB

Download
memory/3028-7-0x0000000000620000-0x0000000000621000-memory.dmp

Filesize
4KB

Download
memory/3028-6-0x0000000000620000-0x0000000000621000-memory.dmp

Filesize
4KB

Download
memory/3028-5-0x0000000000620000-0x0000000000621000-memory.dmp

Filesize
4KB

Download
memory/3028-4-0x0000000000620000-0x0000000000621000-memory.dmp

Filesize
4KB

Download
memory/3028-3-0x0000000000620000-0x0000000000621000-memory.dmp

Filesize
4KB

Download
memory/3028-0-0x0000000000400000-0x0000000000577000-memory.dmp

Filesize
1.5MB

Download
memory/3028-2-0x0000000000620000-0x0000000000621000-memory.dmp

Filesize
4KB

Download
memory/3028-1-0x0000000000620000-0x0000000000621000-memory.dmp

Filesize
4KB

Download
memory/3028-85-0x0000000000400000-0x0000000000577000-memory.dmp

Filesize
1.5MB

Download