Overview

overview

7

Static

static

3

17daab6694...18.exe

windows7-x64

7

17daab6694...18.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    149s
  • max time network
    161s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    27-06-2024 22:59

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    17daab6694384c39699c58829556a09d_JaffaCakes118.exe

  • Size

    845KB

  • MD5

    17daab6694384c39699c58829556a09d

  • SHA1

    3fa392919b7eed4a0dd4abcf97f4365a83636084

  • SHA256

    2373ab6263115c4fb480b529e35111c54cd54637e73682cc698850d6bfd103e9

  • SHA512

    2aa171838a3ce58f5fcdf81246176985a34972f0c5ecb498ba10be237c580684453b1c0d25b089ed3352d0b5bfc82caa879c3ba6c7b8cf9c584c982f59b3d28f

  • SSDEEP

    24576:q/1CKg+Qo4LLg+qbS7AXd2TI5SV7wGNnhZ:ThgmBTI5SfN

Score
7/10
bootkitpersistence

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

    bootkitpersistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 10 IoCs
  • Modifies data under HKEY_USERS 52 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of FindShellTrayWindow 14 IoCs
  • Suspicious use of SendNotifyMessage 12 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\17daab6694384c39699c58829556a09d_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\17daab6694384c39699c58829556a09d_JaffaCakes118.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: RenamesItself
    • Suspicious use of WriteProcessMemory
    PID:4436
    • C:\ProgramData\isecurity.exe
      C:\ProgramData\isecurity.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Enumerates connected drives
      • Writes to the Master Boot Record (MBR)
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      PID:2980
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2980 -s 736
        3⤵
        • Program crash
        PID:5104
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2980 -s 792
        3⤵
        • Program crash
        PID:4044
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2980 -s 816
        3⤵
        • Program crash
        PID:4536
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2980 -s 1108
        3⤵
        • Program crash
        PID:1464
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2980 -s 1116
        3⤵
        • Program crash
        PID:3652
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2980 -s 1128
        3⤵
        • Program crash
        PID:2484
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2980 -s 1192
        3⤵
        • Program crash
        PID:4024
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2980 -s 1276
        3⤵
        • Program crash
        PID:2320
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2980 -s 1276
        3⤵
        • Program crash
        PID:2076
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2980 -s 1292
        3⤵
        • Program crash
        PID:4980
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=5116 --field-trial-handle=2292,i,2103142837140538807,15881446839139365070,262144 --variations-seed-version /prefetch:8
    1⤵
      PID:4232
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2980 -ip 2980
      1⤵
        PID:3076
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 2980 -ip 2980
        1⤵
          PID:1976
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 2980 -ip 2980
          1⤵
            PID:4972
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 2980 -ip 2980
            1⤵
              PID:64
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 2980 -ip 2980
              1⤵
                PID:1876
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 2980 -ip 2980
                1⤵
                  PID:752
                • C:\Windows\SysWOW64\WerFault.exe
                  C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 2980 -ip 2980
                  1⤵
                    PID:3692
                  • C:\Windows\SysWOW64\WerFault.exe
                    C:\Windows\SysWOW64\WerFault.exe -pss -s 396 -p 2980 -ip 2980
                    1⤵
                      PID:2312
                    • C:\Windows\SysWOW64\WerFault.exe
                      C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 2980 -ip 2980
                      1⤵
                        PID:404
                      • C:\Windows\SysWOW64\WerFault.exe
                        C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 2980 -ip 2980
                        1⤵
                          PID:2924
                        • C:\Windows\system32\sihost.exe
                          sihost.exe
                          1⤵
                          • Suspicious use of FindShellTrayWindow
                          PID:1304
                        • C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
                          "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
                          1⤵
                          • Modifies data under HKEY_USERS
                          • Suspicious use of SetWindowsHookEx
                          PID:1140
                        • C:\Windows\system32\sihost.exe
                          sihost.exe
                          1⤵
                          • Suspicious use of FindShellTrayWindow
                          PID:2380
                        • C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
                          "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
                          1⤵
                          • Modifies data under HKEY_USERS
                          • Suspicious use of SetWindowsHookEx
                          PID:3304
                        • C:\Windows\system32\sihost.exe
                          sihost.exe
                          1⤵
                            PID:236
                          • C:\Windows\system32\sihost.exe
                            sihost.exe
                            1⤵
                              PID:4960
                            • C:\Windows\system32\sihost.exe
                              sihost.exe
                              1⤵
                                PID:3280
                              • C:\Windows\system32\sihost.exe
                                sihost.exe
                                1⤵
                                  PID:4852
                                  • C:\Windows\explorer.exe
                                    explorer.exe /LOADSAVEDWINDOWS
                                    2⤵
                                      PID:2740

                                  Network

                                  MITRE ATT&CK Enterprise v15

                                  Replay Monitor

                                  Loading Replay Monitor...

                                  Downloads

                                  • C:\ProgramData\isecurity.exe
                                    Filesize

                                    840KB

                                    MD5

                                    c1673b534e78efa45febc5633ea18423

                                    SHA1

                                    c534fb23431dac614095c03a7b037c49e51d8cf1

                                    SHA256

                                    a4110a0f5694141dbdcbbadad53d38f659f9026e84b97f53fc4bf3eab2c601ed

                                    SHA512

                                    572d30784d9967cf14a40d5b94b0c849ce43e9fccbf5ebfa372a4ef308d9ee7d52234f779661b1cc744e68dbb0ece56a56f9d9cf90e409c1fe83ab413025ea1c

                                    Download Submit

                                  • C:\Users\Public\Desktop\Internet Security.lnk
                                    Filesize

                                    682B

                                    MD5

                                    1e081d0648c4ad2af7d6470e34682d97

                                    SHA1

                                    d058ff0568155958312bf2f57ab7e153b5977b11

                                    SHA256

                                    af9bc17d1828fbc41ce57cd1b335325383d02dfb0944a64e87faf64fc88aa81b

                                    SHA512

                                    41b4573da6c076000feabc910b4f75e97f1458ff0fa7162b5af9c4d7bf54006ad16fe54e9ca5026c5c9f342ffd06ddd0737ac7d6c830b918fc75d6a9cd9eeb7f

                                    Download Submit

                                  • memory/2980-19-0x0000000000400000-0x0000000000A3D000-memory.dmp

                                    Filesize

                                    6.2MB

                                    Download

                                  • memory/2980-22-0x0000000000400000-0x0000000000A3D000-memory.dmp

                                    Filesize

                                    6.2MB

                                    Download

                                  • memory/2980-33-0x0000000000400000-0x0000000000A3D000-memory.dmp

                                    Filesize

                                    6.2MB

                                    Download

                                  • memory/2980-14-0x0000000000400000-0x0000000000A3D000-memory.dmp

                                    Filesize

                                    6.2MB

                                    Download

                                  • memory/2980-15-0x0000000000400000-0x0000000000A3D000-memory.dmp

                                    Filesize

                                    6.2MB

                                    Download

                                  • memory/2980-16-0x0000000000400000-0x0000000000A3D000-memory.dmp

                                    Filesize

                                    6.2MB

                                    Download

                                  • memory/2980-31-0x0000000000400000-0x0000000000A3D000-memory.dmp

                                    Filesize

                                    6.2MB

                                    Download

                                  • memory/2980-30-0x0000000000400000-0x0000000000A3D000-memory.dmp

                                    Filesize

                                    6.2MB

                                    Download

                                  • memory/2980-26-0x0000000000400000-0x0000000000A3D000-memory.dmp

                                    Filesize

                                    6.2MB

                                    Download

                                  • memory/2980-27-0x0000000000400000-0x0000000000A3D000-memory.dmp

                                    Filesize

                                    6.2MB

                                    Download

                                  • memory/2980-28-0x0000000000400000-0x0000000000A3D000-memory.dmp

                                    Filesize

                                    6.2MB

                                    Download

                                  • memory/2980-29-0x0000000000400000-0x0000000000A3D000-memory.dmp

                                    Filesize

                                    6.2MB

                                    Download

                                  • memory/4436-7-0x0000000000400000-0x00000000004FE000-memory.dmp

                                    Filesize

                                    1016KB

                                    Download

                                  • memory/4436-1-0x0000000000400000-0x00000000004FE000-memory.dmp

                                    Filesize

                                    1016KB

                                    Download

                                  • memory/4436-0-0x00000000004EC000-0x00000000004EE000-memory.dmp

                                    Filesize

                                    8KB

                                    Download

                                  • memory/4436-2-0x0000000000400000-0x00000000004FE000-memory.dmp

                                    Filesize

                                    1016KB

                                    Download