d678f1ba76680d2428ef998a58bcbfbe57406b96f3bf978570433cdb30e30b63

Analysis

max time kernel
143s
max time network
122s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
28/06/2024, 02:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

18843accc238fc0b7ce7b851ece8a149_JaffaCakes118.exe
Size

1.6MB
MD5

18843accc238fc0b7ce7b851ece8a149
SHA1

1671f02900fb2dc1f06005480bee68c419da4501
SHA256

d678f1ba76680d2428ef998a58bcbfbe57406b96f3bf978570433cdb30e30b63
SHA512

a1dd4d0b52c5329c0f221a9bd000182d3f92b6dccacffa3ac3caf2e23403106b8508360f2f98db46793c8c4c0ffa8ca5280b676160db08b3c51653732b4d8668
SSDEEP

49152:31R+OAGKRwtsCds9U68eu8SExZGJbPq89o9m8erX:37+o5sCds268evSExwV9o9mh

Score

7^/10

aspackv2 bootkit persistence

Malware Config

Signatures

ASPack v2.12-2.42 1 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral1/files/0x00620000000131b0-30.dat	aspack_v212_v242

Deletes itself 1 IoCs

pid	Process
2788	cmd.exe

Executes dropped EXE 3 IoCs

pid	Process
2208	ssinitar.exe
3004	setup.exe
1612	setup.exe

Loads dropped DLL 9 IoCs

pid	Process
816	18843accc238fc0b7ce7b851ece8a149_JaffaCakes118.exe
2668	Rundll32.exe
3004	setup.exe
3004	setup.exe
3004	setup.exe
3004	setup.exe
1612	setup.exe
1612	setup.exe
1612	setup.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	setup.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	setup.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	setup.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1612	setup.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
1612	setup.exe
1612	setup.exe
1612	setup.exe
1612	setup.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1612	setup.exe

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 816 wrote to memory of 2208	816	18843accc238fc0b7ce7b851ece8a149_JaffaCakes118.exe	28
PID 816 wrote to memory of 2208	816	18843accc238fc0b7ce7b851ece8a149_JaffaCakes118.exe	28
PID 816 wrote to memory of 2208	816	18843accc238fc0b7ce7b851ece8a149_JaffaCakes118.exe	28
PID 816 wrote to memory of 2208	816	18843accc238fc0b7ce7b851ece8a149_JaffaCakes118.exe	28
PID 816 wrote to memory of 2668	816	18843accc238fc0b7ce7b851ece8a149_JaffaCakes118.exe	29
PID 816 wrote to memory of 2668	816	18843accc238fc0b7ce7b851ece8a149_JaffaCakes118.exe	29
PID 816 wrote to memory of 2668	816	18843accc238fc0b7ce7b851ece8a149_JaffaCakes118.exe	29
PID 816 wrote to memory of 2668	816	18843accc238fc0b7ce7b851ece8a149_JaffaCakes118.exe	29
PID 816 wrote to memory of 2668	816	18843accc238fc0b7ce7b851ece8a149_JaffaCakes118.exe	29
PID 816 wrote to memory of 2668	816	18843accc238fc0b7ce7b851ece8a149_JaffaCakes118.exe	29
PID 816 wrote to memory of 2668	816	18843accc238fc0b7ce7b851ece8a149_JaffaCakes118.exe	29
PID 2668 wrote to memory of 2788	2668	Rundll32.exe	30
PID 2668 wrote to memory of 2788	2668	Rundll32.exe	30
PID 2668 wrote to memory of 2788	2668	Rundll32.exe	30
PID 2668 wrote to memory of 2788	2668	Rundll32.exe	30
PID 2628 wrote to memory of 3004	2628	taskeng.exe	33
PID 2628 wrote to memory of 3004	2628	taskeng.exe	33
PID 2628 wrote to memory of 3004	2628	taskeng.exe	33
PID 2628 wrote to memory of 3004	2628	taskeng.exe	33
PID 2628 wrote to memory of 3004	2628	taskeng.exe	33
PID 2628 wrote to memory of 3004	2628	taskeng.exe	33
PID 2628 wrote to memory of 3004	2628	taskeng.exe	33
PID 3004 wrote to memory of 1612	3004	setup.exe	36
PID 3004 wrote to memory of 1612	3004	setup.exe	36
PID 3004 wrote to memory of 1612	3004	setup.exe	36
PID 3004 wrote to memory of 1612	3004	setup.exe	36
PID 3004 wrote to memory of 1612	3004	setup.exe	36
PID 3004 wrote to memory of 1612	3004	setup.exe	36
PID 3004 wrote to memory of 1612	3004	setup.exe	36

C:\Users\Admin\AppData\Local\Temp\18843accc238fc0b7ce7b851ece8a149_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\18843accc238fc0b7ce7b851ece8a149_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:816
- C:\Users\Admin\AppData\Local\Temp\qqqtgx\ssinitar.exe
  C:\Users\Admin\AppData\Local\Temp\qqqtgx\ssinitar.exe -pasdfghij -d"C:\Users\Admin\AppData\Local\Temp\qqqtgx\"
  2⤵
  - Executes dropped EXE
  PID:2208
- C:\Windows\SysWOW64\Rundll32.exe
  Rundll32.exe "C:\Users\Admin\AppData\Local\Temp\qqqtgx\notedll.txt",acMainDos C:\Users\Admin\AppData\Local\Temp\18843accc238fc0b7ce7b851ece8a149_JaffaCakes118.exe
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2668
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c .\danulev1.bat
    3⤵
    - Deletes itself
    PID:2788

C:\Windows\system32\taskeng.exe
taskeng.exe {3EE3D2B7-C7A1-4352-A78A-A8871E9A1A8F} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:2628
- C:\Users\Admin\AppData\Local\Temp\qqqtgx\setup.exe
  C:\Users\Admin\AppData\Local\Temp\qqqtgx\setup.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies data under HKEY_USERS
  - Suspicious use of WriteProcessMemory
  PID:3004
- - C:\Users\Admin\AppData\Local\Temp\qqqtgx\setup.exe
    "C:\Users\Admin\AppData\Local\Temp\qqqtgx\setup.exe" SEC
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Writes to the Master Boot Record (MBR)
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    PID:1612

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\danulev1.bat

Filesize
372B

MD5
c2dc3f38cf4c0a9ff0c2c992a7a7652d

SHA1
afd83e75ef7fde09cf33fc346b4a1e39ed1c5fa5

SHA256
c23e001c556eb4946983a240abfbb64cc4825c77fef9ec96192440f8fda5a27c

SHA512
243036549bc9e5417761156aa8451daf90dd1c7c9438e0ffc99b79ab3940e4a15148b2a6df85a81d73c951b90289819c003fd5e051cf26a99d989728c0398b59

Download Submit
C:\Users\Admin\AppData\Local\Temp\qqqtgx\notedll.txt

Filesize
517KB

MD5
5a4eef7788d00c35fd72008454670f0d

SHA1
41ffe35f8e8314a93efc00a930a57eeebf6def72

SHA256
cd4454d6e4362b1bb4ef9f6de48c28bfd29d8f963d2bd4b67a4c0e15d2777805

SHA512
00cb224cacbde15ab57b2d4a15c1ab24e348c2276f6b3a6a00ceb197d13da9b60ae643c463b68ffa1aa074933cec0022b684008a12602f97eb2768b08984dbc4

Download Submit
C:\Users\Admin\AppData\Local\Temp\qqqtgx\notedll.txt

Filesize
517KB

MD5
06f2882acabca9fa758d9fd17840e596

SHA1
89bbd6c0c779c031bf0b0b8c39485def336b94fe

SHA256
832bd6dcf1374ac25c890582d45cf3204ba29cd9c9da3f721fcfb8d7d8d330c8

SHA512
5e2b120794703856d1ce510225fdd4a4d6a54f30a27a6e62f8e6b90656c10c2620ad9250f5af7a06479b33d01e3107a75e09cd99b2d1a21db710114e0e0607b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\qqqtgx\setup.exe

Filesize
550KB

MD5
4e472e003ee3994635ecb967c8581e1b

SHA1
4d9c60640ab8f0df4dd4fb0ecabd1b49818d48e7

SHA256
dfe6bf380fbde2ccfed76143b0e933231a6b72d970ec8949781c994d83ea9894

SHA512
671b8b0087a1aa14574a613f23b8a30a8622e79e701a071d8aeffc0a0b1aa1b60abf51052c17e341f6c958754e1131b2173c21d3a0ff19c50bba94eb0c6509ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\qqqtgx\setup.txt

Filesize
550KB

MD5
531734e8f228e931663971f7162879fe

SHA1
e049aa2ffdfe9a95d6d7ba49a1e5f553f16a2cf6

SHA256
af1e5c6a29f8b30bed623a644bfe7d7bc6d194db8798f9eb3692877dd4ce3672

SHA512
634354f9feeacd8ba626bf830506dfa7adfbc1e26fc904b54d5f5ff9cc011afed13bd39cc708e5e8bac588ad898480bcb59d8ceeeb91014eefbe5364f13eecae

Download Submit
\Users\Admin\AppData\Local\Temp\qqqtgx\ssinitar.exe

Filesize
1.2MB

MD5
ef8d72a962c1c0b2e7d8858fc1eef73d

SHA1
29c67925d39458abf799a66e689a714558131f73

SHA256
1de80dd1f16cbb2d17d80e2559bf7689dba8883e84de8ce557e02fd71506f9dd

SHA512
12d2fccf6055bf63d0a8eefc469eae45394b0b0da41fdc429c47f318caeaf712515c478e14766ea8e980a95626e1746d546238b2af42019666682a61ff78d8de

Download Submit
memory/816-0-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/816-29-0x0000000000400000-0x00000000005A2000-memory.dmp

Filesize
1.6MB

Download
memory/1612-41-0x0000000000400000-0x0000000000574000-memory.dmp

Filesize
1.5MB

Download
memory/1612-42-0x0000000000400000-0x0000000000574000-memory.dmp

Filesize
1.5MB

Download
memory/2208-13-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2668-20-0x0000000000720000-0x00000000007A6000-memory.dmp

Filesize
536KB

Download
memory/3004-40-0x0000000000400000-0x0000000000574000-memory.dmp

Filesize
1.5MB

Download