Overview

overview

7

Static

static

7

18d696cca1...18.exe

windows7-x64

7

18d696cca1...18.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    118s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240220-en
  • resource tags

    arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
  • submitted
    28/06/2024, 04:52

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    18d696cca171bab74a506b22bfa5bb16_JaffaCakes118.exe

  • Size

    852KB

  • MD5

    18d696cca171bab74a506b22bfa5bb16

  • SHA1

    586ef7cd5701a3b523ecc629ad2a64feeeaa2385

  • SHA256

    d42942ec57cde6ed9469595e7a127f6060e34c0229b5b79be1322a98dba23bd5

  • SHA512

    c3a4afc1f38a33e3fbb6e3167a30ae0674ad2e1fd4ca27a90d457db38ff0cd95073b3418fc6b561020cd90a5861b6a93a9f2faca1586c30330e4e86ca1892891

  • SSDEEP

    24576:1ahQbER00iU4SrC2etdgT5UifHnR2tNVlz:1amy0C4v9ngT5xfHRkNzz

Score
7/10
bootkitevasionpersistencetrojanupx

Malware Config

Signatures

  • Identifies Wine through registry keys 2 TTPs 1 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion
  • UPX packed file 5 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

    bootkitpersistence
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\18d696cca171bab74a506b22bfa5bb16_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\18d696cca171bab74a506b22bfa5bb16_JaffaCakes118.exe"
    1⤵
    • Identifies Wine through registry keys
    • Checks whether UAC is enabled
    • Writes to the Master Boot Record (MBR)
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    PID:3068

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • memory/3068-0-0x0000000000400000-0x0000000000525000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/3068-1-0x0000000000400000-0x0000000000525000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/3068-2-0x0000000000401000-0x0000000000407000-memory.dmp

          Filesize

          24KB

          Download

        • memory/3068-5-0x0000000000400000-0x0000000000525000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/3068-6-0x0000000000400000-0x0000000000525000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/3068-7-0x0000000000400000-0x0000000000525000-memory.dmp

          Filesize

          1.1MB

          Download