Overview

overview

8

Static

static

3

258fc2d52f...18.exe

windows7-x64

7

258fc2d52f...18.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    150s
  • max time network
    125s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240611-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
  • submitted
    04/07/2024, 10:12

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    258fc2d52fc2c10f8888a48519424689_JaffaCakes118.exe

  • Size

    823KB

  • MD5

    258fc2d52fc2c10f8888a48519424689

  • SHA1

    3897d349e0ed457453d378020de3b485f998ef62

  • SHA256

    413a00baf2ea0a1a2230485b55bdd5a3c12cee9e4132a75900cc76aad48c4cfa

  • SHA512

    101af0baad945d5c476fbea06ee2aaa08e8bc318ef7f978dfcf03a0ce3e2288a8cdec66dfeb344c6efc88050ada2af237ec3ade8be3183b15d81d3074ffc59bf

  • SSDEEP

    12288:Tjb9Pmy0MkbJEibv8A3pogsbpz8TGjmSvx+K3IUoZBK4N9TMPU/w3Y5W8:cTRb0+iRbhYGjmMee4N9Ic/4

Score
8/10
bootkitpersistence

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 4 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    persistence
  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 29 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

    bootkitpersistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 64 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies Internet Explorer settings 1 TTPs 6 IoCs
    adwarespyware
  • Modifies data under HKEY_USERS 64 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of SetWindowsHookEx 9 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence
  • Uses Volume Shadow Copy WMI provider

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\258fc2d52fc2c10f8888a48519424689_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\258fc2d52fc2c10f8888a48519424689_JaffaCakes118.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:3716
    • C:\ProgramData\privacy.exe
      C:\ProgramData\privacy.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Enumerates connected drives
      • Writes to the Master Boot Record (MBR)
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      PID:4692
  • C:\Windows\system32\sihost.exe
    sihost.exe
    1⤵
    • Suspicious use of FindShellTrayWindow
    PID:4636
  • C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
    "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
    1⤵
    • Modifies data under HKEY_USERS
    • Suspicious use of SetWindowsHookEx
    PID:3016
  • C:\Windows\system32\sihost.exe
    sihost.exe
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2824
    • C:\Windows\explorer.exe
      explorer.exe /LOADSAVEDWINDOWS
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Enumerates connected drives
      • Checks SCSI registry key(s)
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:752
  • C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
    "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
    1⤵
    • Modifies data under HKEY_USERS
    • Suspicious use of SetWindowsHookEx
    PID:3876
  • C:\Windows\system32\sihost.exe
    sihost.exe
    1⤵
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:3912
    • C:\Windows\explorer.exe
      explorer.exe /LOADSAVEDWINDOWS
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Enumerates connected drives
      • Checks SCSI registry key(s)
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:3908
  • C:\Windows\system32\sihost.exe
    sihost.exe
    1⤵
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:4888
    • C:\Windows\explorer.exe
      explorer.exe /LOADSAVEDWINDOWS
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Enumerates connected drives
      • Checks SCSI registry key(s)
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2732
  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
    1⤵
      PID:380
    • C:\Windows\system32\sihost.exe
      sihost.exe
      1⤵
      • Suspicious use of WriteProcessMemory
      PID:1524
      • C:\Windows\explorer.exe
        explorer.exe /LOADSAVEDWINDOWS
        2⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Enumerates connected drives
        • Checks SCSI registry key(s)
        • Modifies Internet Explorer settings
        • Modifies registry class
        • Suspicious behavior: AddClipboardFormatListener
        • Suspicious use of SendNotifyMessage
        • Suspicious use of SetWindowsHookEx
        PID:3556
    • C:\Windows\system32\sihost.exe
      sihost.exe
      1⤵
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:1256
      • C:\Windows\explorer.exe
        explorer.exe /LOADSAVEDWINDOWS
        2⤵
        • Modifies registry class
        PID:2820
    • C:\Windows\System32\rundll32.exe
      C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {9BA05972-F6A8-11CF-A442-00A0C90A8F39} -Embedding
      1⤵
        PID:4516
      • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
        "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
        1⤵
        • Modifies registry class
        • Suspicious use of SetWindowsHookEx
        PID:1708
      • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
        "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
        1⤵
        • Modifies Internet Explorer settings
        • Modifies registry class
        • Suspicious use of SetWindowsHookEx
        PID:916

      Network

            MITRE ATT&CK Enterprise v15

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\ProgramData\privacy.exe
              Filesize

              807KB

              MD5

              7fb9205d26f5aabb1cbbfa0120c29518

              SHA1

              dde6b9de347bd056a508e190149f35e5ad20cabc

              SHA256

              a3f7507f8eafa96000334b8cd29f26adfd8e9e212c481c9a0cb25df08d434bf6

              SHA512

              51808af1bd1eae3d8eaf0ad43afd7b8244d0f001ae29b431ca13dc4acf6a21a8d48d094bd513239085f51f0833f2b747b786ddf679f4f57aa74028188c144ad8

              Download Submit

            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9
              Filesize

              471B

              MD5

              0894160f2995d6fa79e680cb5838f46d

              SHA1

              73dd4befe3415378eb9a81fd3d25dcfbc38b5538

              SHA256

              b357d5b4d66c1b85bfec43b5f415eabe93a82f9221f105938fb69ac2c544c78f

              SHA512

              5044bdcf67470b87f7fdee5466102c960011172360fade265973aab2cebc04af34146232e6b174153f7a58b22c445fc9a79f597e92bec554e7dfe6b571683f41

              Download Submit

            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9
              Filesize

              420B

              MD5

              cfe76f956c0e246c51114b490329114b

              SHA1

              9ac942d304748086348a340a8efedecd9f5d43f4

              SHA256

              43c71eb4da2e55b41200b150ec62b84a66d82590b23542181fe65025ef49e53f

              SHA512

              1f58d5a700d355dda12c7c2cfd27a206b39bc772850dcce86aed9a9cfb81f2a8e4a21904915e0ed31edfc4599d1768abde61a0176392bf0b7ddc5a844e723474

              Download Submit

            • C:\Users\Admin\AppData\Local\IconCache.db
              Filesize

              15KB

              MD5

              3139e082629f6093bfffbcf8ad586cb0

              SHA1

              2421f3bc429e8710a24d7bfa06c9713cb1abb7bc

              SHA256

              c6dbc6bd541c9e692cdb91a53c0d24ee305fd148544e0a30b6c97d928472a677

              SHA512

              c3691f673512809f8dc2c23015410eddc2b6f3a234791f667efb3fef61875424699daafa388e6c2d14b051c071dd7da328390ca3ba849f390b83bcd71707e07d

              Download Submit

            • C:\Users\Admin\AppData\Local\Microsoft\PenWorkspace\DiscoverCacheData.dat
              Filesize

              1022B

              MD5

              fbeb339bd3272d0ceeb1cb8798e3db19

              SHA1

              aa6c18c1d35e442098a98388c0fcd45850dbbc5f

              SHA256

              e3232b57e691a72d406d6774f56af8e5aea1921745efc460362ef7edc4a62998

              SHA512

              cc6eaaabfb3526d360c5807ef0ee0fb85f4b72f7d81805fccd57879afc4d2d792a458eb8f93f6674271fbe25a05b2e2c1046cdb14078cbb2109a1f9a533f1189

              Download Submit

            • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133645615629247605.txt
              Filesize

              75KB

              MD5

              ec861d1b31e9e99a4a6548f1e0b504e1

              SHA1

              8bf1243597aba54793caf29c5e6c258507f15652

              SHA256

              9dcf45126bd51fcc0ef73e54cc07f8eec145bc17eef189acd15fba199972d7da

              SHA512

              30cf8103a2043fd7b1a54ce06ff2ca14ba382040297a177fc612bcf55878f9d0abbe3f7ea0e7be6b6981f7c67f8be09d77730670365af3d52a1e25640a224ffd

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\{9EBBE27E-FD30-416E-956F-5BF8AF5536E3}.png
              Filesize

              6KB

              MD5

              099ba37f81c044f6b2609537fdb7d872

              SHA1

              470ef859afbce52c017874d77c1695b7b0f9cb87

              SHA256

              8c98c856e4d43f705ff9a5c9a55f92e1885765654912b4c75385c3ea2fdef4a7

              SHA512

              837e1ad7fe4f5cbc0a87f3703ba211c18f32b20df93b23f681cbd0390d8077adba64cf6454a1bb28df1f7df4cb2cdc021d826b6ef8db890e40f21d618d5eb07a

              Download Submit

            • C:\Users\Public\Desktop\Privacy Protection.lnk
              Filesize

              672B

              MD5

              da229629b91353fb3806e21821d915ef

              SHA1

              4d3c43485e0b6be3ea47b062c5dae31e1781b88b

              SHA256

              f4e98a66cfaf353087d3959763347c3cd363c96c378b9704237c6c259e158967

              SHA512

              5c6848892c28c9ff2e6d8b3f7a90ef314c1f3e6ae32ac10e42fedfc9b617a6d64c05df974a0091f5aa2adb2c2145f42c6b7718ec2bb8b65bb83e513e44db6c22

              Download Submit

            • memory/752-34-0x0000000003360000-0x0000000003361000-memory.dmp

              Filesize

              4KB

              Download

            • memory/916-54-0x000002B005600000-0x000002B005700000-memory.dmp

              Filesize

              1024KB

              Download

            • memory/916-90-0x000002B006A20000-0x000002B006A40000-memory.dmp

              Filesize

              128KB

              Download

            • memory/916-72-0x000002B006410000-0x000002B006430000-memory.dmp

              Filesize

              128KB

              Download

            • memory/916-59-0x000002B006450000-0x000002B006470000-memory.dmp

              Filesize

              128KB

              Download

            • memory/916-55-0x000002B005600000-0x000002B005700000-memory.dmp

              Filesize

              1024KB

              Download

            • memory/2732-43-0x0000000002A20000-0x0000000002A21000-memory.dmp

              Filesize

              4KB

              Download

            • memory/3556-52-0x0000000003E00000-0x0000000003E01000-memory.dmp

              Filesize

              4KB

              Download

            • memory/3716-2-0x0000000000630000-0x0000000000730000-memory.dmp

              Filesize

              1024KB

              Download

            • memory/3716-27-0x0000000000400000-0x00000000004F9000-memory.dmp

              Filesize

              996KB

              Download

            • memory/3716-1-0x0000000000400000-0x00000000004F9000-memory.dmp

              Filesize

              996KB

              Download

            • memory/3716-7-0x0000000000404000-0x0000000000405000-memory.dmp

              Filesize

              4KB

              Download

            • memory/4692-218-0x0000000000400000-0x0000000000A27000-memory.dmp

              Filesize

              6.2MB

              Download

            • memory/4692-229-0x0000000000400000-0x0000000000A27000-memory.dmp

              Filesize

              6.2MB

              Download

            • memory/4692-45-0x0000000000400000-0x0000000000A27000-memory.dmp

              Filesize

              6.2MB

              Download

            • memory/4692-17-0x0000000000400000-0x0000000000A27000-memory.dmp

              Filesize

              6.2MB

              Download

            • memory/4692-18-0x0000000000400000-0x0000000000A27000-memory.dmp

              Filesize

              6.2MB

              Download

            • memory/4692-20-0x0000000000400000-0x0000000000A27000-memory.dmp

              Filesize

              6.2MB

              Download

            • memory/4692-19-0x0000000000400000-0x0000000000A27000-memory.dmp

              Filesize

              6.2MB

              Download

            • memory/4692-225-0x0000000000400000-0x0000000000A27000-memory.dmp

              Filesize

              6.2MB

              Download

            • memory/4692-227-0x0000000000400000-0x0000000000A27000-memory.dmp

              Filesize

              6.2MB

              Download

            • memory/4692-226-0x0000000000400000-0x0000000000A27000-memory.dmp

              Filesize

              6.2MB

              Download

            • memory/4692-228-0x0000000000400000-0x0000000000A27000-memory.dmp

              Filesize

              6.2MB

              Download

            • memory/4692-15-0x0000000000400000-0x0000000000A27000-memory.dmp

              Filesize

              6.2MB

              Download

            • memory/4692-236-0x0000000000400000-0x0000000000A27000-memory.dmp

              Filesize

              6.2MB

              Download

            • memory/4692-237-0x0000000000400000-0x0000000000A27000-memory.dmp

              Filesize

              6.2MB

              Download

            • memory/4692-238-0x0000000000400000-0x0000000000A27000-memory.dmp

              Filesize

              6.2MB

              Download

            • memory/4692-239-0x0000000000400000-0x0000000000A27000-memory.dmp

              Filesize

              6.2MB

              Download

            • memory/4692-244-0x0000000000400000-0x0000000000A27000-memory.dmp

              Filesize

              6.2MB

              Download

            • memory/4692-245-0x0000000000400000-0x0000000000A27000-memory.dmp

              Filesize

              6.2MB

              Download

            • memory/4692-246-0x0000000000400000-0x0000000000A27000-memory.dmp

              Filesize

              6.2MB

              Download

            • memory/4692-249-0x0000000000400000-0x0000000000A27000-memory.dmp

              Filesize

              6.2MB

              Download

            • memory/4692-250-0x0000000000400000-0x0000000000A27000-memory.dmp

              Filesize

              6.2MB

              Download

            • memory/4692-251-0x0000000000400000-0x0000000000A27000-memory.dmp

              Filesize

              6.2MB

              Download

            • memory/4692-252-0x0000000000400000-0x0000000000A27000-memory.dmp

              Filesize

              6.2MB

              Download