2945e6656a3346d7f52cc27302fe726cf29524a9909cb098382bf902dbfccc5f

Analysis

max time kernel
121s
max time network
121s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
05-07-2024 23:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2736bea8a744a3a2b09ca5879d2b7a44_JaffaCakes118.exe
Size

134KB
MD5

2736bea8a744a3a2b09ca5879d2b7a44
SHA1

ac78582e7a39158237f6eeacd8bbb28efa69d222
SHA256

2945e6656a3346d7f52cc27302fe726cf29524a9909cb098382bf902dbfccc5f
SHA512

916ebb8b83af94a378bf18500451f4c381231841c2035de7c1bd091abbd9765e8b3443bf17cc7c078e2d889200ab5f4eaa93743cb3fcae8652d000582663901f
SSDEEP

3072:Wro6cA46qRP8lS+jBsK1j0Z9deOd0ieFaw5hN:W/yRP8s++xI8MFzF

Score

6^/10

bootkit persistence

Malware Config

Signatures

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	2736bea8a744a3a2b09ca5879d2b7a44_JaffaCakes118.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1812 set thread context of 2084	1812	2736bea8a744a3a2b09ca5879d2b7a44_JaffaCakes118.exe	30
PID 2084 set thread context of 1700	2084	2736bea8a744a3a2b09ca5879d2b7a44_JaffaCakes118.exe	31

Modifies Control Panel 3 IoCs

evasion

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Control Panel\International\Locales = "00000409"	2736bea8a744a3a2b09ca5879d2b7a44_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Control Panel\International\Locale = "00000409"	2736bea8a744a3a2b09ca5879d2b7a44_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Control Panel\International\Locale = "00000409"	2736bea8a744a3a2b09ca5879d2b7a44_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
1812	2736bea8a744a3a2b09ca5879d2b7a44_JaffaCakes118.exe
1812	2736bea8a744a3a2b09ca5879d2b7a44_JaffaCakes118.exe
2084	2736bea8a744a3a2b09ca5879d2b7a44_JaffaCakes118.exe
2084	2736bea8a744a3a2b09ca5879d2b7a44_JaffaCakes118.exe
2084	2736bea8a744a3a2b09ca5879d2b7a44_JaffaCakes118.exe
2084	2736bea8a744a3a2b09ca5879d2b7a44_JaffaCakes118.exe
2084	2736bea8a744a3a2b09ca5879d2b7a44_JaffaCakes118.exe
2084	2736bea8a744a3a2b09ca5879d2b7a44_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 23 IoCs

description	pid	Process
Token: SeAssignPrimaryTokenPrivilege	2084	2736bea8a744a3a2b09ca5879d2b7a44_JaffaCakes118.exe
Token: SeAuditPrivilege	2084	2736bea8a744a3a2b09ca5879d2b7a44_JaffaCakes118.exe
Token: SeBackupPrivilege	2084	2736bea8a744a3a2b09ca5879d2b7a44_JaffaCakes118.exe
Token: SeChangeNotifyPrivilege	2084	2736bea8a744a3a2b09ca5879d2b7a44_JaffaCakes118.exe
Token: SeCreatePagefilePrivilege	2084	2736bea8a744a3a2b09ca5879d2b7a44_JaffaCakes118.exe
Token: SeCreatePermanentPrivilege	2084	2736bea8a744a3a2b09ca5879d2b7a44_JaffaCakes118.exe
Token: SeCreatePermanentPrivilege	2084	2736bea8a744a3a2b09ca5879d2b7a44_JaffaCakes118.exe
Token: SeCreateTokenPrivilege	2084	2736bea8a744a3a2b09ca5879d2b7a44_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2084	2736bea8a744a3a2b09ca5879d2b7a44_JaffaCakes118.exe
Token: SeIncreaseQuotaPrivilege	2084	2736bea8a744a3a2b09ca5879d2b7a44_JaffaCakes118.exe
Token: SeLoadDriverPrivilege	2084	2736bea8a744a3a2b09ca5879d2b7a44_JaffaCakes118.exe
Token: SeLockMemoryPrivilege	2084	2736bea8a744a3a2b09ca5879d2b7a44_JaffaCakes118.exe
Token: SeMachineAccountPrivilege	2084	2736bea8a744a3a2b09ca5879d2b7a44_JaffaCakes118.exe
Token: SeProfSingleProcessPrivilege	2084	2736bea8a744a3a2b09ca5879d2b7a44_JaffaCakes118.exe
Token: SeRemoteShutdownPrivilege	2084	2736bea8a744a3a2b09ca5879d2b7a44_JaffaCakes118.exe
Token: SeRestorePrivilege	2084	2736bea8a744a3a2b09ca5879d2b7a44_JaffaCakes118.exe
Token: SeSecurityPrivilege	2084	2736bea8a744a3a2b09ca5879d2b7a44_JaffaCakes118.exe
Token: SeShutdownPrivilege	2084	2736bea8a744a3a2b09ca5879d2b7a44_JaffaCakes118.exe
Token: SeSystemEnvironmentPrivilege	2084	2736bea8a744a3a2b09ca5879d2b7a44_JaffaCakes118.exe
Token: SeSystemProfilePrivilege	2084	2736bea8a744a3a2b09ca5879d2b7a44_JaffaCakes118.exe
Token: SeSystemtimePrivilege	2084	2736bea8a744a3a2b09ca5879d2b7a44_JaffaCakes118.exe
Token: SeTakeOwnershipPrivilege	2084	2736bea8a744a3a2b09ca5879d2b7a44_JaffaCakes118.exe
Token: SeTcbPrivilege	2084	2736bea8a744a3a2b09ca5879d2b7a44_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1812	2736bea8a744a3a2b09ca5879d2b7a44_JaffaCakes118.exe
2084	2736bea8a744a3a2b09ca5879d2b7a44_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1812 wrote to memory of 2084	1812	2736bea8a744a3a2b09ca5879d2b7a44_JaffaCakes118.exe	30
PID 1812 wrote to memory of 2084	1812	2736bea8a744a3a2b09ca5879d2b7a44_JaffaCakes118.exe	30
PID 1812 wrote to memory of 2084	1812	2736bea8a744a3a2b09ca5879d2b7a44_JaffaCakes118.exe	30
PID 1812 wrote to memory of 2084	1812	2736bea8a744a3a2b09ca5879d2b7a44_JaffaCakes118.exe	30
PID 1812 wrote to memory of 2084	1812	2736bea8a744a3a2b09ca5879d2b7a44_JaffaCakes118.exe	30
PID 1812 wrote to memory of 2084	1812	2736bea8a744a3a2b09ca5879d2b7a44_JaffaCakes118.exe	30
PID 1812 wrote to memory of 2084	1812	2736bea8a744a3a2b09ca5879d2b7a44_JaffaCakes118.exe	30
PID 1812 wrote to memory of 2084	1812	2736bea8a744a3a2b09ca5879d2b7a44_JaffaCakes118.exe	30
PID 2084 wrote to memory of 1700	2084	2736bea8a744a3a2b09ca5879d2b7a44_JaffaCakes118.exe	31
PID 2084 wrote to memory of 1700	2084	2736bea8a744a3a2b09ca5879d2b7a44_JaffaCakes118.exe	31
PID 2084 wrote to memory of 1700	2084	2736bea8a744a3a2b09ca5879d2b7a44_JaffaCakes118.exe	31
PID 2084 wrote to memory of 1700	2084	2736bea8a744a3a2b09ca5879d2b7a44_JaffaCakes118.exe	31
PID 2084 wrote to memory of 1700	2084	2736bea8a744a3a2b09ca5879d2b7a44_JaffaCakes118.exe	31
PID 2084 wrote to memory of 1700	2084	2736bea8a744a3a2b09ca5879d2b7a44_JaffaCakes118.exe	31
PID 2084 wrote to memory of 1700	2084	2736bea8a744a3a2b09ca5879d2b7a44_JaffaCakes118.exe	31
PID 2084 wrote to memory of 1700	2084	2736bea8a744a3a2b09ca5879d2b7a44_JaffaCakes118.exe	31

C:\Users\Admin\AppData\Local\Temp\2736bea8a744a3a2b09ca5879d2b7a44_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2736bea8a744a3a2b09ca5879d2b7a44_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Modifies Control Panel
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1812
- C:\Users\Admin\AppData\Local\Temp\2736bea8a744a3a2b09ca5879d2b7a44_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\2736bea8a744a3a2b09ca5879d2b7a44_JaffaCakes118.exe
  2⤵
  - Writes to the Master Boot Record (MBR)
  - Suspicious use of SetThreadContext
  - Modifies Control Panel
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2084
- - C:\Users\Admin\AppData\Local\Temp\2736bea8a744a3a2b09ca5879d2b7a44_JaffaCakes118.exe
    C:\Users\Admin\AppData\Local\Temp\2736bea8a744a3a2b09ca5879d2b7a44_JaffaCakes118.exe
    3⤵
    PID:1700

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1700-411-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1700-414-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1700-412-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1700-418-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1700-420-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1700-423-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1700-424-0x0000000000401000-0x0000000000408000-memory.dmp

Filesize
28KB

Download
memory/1700-425-0x0000000010000000-0x0000000010011000-memory.dmp

Filesize
68KB

Download
memory/2084-333-0x00000000003C0000-0x00000000003E3000-memory.dmp

Filesize
140KB

Download
memory/2084-367-0x00000000003C0000-0x00000000003CB000-memory.dmp

Filesize
44KB

Download
memory/2084-71-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2084-72-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2084-74-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2084-76-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2084-73-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2084-332-0x00000000003C0000-0x00000000003E3000-memory.dmp

Filesize
140KB

Download
memory/2084-335-0x00000000003C0000-0x00000000003D5000-memory.dmp

Filesize
84KB

Download
memory/2084-341-0x00000000003C0000-0x00000000003ED000-memory.dmp

Filesize
180KB

Download
memory/2084-340-0x00000000003C0000-0x00000000003DE000-memory.dmp

Filesize
120KB

Download
memory/2084-339-0x00000000003C0000-0x00000000003DE000-memory.dmp

Filesize
120KB

Download
memory/2084-338-0x00000000027C0000-0x0000000002889000-memory.dmp

Filesize
804KB

Download
memory/2084-337-0x00000000027C0000-0x0000000002889000-memory.dmp

Filesize
804KB

Download
memory/2084-336-0x00000000003C0000-0x00000000003D8000-memory.dmp

Filesize
96KB

Download
memory/2084-334-0x00000000003C0000-0x00000000003D5000-memory.dmp

Filesize
84KB

Download
memory/2084-67-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2084-362-0x0000000001C70000-0x0000000001CBD000-memory.dmp

Filesize
308KB

Download
memory/2084-363-0x0000000001C70000-0x0000000001CBD000-memory.dmp

Filesize
308KB

Download
memory/2084-369-0x0000000001C70000-0x0000000001CA1000-memory.dmp

Filesize
196KB

Download
memory/2084-368-0x00000000003C0000-0x00000000003CB000-memory.dmp

Filesize
44KB

Download
memory/2084-69-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2084-374-0x00000000003C0000-0x00000000003D2000-memory.dmp

Filesize
72KB

Download
memory/2084-366-0x0000000001C70000-0x0000000001D16000-memory.dmp

Filesize
664KB

Download
memory/2084-365-0x00000000003C0000-0x00000000003E4000-memory.dmp

Filesize
144KB

Download
memory/2084-364-0x00000000003C0000-0x00000000003E4000-memory.dmp

Filesize
144KB

Download
memory/2084-370-0x0000000001C70000-0x0000000001CA1000-memory.dmp

Filesize
196KB

Download
memory/2084-380-0x00000000003C0000-0x00000000003D2000-memory.dmp

Filesize
72KB

Download
memory/2084-381-0x0000000001C70000-0x0000000001CDB000-memory.dmp

Filesize
428KB

Download
memory/2084-382-0x0000000001C70000-0x0000000001CDB000-memory.dmp

Filesize
428KB

Download
memory/2084-391-0x0000000001C70000-0x0000000001D09000-memory.dmp

Filesize
612KB

Download
memory/2084-394-0x00000000003C0000-0x00000000003CB000-memory.dmp

Filesize
44KB

Download
memory/2084-393-0x00000000003C0000-0x00000000003CB000-memory.dmp

Filesize
44KB

Download
memory/2084-66-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2084-64-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2084-62-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2084-392-0x0000000001C70000-0x0000000001D09000-memory.dmp

Filesize
612KB

Download
memory/2084-403-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2084-406-0x00000000003C0000-0x00000000003C8000-memory.dmp

Filesize
32KB

Download
memory/2084-405-0x0000000001C70000-0x0000000001CE1000-memory.dmp

Filesize
452KB

Download
memory/2084-404-0x0000000001C70000-0x0000000001CE1000-memory.dmp

Filesize
452KB

Download
memory/2084-426-0x00000000003C0000-0x00000000003DE000-memory.dmp

Filesize
120KB

Download
memory/2084-427-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download