52ef2cc581349be35a6da7d189ef5be2ef3a3b0001e9f9fb4907ed1e14c8a61b

Analysis

max time kernel
99s
max time network
16s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
06/07/2024, 17:38

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

29073c9542f8343896d56a3c0089461f_JaffaCakes118.exe
Size

252KB
MD5

29073c9542f8343896d56a3c0089461f
SHA1

23f1d33690838e4942f745e7adf08cad0faf0796
SHA256

52ef2cc581349be35a6da7d189ef5be2ef3a3b0001e9f9fb4907ed1e14c8a61b
SHA512

3f8441c8841681494076b047167fea46ee6e776c818df9b5cc531c5cbc043396bb92337adcdd1757d750e0f04f9d2f464590f657cfe490e7c90b9d92e96cd072
SSDEEP

6144:VlzknoBcRzrWsJywvP6bQ7yMP+DE827OaFSEpAr:nAnZRzJT6b7MP+Dd2iafpAr

Score

6^/10

bootkit persistence

Malware Config

Signatures

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	29073c9542f8343896d56a3c0089461f_JaffaCakes118.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\inf\ram32xp.dll	29073c9542f8343896d56a3c0089461f_JaffaCakes118.exe
File created	C:\Windows\inf\ram65xp.dll	29073c9542f8343896d56a3c0089461f_JaffaCakes118.exe

Modifies registry class 3 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile"	29073c9542f8343896d56a3c0089461f_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.key	29073c9542f8343896d56a3c0089461f_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\	29073c9542f8343896d56a3c0089461f_JaffaCakes118.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2776	AcroRd32.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2776	AcroRd32.exe
2776	AcroRd32.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 3044 wrote to memory of 2236	3044	29073c9542f8343896d56a3c0089461f_JaffaCakes118.exe	29
PID 3044 wrote to memory of 2236	3044	29073c9542f8343896d56a3c0089461f_JaffaCakes118.exe	29
PID 3044 wrote to memory of 2236	3044	29073c9542f8343896d56a3c0089461f_JaffaCakes118.exe	29
PID 3044 wrote to memory of 2236	3044	29073c9542f8343896d56a3c0089461f_JaffaCakes118.exe	29
PID 3044 wrote to memory of 2236	3044	29073c9542f8343896d56a3c0089461f_JaffaCakes118.exe	29
PID 3044 wrote to memory of 2236	3044	29073c9542f8343896d56a3c0089461f_JaffaCakes118.exe	29
PID 3044 wrote to memory of 2236	3044	29073c9542f8343896d56a3c0089461f_JaffaCakes118.exe	29
PID 2732 wrote to memory of 2776	2732	explorer.exe	31
PID 2732 wrote to memory of 2776	2732	explorer.exe	31
PID 2732 wrote to memory of 2776	2732	explorer.exe	31
PID 2732 wrote to memory of 2776	2732	explorer.exe	31

C:\Users\Admin\AppData\Local\Temp\29073c9542f8343896d56a3c0089461f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\29073c9542f8343896d56a3c0089461f_JaffaCakes118.exe"
1⤵
- Writes to the Master Boot Record (MBR)
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3044
- C:\Windows\SysWOW64\explorer.exe
  explorer.exe "c:\FINAL_TBF2.pdf"
  2⤵
  PID:2236

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Suspicious use of WriteProcessMemory
PID:2732
- C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
  "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\FINAL_TBF2.pdf"
  2⤵
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:2776

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
c966ee07a3a9cf6ce64b51e669fe74c2

SHA1
8fadaded94333363eb637e3beaf49076955ac637

SHA256
71d655f47b949a302211ed31038e19cfcd9d2f391d290b32cf2ba80f5725f417

SHA512
9857c54d3322ec99702295224c16b536ce462297c45955612e0ff8275167a7c374fe8d70b31be7fcedb0e4dd56c2e9857a1c64890b7eb904d793133a620b65c9

Download Submit
memory/3044-0-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/3044-2-0x0000000000459000-0x000000000045A000-memory.dmp

Filesize
4KB

Download
memory/3044-1-0x0000000000230000-0x00000000002AA000-memory.dmp

Filesize
488KB

Download
memory/3044-6-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/3044-5-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/3044-3-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/3044-7-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads