4ef285a790c4c3dd3625215bba8a2d94a83abe5df1300ccf34377c0259feea7b

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
08/07/2024, 11:13

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2c1cc3c797775b2c0fa60c518b8f707d_JaffaCakes118.exe
Size

2.1MB
MD5

2c1cc3c797775b2c0fa60c518b8f707d
SHA1

5624a27349dc57f98c8df86fc9db978aef215d93
SHA256

4ef285a790c4c3dd3625215bba8a2d94a83abe5df1300ccf34377c0259feea7b
SHA512

a9342041bf27a8951dc9fd00cac97b6abefd89efebca3480d1c0a5d48bc2baf9dd1c8afb5976d0b187f3fbd9fd91d9050895815224b4f39c3c1fb5decb0f43e7
SSDEEP

49152:SJatr4B55TU6dPW5dgMOc3g3sM1EDB2TsbtLR0JwQaorjhRz:Scrc5RPWIM1gcMIgAtl8wQvz

Score

7^/10

bootkit persistence

Malware Config

Signatures

Unexpected DNS network traffic destination 15 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	223.5.5.5
Destination IP	223.6.6.6
Destination IP	114.114.114.114
Destination IP	223.5.5.5
Destination IP	223.6.6.6
Destination IP	223.6.6.6
Destination IP	114.114.114.114
Destination IP	223.6.6.6
Destination IP	223.5.5.5
Destination IP	114.114.114.114
Destination IP	223.5.5.5
Destination IP	114.114.114.114
Destination IP	223.6.6.6
Destination IP	114.114.114.114
Destination IP	223.5.5.5

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	2c1cc3c797775b2c0fa60c518b8f707d_JaffaCakes118.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3172	1900	WerFault.exe	81

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1900	2c1cc3c797775b2c0fa60c518b8f707d_JaffaCakes118.exe
1900	2c1cc3c797775b2c0fa60c518b8f707d_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1900	2c1cc3c797775b2c0fa60c518b8f707d_JaffaCakes118.exe
1900	2c1cc3c797775b2c0fa60c518b8f707d_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\2c1cc3c797775b2c0fa60c518b8f707d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2c1cc3c797775b2c0fa60c518b8f707d_JaffaCakes118.exe"
1⤵
- Writes to the Master Boot Record (MBR)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1900
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1900 -s 556
  2⤵
  - Program crash
  PID:3172

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1900 -ip 1900
1⤵
PID:4364

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1900-0-0x0000000000400000-0x0000000000785000-memory.dmp

Filesize
3.5MB

Download
memory/1900-1-0x0000000000400000-0x0000000000785000-memory.dmp

Filesize
3.5MB

Download
memory/1900-3-0x0000000000400000-0x0000000000785000-memory.dmp

Filesize
3.5MB

Download
memory/1900-2-0x0000000000400000-0x0000000000785000-memory.dmp

Filesize
3.5MB

Download
memory/1900-4-0x0000000000400000-0x0000000000785000-memory.dmp

Filesize
3.5MB

Download
memory/1900-5-0x0000000000400000-0x0000000000785000-memory.dmp

Filesize
3.5MB

Download
memory/1900-6-0x0000000000400000-0x0000000000785000-memory.dmp

Filesize
3.5MB

Download
memory/1900-7-0x0000000000400000-0x0000000000785000-memory.dmp

Filesize
3.5MB

Download
memory/1900-8-0x0000000000400000-0x0000000000785000-memory.dmp

Filesize
3.5MB

Download
memory/1900-9-0x0000000000400000-0x0000000000785000-memory.dmp

Filesize
3.5MB

Download
memory/1900-10-0x0000000000400000-0x0000000000785000-memory.dmp

Filesize
3.5MB

Download
memory/1900-11-0x0000000000400000-0x0000000000785000-memory.dmp

Filesize
3.5MB

Download
memory/1900-12-0x0000000000400000-0x0000000000785000-memory.dmp

Filesize
3.5MB

Download
memory/1900-13-0x0000000000400000-0x0000000000785000-memory.dmp

Filesize
3.5MB

Download
memory/1900-14-0x0000000000400000-0x0000000000785000-memory.dmp

Filesize
3.5MB

Download
memory/1900-15-0x0000000000400000-0x0000000000785000-memory.dmp

Filesize
3.5MB

Download
memory/1900-16-0x0000000000400000-0x0000000000785000-memory.dmp

Filesize
3.5MB

Download
memory/1900-17-0x0000000000400000-0x0000000000785000-memory.dmp

Filesize
3.5MB

Download