26d0e8ccceb0358465d5cc0cfa0f351e464a17aaa3137a3d333b4f8600e247f3

Analysis

max time kernel
122s
max time network
127s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
10-07-2024 05:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3363b213b3cd64573f1ca3d6912b8162_JaffaCakes118.exe
Size

370KB
MD5

3363b213b3cd64573f1ca3d6912b8162
SHA1

bce4e19f54527a4d74bcc7adcffd541e48703935
SHA256

26d0e8ccceb0358465d5cc0cfa0f351e464a17aaa3137a3d333b4f8600e247f3
SHA512

d2498e6719bf934a2f6d7668bee67cbae66515877d35ff1c75da2cb639edb2ff79f0105e89e7db8ce3518edb43e6ca606da1c1440fbb843b7c88369c34dbf3b1
SSDEEP

6144:b1dlZro5yhwHn4ZCJN0tXkZ1giG6FzTDYIXxu8nMRbSkqUmK54lcDHt1Pmj:b1dlZo5yOn0CJmCiWX8vbD54lkHLPmj

Score

7^/10

bootkit persistence

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
2796	2.exe
1976	2.exe
2684	facbook.exe

Loads dropped DLL 5 IoCs

pid	Process
2712	3363b213b3cd64573f1ca3d6912b8162_JaffaCakes118.exe
2712	3363b213b3cd64573f1ca3d6912b8162_JaffaCakes118.exe
2796	2.exe
2712	3363b213b3cd64573f1ca3d6912b8162_JaffaCakes118.exe
2712	3363b213b3cd64573f1ca3d6912b8162_JaffaCakes118.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	2.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2796 set thread context of 1976	2796	2.exe	31
PID 2796 set thread context of 0	2796	2.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.key	2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\	2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile"	2.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1976	2.exe
1976	2.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2796	2.exe
2684	facbook.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2712 wrote to memory of 2796	2712	3363b213b3cd64573f1ca3d6912b8162_JaffaCakes118.exe	30
PID 2712 wrote to memory of 2796	2712	3363b213b3cd64573f1ca3d6912b8162_JaffaCakes118.exe	30
PID 2712 wrote to memory of 2796	2712	3363b213b3cd64573f1ca3d6912b8162_JaffaCakes118.exe	30
PID 2712 wrote to memory of 2796	2712	3363b213b3cd64573f1ca3d6912b8162_JaffaCakes118.exe	30
PID 2796 wrote to memory of 1976	2796	2.exe	31
PID 2796 wrote to memory of 1976	2796	2.exe	31
PID 2796 wrote to memory of 1976	2796	2.exe	31
PID 2796 wrote to memory of 1976	2796	2.exe	31
PID 2796 wrote to memory of 1976	2796	2.exe	31
PID 2796 wrote to memory of 1976	2796	2.exe	31
PID 2796 wrote to memory of 1976	2796	2.exe	31
PID 2796 wrote to memory of 1976	2796	2.exe	31
PID 2796 wrote to memory of 0	2796	2.exe
PID 2796 wrote to memory of 0	2796	2.exe
PID 2796 wrote to memory of 0	2796	2.exe
PID 2796 wrote to memory of 0	2796	2.exe
PID 2712 wrote to memory of 2684	2712	3363b213b3cd64573f1ca3d6912b8162_JaffaCakes118.exe	32
PID 2712 wrote to memory of 2684	2712	3363b213b3cd64573f1ca3d6912b8162_JaffaCakes118.exe	32
PID 2712 wrote to memory of 2684	2712	3363b213b3cd64573f1ca3d6912b8162_JaffaCakes118.exe	32
PID 2712 wrote to memory of 2684	2712	3363b213b3cd64573f1ca3d6912b8162_JaffaCakes118.exe	32
PID 1976 wrote to memory of 1412	1976	2.exe	21
PID 1976 wrote to memory of 1412	1976	2.exe	21
PID 1976 wrote to memory of 1412	1976	2.exe	21
PID 1976 wrote to memory of 1412	1976	2.exe	21

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1412
- C:\Users\Admin\AppData\Local\Temp\3363b213b3cd64573f1ca3d6912b8162_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\3363b213b3cd64573f1ca3d6912b8162_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2712
- - C:\Extracted\2.exe
    "C:\Extracted\2.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Writes to the Master Boot Record (MBR)
    - Suspicious use of SetThreadContext
    - Modifies registry class
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2796
  - - C:\Extracted\2.exe
      "C:\Extracted\2.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:1976
- - C:\Extracted\facbook.exe
    "C:\Extracted\facbook.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2684

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Extracted\facbook.exe

Filesize
140KB

MD5
a1522ee24466eba458e487f6734133df

SHA1
94aa3c27b3f84d2c26ce63a28887eff30790aafa

SHA256
bd6cb6dc90c2d9b414caba8500cdea3185b26849a6b65bdf5b17bd7449dac0ec

SHA512
0705257bdc3224a01bdeaedcb149636d887d845ba6338488935d5841a8cdd0364082779739962359648401c5c767fae09639914a580d54ba526284ed8b60b563

Download Submit
C:\Users\Admin\AppData\Local\Temp\sfx.ini

Filesize
207B

MD5
b204503b9198579f5b7546639c08215a

SHA1
ad2fe1bf742ae53ddb4167ebfd90aedf520878b4

SHA256
96511a3c040ee34a3068000f06fdf8f7481cde83c3538aabceb25a76b602266e

SHA512
7bf27f3e8c54724d80eb94bffa74dcaf06dcd7e185e408687532c670f34892521f9a0c35fe9258e4e0798ad75482448044420c285b3e7dfd904f4a382d57e6f4

Download Submit
\Extracted\2.exe

Filesize
254KB

MD5
2ba8112bdf9631c94a732d68f56e19a7

SHA1
10352286042525e5e9ef17acb1877a786d24072c

SHA256
6d68266f1e01e2cd8bfb9829a189a021bb1be04209736679f8a9dc888b8491ea

SHA512
ed907c3350c556cf8da2f2edf68cd74d34ad6f9c9845c71823d4129d37ad047a6524f09ff332675c7d01f1b8cac98985c2c7e10a4fc4f273d7233394cb813584

Download Submit
memory/1412-83-0x000000007FFF0000-0x000000007FFF7000-memory.dmp

Filesize
28KB

Download
memory/1976-69-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1976-68-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1976-65-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2712-26-0x0000000003190000-0x0000000003232000-memory.dmp

Filesize
648KB

Download
memory/2712-25-0x0000000003190000-0x0000000003232000-memory.dmp

Filesize
648KB

Download
memory/2796-48-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/2796-42-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/2796-56-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/2796-55-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/2796-32-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/2796-54-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/2796-53-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/2796-52-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/2796-51-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/2796-50-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/2796-49-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/2796-58-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/2796-47-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/2796-46-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/2796-45-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/2796-44-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/2796-43-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/2796-57-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2796-41-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/2796-40-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/2796-39-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/2796-38-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/2796-37-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/2796-36-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/2796-35-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/2796-34-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/2796-33-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/2796-62-0x0000000000401000-0x0000000000429000-memory.dmp

Filesize
160KB

Download
memory/2796-59-0x00000000003D0000-0x00000000003D1000-memory.dmp

Filesize
4KB

Download
memory/2796-29-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/2796-71-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/2796-30-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/2796-31-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/2796-28-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download