a45c8a1ccb25bab8174e50a608e4ae0269d07cdf0d3ee85b3bc390c64f9c1e57

Analysis

max time kernel
5s
max time network
5s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
11/07/2024, 00:07

Sharing

Copy URL Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

36f2c648150ec9f243f7dfe154c19838_JaffaCakes118.exe
Size

412KB
MD5

36f2c648150ec9f243f7dfe154c19838
SHA1

40637461bad0f7cdee3ec4df09ea1ac47acdf1da
SHA256

a45c8a1ccb25bab8174e50a608e4ae0269d07cdf0d3ee85b3bc390c64f9c1e57
SHA512

3eb44abbe36cdcc940856bbf59f0ae958f09a0c125f665ca43e9ec101dc4a606173e7200a589105d499c6b51707619fecac3d2f3f8f90d5e55a8412f8378c5c0
SSDEEP

6144:rL7GZkqqASobrUcIFJm3w7jh1aFqSQPFbqNw7A4b58kItxiU8tbWhVy8sbuV9YkT:rLmv/bXIa3OPaoS4iI30iU8whVy5Gd

Score

7^/10

bootkit persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4072	YmfCB5E.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\physicaldrive0	YmfCB5E.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4072	YmfCB5E.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4652 wrote to memory of 4072	4652	36f2c648150ec9f243f7dfe154c19838_JaffaCakes118.exe	86
PID 4652 wrote to memory of 4072	4652	36f2c648150ec9f243f7dfe154c19838_JaffaCakes118.exe	86
PID 4652 wrote to memory of 4072	4652	36f2c648150ec9f243f7dfe154c19838_JaffaCakes118.exe	86

C:\Users\Admin\AppData\Local\Temp\36f2c648150ec9f243f7dfe154c19838_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\36f2c648150ec9f243f7dfe154c19838_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4652
- C:\Users\Admin\AppData\Local\Temp\YmfCB5E.exe
  "C:\Users\Admin\AppData\Local\Temp\YmfCB5E.exe"
  2⤵
  - Executes dropped EXE
  - Writes to the Master Boot Record (MBR)
  - Suspicious use of AdjustPrivilegeToken
  PID:4072

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\YmfCB5E.exe

Filesize
149KB

MD5
c82c8f53966de3162ce0728bada2ea4c

SHA1
0e8ef5e2300028de54d55e92ee0f0f3084eb1c66

SHA256
a8df3238e496f6abd6e73f61fd4f82bf14bf711e118fdac1ae041ba8b9834d72

SHA512
57cb27a9ebeddbaa9b89735ab549e5f1dd6d7fa09da0eb3db2f9a9a5b63069a8d8ab0b2fd77d18692db27b51978ff7f279b69092c474ddbb099ec3618e86306f

Download Submit
memory/4072-4-0x00000000007F0000-0x0000000000812000-memory.dmp

Filesize
136KB

Download
memory/4072-5-0x00000000007F0000-0x0000000000812000-memory.dmp

Filesize
136KB

Download

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads