Overview

overview

6

Static

static

3

3fc964ef6b...18.exe

windows7-x64

6

3fc964ef6b...18.exe

windows10-2004-x64

4

Analysis

  • max time kernel
    117s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240705-en
  • resource tags

    arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
  • submitted
    13/07/2024, 02:10

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    3fc964ef6b0795b8dafe13383d3fafcb_JaffaCakes118.exe

  • Size

    250KB

  • MD5

    3fc964ef6b0795b8dafe13383d3fafcb

  • SHA1

    deb6b06589f3c97f40a6eee427169ff03ce669cf

  • SHA256

    2788e5b0cf8f9f237f89da73349231ab8fd6f260f5eacf0501f70067a379404f

  • SHA512

    8ba2793d3025ec7793ee5aa11590712685b466336d54ca41b58865ca535cd653318d0fd1e4757920009c15f55a9e87a7f7c6a49018fb4ff7edc32621d3ee8281

  • SSDEEP

    6144:j7y+Qfb56BBMl5yyw5CpA/7sJ5pwvP6bQ7yMP+DE827KJq:/yf6aw5krJ5i6b7MP+Dd27

Score
6/10
bootkitpersistence

Malware Config

Signatures

  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

    bootkitpersistence
  • Drops file in Windows directory 2 IoCs
  • Modifies registry class 3 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3fc964ef6b0795b8dafe13383d3fafcb_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\3fc964ef6b0795b8dafe13383d3fafcb_JaffaCakes118.exe"
    1⤵
    • Writes to the Master Boot Record (MBR)
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:1276
    • C:\Windows\SysWOW64\explorer.exe
      explorer.exe "c:\FINAL_TBF2.pdf"
      2⤵
        PID:2892
    • C:\Windows\explorer.exe
      C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
      1⤵
      • Suspicious use of WriteProcessMemory
      PID:2744
      • C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\FINAL_TBF2.pdf"
        2⤵
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of SetWindowsHookEx
        PID:2820

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents
      Filesize

      3KB

      MD5

      f43bb53ad6a3b7caa25cab37ef188f08

      SHA1

      c359188aff5baf9edb13216bac4ae5185398dd9e

      SHA256

      a0f282bf30c29c13052ab84e96cc97bb0c1acbcffa8a42203b36ada1d1a49911

      SHA512

      beb68310273d2c69263f6881da5a41516b1cef14a63de2879de5fc41d3f27fd105a90bf2778b834a51b364d32ba2dbee57f0d34aa786be66c60b833c444536bc

      Download Submit

    • memory/1276-0-0x0000000000400000-0x0000000000479000-memory.dmp

      Filesize

      484KB

      Download

    • memory/1276-1-0x00000000002F0000-0x0000000000369000-memory.dmp

      Filesize

      484KB

      Download

    • memory/1276-3-0x0000000000459000-0x000000000045A000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1276-5-0x0000000000400000-0x0000000000479000-memory.dmp

      Filesize

      484KB

      Download

    • memory/1276-4-0x0000000000400000-0x0000000000479000-memory.dmp

      Filesize

      484KB

      Download

    • memory/1276-2-0x00000000002F0000-0x0000000000369000-memory.dmp

      Filesize

      484KB

      Download

    • memory/1276-8-0x0000000000400000-0x0000000000479000-memory.dmp

      Filesize

      484KB

      Download