1194e609e8c9288627e556b94b288fdc9e90f2c7e40b276c27b8b2e78dcfca1d

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
13/07/2024, 12:35

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

41af168c10c339e494259c096d8cb51c_JaffaCakes118.exe
Size

744KB
MD5

41af168c10c339e494259c096d8cb51c
SHA1

8a1b51072d218e3a1b224f803b66ac14cd12b283
SHA256

1194e609e8c9288627e556b94b288fdc9e90f2c7e40b276c27b8b2e78dcfca1d
SHA512

838a96db9f68c3d80f290322ff7885d519a013c90a5f76be6560875c23215a11917634170028a69da52b80a5fd7d115fdbaf01878dbd9a836bae8ad94322583a
SSDEEP

12288:slx/IoKmPHa/ItjA3LS5MH8ByqFpy2anwWhYuQ2gjn8tWojb7igL5DnznyB:slxmPIt83G5McMqfu32uQ2BWkPEB

Score

7^/10

bootkit persistence

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2604	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2776	windows.exe

Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	windows.exe
File opened for modification	\??\PhysicalDrive0	41af168c10c339e494259c096d8cb51c_JaffaCakes118.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\windows.exe	41af168c10c339e494259c096d8cb51c_JaffaCakes118.exe
File opened for modification	C:\Windows\windows.exe	41af168c10c339e494259c096d8cb51c_JaffaCakes118.exe
File created	C:\Windows\uninstal.bat	41af168c10c339e494259c096d8cb51c_JaffaCakes118.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2124	2776	WerFault.exe	30

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2312	41af168c10c339e494259c096d8cb51c_JaffaCakes118.exe
Token: SeDebugPrivilege	2776	windows.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2776	windows.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2776 wrote to memory of 2580	2776	windows.exe	31
PID 2776 wrote to memory of 2580	2776	windows.exe	31
PID 2776 wrote to memory of 2580	2776	windows.exe	31
PID 2776 wrote to memory of 2580	2776	windows.exe	31
PID 2312 wrote to memory of 2604	2312	41af168c10c339e494259c096d8cb51c_JaffaCakes118.exe	32
PID 2312 wrote to memory of 2604	2312	41af168c10c339e494259c096d8cb51c_JaffaCakes118.exe	32
PID 2312 wrote to memory of 2604	2312	41af168c10c339e494259c096d8cb51c_JaffaCakes118.exe	32
PID 2312 wrote to memory of 2604	2312	41af168c10c339e494259c096d8cb51c_JaffaCakes118.exe	32
PID 2312 wrote to memory of 2604	2312	41af168c10c339e494259c096d8cb51c_JaffaCakes118.exe	32
PID 2312 wrote to memory of 2604	2312	41af168c10c339e494259c096d8cb51c_JaffaCakes118.exe	32
PID 2312 wrote to memory of 2604	2312	41af168c10c339e494259c096d8cb51c_JaffaCakes118.exe	32
PID 2776 wrote to memory of 2124	2776	windows.exe	34
PID 2776 wrote to memory of 2124	2776	windows.exe	34
PID 2776 wrote to memory of 2124	2776	windows.exe	34
PID 2776 wrote to memory of 2124	2776	windows.exe	34

C:\Users\Admin\AppData\Local\Temp\41af168c10c339e494259c096d8cb51c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\41af168c10c339e494259c096d8cb51c_JaffaCakes118.exe"
1⤵
- Writes to the Master Boot Record (MBR)
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2312
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\uninstal.bat
  2⤵
  - Deletes itself
  PID:2604

C:\Windows\windows.exe
C:\Windows\windows.exe
1⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2776
- C:\Program Files\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
  2⤵
  PID:2580
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2776 -s 392
  2⤵
  - Program crash
  PID:2124

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\uninstal.bat

Filesize
218B

MD5
3b8f60c1106d1c7ea1b707baec6cbae0

SHA1
45ca2c157be7052f3c114a5b62b2582a2bf22465

SHA256
267eac1eb63295f4725c04d1b8430ea317559fff78520d26072ba33be598e320

SHA512
9df5eb099ba6090c7e74489637aec1c415d902a64aec485dae66383748712934c437b7fb0072aaeb9fa612866b241968a4e3e63c3e1e8ea3c1e38c4cf8bca268

Download Submit
C:\Windows\windows.exe

Filesize
744KB

MD5
41af168c10c339e494259c096d8cb51c

SHA1
8a1b51072d218e3a1b224f803b66ac14cd12b283

SHA256
1194e609e8c9288627e556b94b288fdc9e90f2c7e40b276c27b8b2e78dcfca1d

SHA512
838a96db9f68c3d80f290322ff7885d519a013c90a5f76be6560875c23215a11917634170028a69da52b80a5fd7d115fdbaf01878dbd9a836bae8ad94322583a

Download Submit
memory/2312-12-0x0000000001E30000-0x0000000001E31000-memory.dmp

Filesize
4KB

Download
memory/2312-47-0x0000000001E50000-0x0000000001E51000-memory.dmp

Filesize
4KB

Download
memory/2312-8-0x00000000004F0000-0x00000000004F1000-memory.dmp

Filesize
4KB

Download
memory/2312-6-0x0000000000590000-0x0000000000591000-memory.dmp

Filesize
4KB

Download
memory/2312-5-0x00000000005A0000-0x00000000005A1000-memory.dmp

Filesize
4KB

Download
memory/2312-4-0x00000000005E0000-0x00000000005E1000-memory.dmp

Filesize
4KB

Download
memory/2312-3-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/2312-10-0x00000000005B0000-0x00000000005B1000-memory.dmp

Filesize
4KB

Download
memory/2312-9-0x0000000000520000-0x0000000000521000-memory.dmp

Filesize
4KB

Download
memory/2312-11-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/2312-2-0x00000000005D0000-0x00000000005D1000-memory.dmp

Filesize
4KB

Download
memory/2312-15-0x0000000002400000-0x0000000002401000-memory.dmp

Filesize
4KB

Download
memory/2312-7-0x0000000000580000-0x0000000000581000-memory.dmp

Filesize
4KB

Download
memory/2312-13-0x0000000001E40000-0x0000000001E41000-memory.dmp

Filesize
4KB

Download
memory/2312-16-0x0000000001E30000-0x0000000001E31000-memory.dmp

Filesize
4KB

Download
memory/2312-20-0x0000000001EB0000-0x0000000001EB1000-memory.dmp

Filesize
4KB

Download
memory/2312-19-0x0000000001EC0000-0x0000000001EC1000-memory.dmp

Filesize
4KB

Download
memory/2312-1-0x0000000000540000-0x000000000057A000-memory.dmp

Filesize
232KB

Download
memory/2312-46-0x0000000001EA0000-0x0000000001EA1000-memory.dmp

Filesize
4KB

Download
memory/2312-31-0x0000000000400000-0x00000000004E5000-memory.dmp

Filesize
916KB

Download
memory/2312-0-0x0000000000400000-0x00000000004E5000-memory.dmp

Filesize
916KB

Download
memory/2312-14-0x0000000002410000-0x0000000002411000-memory.dmp

Filesize
4KB

Download
memory/2312-33-0x0000000000540000-0x000000000057A000-memory.dmp

Filesize
232KB

Download
memory/2312-48-0x0000000002330000-0x0000000002331000-memory.dmp

Filesize
4KB

Download
memory/2312-49-0x0000000002320000-0x0000000002321000-memory.dmp

Filesize
4KB

Download
memory/2776-35-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/2776-30-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/2776-29-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/2776-28-0x00000000002F0000-0x00000000002F1000-memory.dmp

Filesize
4KB

Download
memory/2776-27-0x0000000000300000-0x0000000000301000-memory.dmp

Filesize
4KB

Download
memory/2776-26-0x00000000005F0000-0x00000000005F1000-memory.dmp

Filesize
4KB

Download
memory/2776-25-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/2776-24-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/2776-23-0x0000000000400000-0x00000000004E5000-memory.dmp

Filesize
916KB

Download
memory/2776-36-0x0000000001FE0000-0x0000000001FE1000-memory.dmp

Filesize
4KB

Download
memory/2776-37-0x0000000001FD0000-0x0000000001FD1000-memory.dmp

Filesize
4KB

Download
memory/2776-38-0x0000000000610000-0x0000000000611000-memory.dmp

Filesize
4KB

Download
memory/2776-34-0x0000000000310000-0x0000000000311000-memory.dmp

Filesize
4KB

Download
memory/2776-32-0x00000000003A0000-0x00000000003DA000-memory.dmp

Filesize
232KB

Download
memory/2776-51-0x0000000001EB0000-0x0000000001EB1000-memory.dmp

Filesize
4KB

Download
memory/2776-54-0x00000000003A0000-0x00000000003DA000-memory.dmp

Filesize
232KB

Download
memory/2776-53-0x0000000000400000-0x00000000004E5000-memory.dmp

Filesize
916KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads