Overview

overview

7

Static

static

3

4b1ea69770...18.exe

windows7-x64

4b1ea69770...18.exe

windows10-2004-x64

Analysis

  • max time kernel
    3s
  • max time network
    4s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
  • submitted
    15/07/2024, 19:41

Sharing

Copy URL Twitter E-mail

Errors

Reason
Machine shutdown
Report Analysis Logs

General

  • Target

    4b1ea697709b01387c828930fcdae181_JaffaCakes118.exe

  • Size

    51KB

  • MD5

    4b1ea697709b01387c828930fcdae181

  • SHA1

    168b0ab8819d80526ae1639e31c4b2b05be61527

  • SHA256

    4244728855560a89e8a4c10ad3c54d1139a0e70e198466d0f864b6083ebdc8de

  • SHA512

    717dce604f3c771a8c74ccb92e5ec5dc67509817afe7088ceaed7e3cf4b60b1e2e95851fe50bd6a4f4fb527cb094fda409107506242a5b96ec9a561e37ea982a

  • SSDEEP

    768:jC5q5QSw2v39N8/PmJ/6F+9ahzMGOzTMwQ7y/u4Wt7Mx1TK42n8xRTSH7:G5q5Q6Nqi/8hqMw9uxMnKOxRTi7

Score
7/10
bootkitpersistence

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

    bootkitpersistence
  • Suspicious use of SetThreadContext 2 IoCs
  • Modifies data under HKEY_USERS 15 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4b1ea697709b01387c828930fcdae181_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\4b1ea697709b01387c828930fcdae181_JaffaCakes118.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:1156
    • C:\Users\Admin\AppData\Local\Temp\4b1ea697709b01387c828930fcdae181_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\4b1ea697709b01387c828930fcdae181_JaffaCakes118.exe"
      2⤵
      • Writes to the Master Boot Record (MBR)
      • Suspicious use of WriteProcessMemory
      PID:3208
      • C:\Users\Admin\AppData\Local\Temp\x2z8.exe
        C:\Users\Admin\AppData\Local\Temp\\x2z8.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:5020
        • C:\Users\Admin\AppData\Local\Temp\x2z8.exe
          "C:\Users\Admin\AppData\Local\Temp\x2z8.exe"
          4⤵
          • Deletes itself
          • Executes dropped EXE
          • Writes to the Master Boot Record (MBR)
          • Suspicious use of AdjustPrivilegeToken
          PID:4856
  • C:\Windows\system32\LogonUI.exe
    "LogonUI.exe" /flags:0x4 /state0:0xa3985855 /state1:0x41c64e6d
    1⤵
    • Modifies data under HKEY_USERS
    • Suspicious use of SetWindowsHookEx
    PID:4360

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\fpath.txt
          Filesize

          84B

          MD5

          a75132278bb79b16ca77f3b9b80354d1

          SHA1

          7a724a168bb59657a2f478b820c8895d3f49291a

          SHA256

          848682e2e48378f45bd48fe476bafad512aaeca49e5e892aec359395a28964ee

          SHA512

          a36e2fcb961e5251d026e9faaae75e4155f80432a8d5d726444bde01a902336a4a6427de7a099e3f0f7742ab802c351cc712c04110862753abbd8ee79e82a478

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\x2z8.exe
          Filesize

          51KB

          MD5

          4b1ea697709b01387c828930fcdae181

          SHA1

          168b0ab8819d80526ae1639e31c4b2b05be61527

          SHA256

          4244728855560a89e8a4c10ad3c54d1139a0e70e198466d0f864b6083ebdc8de

          SHA512

          717dce604f3c771a8c74ccb92e5ec5dc67509817afe7088ceaed7e3cf4b60b1e2e95851fe50bd6a4f4fb527cb094fda409107506242a5b96ec9a561e37ea982a

          Download Submit

        • memory/1156-3-0x0000000000400000-0x0000000000412000-memory.dmp

          Filesize

          72KB

          Download

        • memory/3208-0-0x000000002AA00000-0x000000002AA04000-memory.dmp

          Filesize

          16KB

          Download

        • memory/3208-2-0x000000002AA00000-0x000000002AA04000-memory.dmp

          Filesize

          16KB

          Download

        • memory/3208-4-0x000000002AA00000-0x000000002AA04000-memory.dmp

          Filesize

          16KB

          Download

        • memory/4856-16-0x000000002AA00000-0x000000002AA04000-memory.dmp

          Filesize

          16KB

          Download

        • memory/5020-12-0x0000000000400000-0x0000000000412000-memory.dmp

          Filesize

          72KB

          Download