1ec8bd97e4760290d4e847931d73e6d234932ea6d724ee9bcd90480ab07fa385

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
16/07/2024, 02:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4c65b8afa3b253adfc766eeeafee65e7_JaffaCakes118.exe
Size

238KB
MD5

4c65b8afa3b253adfc766eeeafee65e7
SHA1

55b32ae8357603ab9530dd871d78878e77d2d538
SHA256

1ec8bd97e4760290d4e847931d73e6d234932ea6d724ee9bcd90480ab07fa385
SHA512

c7a58f04f1c69e85d69215121c7c28103135a826983470a1ee5065e77b8ef2b83f8d40e43948197507accf62c84aee1d7c219da6cc22e272350a2852103d9c06
SSDEEP

6144:PsehzRFy5jQdPe801Cv4E4Ely57K8UhcAW:PrJo8ZvH4E054hnW

Score

7^/10

persistence upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3724	Hirens.BootCD.9.5.exe

Loads dropped DLL 2 IoCs

pid	Process
3724	Hirens.BootCD.9.5.exe
4056	rundll32.exe

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3724-8-0x0000000000400000-0x0000000000411981-memory.dmp	upx
behavioral2/memory/3724-9-0x0000000000400000-0x0000000000411981-memory.dmp	upx
behavioral2/memory/3724-12-0x0000000000400000-0x0000000000411981-memory.dmp	upx
behavioral2/memory/3724-18-0x0000000010000000-0x0000000010014000-memory.dmp	upx
behavioral2/memory/3724-19-0x0000000010000000-0x0000000010014000-memory.dmp	upx
behavioral2/memory/3724-20-0x0000000010000000-0x0000000010014000-memory.dmp	upx
behavioral2/memory/3724-26-0x0000000010000000-0x0000000010014000-memory.dmp	upx
behavioral2/memory/4056-41-0x0000000010000000-0x0000000010014000-memory.dmp	upx
behavioral2/memory/4056-38-0x0000000010000000-0x0000000010014000-memory.dmp	upx
behavioral2/memory/4056-45-0x0000000010000000-0x0000000010014000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	4c65b8afa3b253adfc766eeeafee65e7_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MSServer = "rundll32.exe C:\\Windows\\system32\\nnnoMGWo.dll,#1"	rundll32.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\nnnoMGWo.dll	Hirens.BootCD.9.5.exe
File opened for modification	C:\Windows\SysWOW64\nnnoMGWo.dll	Hirens.BootCD.9.5.exe
File opened for modification	C:\Windows\SysWOW64\mlJBSkkK.dll	Hirens.BootCD.9.5.exe
File created	C:\Windows\SysWOW64\mlJBSkkK.dll	Hirens.BootCD.9.5.exe

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DDDD878F-152A-4D2C-BBF8-453303F11C70}	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DDDD878F-152A-4D2C-BBF8-453303F11C70}\InprocServer32	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DDDD878F-152A-4D2C-BBF8-453303F11C70}\InprocServer32\ = "C:\\Windows\\SysWow64\\nnnoMGWo.dll"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DDDD878F-152A-4D2C-BBF8-453303F11C70}\InprocServer32\ThreadingModel = "Both"	rundll32.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3724	Hirens.BootCD.9.5.exe
3724	Hirens.BootCD.9.5.exe
4056	rundll32.exe
4056	rundll32.exe
4056	rundll32.exe
4056	rundll32.exe
4056	rundll32.exe
4056	rundll32.exe
4056	rundll32.exe
4056	rundll32.exe
4056	rundll32.exe
4056	rundll32.exe
4056	rundll32.exe
4056	rundll32.exe
4056	rundll32.exe
4056	rundll32.exe
4056	rundll32.exe
4056	rundll32.exe
4056	rundll32.exe
4056	rundll32.exe
4056	rundll32.exe
4056	rundll32.exe
4056	rundll32.exe
4056	rundll32.exe
4056	rundll32.exe
4056	rundll32.exe
4056	rundll32.exe
4056	rundll32.exe
4056	rundll32.exe
4056	rundll32.exe
4056	rundll32.exe
4056	rundll32.exe
4056	rundll32.exe
4056	rundll32.exe
4056	rundll32.exe
4056	rundll32.exe
4056	rundll32.exe
4056	rundll32.exe
4056	rundll32.exe
4056	rundll32.exe
4056	rundll32.exe
4056	rundll32.exe
4056	rundll32.exe
4056	rundll32.exe
4056	rundll32.exe
4056	rundll32.exe
4056	rundll32.exe
4056	rundll32.exe
4056	rundll32.exe
4056	rundll32.exe
4056	rundll32.exe
4056	rundll32.exe
4056	rundll32.exe
4056	rundll32.exe
4056	rundll32.exe
4056	rundll32.exe
4056	rundll32.exe
4056	rundll32.exe
4056	rundll32.exe
4056	rundll32.exe
4056	rundll32.exe
4056	rundll32.exe
4056	rundll32.exe
4056	rundll32.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3724	Hirens.BootCD.9.5.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3724	Hirens.BootCD.9.5.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 1512 wrote to memory of 3724	1512	4c65b8afa3b253adfc766eeeafee65e7_JaffaCakes118.exe	84
PID 1512 wrote to memory of 3724	1512	4c65b8afa3b253adfc766eeeafee65e7_JaffaCakes118.exe	84
PID 1512 wrote to memory of 3724	1512	4c65b8afa3b253adfc766eeeafee65e7_JaffaCakes118.exe	84
PID 3724 wrote to memory of 612	3724	Hirens.BootCD.9.5.exe	5
PID 3724 wrote to memory of 4056	3724	Hirens.BootCD.9.5.exe	89
PID 3724 wrote to memory of 4056	3724	Hirens.BootCD.9.5.exe	89
PID 3724 wrote to memory of 4056	3724	Hirens.BootCD.9.5.exe	89
PID 3724 wrote to memory of 2288	3724	Hirens.BootCD.9.5.exe	90
PID 3724 wrote to memory of 2288	3724	Hirens.BootCD.9.5.exe	90
PID 3724 wrote to memory of 2288	3724	Hirens.BootCD.9.5.exe	90

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:612

C:\Users\Admin\AppData\Local\Temp\4c65b8afa3b253adfc766eeeafee65e7_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\4c65b8afa3b253adfc766eeeafee65e7_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1512
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Hirens.BootCD.9.5.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Hirens.BootCD.9.5.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3724
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Windows\system32\nnnoMGWo.dll,a
    3⤵
    - Loads dropped DLL
    - Adds Run key to start application
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    PID:4056
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\removalfile.bat "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Hirens.BootCD.9.5.exe"
    3⤵
    PID:2288

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Hirens.BootCD.9.5.exe

Filesize
61KB

MD5
9f001820b30940c601daf3a56020eced

SHA1
1c8b69ff9469589bcf399e57496b995286228329

SHA256
e90e009230a539da68555d95d05cd1baa844a03b2bce6fd7f862e749cf6e6639

SHA512
eda0cd3148548fca7f6e7858d76aba4622eaf105f4c4c545887d6152515d36cc54d97df3ac591f87c99e4d0193ab1426937ac20a6767996675f6f3e49aa47b5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\uharcd.exe

Filesize
121KB

MD5
09e87474bf274e1071d2214ebedab43c

SHA1
9abe5930e7956ae20b9abef291a9870af7de0dff

SHA256
46c728b70a483eb8f3d7a7fedfa307571f78f7cfd13452ddf7e0b518ef3e5a02

SHA512
03aa5235f67ce8152b8080ef2b13d2e48cb107512b3aed13d68627adfed475b0f0afb59778f4ee2c30e228897e86c7ff21cd1cd62e870d482c5c4192ae12e405

Download Submit
C:\Users\Admin\AppData\Local\Temp\removalfile.bat

Filesize
43B

MD5
9a7ef09167a6f4433681b94351509043

SHA1
259b1375ed8e84943ca1d42646bb416325c89e12

SHA256
d5739a0510d89da572eb0b0d394d4fb4dd361cd9ee0144b9b31c590df93c3be7

SHA512
96b84cd88a0e4b7c1122af3ed6ce5edf0a9a4e9bf79575eadfac16b2c46f1278d57755d29f21d7c6dcb4403be24b7ac7da4837c6cc9c602342a8f2b8e54883df

Download Submit
C:\Windows\SysWOW64\mlJBSkkK.dll

Filesize
38KB

MD5
8b2bb548b32cc71f618d02978e33159b

SHA1
9e6e61582590f086d33c65c60203cefc193eb451

SHA256
93b318fa18ff1ec832ec94a220e2c7a357a9cf1e3309e661eeacdd094779abd6

SHA512
09af192c1482635d335b0ac91928d7a66e04706b5276645be1ea0687c00e38e6b3d0344b08ef86d85d088323ed42431f674b204904f15a324a145a23b9da5fbe

Download Submit
memory/3724-20-0x0000000010000000-0x0000000010014000-memory.dmp

Filesize
80KB

Download
memory/3724-7-0x0000000000400000-0x0000000000411981-memory.dmp

Filesize
70KB

Download
memory/3724-12-0x0000000000400000-0x0000000000411981-memory.dmp

Filesize
70KB

Download
memory/3724-10-0x0000000000570000-0x000000000057E000-memory.dmp

Filesize
56KB

Download
memory/3724-18-0x0000000010000000-0x0000000010014000-memory.dmp

Filesize
80KB

Download
memory/3724-19-0x0000000010000000-0x0000000010014000-memory.dmp

Filesize
80KB

Download
memory/3724-9-0x0000000000400000-0x0000000000411981-memory.dmp

Filesize
70KB

Download
memory/3724-26-0x0000000010000000-0x0000000010014000-memory.dmp

Filesize
80KB

Download
memory/3724-11-0x0000000000407000-0x0000000000411000-memory.dmp

Filesize
40KB

Download
memory/3724-8-0x0000000000400000-0x0000000000411981-memory.dmp

Filesize
70KB

Download
memory/4056-41-0x0000000010000000-0x0000000010014000-memory.dmp

Filesize
80KB

Download
memory/4056-38-0x0000000010000000-0x0000000010014000-memory.dmp

Filesize
80KB

Download
memory/4056-39-0x0000000000BA0000-0x0000000000BA8000-memory.dmp

Filesize
32KB

Download
memory/4056-40-0x000000001000E000-0x0000000010013000-memory.dmp

Filesize
20KB

Download
memory/4056-45-0x0000000010000000-0x0000000010014000-memory.dmp

Filesize
80KB

Download
memory/4056-46-0x0000000000BA0000-0x0000000000BA8000-memory.dmp

Filesize
32KB

Download
memory/4056-48-0x000000001000E000-0x0000000010013000-memory.dmp

Filesize
20KB

Download