Overview

overview

8

Static

static

7

4d60ed02bc...18.exe

windows7-x64

7

4d60ed02bc...18.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    149s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
  • submitted
    16/07/2024, 07:43

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    4d60ed02bc2eae846230ddb132b06327_JaffaCakes118.exe

  • Size

    1.0MB

  • MD5

    4d60ed02bc2eae846230ddb132b06327

  • SHA1

    ab452058c687a41ff067f21642728c7e3df2fa0f

  • SHA256

    c0fd3a36837f8c65e2fd32a0fa0f62db86307156bc8217208c182da3a75fe834

  • SHA512

    d8c21a915867a3e606e4c9eae7a7d198c380f96ec3e31dbe6999c5164c8afdfc53f575e4ec1299ed855a3a32b27b095ed079c4ac0f8d2d99a82668674e934def

  • SSDEEP

    24576:Aoo0rrnSvC9jcBAVE8s8iEL83KIw+90VuhFDoGZPRb:AoxrrSvChcBARs8iEY3KQ04PbZJ

Score
8/10
bootkitpersistenceupx

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 5 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    persistence
  • Executes dropped EXE 1 IoCs
  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 29 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

    bootkitpersistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 64 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies Internet Explorer settings 1 TTPs 8 IoCs
    adwarespyware
  • Modifies data under HKEY_USERS 64 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of SetWindowsHookEx 11 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4d60ed02bc2eae846230ddb132b06327_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\4d60ed02bc2eae846230ddb132b06327_JaffaCakes118.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1028
    • C:\ProgramData\defender.exe
      C:\ProgramData\defender.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Enumerates connected drives
      • Writes to the Master Boot Record (MBR)
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      PID:2828
  • C:\Windows\system32\sihost.exe
    sihost.exe
    1⤵
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:4676
    • C:\Windows\explorer.exe
      explorer.exe /LOADSAVEDWINDOWS
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Enumerates connected drives
      • Checks SCSI registry key(s)
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:4708
  • C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
    "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
    1⤵
    • Modifies data under HKEY_USERS
    • Suspicious use of SetWindowsHookEx
    PID:2196
  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
    1⤵
      PID:1872
    • C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
      "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
      1⤵
      • Modifies data under HKEY_USERS
      • Suspicious use of SetWindowsHookEx
      PID:4420
    • C:\Windows\system32\sihost.exe
      sihost.exe
      1⤵
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of WriteProcessMemory
      PID:2056
      • C:\Windows\explorer.exe
        explorer.exe /LOADSAVEDWINDOWS
        2⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Enumerates connected drives
        • Checks SCSI registry key(s)
        • Modifies Internet Explorer settings
        • Modifies registry class
        • Suspicious behavior: AddClipboardFormatListener
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SendNotifyMessage
        • Suspicious use of SetWindowsHookEx
        PID:5060
    • C:\Windows\system32\sihost.exe
      sihost.exe
      1⤵
      • Suspicious use of WriteProcessMemory
      PID:4524
      • C:\Windows\explorer.exe
        explorer.exe /LOADSAVEDWINDOWS
        2⤵
        • Modifies registry class
        PID:3680
    • C:\Windows\System32\rundll32.exe
      C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {9BA05972-F6A8-11CF-A442-00A0C90A8F39} -Embedding
      1⤵
        PID:3808
      • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
        "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
        1⤵
        • Suspicious use of SetWindowsHookEx
        PID:2068
      • C:\Windows\system32\sihost.exe
        sihost.exe
        1⤵
        • Suspicious use of WriteProcessMemory
        PID:4304
        • C:\Windows\explorer.exe
          explorer.exe /LOADSAVEDWINDOWS
          2⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Modifies registry class
          • Suspicious use of AdjustPrivilegeToken
          PID:2152
      • C:\Windows\system32\sihost.exe
        sihost.exe
        1⤵
        • Suspicious use of WriteProcessMemory
        PID:2004
        • C:\Windows\explorer.exe
          explorer.exe /LOADSAVEDWINDOWS
          2⤵
            PID:3412
        • C:\Windows\explorer.exe
          explorer.exe
          1⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Enumerates connected drives
          • Modifies registry class
          PID:4220
        • C:\Windows\system32\sihost.exe
          sihost.exe
          1⤵
          • Modifies registry class
          • Suspicious use of WriteProcessMemory
          PID:2192
          • C:\Windows\explorer.exe
            explorer.exe /LOADSAVEDWINDOWS
            2⤵
            • Modifies registry class
            PID:4236
        • C:\Windows\explorer.exe
          explorer.exe
          1⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Enumerates connected drives
          • Checks SCSI registry key(s)
          • Modifies Internet Explorer settings
          • Modifies registry class
          • Suspicious behavior: AddClipboardFormatListener
          • Suspicious use of SetWindowsHookEx
          PID:3444
        • C:\Windows\System32\rundll32.exe
          C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {9BA05972-F6A8-11CF-A442-00A0C90A8F39} -Embedding
          1⤵
            PID:2944
          • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
            "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
            1⤵
            • Modifies registry class
            • Suspicious use of SetWindowsHookEx
            PID:1904

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\ProgramData\defender.exe
            Filesize

            909KB

            MD5

            da61ffabb4ce35a2195f722c995b9423

            SHA1

            b0e5337359b2d17ba29abfa53069eb623728a97e

            SHA256

            504a018bb2d755922f259725491403f3ab3c2318d9269b547ce94d71bebd37da

            SHA512

            694bc84c3f6b584a2b508ed1d3716f92fb6127adc77cc22229dfc877908aef58e90911ef95480bd2013a87358822aa06a9164f4ea890b5e5efbce2f1828817ab

            Download Submit

          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9
            Filesize

            471B

            MD5

            036f8dd28740bb719ce33cd480bf76c9

            SHA1

            147fbed78df5be2074d89059e81cbf45f3b9f6f5

            SHA256

            270780fa61018179d3c98a2d81688296e0f5e8c68b1d3969ce5f3106d2859ac3

            SHA512

            4ba3c48d8d320fba1f37ca3377a0ffacc912b40a4bd802adddabb56a5a635ea070bbbe8ab75e5e55b090afcbd73cd2cc79367bee9c9f1ba4928337122bbf8e70

            Download Submit

          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9
            Filesize

            420B

            MD5

            ca57ce74fab1521e6aa6d4839f120dfb

            SHA1

            fd9d15d62707933153b0e2f044df485e4afcf4f1

            SHA256

            9450e73cce7cb398985f4b4bd38f7b80646e3ddb7dde3e67f2b2d47dae2376af

            SHA512

            a9972321ad590a3213d970c3aefe2cfff4678641c397879b0dd68066a6260ea0a5f731002f809341ec4007440f94bed0cbb515f2930208e69e0ce2ed36af5fa0

            Download Submit

          • C:\Users\Admin\AppData\Local\IconCache.db
            Filesize

            16KB

            MD5

            f08e7229c23c7c92c3f18953022f2dd2

            SHA1

            9d440e84299cd8f182ba82639d047eb79a51d8d6

            SHA256

            a2b7f71fd0402c69c001faabed26312a14c5e8f9b0e8a03841a4f26735231457

            SHA512

            0a8103666c6c8104a84eaf177f92de160e196258edbcf9078468a3273f1384822c5771837a0ad0f61e7bb4538f531b3cd904afd58d34688ca84ec5c8ea4012a1

            Download Submit

          • C:\Users\Admin\AppData\Local\IconCache.db
            Filesize

            19KB

            MD5

            fbbfa2942040774ad4b90cbb2c47a8bf

            SHA1

            2b30f1ef06e6428e451e5303907612a0d56299dc

            SHA256

            5e645fbb580238e4fd44d973415bd4a0fa11856da0ceacec35efa96c3f1f6dcd

            SHA512

            2b7d632e66ffdacb676ee271c1f0a5b871ce8ee3209c2bc968588987b3c8d110caeb260ed088a1167f56df8f2fe13481c3199e731f35fecc716e9229545ee0c3

            Download Submit

          • C:\Users\Admin\AppData\Local\Microsoft\PenWorkspace\DiscoverCacheData.dat
            Filesize

            1022B

            MD5

            3dd25b226c18fc5fc2f75298dbfeab52

            SHA1

            0f565f9ee0d7f91bc20d000dc8aa649c3f915989

            SHA256

            a2ab8c49f070882e31eb23d7eb46a3fd0c2f101987ad0a7420b7790977ead048

            SHA512

            30699ce0991c115bbed0ca935300fee8e35166cef9c689f3827c382e180dd2a06b876187f932ff016d4c6bbc0f98bfe7c68ae1a032994946d11f7fa0e92be3a9

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\{F3C88671-D565-4A71-A576-6213924E16DB}.png
            Filesize

            6KB

            MD5

            099ba37f81c044f6b2609537fdb7d872

            SHA1

            470ef859afbce52c017874d77c1695b7b0f9cb87

            SHA256

            8c98c856e4d43f705ff9a5c9a55f92e1885765654912b4c75385c3ea2fdef4a7

            SHA512

            837e1ad7fe4f5cbc0a87f3703ba211c18f32b20df93b23f681cbd0390d8077adba64cf6454a1bb28df1f7df4cb2cdc021d826b6ef8db890e40f21d618d5eb07a

            Download Submit

          • C:\Users\Public\Desktop\Malware Protection.lnk
            Filesize

            679B

            MD5

            473fa9a70d5be90c5e54136fac621af7

            SHA1

            3c495fc2730931c3fc5b385a73658b931f5dc83a

            SHA256

            8c19f12ed46edfe2a257fcca13fc9394178abcc213b929b33b2153e544f76cfb

            SHA512

            c44abf9dae758b9b88d556d4435fb268ac71dcc99a2710af78d93220ffbc060f13bf306b692aec75b34cefb40b4d9b0dfc8db09b76070032962c6e27bc6ac128

            Download Submit

          • memory/1028-8-0x0000000000404000-0x0000000000405000-memory.dmp

            Filesize

            4KB

            Download

          • memory/1028-3-0x0000000000400000-0x0000000000718000-memory.dmp

            Filesize

            3.1MB

            Download

          • memory/1028-2-0x0000000000830000-0x0000000000930000-memory.dmp

            Filesize

            1024KB

            Download

          • memory/1028-0-0x0000000000400000-0x0000000000718000-memory.dmp

            Filesize

            3.1MB

            Download

          • memory/1028-24-0x0000000000400000-0x0000000000718000-memory.dmp

            Filesize

            3.1MB

            Download

          • memory/2828-22-0x0000000000400000-0x0000000000A30000-memory.dmp

            Filesize

            6.2MB

            Download

          • memory/2828-58-0x0000000000400000-0x0000000000A30000-memory.dmp

            Filesize

            6.2MB

            Download

          • memory/2828-21-0x0000000000400000-0x0000000000A30000-memory.dmp

            Filesize

            6.2MB

            Download

          • memory/2828-20-0x0000000000400000-0x0000000000A30000-memory.dmp

            Filesize

            6.2MB

            Download

          • memory/2828-18-0x0000000000400000-0x0000000000A30000-memory.dmp

            Filesize

            6.2MB

            Download

          • memory/2828-38-0x0000000000400000-0x0000000000A30000-memory.dmp

            Filesize

            6.2MB

            Download

          • memory/2828-90-0x0000000000400000-0x0000000000A30000-memory.dmp

            Filesize

            6.2MB

            Download

          • memory/2828-17-0x0000000000400000-0x0000000000A30000-memory.dmp

            Filesize

            6.2MB

            Download

          • memory/2828-89-0x0000000000400000-0x0000000000A30000-memory.dmp

            Filesize

            6.2MB

            Download

          • memory/2828-15-0x0000000000400000-0x0000000000A30000-memory.dmp

            Filesize

            6.2MB

            Download

          • memory/2828-55-0x0000000000400000-0x0000000000A30000-memory.dmp

            Filesize

            6.2MB

            Download

          • memory/2828-56-0x0000000000400000-0x0000000000A30000-memory.dmp

            Filesize

            6.2MB

            Download

          • memory/2828-57-0x0000000000400000-0x0000000000A30000-memory.dmp

            Filesize

            6.2MB

            Download

          • memory/2828-88-0x0000000000400000-0x0000000000A30000-memory.dmp

            Filesize

            6.2MB

            Download

          • memory/2828-65-0x0000000000400000-0x0000000000A30000-memory.dmp

            Filesize

            6.2MB

            Download

          • memory/2828-66-0x0000000000400000-0x0000000000A30000-memory.dmp

            Filesize

            6.2MB

            Download

          • memory/2828-67-0x0000000000400000-0x0000000000A30000-memory.dmp

            Filesize

            6.2MB

            Download

          • memory/2828-74-0x0000000000400000-0x0000000000A30000-memory.dmp

            Filesize

            6.2MB

            Download

          • memory/2828-75-0x0000000000400000-0x0000000000A30000-memory.dmp

            Filesize

            6.2MB

            Download

          • memory/2828-76-0x0000000000400000-0x0000000000A30000-memory.dmp

            Filesize

            6.2MB

            Download

          • memory/2828-77-0x0000000000400000-0x0000000000A30000-memory.dmp

            Filesize

            6.2MB

            Download

          • memory/2828-82-0x0000000000400000-0x0000000000A30000-memory.dmp

            Filesize

            6.2MB

            Download

          • memory/2828-83-0x0000000000400000-0x0000000000A30000-memory.dmp

            Filesize

            6.2MB

            Download

          • memory/2828-84-0x0000000000400000-0x0000000000A30000-memory.dmp

            Filesize

            6.2MB

            Download

          • memory/2828-87-0x0000000000400000-0x0000000000A30000-memory.dmp

            Filesize

            6.2MB

            Download

          • memory/3444-47-0x00000000042C0000-0x00000000042C1000-memory.dmp

            Filesize

            4KB

            Download

          • memory/4708-30-0x0000000004A20000-0x0000000004A21000-memory.dmp

            Filesize

            4KB

            Download

          • memory/5060-39-0x0000000004270000-0x0000000004271000-memory.dmp

            Filesize

            4KB

            Download