c0b6cd59fd32d3626be02c93369b4a4bf4a19832238bfca81daa4dfef8f030ae

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
19/07/2024, 01:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

59ecb2e569f4b96c3e3d0ac0734d5f58_JaffaCakes118.dll
Size

374KB
MD5

59ecb2e569f4b96c3e3d0ac0734d5f58
SHA1

01a238d8b675675156906033bac75f27d9997ff3
SHA256

c0b6cd59fd32d3626be02c93369b4a4bf4a19832238bfca81daa4dfef8f030ae
SHA512

2e0423bf3aff811a911032f0435ddd4347b48a88e896ec24650c83e891ac93f60fe7879994374715a3946ba63dc8e52b42d022613ec72cd7f279059047b6f104
SSDEEP

6144:o9dQbRcTidYMqLtidovpslAQLeMjAeBwntlQGcmXJnImJE8+DYTLQF98gWNlPTG3:2QbyTaFkCcps/LeMElnXWmpIb8+ULNt+

Score

6^/10

bootkit persistence

Malware Config

Signatures

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	regsvr32.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1592	regsvr32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1584 wrote to memory of 1592	1584	regsvr32.exe	30
PID 1584 wrote to memory of 1592	1584	regsvr32.exe	30
PID 1584 wrote to memory of 1592	1584	regsvr32.exe	30
PID 1584 wrote to memory of 1592	1584	regsvr32.exe	30
PID 1584 wrote to memory of 1592	1584	regsvr32.exe	30
PID 1584 wrote to memory of 1592	1584	regsvr32.exe	30
PID 1584 wrote to memory of 1592	1584	regsvr32.exe	30

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\59ecb2e569f4b96c3e3d0ac0734d5f58_JaffaCakes118.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:1584
- C:\Windows\SysWOW64\regsvr32.exe
  /s C:\Users\Admin\AppData\Local\Temp\59ecb2e569f4b96c3e3d0ac0734d5f58_JaffaCakes118.dll
  2⤵
  - Writes to the Master Boot Record (MBR)
  - Suspicious use of AdjustPrivilegeToken
  PID:1592

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1592-1-0x00000000001D0000-0x0000000000213000-memory.dmp

Filesize
268KB

Download
memory/1592-0-0x0000000002290000-0x000000000234D000-memory.dmp

Filesize
756KB

Download
memory/1592-2-0x0000000002290000-0x000000000234D000-memory.dmp

Filesize
756KB

Download
memory/1592-3-0x00000000001D0000-0x0000000000213000-memory.dmp

Filesize
268KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads