a987fcfbb02e4ead8d6d3b6c99b9f1e8170d535e183ddd9300e937afdf9544b1

Analysis

max time kernel
141s
max time network
122s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
19/07/2024, 20:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5d78b8c6d041b87bf22540c3b3523b39_JaffaCakes118.exe
Size

681KB
MD5

5d78b8c6d041b87bf22540c3b3523b39
SHA1

b58cb35fbe40ef9258d45e108dc9e717232d5cc0
SHA256

a987fcfbb02e4ead8d6d3b6c99b9f1e8170d535e183ddd9300e937afdf9544b1
SHA512

6b479c541774109c7a2a5396297e01cf80679efb18a65a1d4f5271ab720d03945a9b5cc5b1d919fb6522945e278c54c50d73f64e9442b8e8c9a61145c8c5d84a
SSDEEP

12288:CG0ObNwOHlcmCNxY+Y1GJfRyl84190bHkzUwQ6b7MP+Dd2E9Akr:CyFcmYY1GJJyBcH0U67MP+h22D

Score

6^/10

bootkit persistence

Malware Config

Signatures

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	5d78b8c6d041b87bf22540c3b3523b39_JaffaCakes118.exe

Modifies registry class 41 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BAD1C309-005D-6950-D6DC-795EC63CEEBC}\1.0\0\win32	5d78b8c6d041b87bf22540c3b3523b39_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A0E85779-A01B-4B05-D681-26B58EA016B5}\Version\ = "1.0"	5d78b8c6d041b87bf22540c3b3523b39_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BAD1C309-005D-6950-D6DC-795EC63CEEBC}\1.0\0	5d78b8c6d041b87bf22540c3b3523b39_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BAD1C309-005D-6950-D6DC-795EC63CEEBC}	5d78b8c6d041b87bf22540c3b3523b39_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BAD1C309-005D-6950-D6DC-795EC63CEEBC}\1.0	5d78b8c6d041b87bf22540c3b3523b39_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BAD1C309-005D-6950-D6DC-795EC63CEEBC}\1.0\HELPDIR	5d78b8c6d041b87bf22540c3b3523b39_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BAD1C309-005D-6950-D6DC-795EC63CEEBC}\1.0\HELPDIR\	5d78b8c6d041b87bf22540c3b3523b39_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A0E85779-A01B-4B05-D681-26B58EA016B5}\ProgID\ = "AppIdPolicyEngineApi.AppIdPolicyHandler.1"	5d78b8c6d041b87bf22540c3b3523b39_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A0E85779-A01B-4B05-D681-26B58EA016B5}\Programmable	5d78b8c6d041b87bf22540c3b3523b39_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BAD1C309-005D-6950-D6DC-795EC63CEEBC}\	5d78b8c6d041b87bf22540c3b3523b39_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BAD1C309-005D-6950-D6DC-795EC63CEEBC}\1.0\ = "Microsoft Shell Controls And Automation"	5d78b8c6d041b87bf22540c3b3523b39_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BAD1C309-005D-6950-D6DC-795EC63CEEBC}\1.0\0\win32\	5d78b8c6d041b87bf22540c3b3523b39_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BAD1C309-005D-6950-D6DC-795EC63CEEBC}\1.0\0\win32\ = "C:\\Windows\\SysWOW64\\shell32.dll"	5d78b8c6d041b87bf22540c3b3523b39_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BAD1C309-005D-6950-D6DC-795EC63CEEBC}\1.0\0\win64	5d78b8c6d041b87bf22540c3b3523b39_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BAD1C309-005D-6950-D6DC-795EC63CEEBC}\1.0\FLAGS\ = "0"	5d78b8c6d041b87bf22540c3b3523b39_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A0E85779-A01B-4B05-D681-26B58EA016B5}\InprocServer32\ = "C:\\Windows\\SysWOW64\\AppIdPolicyEngineApi.dll"	5d78b8c6d041b87bf22540c3b3523b39_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A0E85779-A01B-4B05-D681-26B58EA016B5}\Version\	5d78b8c6d041b87bf22540c3b3523b39_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile"	5d78b8c6d041b87bf22540c3b3523b39_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A0E85779-A01B-4B05-D681-26B58EA016B5}\Version	5d78b8c6d041b87bf22540c3b3523b39_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BAD1C309-005D-6950-D6DC-795EC63CEEBC}\1.0\0\	5d78b8c6d041b87bf22540c3b3523b39_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A0E85779-A01B-4B05-D681-26B58EA016B5}\ProgID\	5d78b8c6d041b87bf22540c3b3523b39_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A0E85779-A01B-4B05-D681-26B58EA016B5}\ProgID	5d78b8c6d041b87bf22540c3b3523b39_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BAD1C309-005D-6950-D6DC-795EC63CEEBC}\1.0\HELPDIR\ = "C:\\Windows\\SysWOW64"	5d78b8c6d041b87bf22540c3b3523b39_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A0E85779-A01B-4B05-D681-26B58EA016B5}\VersionIndependentProgID\ = "AppIdPolicyEngineApi.AppIdPolicyHandler"	5d78b8c6d041b87bf22540c3b3523b39_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.key	5d78b8c6d041b87bf22540c3b3523b39_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A0E85779-A01B-4B05-D681-26B58EA016B5}\InprocServer32\	5d78b8c6d041b87bf22540c3b3523b39_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BAD1C309-005D-6950-D6DC-795EC63CEEBC}\1.0\0\win64\	5d78b8c6d041b87bf22540c3b3523b39_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BAD1C309-005D-6950-D6DC-795EC63CEEBC}\1.0\0\win64\ = "C:\\Windows\\SysWow64\\shell32.dll"	5d78b8c6d041b87bf22540c3b3523b39_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BAD1C309-005D-6950-D6DC-795EC63CEEBC}\1.0\FLAGS	5d78b8c6d041b87bf22540c3b3523b39_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A0E85779-A01B-4B05-D681-26B58EA016B5}\TypeLib\	5d78b8c6d041b87bf22540c3b3523b39_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BAD1C309-005D-6950-D6DC-795EC63CEEBC}\1.0\	5d78b8c6d041b87bf22540c3b3523b39_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A0E85779-A01B-4B05-D681-26B58EA016B5}\InprocServer32	5d78b8c6d041b87bf22540c3b3523b39_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A0E85779-A01B-4B05-D681-26B58EA016B5}\Programmable\	5d78b8c6d041b87bf22540c3b3523b39_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A0E85779-A01B-4B05-D681-26B58EA016B5}\TypeLib	5d78b8c6d041b87bf22540c3b3523b39_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A0E85779-A01B-4B05-D681-26B58EA016B5}\TypeLib\ = "{BAD1C309-005D-6950-D6DC-795EC63CEEBC}"	5d78b8c6d041b87bf22540c3b3523b39_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\	5d78b8c6d041b87bf22540c3b3523b39_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A0E85779-A01B-4B05-D681-26B58EA016B5}	5d78b8c6d041b87bf22540c3b3523b39_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BAD1C309-005D-6950-D6DC-795EC63CEEBC}\1.0\FLAGS\	5d78b8c6d041b87bf22540c3b3523b39_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A0E85779-A01B-4B05-D681-26B58EA016B5}\VersionIndependentProgID	5d78b8c6d041b87bf22540c3b3523b39_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A0E85779-A01B-4B05-D681-26B58EA016B5}\VersionIndependentProgID\	5d78b8c6d041b87bf22540c3b3523b39_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A0E85779-A01B-4B05-D681-26B58EA016B5}\ = "Vozana.Saneh.Pisezem"	5d78b8c6d041b87bf22540c3b3523b39_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\5d78b8c6d041b87bf22540c3b3523b39_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\5d78b8c6d041b87bf22540c3b3523b39_JaffaCakes118.exe"
1⤵
- Writes to the Master Boot Record (MBR)
- Modifies registry class
PID:2692

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2692-1-0x0000000000560000-0x0000000000590000-memory.dmp

Filesize
192KB

Download
memory/2692-0-0x0000000000400000-0x000000000055B000-memory.dmp

Filesize
1.4MB

Download
memory/2692-3-0x00000000003D0000-0x00000000003D6000-memory.dmp

Filesize
24KB

Download
memory/2692-2-0x00000000003E0000-0x00000000003E4000-memory.dmp

Filesize
16KB

Download
memory/2692-9-0x0000000000690000-0x0000000000691000-memory.dmp

Filesize
4KB

Download
memory/2692-8-0x00000000006A0000-0x00000000006A1000-memory.dmp

Filesize
4KB

Download
memory/2692-7-0x0000000001EC0000-0x0000000001EC1000-memory.dmp

Filesize
4KB

Download
memory/2692-6-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download
memory/2692-5-0x00000000003B0000-0x00000000003B1000-memory.dmp

Filesize
4KB

Download
memory/2692-4-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/2692-12-0x0000000001F10000-0x0000000001F11000-memory.dmp

Filesize
4KB

Download
memory/2692-11-0x0000000001F20000-0x0000000001F21000-memory.dmp

Filesize
4KB

Download
memory/2692-13-0x0000000000400000-0x000000000055B000-memory.dmp

Filesize
1.4MB

Download
memory/2692-14-0x0000000000560000-0x0000000000590000-memory.dmp

Filesize
192KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads