Overview

overview

10

Static

static

3

65070b7b45...18.exe

windows7-x64

10

65070b7b45...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
  • submitted
    22-07-2024 22:22

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    65070b7b458c5439b68e5e555a5d8ab5_JaffaCakes118.exe

  • Size

    596KB

  • MD5

    65070b7b458c5439b68e5e555a5d8ab5

  • SHA1

    3ea4546031c961d3cf6b9b6a9179d3ddfff8df52

  • SHA256

    e6cb9521bd4e1f2ab53c03bfef1e00b3b0c8ec71b44682c44b79a67b34493446

  • SHA512

    da49c82e086c8f798db90d2b643ad59de67625b1efab57f8f42d9768cdf3e23d2c2160c44526467001baf93445c3d1e058d4f13394f21c44315d026c7950ef26

  • SSDEEP

    12288:97bE3pZIUhMtk2Borsi0cXLd5c8weuKAFV7zoO+DEavGVv:db8MU+MX0cbY8NXAFV7UO+4OGVv

Score
10/10
bootkitevasionpersistence

Malware Config

Signatures

  • Modifies firewall policy service 3 TTPs 10 IoCs
    evasion
  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

    bootkitpersistence
  • Suspicious use of SetThreadContext 2 IoCs
  • Modifies registry key 1 TTPs 4 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 35 IoCs
  • Suspicious use of SetWindowsHookEx 5 IoCs
  • Suspicious use of WriteProcessMemory 40 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\65070b7b458c5439b68e5e555a5d8ab5_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\65070b7b458c5439b68e5e555a5d8ab5_JaffaCakes118.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1188
    • C:\Users\Admin\AppData\Local\Temp\65070b7b458c5439b68e5e555a5d8ab5_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\65070b7b458c5439b68e5e555a5d8ab5_JaffaCakes118.exe"
      2⤵
      • Writes to the Master Boot Record (MBR)
      • Suspicious use of SetThreadContext
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:628
      • C:\Users\Admin\AppData\Local\Temp\65070b7b458c5439b68e5e555a5d8ab5_JaffaCakes118.exe
        "C:\Users\Admin\AppData\Local\Temp\65070b7b458c5439b68e5e555a5d8ab5_JaffaCakes118.exe"
        3⤵
        • Suspicious behavior: RenamesItself
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:4736
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:4172
          • C:\Windows\SysWOW64\reg.exe
            REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
            5⤵
            • Modifies firewall policy service
            • Modifies registry key
            PID:1936
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\65070b7b458c5439b68e5e555a5d8ab5_JaffaCakes118.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\65070b7b458c5439b68e5e555a5d8ab5_JaffaCakes118.exe:*:Enabled:Windows Messanger" /f
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:4476
          • C:\Windows\SysWOW64\reg.exe
            REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\65070b7b458c5439b68e5e555a5d8ab5_JaffaCakes118.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\65070b7b458c5439b68e5e555a5d8ab5_JaffaCakes118.exe:*:Enabled:Windows Messanger" /f
            5⤵
            • Modifies firewall policy service
            • Modifies registry key
            PID:1860
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:4568
          • C:\Windows\SysWOW64\reg.exe
            REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
            5⤵
            • Modifies firewall policy service
            • Modifies registry key
            PID:4556
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\FPDFUTH4Z2.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\FPDFUTH4Z2.exe:*:Enabled:Windows Messanger" /f
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:2592
          • C:\Windows\SysWOW64\reg.exe
            REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\FPDFUTH4Z2.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\FPDFUTH4Z2.exe:*:Enabled:Windows Messanger" /f
            5⤵
            • Modifies firewall policy service
            • Modifies registry key
            PID:2456

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/628-15-0x0000000000400000-0x0000000000475000-memory.dmp

    Filesize

    468KB

    Download

  • memory/628-5-0x0000000000400000-0x0000000000475000-memory.dmp

    Filesize

    468KB

    Download

  • memory/628-2-0x0000000000400000-0x0000000000475000-memory.dmp

    Filesize

    468KB

    Download

  • memory/4736-21-0x0000000000400000-0x0000000000470000-memory.dmp

    Filesize

    448KB

    Download

  • memory/4736-24-0x0000000000400000-0x0000000000470000-memory.dmp

    Filesize

    448KB

    Download

  • memory/4736-17-0x0000000000400000-0x0000000000470000-memory.dmp

    Filesize

    448KB

    Download

  • memory/4736-18-0x0000000000400000-0x0000000000470000-memory.dmp

    Filesize

    448KB

    Download

  • memory/4736-20-0x0000000000400000-0x0000000000470000-memory.dmp

    Filesize

    448KB

    Download

  • memory/4736-8-0x0000000000400000-0x0000000000470000-memory.dmp

    Filesize

    448KB

    Download

  • memory/4736-22-0x0000000000400000-0x0000000000470000-memory.dmp

    Filesize

    448KB

    Download

  • memory/4736-10-0x0000000000400000-0x0000000000470000-memory.dmp

    Filesize

    448KB

    Download

  • memory/4736-25-0x0000000000400000-0x0000000000470000-memory.dmp

    Filesize

    448KB

    Download

  • memory/4736-26-0x0000000000400000-0x0000000000470000-memory.dmp

    Filesize

    448KB

    Download

  • memory/4736-28-0x0000000000400000-0x0000000000470000-memory.dmp

    Filesize

    448KB

    Download

  • memory/4736-29-0x0000000000400000-0x0000000000470000-memory.dmp

    Filesize

    448KB

    Download

  • memory/4736-30-0x0000000000400000-0x0000000000470000-memory.dmp

    Filesize

    448KB

    Download

  • memory/4736-33-0x0000000000400000-0x0000000000470000-memory.dmp

    Filesize

    448KB

    Download