Overview

overview

8

Static

static

3

64d22cd45a...18.exe

windows7-x64

8

64d22cd45a...18.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    149s
  • max time network
    158s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
  • submitted
    22-07-2024 21:11

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    64d22cd45ad2ad2769b638bce0dc9b32_JaffaCakes118.exe

  • Size

    528KB

  • MD5

    64d22cd45ad2ad2769b638bce0dc9b32

  • SHA1

    15a4412a0ff25685271affac97fabaede8bf44e3

  • SHA256

    9d24d509108aaeac24ced22ff671e6378a5b84eac3920831377c1a4a5c60c5f1

  • SHA512

    75ea481a4eaee9d3e779f9f4c925f65c470661a6c2c93728a570b23930674508f365bdcc447042d438b43f2f6a0aa6d23280b74ce1a381026c04308563411f70

  • SSDEEP

    12288:jPsH9Cr3fo7upvtAYoRBPNo/CiHfc3BZU0vHeLCbqHdq8qPuqVFX:jPLr3Q74toRBYCCkjU0fmHdgum

Score
8/10
adwarebootkitpersistencestealer

Malware Config

Signatures

  • Drops file in Drivers directory 1 IoCs
  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 53 IoCs
  • Installs/modifies Browser Helper Object 2 TTPs 2 IoCs

    BHOs are DLL modules which act as plugins for Internet Explorer.

    stealeradware
  • Writes to the Master Boot Record (MBR) 1 TTPs 3 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

    bootkitpersistence
  • Drops file in System32 directory 20 IoCs
  • Drops file in Windows directory 13 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 47 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\64d22cd45ad2ad2769b638bce0dc9b32_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\64d22cd45ad2ad2769b638bce0dc9b32_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Writes to the Master Boot Record (MBR)
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Suspicious use of WriteProcessMemory
    PID:3024
    • C:\Windows\SysWOW64\regsvr32.exe
      C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32/4bl4.dll"
      2⤵
        PID:2752
      • C:\Windows\SysWOW64\regsvr32.exe
        C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32/c6cb.dll"
        2⤵
          PID:2836
        • C:\Windows\SysWOW64\regsvr32.exe
          C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32/353r.dll"
          2⤵
            PID:2624
          • C:\Windows\SysWOW64\regsvr32.exe
            C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32/b33o.dll"
            2⤵
              PID:2676
            • C:\Windows\SysWOW64\regsvr32.exe
              C:\Windows\system32\regsvr32.exe /s "C:\Windows\system32/b33o.dll"
              2⤵
              • Loads dropped DLL
              • Installs/modifies Browser Helper Object
              • Modifies registry class
              PID:748
            • C:\Windows\SysWOW64\36bd.exe
              C:\Windows\system32/36bd.exe -i
              2⤵
              • Executes dropped EXE
              • Loads dropped DLL
              PID:2652
            • C:\Windows\SysWOW64\36bd.exe
              C:\Windows\system32/36bd.exe -s
              2⤵
              • Executes dropped EXE
              • Loads dropped DLL
              PID:2348
            • C:\Users\Admin\AppData\Local\Temp\h8nil4o8\mtv.exe
              C:\Users\Admin\AppData\Local\Temp\h8nil4o8\mtv.exe
              2⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • Drops file in System32 directory
              • Suspicious use of SetWindowsHookEx
              PID:2564
            • C:\Windows\SysWOW64\rundll32.exe
              C:\Windows\system32\rundll32 C:\Windows\system32/36be.dll, Always
              2⤵
              • Loads dropped DLL
              PID:2032
          • C:\Windows\SysWOW64\36bd.exe
            C:\Windows\SysWOW64\36bd.exe
            1⤵
            • Drops file in Drivers directory
            • Executes dropped EXE
            • Loads dropped DLL
            • Writes to the Master Boot Record (MBR)
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:2464
            • C:\Windows\SysWOW64\rundll32.exe
              C:\Windows\system32\rundll32 C:\Windows\system32/36be.dll,Always
              2⤵
              • Loads dropped DLL
              • Writes to the Master Boot Record (MBR)
              • Drops file in System32 directory
              PID:2104

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\Temp\h8nil4o8\b.dll
            Filesize

            115KB

            MD5

            cbe8d9327071ebd627a41367bd649964

            SHA1

            8a185061b767fe1a45f83c8e056b2b963da816cf

            SHA256

            7fd47308f059705c8cecb00d6ac473795fcbecd04c849084744d8473cbbe9849

            SHA512

            69142d0f4aecfd15a7b9e1b78505ca6aa076790f31e914426e287aa35c48d502c003e2f2762a829dc33d6fa40bc61afee18445f591227c28b2ef15b7d3f59580

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\h8nil4o8\mtv.exe
            Filesize

            72KB

            MD5

            1858978af51266632c483ba738911b4f

            SHA1

            69c66bc78efeb1fe4ec562c8bdfbbc6e54434fd8

            SHA256

            4b85da0bbbdbf411548a43bd6a319c203e438daa87d21c5c9034ee6e65ac0d22

            SHA512

            3a3152dbd0d06dd97af4164b75acdf6f30aafb9016a5aeebb9da42c99868cb91d3a013dabd406cfe035b63b2da713f040fcbbe3a49d5e91a557b2b2f5b91e34a

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\h8nil4o8\p.dll
            Filesize

            386KB

            MD5

            889d5db2ee1dce0cd2923b2f98fcffab

            SHA1

            40cfb113d6d86bd9798c56f76b8e5ebc2f58f1aa

            SHA256

            5a5b4ad40b7f946041efde0b277ea98a0a786616e810b6a45b301a9c1ca3de2f

            SHA512

            2e64716e0e8f275d6f731c29bd6d9214893f473098dccbff4439dbb98680b413463bed273ac88016985827ad5948857813856133af957a65bb58e31728e9003b

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\h8nil4o8\s.exe
            Filesize

            224KB

            MD5

            5a8888018336c7e49f11c7c45c93209f

            SHA1

            c5b4b31bc15a0da31ad0c27485d90e0f067b2c54

            SHA256

            dc26a111427fc4dbb2ceb1d1dea4a08d8397f2f34a6b79e296230a4089572928

            SHA512

            c827f7891c178a8a320606313b3922875fc7660b7b40f17fa2fbaef995c1da55cec26b7c7e53f383f579e91222d460cd88311a5386560b3c789025050b9e1adf

            Download Submit

          • C:\Windows\Temp\tmp.exe
            Filesize

            152KB

            MD5

            b662c70b2ba04b2f6ceda31211ec2e4e

            SHA1

            74893abbfda55b387d9f832e828b5c741709484d

            SHA256

            41c63cc3b377c73d24c4c483af66e832ed8be398bcb81ecd31cc85eedb6de643

            SHA512

            2c02c47952463cb9730096483a8eb85c6abfb64d1d93ebb1847a56e96eb88f708c356094dcc03f122dd8a32e9b840d2a1dddc5b25c6faf153e144f803719a818

            Download Submit

          • memory/748-60-0x0000000010000000-0x0000000010020000-memory.dmp

            Filesize

            128KB

            Download

          • memory/2464-146-0x0000000010000000-0x0000000010020000-memory.dmp

            Filesize

            128KB

            Download

          • memory/2464-153-0x0000000010000000-0x0000000010020000-memory.dmp

            Filesize

            128KB

            Download

          • memory/2464-180-0x0000000010000000-0x0000000010020000-memory.dmp

            Filesize

            128KB

            Download

          • memory/2464-178-0x0000000010000000-0x0000000010020000-memory.dmp

            Filesize

            128KB

            Download

          • memory/2464-136-0x0000000010000000-0x0000000010020000-memory.dmp

            Filesize

            128KB

            Download

          • memory/2464-138-0x0000000010000000-0x0000000010020000-memory.dmp

            Filesize

            128KB

            Download

          • memory/2464-141-0x0000000010000000-0x0000000010020000-memory.dmp

            Filesize

            128KB

            Download

          • memory/2464-143-0x0000000010000000-0x0000000010020000-memory.dmp

            Filesize

            128KB

            Download

          • memory/2464-177-0x0000000010000000-0x0000000010020000-memory.dmp

            Filesize

            128KB

            Download

          • memory/2464-148-0x0000000010000000-0x0000000010020000-memory.dmp

            Filesize

            128KB

            Download

          • memory/2464-150-0x0000000010000000-0x0000000010020000-memory.dmp

            Filesize

            128KB

            Download

          • memory/2464-86-0x0000000010000000-0x0000000010020000-memory.dmp

            Filesize

            128KB

            Download

          • memory/2464-159-0x0000000010000000-0x0000000010020000-memory.dmp

            Filesize

            128KB

            Download

          • memory/2464-162-0x0000000010000000-0x0000000010020000-memory.dmp

            Filesize

            128KB

            Download

          • memory/2464-164-0x0000000010000000-0x0000000010020000-memory.dmp

            Filesize

            128KB

            Download

          • memory/2464-166-0x0000000010000000-0x0000000010020000-memory.dmp

            Filesize

            128KB

            Download

          • memory/2464-168-0x0000000010000000-0x0000000010020000-memory.dmp

            Filesize

            128KB

            Download

          • memory/2464-170-0x0000000010000000-0x0000000010020000-memory.dmp

            Filesize

            128KB

            Download

          • memory/2464-175-0x0000000010000000-0x0000000010020000-memory.dmp

            Filesize

            128KB

            Download

          • memory/3024-0-0x0000000000400000-0x0000000000480000-memory.dmp

            Filesize

            512KB

            Download

          • memory/3024-134-0x0000000000400000-0x0000000000480000-memory.dmp

            Filesize

            512KB

            Download

          • memory/3024-1-0x0000000000320000-0x00000000003A0000-memory.dmp

            Filesize

            512KB

            Download