Analysis

  • max time kernel
    149s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240705-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
  • submitted
    25/07/2024, 13:41

General

  • Target

    6fcfdd23a36fdc9595362f330c4dea35_JaffaCakes118.exe

  • Size

    1.7MB

  • MD5

    6fcfdd23a36fdc9595362f330c4dea35

  • SHA1

    a8b641b389df4dd1f74b8e913b102d4c2f6c9c12

  • SHA256

    d0ac3950fcd379d65ac0e7e5d7ab32262ddf021cd56cbc609c688695990a9c53

  • SHA512

    89ac6753669785010645f09471d8d2d065c5886cbd147c5023b64d1bff25b45d18602d57b9da21883d6ad5a527648431bd5a904b48b33a28683bb01a1236ff70

  • SSDEEP

    49152:jhPG+uycEgxXg5Vf4S5NNtBOMxraJ/ZxozDcDtT:lFuzKHrjOMI3F

Malware Config

Signatures

  • Loads dropped DLL 2 IoCs
  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempts to gather information about the system language of a victim host in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6fcfdd23a36fdc9595362f330c4dea35_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\6fcfdd23a36fdc9595362f330c4dea35_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Writes to the Master Boot Record (MBR)
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    PID:2408

Network

MITRE ATT&CK Enterprise v15

Downloads

  • \Users\Admin\AppData\Local\Temp\E_N4\krnln.fnr

    Filesize

    1.0MB

    MD5

    4b30dbe1a79b2b7572ff637cb3765ced

    SHA1

    b08eba0e9bdb62d426db8d2b3d451152a56f79a1

    SHA256

    4208bdf90e97398a452d459d89562bda361bc6e911a385c4e31481a776f69e6d

    SHA512

    40e99c4a9d160a734a1675d75209dd88c7389c95cf0d0b6101f7e9edb2f3ebfe85e7170f0f4bae8a2e9533048bd5ecd414797b02ef257aecd90431f0c29ccfce

  • \Users\Admin\AppData\Local\Temp\E_N4\xplib.fne

    Filesize

    80KB

    MD5

    2428c64705f8c9201a816edd07237443

    SHA1

    220b3bcffd333fcdf585b129015cb086d762f0af

    SHA256

    6b1651e03dc8fa46ea85f599cadee51944777139a9da9ef4e50fd7a25c7aefcc

    SHA512

    e3830b5a123fc9d0daf7f1885dadd762d63c66af39375c3251eb24021f015b14be33eb7ac339c499a0dca9a8e7263cbb2412bcd9ecdaadd7484360d7e600d787

  • memory/2408-0-0x0000000000400000-0x0000000000430000-memory.dmp

    Filesize

    192KB

  • memory/2408-14-0x00000000003D0000-0x00000000003E4000-memory.dmp

    Filesize

    80KB

  • memory/2408-16-0x0000000000400000-0x0000000000430000-memory.dmp

    Filesize

    192KB