Overview

overview

8

Static

static

7

81f65d2b17...18.exe

windows7-x64

7

81f65d2b17...18.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240730-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240730-enlocale:en-usos:windows10-2004-x64system
  • submitted
    01-08-2024 22:23

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    81f65d2b179a0811f3d70f91323e8d33_JaffaCakes118.exe

  • Size

    933KB

  • MD5

    81f65d2b179a0811f3d70f91323e8d33

  • SHA1

    452c58efa74f02a48fa933b742e2a6b5518d099c

  • SHA256

    d13d73e111ab838dd2ff845c8ee19467baeab19c0eed98c418ede729be1385bb

  • SHA512

    8b86cfb7e86c6f33e6fe8c5ce644349b8e9cfc6aa97dba12eb0d468eb057861987dfd8ed39a2199c03dd152db926a5a91299facdf836ce349e104a8ada86c6c0

  • SSDEEP

    24576:yc7i4YmiuQr6JZbt/VesAUDWIsE0ONr9kSBhEwbjkvkj:ycW4YmiP61NeC6IsEbkSBhEwEs

Score
8/10
bootkitdiscoverypersistenceupx

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 5 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    persistence
  • Executes dropped EXE 1 IoCs
  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 29 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

    bootkitpersistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks SCSI registry key(s) 3 TTPs 64 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies Internet Explorer settings 1 TTPs 4 IoCs
    adwarespyware
  • Modifies data under HKEY_USERS 64 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\81f65d2b179a0811f3d70f91323e8d33_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\81f65d2b179a0811f3d70f91323e8d33_JaffaCakes118.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: RenamesItself
    • Suspicious use of WriteProcessMemory
    PID:1112
    • C:\ProgramData\defender.exe
      C:\ProgramData\defender.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Enumerates connected drives
      • Writes to the Master Boot Record (MBR)
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      PID:3172
  • C:\Windows\system32\sihost.exe
    sihost.exe
    1⤵
    • Suspicious use of FindShellTrayWindow
    PID:4980
  • C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
    "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
    1⤵
    • Modifies data under HKEY_USERS
    • Suspicious use of SetWindowsHookEx
    PID:1712
  • C:\Windows\system32\sihost.exe
    sihost.exe
    1⤵
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:5056
    • C:\Windows\explorer.exe
      explorer.exe /LOADSAVEDWINDOWS
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Enumerates connected drives
      • Checks SCSI registry key(s)
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:1100
  • C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
    "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
    1⤵
    • Modifies data under HKEY_USERS
    • Suspicious use of SetWindowsHookEx
    PID:844
  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
    1⤵
      PID:1692
    • C:\Windows\system32\sihost.exe
      sihost.exe
      1⤵
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of WriteProcessMemory
      PID:3664
      • C:\Windows\explorer.exe
        explorer.exe /LOADSAVEDWINDOWS
        2⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Modifies registry class
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SendNotifyMessage
        PID:2328
    • C:\Windows\system32\sihost.exe
      sihost.exe
      1⤵
      • Suspicious use of WriteProcessMemory
      PID:2276
      • C:\Windows\explorer.exe
        explorer.exe /LOADSAVEDWINDOWS
        2⤵
        • Modifies registry class
        PID:484
    • C:\Windows\explorer.exe
      explorer.exe
      1⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Enumerates connected drives
      • Checks SCSI registry key(s)
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      PID:464
    • C:\Windows\System32\rundll32.exe
      C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {9BA05972-F6A8-11CF-A442-00A0C90A8F39} -Embedding
      1⤵
        PID:4100
      • C:\Windows\system32\sihost.exe
        sihost.exe
        1⤵
        • Suspicious use of WriteProcessMemory
        PID:4676
        • C:\Windows\explorer.exe
          explorer.exe /LOADSAVEDWINDOWS
          2⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Enumerates connected drives
          • Checks SCSI registry key(s)
          • Modifies registry class
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SendNotifyMessage
          PID:4700
      • C:\Windows\system32\sihost.exe
        sihost.exe
        1⤵
        • Suspicious use of WriteProcessMemory
        PID:1168
        • C:\Windows\explorer.exe
          explorer.exe /LOADSAVEDWINDOWS
          2⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Enumerates connected drives
          • Checks SCSI registry key(s)
          • Modifies registry class
          • Suspicious use of SetWindowsHookEx
          PID:5088

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\ProgramData\defender.exe
        Filesize

        852KB

        MD5

        a00438249cb56dc0445e49e5603f6cf2

        SHA1

        e56e5ff5e42ba861b50682ddac6462541b4571b0

        SHA256

        52d827471d58876682e6cfde41481083eef3a6c2ba353938e4b9d5413a577cc0

        SHA512

        c3af31b15df5539428a8eb0e427ac3206bdbba8cb339ecb5ce531c4def7b94f0dc4a70614b48c6446db36f4d79c188c3d260ac2e78cb0e9611a7ee1d10af3004

        Download Submit

      • C:\Users\Admin\AppData\Local\IconCache.db
        Filesize

        16KB

        MD5

        c46d83b72875cb9742fb9ce089421801

        SHA1

        ce62df6bc0f799c7c1d3501959a6e3bf66888c42

        SHA256

        ebb430462f0af33ab056aa7945d92f086c51e4eb8cb51c76d2f3958ada8c23d5

        SHA512

        98278a0d47f395ec13dbabe3ade151923d716c82f03f4119cf21d71845f6b3d14bb3d9bf755c96759a9e24cf20133888e36142debe62302653823468abc608bc

        Download Submit

      • C:\Users\Admin\AppData\Local\IconCache.db
        Filesize

        18KB

        MD5

        b4bf0ddd72f85b469c38031c9cc82200

        SHA1

        4028f0fa9cd53ad2b53792ee93a5237887976860

        SHA256

        938e4cd38616188bcdb5e3a3243dc5a2ae0384fb3e0bd4a9a203a72e85db1ba9

        SHA512

        7b8a6c00bc1e665264db92906ac42605c4afec23be25d8748f8fd84625639c9e4c64cb2f1ce5a0cdbc9cd9a2c2edfa7e10fd6baa643e259c1ea49ea765115894

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\PenWorkspace\DiscoverCacheData.dat
        Filesize

        1016B

        MD5

        3851350d2bedc0cb29d20ca1c4142e52

        SHA1

        a0adf611f5ebf969d3f762612f5f16ff429e0078

        SHA256

        dd005892ca53fd24f696145d103e501a53dbb15be856634b9e4884145d73d100

        SHA512

        35e175365cb37970f2e63fa009145867a27a87d8ee0a546076d12f60d977897c8074fc859ef12490e732ef7b0551910f7837085d79b4c1cf1b03525e8b1165e1

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\{E9BA3C22-9CB3-4FA4-A150-319A9D490790}.png
        Filesize

        6KB

        MD5

        099ba37f81c044f6b2609537fdb7d872

        SHA1

        470ef859afbce52c017874d77c1695b7b0f9cb87

        SHA256

        8c98c856e4d43f705ff9a5c9a55f92e1885765654912b4c75385c3ea2fdef4a7

        SHA512

        837e1ad7fe4f5cbc0a87f3703ba211c18f32b20df93b23f681cbd0390d8077adba64cf6454a1bb28df1f7df4cb2cdc021d826b6ef8db890e40f21d618d5eb07a

        Download Submit

      • C:\Users\Public\Desktop\Malware Protection.lnk
        Filesize

        679B

        MD5

        770481505a10c13dec1e8e37b27489b3

        SHA1

        e6faf9f28d6148c70a8e20f6bf98f9ff293b50df

        SHA256

        3baa62d1793448298f40f87901c2b56434408c5d67d282479395b99b00b5c4f4

        SHA512

        96ff787c0b893b56361a1f19955531ff6273a8e989c3fe91076d6f8b8e6788087d9177cf6efaab5c7118c380cf99d196df37b9ff5c0f631b80109c874eef2d9d

        Download Submit

      • memory/464-34-0x0000000004E80000-0x0000000004E81000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1100-25-0x0000000004A70000-0x0000000004A71000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1112-20-0x0000000000400000-0x00000000006DF000-memory.dmp

        Filesize

        2.9MB

        Download

      • memory/1112-7-0x0000000000404000-0x0000000000405000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1112-0-0x0000000000400000-0x00000000006DF000-memory.dmp

        Filesize

        2.9MB

        Download

      • memory/1112-1-0x00000000008A0000-0x00000000008B0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/1112-2-0x0000000000400000-0x00000000006DF000-memory.dmp

        Filesize

        2.9MB

        Download

      • memory/3172-54-0x0000000000400000-0x0000000000A21000-memory.dmp

        Filesize

        6.1MB

        Download

      • memory/3172-66-0x0000000000400000-0x0000000000A21000-memory.dmp

        Filesize

        6.1MB

        Download

      • memory/3172-14-0x0000000000400000-0x0000000000A21000-memory.dmp

        Filesize

        6.1MB

        Download

      • memory/3172-17-0x0000000000400000-0x0000000000A21000-memory.dmp

        Filesize

        6.1MB

        Download

      • memory/3172-36-0x0000000000400000-0x0000000000A21000-memory.dmp

        Filesize

        6.1MB

        Download

      • memory/3172-18-0x0000000000400000-0x0000000000A21000-memory.dmp

        Filesize

        6.1MB

        Download

      • memory/3172-79-0x0000000000400000-0x0000000000A21000-memory.dmp

        Filesize

        6.1MB

        Download

      • memory/3172-46-0x0000000000400000-0x0000000000A21000-memory.dmp

        Filesize

        6.1MB

        Download

      • memory/3172-22-0x0000000000400000-0x0000000000A21000-memory.dmp

        Filesize

        6.1MB

        Download

      • memory/3172-53-0x0000000000400000-0x0000000000A21000-memory.dmp

        Filesize

        6.1MB

        Download

      • memory/3172-21-0x0000000000400000-0x0000000000A21000-memory.dmp

        Filesize

        6.1MB

        Download

      • memory/3172-55-0x0000000000400000-0x0000000000A21000-memory.dmp

        Filesize

        6.1MB

        Download

      • memory/3172-56-0x0000000000400000-0x0000000000A21000-memory.dmp

        Filesize

        6.1MB

        Download

      • memory/3172-63-0x0000000000400000-0x0000000000A21000-memory.dmp

        Filesize

        6.1MB

        Download

      • memory/3172-64-0x0000000000400000-0x0000000000A21000-memory.dmp

        Filesize

        6.1MB

        Download

      • memory/3172-65-0x0000000000400000-0x0000000000A21000-memory.dmp

        Filesize

        6.1MB

        Download

      • memory/3172-15-0x0000000000400000-0x0000000000A21000-memory.dmp

        Filesize

        6.1MB

        Download

      • memory/3172-71-0x0000000000400000-0x0000000000A21000-memory.dmp

        Filesize

        6.1MB

        Download

      • memory/3172-72-0x0000000000400000-0x0000000000A21000-memory.dmp

        Filesize

        6.1MB

        Download

      • memory/3172-73-0x0000000000400000-0x0000000000A21000-memory.dmp

        Filesize

        6.1MB

        Download

      • memory/3172-76-0x0000000000400000-0x0000000000A21000-memory.dmp

        Filesize

        6.1MB

        Download

      • memory/3172-77-0x0000000000400000-0x0000000000A21000-memory.dmp

        Filesize

        6.1MB

        Download

      • memory/3172-78-0x0000000000400000-0x0000000000A21000-memory.dmp

        Filesize

        6.1MB

        Download

      • memory/5088-44-0x0000000004690000-0x0000000004691000-memory.dmp

        Filesize

        4KB

        Download