Analysis

  • max time kernel
    150s
  • max time network
    129s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64
    arch:x86
    image:win10v2004-20240802-en
    locale:en-us
    os:windows10-2004-x64
    system
  • submitted
    10-08-2024 04:46

General

  • Target

    84d95639d5f0ad7688b174d61d2141f8_JaffaCakes118.exe

  • Size

    853KB

  • MD5

    84d95639d5f0ad7688b174d61d2141f8

  • SHA1

    bb10aca47bc9ac88d8d480c22a03c69def49f618

  • SHA256

    bcf4c7e7208f113154adddc40b7452ecbc0115c8c36b4bd55b1b5739004db516

  • SHA512

    4725c717cf9f4cdadbeb951e59822504ef1ed0e500924310bb2bb8411a0eca03d3c684325b111712526aaa086a4d81d6662b04c3fb38d36fef5d0b296c6896f8

  • SSDEEP

    24576:+XV9oSBLcU+ELf+KrePShkPvoJnShUs3:wBLDnrFhg2Zc

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 5 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates connected drives 3 TTPs 31 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempts to gather information about the system language of the victim in order to infer the geographical location of the host.

  • Checks SCSI registry key(s) 3 TTPs 64 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies data under HKEY_USERS 64 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of SetWindowsHookEx 5 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

  • Uses Volume Shadow Copy WMI provider

    The Volume Shadow Copy service is used to manage backups/snapshots.

  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.
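A caveat before acting on the signature list above: the process tree below attributes the Active Setup and SCSI registry hits to the five explorer.exe instances (PIDs 1888, 2516, 3736, 2300, 4496) that sihost.exe launched with /LOADSAVEDWINDOWS, and the processor-information lookup to OfficeClickToRun.exe (PID 4924), all of which are normal shell and Office service start-up activity in the sandbox image. The Run key write, drive enumeration, MBR write and language discovery are the ones attributed to the sample itself (PID 4764). The PowerShell below is an added triage script, not part of the sandbox report, that checks the same registry locations on a live host. The Active Setup, Run/RunOnce and HKLM\HARDWARE paths are standard Windows locations; the list of hypervisor marker strings, the "system stub" path pattern and the user-writable-directory pattern are assumptions chosen for illustration.

```powershell
# Added triage script (not part of the sandbox report) for the registry-based
# signatures listed above. Run from an elevated PowerShell 5.1 or later session.

$Findings = [System.Collections.Generic.List[object]]::new()
function Add-Finding([string]$Category, [string]$Path, [string]$Detail) {
    $Findings.Add([pscustomobject]@{ Category = $Category; Path = $Path; Detail = $Detail })
}

# 1. Active Setup. Windows runs a component's StubPath once per user at logon when
#    the per-user copy under HKCU is missing or its Version is lower than HKLM's;
#    a plain inequality is close enough for triage.
$hklmAS = 'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components'
$hkcuAS = 'HKCU:\SOFTWARE\Microsoft\Active Setup\Installed Components'
# Assumption: legitimate stubs live under the Windows or Program Files trees.
$systemStub = '^"?(%SystemRoot%|%windir%|%ProgramFiles%|[A-Za-z]:\\(Windows|Program Files( \(x86\))?))\\'
foreach ($comp in Get-ChildItem $hklmAS -ErrorAction SilentlyContinue) {
    $props = Get-ItemProperty $comp.PSPath
    if (-not $props.StubPath) { continue }
    $userCopy = Get-ItemProperty (Join-Path $hkcuAS $comp.PSChildName) -ErrorAction SilentlyContinue
    $pending = (-not $userCopy) -or ([string]$userCopy.Version -ne [string]$props.Version)
    if ($pending -or ($props.StubPath -notmatch $systemStub)) {
        Add-Finding 'ActiveSetup' $comp.Name ('StubPath={0}; Version={1}; pending={2}' -f $props.StubPath, $props.Version, $pending)
    }
}

# 2. Run / RunOnce keys for the machine and the current user.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
# Assumption: a value that launches from a user-writable directory deserves a look;
# the sample in this report ran from %LOCALAPPDATA%\Temp.
$userWritable = '\\(AppData|Temp|ProgramData|Users\\Public)\\'
foreach ($key in $runKeys) {
    $item = Get-Item $key -ErrorAction SilentlyContinue
    if (-not $item) { continue }
    foreach ($name in $item.GetValueNames()) {
        $cmd = [string]$item.GetValue($name)
        if ($cmd -match $userWritable) { Add-Finding 'RunKey' "$key\$name" $cmd }
    }
}

# 3. Values commonly read to fingerprint a sandbox (the report flags SCSI and
#    processor lookups). Shown so the analyst can see what a sample would see.
$fingerprints = @(
    @{ Path = 'HKLM:\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0'; Name = 'Identifier' },
    @{ Path = 'HKLM:\HARDWARE\DESCRIPTION\System\CentralProcessor\0'; Name = 'ProcessorNameString' },
    @{ Path = 'HKLM:\HARDWARE\DESCRIPTION\System\BIOS'; Name = 'SystemManufacturer' }
)
# Assumption: typical strings evasive samples test for.
$hypervisorMarkers = 'VMware|VBOX|VirtualBox|QEMU|Xen|Hyper-V|Virtual'
foreach ($fp in $fingerprints) {
    $value = (Get-ItemProperty $fp.Path -Name $fp.Name -ErrorAction SilentlyContinue).($fp.Name)
    if ($value -and ([string]$value -match $hypervisorMarkers)) {
        Add-Finding 'SandboxFingerprint' "$($fp.Path)\$($fp.Name)" $value
    }
}

if ($Findings.Count -eq 0) { 'No findings.' } else { $Findings | Format-Table -AutoSize -Wrap }
```

The Active Setup check reports two different things: entries that will still fire for the current user at next logon (pending) and entries whose stub lives outside the system trees regardless of state; a bootkit-style persistence chain usually shows up as the latter. The fingerprint section is there so that, when the host is itself a detonation VM, the analyst can see which of the values the sample reads leak a hypervisor name and should be spoofed.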

Processes

  • C:\Users\Admin\AppData\Local\Temp\84d95639d5f0ad7688b174d61d2141f8_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\84d95639d5f0ad7688b174d61d2141f8_JaffaCakes118.exe"
    1⤵
    • Adds Run key to start application
    • Enumerates connected drives
    • Writes to the Master Boot Record (MBR)
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of SetWindowsHookEx
    PID:4764
  • C:\Windows\system32\sihost.exe
    sihost.exe
    1⤵
    • Suspicious use of FindShellTrayWindow
    PID:4692
  • C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
    "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
    1⤵
    • Modifies data under HKEY_USERS
    • Suspicious use of SetWindowsHookEx
    PID:1636
  • C:\Windows\system32\sihost.exe
    sihost.exe
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4488
    • C:\Windows\explorer.exe
      explorer.exe /LOADSAVEDWINDOWS
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Enumerates connected drives
      • Checks SCSI registry key(s)
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:1888
  • C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
    "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
    1⤵
    • Checks processor information in registry
    • Enumerates system info in registry
    • Modifies data under HKEY_USERS
    • Suspicious use of SetWindowsHookEx
    PID:4924
  • C:\Windows\system32\sihost.exe
    sihost.exe
    1⤵
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:3464
    • C:\Windows\explorer.exe
      explorer.exe /LOADSAVEDWINDOWS
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Enumerates connected drives
      • Checks SCSI registry key(s)
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2516
  • C:\Windows\system32\sihost.exe
    sihost.exe
    1⤵
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:3196
    • C:\Windows\explorer.exe
      explorer.exe /LOADSAVEDWINDOWS
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Enumerates connected drives
      • Checks SCSI registry key(s)
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:3736
  • C:\Windows\system32\sihost.exe
    sihost.exe
    1⤵
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:1876
    • C:\Windows\explorer.exe
      explorer.exe /LOADSAVEDWINDOWS
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Enumerates connected drives
      • Checks SCSI registry key(s)
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2300
  • C:\Windows\system32\sihost.exe
    sihost.exe
    1⤵
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:3692
    • C:\Windows\explorer.exe
      explorer.exe /LOADSAVEDWINDOWS
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Enumerates connected drives
      • Checks SCSI registry key(s)
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      PID:4496
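The MBR write is the one signature the tree above attributes directly to the sample (PID 4764), alongside the Run key, drive enumeration and language discovery; the Task Scheduler and Volume Shadow Copy signatures carry no IoCs and are not attributed to any process. The PowerShell below is an added example, not from the report, that reads sector 0 of the first physical disk read-only, checks the 0x55AA signature, hashes the boot-code region so it can be compared with a baseline, parses the partition table, and then lists scheduled tasks registered after a given time and the current shadow copies. Assumptions: \\.\PhysicalDrive0 is the boot disk, the session is elevated, and $Since (set here to the report's submission time) is the start of the incident window. On a UEFI/GPT system sector 0 holds only a protective MBR with a single 0xEE partition, so the boot-code hash means much less there.

```powershell
# Added example (not part of the sandbox report): disk- and service-level checks
# for the MBR, Task Scheduler and Volume Shadow Copy signatures. Run elevated.

function Get-MbrRecord([string]$Device = '\\.\PhysicalDrive0') {
    # Raw, read-only read of the first 512-byte sector through the Win32 device namespace.
    $stream = [System.IO.FileStream]::new($Device, [System.IO.FileMode]::Open,
        [System.IO.FileAccess]::Read, [System.IO.FileShare]::ReadWrite)
    try {
        $sector = New-Object byte[] 512
        $read = $stream.Read($sector, 0, 512)
        if ($read -ne 512) { throw "short read: $read bytes" }
    } finally { $stream.Dispose() }

    # Layout: boot code in bytes 0..445, four 16-byte partition entries from 446,
    # signature 0x55 0xAA at 510..511. Hash only the code so a partition edit
    # does not mask (or fake) a boot-code change.
    $sha256 = [System.Security.Cryptography.SHA256]::Create()
    $bootCodeHash = ($sha256.ComputeHash([byte[]]($sector[0..445])) | ForEach-Object { $_.ToString('x2') }) -join ''
    $partitions = for ($i = 0; $i -lt 4; $i++) {
        $off = 446 + 16 * $i
        [pscustomobject]@{
            Index    = $i
            Bootable = ($sector[$off] -eq 0x80)
            Type     = '0x{0:X2}' -f $sector[$off + 4]    # 0xEE = GPT protective MBR
            StartLba = [BitConverter]::ToUInt32($sector, $off + 8)
            Sectors  = [BitConverter]::ToUInt32($sector, $off + 12)
        }
    }
    [pscustomobject]@{
        Device         = $Device
        SignatureValid = ($sector[510] -eq 0x55 -and $sector[511] -eq 0xAA)
        BootCodeSha256 = $bootCodeHash
        Partitions     = $partitions
    }
}

function Get-TaskRegisteredSince([datetime]$Since) {
    # Tasks created through the Task Scheduler COM API carry a RegistrationInfo/Date
    # element in their XML definition; filter on it rather than on last run time.
    foreach ($task in Get-ScheduledTask) {
        $xml = [xml](Export-ScheduledTask -TaskName $task.TaskName -TaskPath $task.TaskPath)
        $date = $xml.Task.RegistrationInfo.Date
        if (-not $date) { continue }
        if ([datetime]$date -gt $Since) {
            [pscustomobject]@{
                Task       = $task.TaskPath + $task.TaskName
                Registered = $date
                Action     = ($task.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)".Trim() }) -join '; '
            }
        }
    }
}

function Get-ShadowCopyInventory {
    # The same Win32_ShadowCopy provider the report flags; a sample that wipes
    # snapshots before encrypting leaves this empty.
    Get-CimInstance -ClassName Win32_ShadowCopy | Select-Object ID, VolumeName, InstallDate, Persistent
}

$mbr = Get-MbrRecord
"MBR signature valid: $($mbr.SignatureValid); boot code SHA-256: $($mbr.BootCodeSha256)"
$mbr.Partitions | Format-Table -AutoSize
# Record BootCodeSha256 from a known-good image of the same build; a changed hash with
# an unchanged partition table is the pattern a bootkit leaves, since it must keep the
# partitions intact for the system to keep booting.
$Since = [datetime]'2024-08-10T04:46:00'   # assumption: the report's submission time; set to the incident window
Get-TaskRegisteredSince $Since | Format-Table -AutoSize -Wrap
Get-ShadowCopyInventory | Format-Table -AutoSize
```

Reading \\.\PhysicalDrive0 with FileStream needs administrator rights and a sector-aligned size, which the single 512-byte read satisfies; if the sandbox image uses 4K-native disks the read size must be raised to 4096. The task listing goes through Export-ScheduledTask per task, which is slow on a host with hundreds of tasks but gives the registration timestamp that Get-ScheduledTaskInfo does not expose.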

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9

    Filesize

    471B

    MD5

    21e0d572257ada4ab14416d6fe564195

    SHA1

    031bba08701767a5c7ecb2db402e87f6a8c24b95

    SHA256

    fd6145a13947d549a3834d42b0be89884a6c7a75908b22be49f7d6d8b0fec9d2

    SHA512

    ce2a59fc254b644b696db4f9e8dd5a56149a9a5fb39e124d4f7eeae09527ce498e432e4547264ee97fdd92f7e7c3e3349d9817f226d9a67a5932f6f905293f90

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9

    Filesize

    420B

    MD5

    6527f62c074a762a2f6392ae03f72c3a

    SHA1

    c0e86d5c267655d5406b12bd93ec5ead98f9c731

    SHA256

    4add8c1ff52c813a298b382dc84b9e24becb2161ecdc0bec5065b9654981b9b1

    SHA512

    29d8be8551775bb16a9e914f0210c7e35c64254fc64891882e52c4abdff9ffcd23e9f561aaafd3d1b7a4443547e814a1e97f28cea2039b1557cebd9d8d1f8dfd

  • C:\Users\Admin\AppData\Local\Microsoft\PenWorkspace\DiscoverCacheData.dat

    Filesize

    1022B

    MD5

    d6cac25943e88c04e35f7356bc1e6954

    SHA1

    12029f76adba7b0b32c3e8f83500bf47bed8188f

    SHA256

    b67693ac73c1316b16680a6916cc420c80d89d592e65d3c49ce8f5bf142f5e88

    SHA512

    694c7ccee17e082cc513c4ffd9835877a416c83698e0493a01d5f325601e2f8a282260f3842ecdf3bd96c2a1a2810d197607be4fb55548b918345a722e80b4b0

  • C:\Users\Admin\AppData\Local\Temp\{67D88DCC-4335-4B0A-8FC6-1BBFDBF5055A}.png

    Filesize

    6KB

    MD5

    099ba37f81c044f6b2609537fdb7d872

    SHA1

    470ef859afbce52c017874d77c1695b7b0f9cb87

    SHA256

    8c98c856e4d43f705ff9a5c9a55f92e1885765654912b4c75385c3ea2fdef4a7

    SHA512

    837e1ad7fe4f5cbc0a87f3703ba211c18f32b20df93b23f681cbd0390d8077adba64cf6454a1bb28df1f7df4cb2cdc021d826b6ef8db890e40f21d618d5eb07a

  • memory/1888-11-0x0000000004640000-0x0000000004641000-memory.dmp

    Filesize

    4KB

  • memory/4496-29-0x0000000004F80000-0x0000000004F81000-memory.dmp

    Filesize

    4KB

  • memory/4764-34-0x0000000000400000-0x0000000000A28000-memory.dmp

    Filesize

    6.2MB

  • memory/4764-1-0x0000000000400000-0x0000000000A28000-memory.dmp

    Filesize

    6.2MB

  • memory/4764-4-0x0000000000400000-0x0000000000A28000-memory.dmp

    Filesize

    6.2MB

  • memory/4764-18-0x0000000000400000-0x0000000000A28000-memory.dmp

    Filesize

    6.2MB

  • memory/4764-3-0x00000000009EB000-0x00000000009EC000-memory.dmp

    Filesize

    4KB

  • memory/4764-31-0x0000000002830000-0x000000000283A000-memory.dmp

    Filesize

    40KB

  • memory/4764-33-0x00000000009EB000-0x00000000009EC000-memory.dmp

    Filesize

    4KB

  • memory/4764-32-0x0000000000400000-0x0000000000A28000-memory.dmp

    Filesize

    6.2MB

  • memory/4764-0-0x0000000002830000-0x000000000283A000-memory.dmp

    Filesize

    40KB

  • memory/4764-41-0x0000000000400000-0x0000000000A28000-memory.dmp

    Filesize

    6.2MB

  • memory/4764-42-0x0000000000400000-0x0000000000A28000-memory.dmp

    Filesize

    6.2MB

  • memory/4764-5-0x0000000000400000-0x0000000000A28000-memory.dmp

    Filesize

    6.2MB

  • memory/4764-49-0x0000000000400000-0x0000000000A28000-memory.dmp

    Filesize

    6.2MB

  • memory/4764-50-0x0000000000400000-0x0000000000A28000-memory.dmp

    Filesize

    6.2MB

  • memory/4764-51-0x0000000000400000-0x0000000000A28000-memory.dmp

    Filesize

    6.2MB

  • memory/4764-52-0x0000000000400000-0x0000000000A28000-memory.dmp

    Filesize

    6.2MB

  • memory/4764-57-0x0000000000400000-0x0000000000A28000-memory.dmp

    Filesize

    6.2MB

  • memory/4764-58-0x0000000000400000-0x0000000000A28000-memory.dmp

    Filesize

    6.2MB

  • memory/4764-59-0x0000000000400000-0x0000000000A28000-memory.dmp

    Filesize

    6.2MB

  • memory/4764-62-0x0000000000400000-0x0000000000A28000-memory.dmp

    Filesize

    6.2MB

  • memory/4764-63-0x0000000000400000-0x0000000000A28000-memory.dmp

    Filesize

    6.2MB

  • memory/4764-64-0x0000000000400000-0x0000000000A28000-memory.dmp

    Filesize

    6.2MB

  • memory/4764-65-0x0000000000400000-0x0000000000A28000-memory.dmp

    Filesize

    6.2MB