Analysis

  • max time kernel
    141s
  • max time network
    135s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    11/08/2024, 19:16

General

  • Target

    8ba4b1d75c3fd8dcd3d8f95283675e84_JaffaCakes118.exe

  • Size

    5.4MB

  • MD5

    8ba4b1d75c3fd8dcd3d8f95283675e84

  • SHA1

    2576788173ece6b39cf255796a4502845377f905

  • SHA256

    1fa0f5148aadeb31d6696e3eb6e8ecd1641bd7d65aa495f5ac9481dec25ea73f

  • SHA512

    08f5066e34baac17c83781ebd26db39c36d98aa0a9cb96e6128e738555003cb358f45daadb96df56b33552330a52f7c20d812627517bd8b4524797c117b6be07

  • SSDEEP

    98304:XNqCKhGd8xqyNNh5A6blKgawoBIuE9oO0e5sq+pZWixsTG0IXNg4talUC4Zpo575:XNhKhG2xRxAYfoGuAoVq+bWiTH64taGM

Malware Config

Signatures

  • Blocks application from running via registry modification 1 IoCs

    Adds application to list of disallowed applications.

  • Drops file in Drivers directory 7 IoCs
  • Server Software Component: Terminal Services DLL 1 TTPs 1 IoCs
  • ACProtect 1.3x - 1.4x DLL software 2 IoCs

    Detects file using ACProtect software.

  • Loads dropped DLL 12 IoCs
  • UPX packed file 8 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

  • Drops file in System32 directory 3 IoCs
  • Drops file in Program Files directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious behavior: LoadsDriver 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8ba4b1d75c3fd8dcd3d8f95283675e84_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\8ba4b1d75c3fd8dcd3d8f95283675e84_JaffaCakes118.exe"
    • Blocks application from running via registry modification
    • Drops file in Drivers directory
    • Server Software Component: Terminal Services DLL
    • Loads dropped DLL
    • Writes to the Master Boot Record (MBR)
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:2052
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4236,i,3210801877307184477,8078594481454001567,262144 --variations-seed-version --mojo-platform-channel-handle=4608 /prefetch:8
    PID:2352

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\489448.dll

      Filesize

      157KB

      MD5

      7114ff150097ff2cc8efded870d506f2

      SHA1

      761fdd81baf339984f4c057c68c81d84397dfb81

      SHA256

      ae6330789fc8d90cc9d4e4a452fa2f0a50f43ee64ae62eb842b01532258bea6d

      SHA512

      c073edb2662f1d01ddfb8678ed8cd1e16533e18c8d75a99bc4523e055e535f319deb9215dbd7c54122b0c790857d246e14d22daa2654d7f2da89c4f68c2f2f2d

    • C:\Users\Admin\AppData\Local\Temp\AntiRk.dll

      Filesize

      72KB

      MD5

      b11dda9d4bb8bb2292d7721d4199ce09

      SHA1

      3f79d6e1efd6efe406776d0ca4a44a851b950a0e

      SHA256

      4f8fa717cfb94e8aa725dd38c19fe5b1af686e2f495feb98987a36f1ae6a410b

      SHA512

      3a56fb60e223dd39bdec0c993309fa5b5fc0b204a0af4b6a9ede2d4db4b3f9940c27eba9ae732350032f11ee76659acaed50aae116db388cac28a4e40bb4b136

    • C:\Users\Admin\AppData\Local\Temp\NewAdvapi32.dll

      Filesize

      478KB

      MD5

      e99416267b61f52fa5ab994019efd359

      SHA1

      86d31eae707db7fe51d2556394fcf0e8e9f6b0fd

      SHA256

      768c286674371564b5e6095edb56e0a4231f341be895da69cfccca5160029774

      SHA512

      0a1c7579a9c787c2c1bef35f0660e72e74b42824e14ebea63b87ed25ddaf107e3746567bb431cab41a2f6719fad2c22d96e0715a1fe085d75805d7d66f7f05ae

    • C:\Users\Admin\AppData\Local\Temp\fixfinal2.dll

      Filesize

      41KB

      MD5

      558b1cda41269415d5749bb2b8d7826d

      SHA1

      9bdd9f6161320f9beec1b7f9d28c968feeaf1d4e

      SHA256

      a5ccbb2e5872196895b283da8f73d480c6d6fc7403aa0836cc7a0be2013c1cf5

      SHA512

      bed3422f2a8a1f374cbc64c64efda9e4e485d00373b036a4f0427782f18cb98b54660a5cf6671847b253fc4628bdab821f4094dd544388b395d0c85c727e0116

    • C:\Users\Admin\AppData\Local\Temp\nsu4478.tmp\InstallOptions.dll

      Filesize

      14KB

      MD5

      32aa6334fc543e70ef0f792bb9a0c45a

      SHA1

      54be1f5004f7e5afe7c9ba160495076ea2a4d60c

      SHA256

      610e54bcfc2831d4f9d7030ceb16d35ee33006403d842f01b6e75bebea0083e2

      SHA512

      ac92116821a032de8df64bf9aea9c6ba4040467eebaa4e028c2bf031f1c81bb69531288b9d89d951b952fe0b4ecccade874a5ae76d04db8b4dee2d13c486f9ae

    • C:\Users\Admin\AppData\Local\Temp\nsu4478.tmp\System.dll

      Filesize

      10KB

      MD5

      7d85b1f619a3023cc693a88f040826d2

      SHA1

      09f5d32f8143e7e0d9270430708db1b9fc8871a8

      SHA256

      dc198967b0fb2bc7aaab0886a700c7f4d8cb346c4f9d48b9b220487b0dfe8a18

      SHA512

      5465804c56d6251bf369609e1b44207b717228a8ac36c7992470b9daf4a231256c0ce95e0b027c4164e62d9656742a56e2b51e9347c8b17ab51ff40f32928c85

    • C:\Users\Admin\AppData\Local\Temp\nsu4478.tmp\ioSpecial.ini

      Filesize

      597B

      MD5

      7c04d524af74e2425fd0da324c799029

      SHA1

      7c208a037ddd3df20bfb3cbb39b620a5bbfb1534

      SHA256

      b1e31bc74aecef40d6d44de89b6fb268c59742a92a8b71204df7ea19d91525a1

      SHA512

      c0fd48a05649e0443c0faf294c067b036e05653220bac9847cc515756b637c5f0d33bc3c40273ce45f7d5c0d99aeeb1fab7da7b921ba71af234286c55493d5c9

    • C:\Windows\SysWOW64\drivers\0e584987.sys

      Filesize

      12KB

      MD5

      21edc1472e3a426a3bc5d9ba1a59f54f

      SHA1

      3b1ee4f21d2b49c0d28a661696c1267896be0d8d

      SHA256

      01bef2212fa01b5dc030723560b8c77b114b8982767a961674730635f5aa9b84

      SHA512

      323a48a3a5dcc9c775e19c8dce6c3550ace77ae388af1e2f1072ad3dfecb2aa34c87ad2418720b903a70b6bf9ee220452a3ae3ac2aad3c4913c00122f10f109e

    • memory/2052-39-0x0000000004760000-0x0000000004774000-memory.dmp

      Filesize

      80KB

    • memory/2052-33-0x0000000004400000-0x0000000004426000-memory.dmp

      Filesize

      152KB

    • memory/2052-51-0x0000000003010000-0x0000000003079000-memory.dmp

      Filesize

      420KB

    • memory/2052-52-0x0000000004400000-0x0000000004426000-memory.dmp

      Filesize

      152KB

    • memory/2052-53-0x0000000003010000-0x0000000003079000-memory.dmp

      Filesize

      420KB

    • memory/2052-34-0x0000000004400000-0x0000000004426000-memory.dmp

      Filesize

      152KB

    • memory/2052-19-0x0000000003010000-0x0000000003079000-memory.dmp

      Filesize

      420KB