0564b03a4408684ed07531e812f101c038c9b7ae88af73cee770016b3f24fa16

Analysis

max time kernel
141s
max time network
124s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
13-08-2024 18:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

94430acbcd0940e55e008538ee013f50_JaffaCakes118.exe
Size

2.7MB
MD5

94430acbcd0940e55e008538ee013f50
SHA1

950642815aaee997ac697e8933aff48c053c5a97
SHA256

0564b03a4408684ed07531e812f101c038c9b7ae88af73cee770016b3f24fa16
SHA512

69f394b60b33d75d6a6e4a107745729a703d5e226cd2376d494340172cffd360b8050d916cb56fb95655fff861c9ae09a3f6b23a03526db9eae0c8b2eeac7200
SSDEEP

49152:lNeGT86DAlfDMpO4OHEPFrwUIFWdoa+CybDS/LX3OM6ft71toyet0sykFqc////L:frTjY9P0FrTNdh+PbDS/LXgt71toyetl

Score

7^/10

aspackv2 bootkit discovery persistence

Malware Config

Signatures

ASPack v2.12-2.42 1 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral2/files/0x000a0000000233f6-4.dat	aspack_v212_v242

Executes dropped EXE 1 IoCs

pid	Process
1048	dailypim.exe

Loads dropped DLL 38 IoCs

pid	Process
3516	94430acbcd0940e55e008538ee013f50_JaffaCakes118.exe
3516	94430acbcd0940e55e008538ee013f50_JaffaCakes118.exe
3516	94430acbcd0940e55e008538ee013f50_JaffaCakes118.exe
3516	94430acbcd0940e55e008538ee013f50_JaffaCakes118.exe
3516	94430acbcd0940e55e008538ee013f50_JaffaCakes118.exe
3516	94430acbcd0940e55e008538ee013f50_JaffaCakes118.exe
3516	94430acbcd0940e55e008538ee013f50_JaffaCakes118.exe
3516	94430acbcd0940e55e008538ee013f50_JaffaCakes118.exe
3516	94430acbcd0940e55e008538ee013f50_JaffaCakes118.exe
3516	94430acbcd0940e55e008538ee013f50_JaffaCakes118.exe
3516	94430acbcd0940e55e008538ee013f50_JaffaCakes118.exe
3516	94430acbcd0940e55e008538ee013f50_JaffaCakes118.exe
3516	94430acbcd0940e55e008538ee013f50_JaffaCakes118.exe
3516	94430acbcd0940e55e008538ee013f50_JaffaCakes118.exe
3516	94430acbcd0940e55e008538ee013f50_JaffaCakes118.exe
3516	94430acbcd0940e55e008538ee013f50_JaffaCakes118.exe
3516	94430acbcd0940e55e008538ee013f50_JaffaCakes118.exe
3516	94430acbcd0940e55e008538ee013f50_JaffaCakes118.exe
3516	94430acbcd0940e55e008538ee013f50_JaffaCakes118.exe
3516	94430acbcd0940e55e008538ee013f50_JaffaCakes118.exe
3516	94430acbcd0940e55e008538ee013f50_JaffaCakes118.exe
3516	94430acbcd0940e55e008538ee013f50_JaffaCakes118.exe
3516	94430acbcd0940e55e008538ee013f50_JaffaCakes118.exe
3516	94430acbcd0940e55e008538ee013f50_JaffaCakes118.exe
3516	94430acbcd0940e55e008538ee013f50_JaffaCakes118.exe
3516	94430acbcd0940e55e008538ee013f50_JaffaCakes118.exe
3516	94430acbcd0940e55e008538ee013f50_JaffaCakes118.exe
3516	94430acbcd0940e55e008538ee013f50_JaffaCakes118.exe
3516	94430acbcd0940e55e008538ee013f50_JaffaCakes118.exe
3516	94430acbcd0940e55e008538ee013f50_JaffaCakes118.exe
3516	94430acbcd0940e55e008538ee013f50_JaffaCakes118.exe
3516	94430acbcd0940e55e008538ee013f50_JaffaCakes118.exe
3516	94430acbcd0940e55e008538ee013f50_JaffaCakes118.exe
3516	94430acbcd0940e55e008538ee013f50_JaffaCakes118.exe
3516	94430acbcd0940e55e008538ee013f50_JaffaCakes118.exe
3516	94430acbcd0940e55e008538ee013f50_JaffaCakes118.exe
3516	94430acbcd0940e55e008538ee013f50_JaffaCakes118.exe
3516	94430acbcd0940e55e008538ee013f50_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DailyPim = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dailypim.exe"	dailypim.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	dailypim.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	94430acbcd0940e55e008538ee013f50_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dailypim.exe

Modifies Internet Explorer settings 1 TTPs 5 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Software\Microsoft\Internet Explorer\MenuExt\DailyPim: ±£´æµ±Ç°Á´½Ó	dailypim.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Internet Explorer\MenuExt\DailyPim: ±£´æµ±Ç°Á´½Ó\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\DailyPimHtmlLink.htm"	dailypim.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Internet Explorer\MenuExt\DailyPim: ±£´æµ±Ç°Á´½Ó\contexts = "34"	dailypim.exe
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Software\Microsoft\Internet Explorer\MenuExt\DailyPim: ±£´æµ±Ç°ÍøÒ³	dailypim.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Internet Explorer\MenuExt\DailyPim: ±£´æµ±Ç°ÍøÒ³\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\DailyPimHtml.htm"	dailypim.exe

Modifies registry class 38 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D305EE07-0FC1-45DB-BD0D-8F6B3F9EC407}\1.0\0\win32	dailypim.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D305EE07-0FC1-45DB-BD0D-8F6B3F9EC407}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"	dailypim.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{459A3722-D10A-4AA8-9ED4-7CD8E141B862}\ = "IMHT"	dailypim.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C2F5C838-959E-4ED7-B74B-1732145E6269}	dailypim.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PIM.MHT\Clsid	dailypim.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D305EE07-0FC1-45DB-BD0D-8F6B3F9EC407}\1.0	dailypim.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D305EE07-0FC1-45DB-BD0D-8F6B3F9EC407}\1.0\ = "PIM Library"	dailypim.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D305EE07-0FC1-45DB-BD0D-8F6B3F9EC407}\1.0\FLAGS	dailypim.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D305EE07-0FC1-45DB-BD0D-8F6B3F9EC407}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dailypim.exe"	dailypim.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C2F5C838-959E-4ED7-B74B-1732145E6269}\LocalServer32	dailypim.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\PIM.MHT\ = "MHT Object"	dailypim.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C2F5C838-959E-4ED7-B74B-1732145E6269}\ProgID	dailypim.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{459A3722-D10A-4AA8-9ED4-7CD8E141B862}\TypeLib\ = "{D305EE07-0FC1-45DB-BD0D-8F6B3F9EC407}"	dailypim.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C2F5C838-959E-4ED7-B74B-1732145E6269}\ = "MHT Object"	dailypim.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C2F5C838-959E-4ED7-B74B-1732145E6269}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dailypim.exe"	dailypim.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\PIM.MHT\Clsid\ = "{C2F5C838-959E-4ED7-B74B-1732145E6269}"	dailypim.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C2F5C838-959E-4ED7-B74B-1732145E6269}\TypeLib\ = "{D305EE07-0FC1-45DB-BD0D-8F6B3F9EC407}"	dailypim.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D305EE07-0FC1-45DB-BD0D-8F6B3F9EC407}	dailypim.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D305EE07-0FC1-45DB-BD0D-8F6B3F9EC407}\1.0\HELPDIR	dailypim.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{459A3722-D10A-4AA8-9ED4-7CD8E141B862}\ProxyStubClsid32	dailypim.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{459A3722-D10A-4AA8-9ED4-7CD8E141B862}\TypeLib\ = "{D305EE07-0FC1-45DB-BD0D-8F6B3F9EC407}"	dailypim.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{459A3722-D10A-4AA8-9ED4-7CD8E141B862}\TypeLib\Version = "1.0"	dailypim.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{459A3722-D10A-4AA8-9ED4-7CD8E141B862}\ = "IMHT"	dailypim.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D305EE07-0FC1-45DB-BD0D-8F6B3F9EC407}\1.0\FLAGS\ = "0"	dailypim.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{459A3722-D10A-4AA8-9ED4-7CD8E141B862}	dailypim.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{459A3722-D10A-4AA8-9ED4-7CD8E141B862}	dailypim.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PIM.MHT	dailypim.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C2F5C838-959E-4ED7-B74B-1732145E6269}\Version\ = "1.0"	dailypim.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D305EE07-0FC1-45DB-BD0D-8F6B3F9EC407}\1.0\0	dailypim.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{459A3722-D10A-4AA8-9ED4-7CD8E141B862}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	dailypim.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{459A3722-D10A-4AA8-9ED4-7CD8E141B862}\ProxyStubClsid32	dailypim.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{459A3722-D10A-4AA8-9ED4-7CD8E141B862}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	dailypim.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{459A3722-D10A-4AA8-9ED4-7CD8E141B862}\TypeLib	dailypim.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C2F5C838-959E-4ED7-B74B-1732145E6269}\TypeLib	dailypim.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{459A3722-D10A-4AA8-9ED4-7CD8E141B862}\TypeLib	dailypim.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{459A3722-D10A-4AA8-9ED4-7CD8E141B862}\TypeLib\Version = "1.0"	dailypim.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C2F5C838-959E-4ED7-B74B-1732145E6269}\ProgID\ = "PIM.MHT"	dailypim.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C2F5C838-959E-4ED7-B74B-1732145E6269}\Version	dailypim.exe

Suspicious use of FindShellTrayWindow 8 IoCs

pid	Process
1048	dailypim.exe
1048	dailypim.exe
1048	dailypim.exe
1048	dailypim.exe
1048	dailypim.exe
1048	dailypim.exe
1048	dailypim.exe
1048	dailypim.exe

Suspicious use of SendNotifyMessage 8 IoCs

pid	Process
1048	dailypim.exe
1048	dailypim.exe
1048	dailypim.exe
1048	dailypim.exe
1048	dailypim.exe
1048	dailypim.exe
1048	dailypim.exe
1048	dailypim.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
1048	dailypim.exe
1048	dailypim.exe
1048	dailypim.exe
1048	dailypim.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3516 wrote to memory of 1048	3516	94430acbcd0940e55e008538ee013f50_JaffaCakes118.exe	84
PID 3516 wrote to memory of 1048	3516	94430acbcd0940e55e008538ee013f50_JaffaCakes118.exe	84
PID 3516 wrote to memory of 1048	3516	94430acbcd0940e55e008538ee013f50_JaffaCakes118.exe	84

C:\Users\Admin\AppData\Local\Temp\94430acbcd0940e55e008538ee013f50_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\94430acbcd0940e55e008538ee013f50_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3516
- C:\Users\Admin\AppData\Local\Temp\dailypim.exe
  C:\Users\Admin\AppData\Local\Temp\dailypim.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Writes to the Master Boot Record (MBR)
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:1048

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\dailypim.exe

Filesize
2.6MB

MD5
6b0d9aaf72a2c4c78f6bd35e4c5f587a

SHA1
811ca81a093d2bfaa0101746571452ce01b94b28

SHA256
003650d0314bcf4c73fe2cca5b9cd45b77ee4ad3f613a8316ef6db7cb20536d0

SHA512
96f4ec3fe44f3665cc68e6c012cb6c0683b82cdbfea1fdb7e53c91871d2335863139f98e1ad57c91a3762a39ef9030593cfbf14516db08e2dff38b56038f158d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsn8E56.tmp\System.dll

Filesize
10KB

MD5
810f3a0aefe36a9f63e29e604bea91a9

SHA1
2559d3d4adf51f8ecbe2d07e669e344eb7d0bd80

SHA256
f160eb7a1b4eb8d2e99e7424ae058acd81ba5019e43cbfa0ce81e3102b356779

SHA512
836b73c38ab60260e1bc81ebf8347e14d02453fc361b7d6f10f137287b8189f8bc43758ce2d9def8fd1c71112aab7ef1930af2d64ae69f6d4e58a6fe17b310bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsn8E56.tmp\inetc.dll

Filesize
20KB

MD5
50fdadda3e993688401f6f1108fabdb4

SHA1
04a9ae55d0fb726be49809582cea41d75bf22a9a

SHA256
6d6ddc0d2b7d59eb91be44939457858ced5eb23cf4aa93ef33bb600eb28de6f6

SHA512
e9628870feea8c3aaefe22a2af41cf34b1c1778c4a0e81d069f50553ce1a23f68a0ba74b296420b2be92425d4995a43e51c018c2e8197ec2ec39305e87c56be8

Download Submit
C:\Users\Admin\AppData\Local\Temp\pim.ini

Filesize
1KB

MD5
e7560f142d35d2d6eb77e3ab3848703c

SHA1
d8485dc5ec1d333e3b089544b7ac38c9eea6e5c3

SHA256
d80948e4776c50060b67c342750ca5294d076760bc4f594afb0de0fa31dabbf7

SHA512
b58ce2d0443321b7900ca49d97da13209fb612261c866d6af1b799baf9edea25d77fcffe8e525aab216d4b62d8c0e5793230e5f178f162ee05b85193a44803d8

Download Submit
memory/1048-21-0x0000000000F70000-0x0000000000F71000-memory.dmp

Filesize
4KB

Download
memory/1048-244-0x0000000000400000-0x0000000000C70000-memory.dmp

Filesize
8.4MB

Download
memory/1048-246-0x0000000000F70000-0x0000000000F71000-memory.dmp

Filesize
4KB

Download
memory/1048-251-0x0000000000400000-0x0000000000C70000-memory.dmp

Filesize
8.4MB

Download
memory/1048-255-0x0000000000400000-0x0000000000C70000-memory.dmp

Filesize
8.4MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads