Overview

overview

7

Static

static

3

a4367fd080...18.exe

windows7-x64

7

a4367fd080...18.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    148s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    17/08/2024, 21:32

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    a4367fd0803208674ccf2663ebfae60a_JaffaCakes118.exe

  • Size

    674KB

  • MD5

    a4367fd0803208674ccf2663ebfae60a

  • SHA1

    92f077d009e4d8ffdf3f05d63de818ce252aefb2

  • SHA256

    5d1394a6898e0e33ec9c566549a2e9f2f8a46b17a320fd399d9bcd9c82d065cd

  • SHA512

    f0c0a512e2e0469a92b180422319854b952a73c04681c07425cd9b454532542c214a1195d0c2bd6301e8027f214507ca05f4321e967ea16d0f594d6eb08c81e9

  • SSDEEP

    12288:kGxaPkDsihoNlb+Fg9to8v+hEXFst9TQqn6v/w5Nf5UQ84VcXkmQW06WpjIy+StE:kYaPkDssoNlwUt5+hL9TVvzGaVpJW0Fy

Score
7/10
bootkitdiscoverypersistence

Malware Config

Signatures

  • ACProtect 1.3x - 1.4x DLL software 1 IoCs

    Detects file using ACProtect software.

  • Loads dropped DLL 1 IoCs
  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

    bootkitpersistence
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a4367fd0803208674ccf2663ebfae60a_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\a4367fd0803208674ccf2663ebfae60a_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Writes to the Master Boot Record (MBR)
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    PID:1272

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\V220070411.EPE
    Filesize

    479KB

    MD5

    38332c2fb4f2c767ec9fba9ccc1e56ef

    SHA1

    d554b19be46912b9594169f745e7e3f91b008f97

    SHA256

    200686d518e3a034babe94968bcf2bfd86ec40d0df505a1877501306477522c6

    SHA512

    70362e97136e5861f13da5eacd359e8f4df4c0f61be18a138333fdce428a12c16507a3f97a6491839064d7e746ea5de857051a127c4c10609a726f32bf0a141e

    Download Submit

  • memory/1272-0-0x0000000000400000-0x000000000050C000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/1272-2-0x0000000071120000-0x0000000071261000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/1272-4-0x0000000000AC0000-0x0000000000AC1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1272-3-0x0000000000400000-0x000000000050C000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/1272-7-0x0000000004180000-0x0000000004190000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1272-6-0x0000000071120000-0x0000000071261000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/1272-9-0x0000000071120000-0x0000000071261000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/1272-8-0x0000000000400000-0x000000000050C000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/1272-10-0x0000000004180000-0x0000000004190000-memory.dmp

    Filesize

    64KB

    Download