Overview

overview

8

Static

static

7

a331fd7d20...18.exe

windows7-x64

7

a331fd7d20...18.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    149s
  • max time network
    130s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    17/08/2024, 16:01

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    a331fd7d202c0df59a0735b298ea9b7c_JaffaCakes118.exe

  • Size

    865KB

  • MD5

    a331fd7d202c0df59a0735b298ea9b7c

  • SHA1

    875ced5f797e953bea92d85a54d32c6c786b4e17

  • SHA256

    b2706be3ab7de22ee52e714d6c2af886e951e3319b42be89459f214a52c8fc4e

  • SHA512

    9c152583df079f9115ae4cec7d6afcf2499f9b83f2b56a08e6b3c4fc6d685e7915abfc62bd0d8ec4dbc44da3e2a159ab25845deeea8ec61bba3df36e43a1895e

  • SSDEEP

    24576:ZhlJ8SuyU5SwjyKfRgInNe/8helpJllhmnq9k:LlJfur5ScNeUheFl7mqm

Score
8/10
bootkitdiscoverypersistenceupx

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 5 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    persistence
  • UPX packed file 1 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 31 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

    bootkitpersistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks SCSI registry key(s) 3 TTPs 64 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies Internet Explorer settings 1 TTPs 4 IoCs
    adwarespyware
  • Modifies data under HKEY_USERS 64 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence
  • Uses Volume Shadow Copy WMI provider

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\a331fd7d202c0df59a0735b298ea9b7c_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\a331fd7d202c0df59a0735b298ea9b7c_JaffaCakes118.exe"
    1⤵
    • Adds Run key to start application
    • Enumerates connected drives
    • Writes to the Master Boot Record (MBR)
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of SetWindowsHookEx
    PID:4800
  • C:\Windows\system32\sihost.exe
    sihost.exe
    1⤵
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:3148
    • C:\Windows\explorer.exe
      explorer.exe /LOADSAVEDWINDOWS
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Enumerates connected drives
      • Checks SCSI registry key(s)
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      PID:5036
  • C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
    "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
    1⤵
    • Modifies data under HKEY_USERS
    • Suspicious use of SetWindowsHookEx
    PID:5076
  • C:\Windows\system32\sihost.exe
    sihost.exe
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3564
    • C:\Windows\explorer.exe
      explorer.exe /LOADSAVEDWINDOWS
      2⤵
      • Modifies registry class
      PID:4620
  • C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
    "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
    1⤵
    • Modifies data under HKEY_USERS
    • Suspicious use of SetWindowsHookEx
    PID:1384
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {9BA05972-F6A8-11CF-A442-00A0C90A8F39} -Embedding
    1⤵
      PID:2832
    • C:\Windows\system32\sihost.exe
      sihost.exe
      1⤵
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of WriteProcessMemory
      PID:3840
      • C:\Windows\explorer.exe
        explorer.exe /LOADSAVEDWINDOWS
        2⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Enumerates connected drives
        • Checks SCSI registry key(s)
        • Modifies registry class
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:2228
    • C:\Windows\system32\sihost.exe
      sihost.exe
      1⤵
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of WriteProcessMemory
      PID:4392
      • C:\Windows\explorer.exe
        explorer.exe /LOADSAVEDWINDOWS
        2⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Enumerates connected drives
        • Checks SCSI registry key(s)
        • Modifies registry class
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:4348
    • C:\Windows\system32\sihost.exe
      sihost.exe
      1⤵
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of WriteProcessMemory
      PID:1804
      • C:\Windows\explorer.exe
        explorer.exe /LOADSAVEDWINDOWS
        2⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Enumerates connected drives
        • Checks SCSI registry key(s)
        • Modifies registry class
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:2952
    • C:\Windows\system32\sihost.exe
      sihost.exe
      1⤵
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of WriteProcessMemory
      PID:3388
      • C:\Windows\explorer.exe
        explorer.exe /LOADSAVEDWINDOWS
        2⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Enumerates connected drives
        • Checks SCSI registry key(s)
        • Modifies registry class
        • Suspicious use of SendNotifyMessage
        • Suspicious use of SetWindowsHookEx
        PID:2440

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9
      Filesize

      471B

      MD5

      35806869a623cb114ee1e5c18ea9165d

      SHA1

      8849119c983952fdd5f83dfed53a0300d246e088

      SHA256

      08c2e7f9ec1aebab2ef91a2d4f5f23bd331395e776097467764e534d56573c7e

      SHA512

      4b6d7eca3254902037f17ff69f6c3bc15b8a4cac9cc392fcc1ea71d3026c6b4de90975843a6ad9d46af1088b8a11d939de38a11199181e54759c8eeff7053957

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9
      Filesize

      420B

      MD5

      97737a9975420c595c16255dd8bbd970

      SHA1

      4278cd26cd6a9d49e063652d7e7ba5f44f273a67

      SHA256

      e911d28eb3fe9466abb8b1cffeac08ef30adaea56c7b4dbb3e3bd830bb129ec8

      SHA512

      b3fbf471f8d1bb4f1bc5b30952dcb3f8ded55dbc4afe441bf3ac015c75336ae2e32b7acbc7f6ed02a38835a37a63024059ecefbda1a874545c622d78d60a16df

      Download Submit

    • C:\Users\Admin\AppData\Local\IconCache.db
      Filesize

      18KB

      MD5

      b4fd5d8f44df1f5a0655589eeb087efe

      SHA1

      7cdfd8247b9de143343749ca33049e0ff2d1d123

      SHA256

      8a7e9b0d7ae1000628ca7bdf1c2b022ab4c200a5ca7e716a9d250f3b18bfc5d8

      SHA512

      c5bd5e8a1add3841e858f553e3a8a01da49d999ccd41888ddf5e898224793285d4f8bed55a92bf832b7093fc16f33a9ac2e045ef108a632fd818608545763f86

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\PenWorkspace\DiscoverCacheData.dat
      Filesize

      1022B

      MD5

      d6cac25943e88c04e35f7356bc1e6954

      SHA1

      12029f76adba7b0b32c3e8f83500bf47bed8188f

      SHA256

      b67693ac73c1316b16680a6916cc420c80d89d592e65d3c49ce8f5bf142f5e88

      SHA512

      694c7ccee17e082cc513c4ffd9835877a416c83698e0493a01d5f325601e2f8a282260f3842ecdf3bd96c2a1a2810d197607be4fb55548b918345a722e80b4b0

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\{86055A0B-7AD5-4106-A727-7EB001CDFFCE}.png
      Filesize

      6KB

      MD5

      099ba37f81c044f6b2609537fdb7d872

      SHA1

      470ef859afbce52c017874d77c1695b7b0f9cb87

      SHA256

      8c98c856e4d43f705ff9a5c9a55f92e1885765654912b4c75385c3ea2fdef4a7

      SHA512

      837e1ad7fe4f5cbc0a87f3703ba211c18f32b20df93b23f681cbd0390d8077adba64cf6454a1bb28df1f7df4cb2cdc021d826b6ef8db890e40f21d618d5eb07a

      Download Submit

    • memory/2440-39-0x0000000000CC0000-0x0000000000CC1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4800-10-0x00000000028E0000-0x00000000028F0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4800-1-0x00000000028E0000-0x00000000028F0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4800-0-0x0000000000400000-0x0000000000A0E000-memory.dmp

      Filesize

      6.1MB

      Download

    • memory/4800-9-0x00000000028E0000-0x00000000028F0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4800-15-0x00000000009EB000-0x00000000009EC000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4800-77-0x0000000000400000-0x0000000000A0E000-memory.dmp

      Filesize

      6.1MB

      Download

    • memory/4800-19-0x0000000000400000-0x0000000000A0E000-memory.dmp

      Filesize

      6.1MB

      Download

    • memory/4800-20-0x0000000000400000-0x0000000000A0E000-memory.dmp

      Filesize

      6.1MB

      Download

    • memory/4800-21-0x0000000000400000-0x0000000000A0E000-memory.dmp

      Filesize

      6.1MB

      Download

    • memory/4800-7-0x0000000000400000-0x0000000000A0E000-memory.dmp

      Filesize

      6.1MB

      Download

    • memory/4800-6-0x0000000000400000-0x0000000000A0E000-memory.dmp

      Filesize

      6.1MB

      Download

    • memory/4800-5-0x00000000009EB000-0x00000000009EC000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4800-3-0x0000000000400000-0x0000000000A0E000-memory.dmp

      Filesize

      6.1MB

      Download

    • memory/4800-8-0x0000000000400000-0x0000000000A0E000-memory.dmp

      Filesize

      6.1MB

      Download

    • memory/4800-40-0x0000000000400000-0x0000000000A0E000-memory.dmp

      Filesize

      6.1MB

      Download

    • memory/4800-48-0x0000000000400000-0x0000000000A0E000-memory.dmp

      Filesize

      6.1MB

      Download

    • memory/4800-2-0x00000000028E0000-0x00000000028F0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4800-61-0x0000000000400000-0x0000000000A0E000-memory.dmp

      Filesize

      6.1MB

      Download

    • memory/4800-62-0x0000000000400000-0x0000000000A0E000-memory.dmp

      Filesize

      6.1MB

      Download

    • memory/4800-63-0x0000000000400000-0x0000000000A0E000-memory.dmp

      Filesize

      6.1MB

      Download

    • memory/4800-64-0x0000000000400000-0x0000000000A0E000-memory.dmp

      Filesize

      6.1MB

      Download

    • memory/4800-69-0x0000000000400000-0x0000000000A0E000-memory.dmp

      Filesize

      6.1MB

      Download

    • memory/4800-70-0x0000000000400000-0x0000000000A0E000-memory.dmp

      Filesize

      6.1MB

      Download

    • memory/4800-71-0x0000000000400000-0x0000000000A0E000-memory.dmp

      Filesize

      6.1MB

      Download

    • memory/4800-74-0x0000000000400000-0x0000000000A0E000-memory.dmp

      Filesize

      6.1MB

      Download

    • memory/4800-75-0x0000000000400000-0x0000000000A0E000-memory.dmp

      Filesize

      6.1MB

      Download

    • memory/4800-76-0x0000000000400000-0x0000000000A0E000-memory.dmp

      Filesize

      6.1MB

      Download

    • memory/5036-17-0x0000000004920000-0x0000000004921000-memory.dmp

      Filesize

      4KB

      Download