b65547d07b72348c6ac229b68c8d1589d8f1bb1f5e7b9ece582f63432af03554

Analysis

max time kernel
148s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
18/08/2024, 04:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a560af0210323a31168d429d3119c537_JaffaCakes118.dll
Size

212KB
MD5

a560af0210323a31168d429d3119c537
SHA1

6eb2fdb03753ee11062c172d67bc00c3e9df24e7
SHA256

b65547d07b72348c6ac229b68c8d1589d8f1bb1f5e7b9ece582f63432af03554
SHA512

7df6dc8a405ac4b645229200a574b5116635b925dc4c5360d9dc15f2c72cf602775ce7c406bc175498ca8e041a01993a58eae4da05ade37accb41f7801c95197
SSDEEP

6144:syeD+mpa0pGaj2JgT5NuItvS7RGaJ/rgj7WpyN5PElXd:Xeimpa0pzjD9Icvy/67WpyNot

Score

6^/10

bootkit discovery persistence

Malware Config

Signatures

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	rundll32.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\-115107-1986	rundll32.exe
File created	C:\Windows\SysWOW64\00c	rundll32.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1988 wrote to memory of 4928	1988	rundll32.exe	86
PID 1988 wrote to memory of 4928	1988	rundll32.exe	86
PID 1988 wrote to memory of 4928	1988	rundll32.exe	86

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\a560af0210323a31168d429d3119c537_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1988
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\a560af0210323a31168d429d3119c537_JaffaCakes118.dll,#1
  2⤵
  - Writes to the Master Boot Record (MBR)
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  PID:4928

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4928-0-0x0000000010000000-0x0000000010111000-memory.dmp

Filesize
1.1MB

Download
memory/4928-1-0x0000000001380000-0x0000000001382000-memory.dmp

Filesize
8KB

Download
memory/4928-5-0x0000000001380000-0x0000000001382000-memory.dmp

Filesize
8KB

Download
memory/4928-4-0x0000000010000000-0x0000000010111000-memory.dmp

Filesize
1.1MB

Download
memory/4928-6-0x0000000010000000-0x0000000010111000-memory.dmp

Filesize
1.1MB

Download
memory/4928-7-0x0000000010000000-0x0000000010111000-memory.dmp

Filesize
1.1MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads