Analysis
-
max time kernel
16s -
max time network
17s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
-
submitted
18/08/2024, 05:16
General
-
Target
a5873a61d08b07cd270a691f412d961a_JaffaCakes118.exe
-
Size
119KB
-
MD5
a5873a61d08b07cd270a691f412d961a
-
SHA1
4f9b1f81dbab348b0a0d8affae4d7bae9cc7ca32
-
SHA256
97ee0eacc76ef32143fbf4f5d34aaa945bd9fd7343a15ce6e55f4de6f58d3403
-
SHA512
2d73b0f6609de116f2714b6c886096e5af289ab5bd9f40db0e2250024edbb0cf55107d36c4f5f6cb7c79ec19bc19d1d539800b8accffa631e50f412e848edd3a
-
SSDEEP
3072:Xv+Exfaz5SbRKCg3AGyxlNEj+VwlM4U+xRe:f+rI0CJGyxleyweN+x
Malware Config
Signatures
-
UAC bypass 3 TTPs 1 IoCs
-
Windows security bypass 2 TTPs 1 IoCs
-
Executes dropped EXE 2 IoCs
-
Loads dropped DLL 3 IoCs
-
Windows security modification 2 TTPs 1 IoCs
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 14 IoCs
-
System policy modification 1 TTPs 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\a5873a61d08b07cd270a691f412d961a_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\a5873a61d08b07cd270a691f412d961a_JaffaCakes118.exe"1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Server.exe"C:\Users\Admin\AppData\Local\Temp\Server.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\WinSec.exeC:\Users\Admin\AppData\Roaming\WinSec.exe3⤵
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Writes to the Master Boot Record (MBR)
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- System policy modification
-
-
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
3Disable or Modify Tools
3Modify Registry
4Pre-OS Boot
1Bootkit
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
31KB
MD5ed797d8dc2c92401985d162e42ffa450
SHA10f02fc517c7facc4baefde4fe9467fb6488ebabe
SHA256b746362010a101cb5931bc066f0f4d3fc740c02a68c1f37fc3c8e6c87fd7cb1e
SHA512e831a6ff987f3ef29982da16afad06938b68eddd43c234ba88d1c96a1b5547f2284baf35cbb3a5bfd75e7f0445d14daa014e0ba00b4db72c67f83f0a314c80c2
-
Filesize
69KB
MD5273614dbf7294cd746974f604a78aefa
SHA1c61e27192406b38d3c3e8ff88307b5c16020426b
SHA25607178bee5af3c931ea0b5321376decdabb2df495b365ca63b75557789a433f50
SHA5124e6f79e8ef0dc23ebed7bc34c1607ed03eff1cf6eef49ab7f578cf9c449f3dee1c1902f39e74267d42f8cdca0dd900c779a686b9effdaecd1155710f08297b8a
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
4KB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
104KB
-
Filesize
104KB
-
Filesize
4KB
-
Filesize
104KB
-
Filesize
104KB
-
Filesize
104KB
-
Filesize
104KB
-
Filesize
4KB