Analysis
-
max time kernel
135s -
max time network
137s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
-
submitted
18/08/2024, 05:16
General
-
Target
a5873a61d08b07cd270a691f412d961a_JaffaCakes118.exe
-
Size
119KB
-
MD5
a5873a61d08b07cd270a691f412d961a
-
SHA1
4f9b1f81dbab348b0a0d8affae4d7bae9cc7ca32
-
SHA256
97ee0eacc76ef32143fbf4f5d34aaa945bd9fd7343a15ce6e55f4de6f58d3403
-
SHA512
2d73b0f6609de116f2714b6c886096e5af289ab5bd9f40db0e2250024edbb0cf55107d36c4f5f6cb7c79ec19bc19d1d539800b8accffa631e50f412e848edd3a
-
SSDEEP
3072:Xv+Exfaz5SbRKCg3AGyxlNEj+VwlM4U+xRe:f+rI0CJGyxleyweN+x
Malware Config
Signatures
-
UAC bypass 3 TTPs 1 IoCs
-
Windows security bypass 2 TTPs 1 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 2 IoCs
-
Windows security modification 2 TTPs 1 IoCs
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 13 IoCs
-
System policy modification 1 TTPs 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\a5873a61d08b07cd270a691f412d961a_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\a5873a61d08b07cd270a691f412d961a_JaffaCakes118.exe"1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Server.exe"C:\Users\Admin\AppData\Local\Temp\Server.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\WinSec.exeC:\Users\Admin\AppData\Roaming\WinSec.exe3⤵
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Writes to the Master Boot Record (MBR)
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- System policy modification
-
-
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
3Disable or Modify Tools
3Modify Registry
4Pre-OS Boot
1Bootkit
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
69KB
MD5273614dbf7294cd746974f604a78aefa
SHA1c61e27192406b38d3c3e8ff88307b5c16020426b
SHA25607178bee5af3c931ea0b5321376decdabb2df495b365ca63b75557789a433f50
SHA5124e6f79e8ef0dc23ebed7bc34c1607ed03eff1cf6eef49ab7f578cf9c449f3dee1c1902f39e74267d42f8cdca0dd900c779a686b9effdaecd1155710f08297b8a
-
Filesize
34KB
MD5e118330b4629b12368d91b9df6488be0
SHA1ce90218c7e3b90df2a3409ec253048bb6472c2fd
SHA2563a0f2936b8c45e8ba3458d69d7859a63844469e698652e15fb56639d32f40cc9
SHA512ac91c04cb20223dbaaf594440cb778dff36e857921be427c8528ba4c6cdb3e8bf8e71e1ae8af7bde9c04ff5b97b379231625bc1a2b66aba2f98cd340cd8a94b0
-
Filesize
4KB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
104KB
-
Filesize
104KB
-
Filesize
104KB