Overview

overview

8

Static

static

7

aaa3b6e224...18.exe

windows7-x64

7

aaa3b6e224...18.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    150s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    19/08/2024, 10:26

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    aaa3b6e224b12217592d65a7ffc844a2_JaffaCakes118.exe

  • Size

    949KB

  • MD5

    aaa3b6e224b12217592d65a7ffc844a2

  • SHA1

    4b9c8271249280fe464bcb93ae45217b6fa43405

  • SHA256

    437ffb21e0a393b3c6893183cb21bf35dad048b8bdbfb5f59aa281f6f035b4cf

  • SHA512

    f3e6cde83e98227a92c1be9d347b0f50a777f9eb838ed2e00e92401b66e655733dc429685b2dabf263e420ecbfabe71bfd4c3116fb1e67e5b5533ad0262f4aaa

  • SSDEEP

    12288:Fy30sHmR38KxpRUSTfOSpULxzMg21C62ZNAR8PwP0gxSn2FCCKEWfG0tDNH5Drp2:F20VRtUQHUtzMIveHvW2xK1OyD19pL

Score
8/10
bootkitdiscoverypersistenceupx

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 4 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    persistence
  • Executes dropped EXE 1 IoCs
  • UPX packed file 4 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 31 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

    bootkitpersistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks SCSI registry key(s) 3 TTPs 64 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies Internet Explorer settings 1 TTPs 8 IoCs
    adwarespyware
  • Modifies data under HKEY_USERS 64 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of SetWindowsHookEx 11 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence
  • Uses Volume Shadow Copy WMI provider

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\aaa3b6e224b12217592d65a7ffc844a2_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\aaa3b6e224b12217592d65a7ffc844a2_JaffaCakes118.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: RenamesItself
    • Suspicious use of WriteProcessMemory
    PID:1708
    • C:\ProgramData\defender.exe
      C:\ProgramData\defender.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Enumerates connected drives
      • Writes to the Master Boot Record (MBR)
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      PID:4640
  • C:\Windows\system32\sihost.exe
    sihost.exe
    1⤵
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:2220
    • C:\Windows\explorer.exe
      explorer.exe /LOADSAVEDWINDOWS
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Enumerates connected drives
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:3232
  • C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
    "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
    1⤵
    • Modifies data under HKEY_USERS
    • Suspicious use of SetWindowsHookEx
    PID:1716
  • C:\Windows\system32\sihost.exe
    sihost.exe
    1⤵
    • Modifies registry class
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:2372
    • C:\Windows\explorer.exe
      explorer.exe /LOADSAVEDWINDOWS
      2⤵
      • Modifies registry class
      PID:5016
  • C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
    "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
    1⤵
    • Modifies data under HKEY_USERS
    • Suspicious use of SetWindowsHookEx
    PID:2612
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Enumerates connected drives
    • Checks SCSI registry key(s)
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of SetWindowsHookEx
    PID:2092
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {9BA05972-F6A8-11CF-A442-00A0C90A8F39} -Embedding
    1⤵
      PID:3152
    • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
      "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
      1⤵
      • Suspicious use of SetWindowsHookEx
      PID:1224
    • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
      "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
      1⤵
        PID:4064
      • C:\Windows\system32\sihost.exe
        sihost.exe
        1⤵
        • Suspicious use of FindShellTrayWindow
        PID:5092
      • C:\Windows\system32\sihost.exe
        sihost.exe
        1⤵
        • Suspicious use of WriteProcessMemory
        PID:1036
        • C:\Windows\explorer.exe
          explorer.exe /LOADSAVEDWINDOWS
          2⤵
          • Modifies registry class
          PID:3320
      • C:\Windows\explorer.exe
        C:\Windows\explorer.exe /factory,{682159d9-c321-47ca-b3f1-30e36b2ec8b9} -Embedding
        1⤵
        • Enumerates connected drives
        • Modifies Internet Explorer settings
        • Modifies registry class
        • Suspicious behavior: AddClipboardFormatListener
        • Suspicious use of SetWindowsHookEx
        PID:3092
      • C:\Windows\System32\rundll32.exe
        C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {9BA05972-F6A8-11CF-A442-00A0C90A8F39} -Embedding
        1⤵
          PID:8
        • C:\Windows\System32\rundll32.exe
          C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {3eef301f-b596-4c0b-bd92-013beafce793} -Embedding
          1⤵
            PID:2856
          • C:\Windows\system32\sihost.exe
            sihost.exe
            1⤵
            • Suspicious use of WriteProcessMemory
            PID:1636
            • C:\Windows\explorer.exe
              explorer.exe /LOADSAVEDWINDOWS
              2⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Enumerates connected drives
              • Checks SCSI registry key(s)
              • Modifies registry class
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of SendNotifyMessage
              PID:3988
          • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
            "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
            1⤵
            • Modifies registry class
            • Suspicious use of SetWindowsHookEx
            PID:2200
          • C:\Windows\system32\sihost.exe
            sihost.exe
            1⤵
            • Suspicious use of WriteProcessMemory
            PID:3668
            • C:\Windows\explorer.exe
              explorer.exe /LOADSAVEDWINDOWS
              2⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Enumerates connected drives
              • Checks SCSI registry key(s)
              • Modifies registry class
              • Suspicious use of SetWindowsHookEx
              PID:4060

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\ProgramData\defender.exe
            Filesize

            861KB

            MD5

            bd9d8d83cd4f148c57fd26526e9ed54f

            SHA1

            a8189fbf4332f17532326eed1be0a0ca80d39f6b

            SHA256

            77180d997c8c1fb59f459c62b3233ae59d1943eb6c7a2f90aba6213e92da6395

            SHA512

            8a40f4fa13726dedc4534b7e268954db10d5575c8dfb10876acb4b49b8e8e75ff195226c51537aabdfccda061128c98bb278df99455dc90ddcb3a8437789a51c

            Download Submit

          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9
            Filesize

            471B

            MD5

            7fffd2d841532ad35f039a55b6b9958c

            SHA1

            bd92a034d1f9410146c52d145420a6fdc085533d

            SHA256

            719d274ebcde47cac13abbc65fc2063d322593fc2570ede5b38638f58926a538

            SHA512

            20d695a14bb7f4e0799d360a4d75b8f5266063861548c07bd178da28b6d8cffbdaf8c66ad29684ef8083220db6648632efc0c5a64946644d9c3ab7a191c938d4

            Download Submit

          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9
            Filesize

            420B

            MD5

            38960eaf6eb76df7b595b47a19d6b993

            SHA1

            11a3d3666e4698c76ceb07205dcce22e9c83122d

            SHA256

            3f2a3c701fd362195ea4283509db0f0e5327ce1f414dd74a41a505e740dcfc5d

            SHA512

            9cbab61a9ad4086ace558fbb392c93b3bbf5477384b5ec64b29dd04ffee9ac38c486b878a4d485626a2469ed4a6d247121832846173a6b96f307a4ca4d66546d

            Download Submit

          • C:\Users\Admin\AppData\Local\IconCache.db
            Filesize

            18KB

            MD5

            371e5d630deeca7c76b62abb1e643a06

            SHA1

            6003a7ba2dbbbef9ef735c07117b9fcc8eb9ee22

            SHA256

            24461e52cca7e76417fde079163b7a7dce65dd4b266c148a9d7c91c46d3e3ba5

            SHA512

            2e43dd8358026c2cdb20c35ce48c4248b7e7217fd8aeccac3291817b1b986b808966f6dc602d75f1d779c5ef9349ab75e52ae98ff3bb768e2441c517b7a5fe76

            Download Submit

          • C:\Users\Admin\AppData\Local\Microsoft\PenWorkspace\DiscoverCacheData.dat
            Filesize

            1022B

            MD5

            35e907900837f3f57768fd9d8dec5f34

            SHA1

            6986957e5b7cc4a8a1b6a5c57c08113398b2cc59

            SHA256

            eb202c3944c64f781dd13e83bd1eec32d187ed83cb665d8acf65081881dd9dbc

            SHA512

            b2690671632bd5c18797397bcdc5f2b0b4e0ec9d82289659a59e6025749c738d952bcb1998769c7187fbbeced8f30392692077aff0f6efc0db9396696e528292

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\{F14BD631-3E0F-42BC-B5C2-CF48D0550D42}.png
            Filesize

            6KB

            MD5

            099ba37f81c044f6b2609537fdb7d872

            SHA1

            470ef859afbce52c017874d77c1695b7b0f9cb87

            SHA256

            8c98c856e4d43f705ff9a5c9a55f92e1885765654912b4c75385c3ea2fdef4a7

            SHA512

            837e1ad7fe4f5cbc0a87f3703ba211c18f32b20df93b23f681cbd0390d8077adba64cf6454a1bb28df1f7df4cb2cdc021d826b6ef8db890e40f21d618d5eb07a

            Download Submit

          • C:\Users\Public\Desktop\Malware Protection.lnk
            Filesize

            679B

            MD5

            478137d1462337e7dfddab88aeb4e337

            SHA1

            7e5345e2df1363dce303ae68e8c3d5ab4186d326

            SHA256

            c81fc4294b515084ea7e1714bfb1a5ca520d30428eef78fd9adce7db7438c621

            SHA512

            b737280cecfdfbd8fde85426665a480050b9dcb81dbde9d5d45e1abe72af1063772cb31e26991f41280de009f73c84f3bc167625ac3d8a96c178554644444319

            Download Submit

          • memory/1708-7-0x0000000000404000-0x0000000000405000-memory.dmp

            Filesize

            4KB

            Download

          • memory/1708-25-0x0000000000400000-0x00000000006EB000-memory.dmp

            Filesize

            2.9MB

            Download

          • memory/1708-2-0x0000000000400000-0x00000000006EB000-memory.dmp

            Filesize

            2.9MB

            Download

          • memory/1708-1-0x0000000000CB0000-0x0000000000CC0000-memory.dmp

            Filesize

            64KB

            Download

          • memory/1708-0-0x0000000000400000-0x00000000006EB000-memory.dmp

            Filesize

            2.9MB

            Download

          • memory/2092-35-0x00000000044B0000-0x00000000044B1000-memory.dmp

            Filesize

            4KB

            Download

          • memory/3988-46-0x00000000037B0000-0x00000000037B1000-memory.dmp

            Filesize

            4KB

            Download

          • memory/4060-52-0x0000000003660000-0x0000000003661000-memory.dmp

            Filesize

            4KB

            Download

          • memory/4640-36-0x0000000000400000-0x0000000000A2A000-memory.dmp

            Filesize

            6.2MB

            Download

          • memory/4640-60-0x0000000000400000-0x0000000000A2A000-memory.dmp

            Filesize

            6.2MB

            Download

          • memory/4640-33-0x0000000000400000-0x0000000000A2A000-memory.dmp

            Filesize

            6.2MB

            Download

          • memory/4640-32-0x0000000000400000-0x0000000000A2A000-memory.dmp

            Filesize

            6.2MB

            Download

          • memory/4640-27-0x0000000000400000-0x0000000000A2A000-memory.dmp

            Filesize

            6.2MB

            Download

          • memory/4640-20-0x0000000000400000-0x0000000000A2A000-memory.dmp

            Filesize

            6.2MB

            Download

          • memory/4640-19-0x0000000000400000-0x0000000000A2A000-memory.dmp

            Filesize

            6.2MB

            Download

          • memory/4640-18-0x0000000000400000-0x0000000000A2A000-memory.dmp

            Filesize

            6.2MB

            Download

          • memory/4640-17-0x0000000000400000-0x0000000000A2A000-memory.dmp

            Filesize

            6.2MB

            Download

          • memory/4640-15-0x0000000000400000-0x0000000000A2A000-memory.dmp

            Filesize

            6.2MB

            Download

          • memory/4640-14-0x0000000000400000-0x0000000000A2A000-memory.dmp

            Filesize

            6.2MB

            Download

          • memory/4640-34-0x0000000000400000-0x0000000000A2A000-memory.dmp

            Filesize

            6.2MB

            Download

          • memory/4640-67-0x0000000000400000-0x0000000000A2A000-memory.dmp

            Filesize

            6.2MB

            Download

          • memory/4640-74-0x0000000000400000-0x0000000000A2A000-memory.dmp

            Filesize

            6.2MB

            Download

          • memory/4640-75-0x0000000000400000-0x0000000000A2A000-memory.dmp

            Filesize

            6.2MB

            Download

          • memory/4640-76-0x0000000000400000-0x0000000000A2A000-memory.dmp

            Filesize

            6.2MB

            Download

          • memory/4640-77-0x0000000000400000-0x0000000000A2A000-memory.dmp

            Filesize

            6.2MB

            Download

          • memory/4640-83-0x0000000000400000-0x0000000000A2A000-memory.dmp

            Filesize

            6.2MB

            Download

          • memory/4640-84-0x0000000000400000-0x0000000000A2A000-memory.dmp

            Filesize

            6.2MB

            Download

          • memory/4640-85-0x0000000000400000-0x0000000000A2A000-memory.dmp

            Filesize

            6.2MB

            Download

          • memory/4640-88-0x0000000000400000-0x0000000000A2A000-memory.dmp

            Filesize

            6.2MB

            Download

          • memory/4640-89-0x0000000000400000-0x0000000000A2A000-memory.dmp

            Filesize

            6.2MB

            Download

          • memory/4640-90-0x0000000000400000-0x0000000000A2A000-memory.dmp

            Filesize

            6.2MB

            Download

          • memory/4640-91-0x0000000000400000-0x0000000000A2A000-memory.dmp

            Filesize

            6.2MB

            Download