ef20fd970e9e8895144be974d47278ada59734018aa3c65ac4b6b93667c563ac

Analysis

max time kernel
144s
max time network
145s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
06-09-2024 02:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ce798e2c324b5bf04070f1be67e47b0b_JaffaCakes118.exe
Size

154KB
MD5

ce798e2c324b5bf04070f1be67e47b0b
SHA1

80923bc8855fd451e55d671c0aff74a70b89445d
SHA256

ef20fd970e9e8895144be974d47278ada59734018aa3c65ac4b6b93667c563ac
SHA512

a2b0c7102643149e120ed464db29ca60c4ba39f7719e79194dc3ae1acadaabb740ec638be108d3805a605ab78d2c6c786df44c065f36ab8d6b0ebd3211d6be67
SSDEEP

3072:nqQyrDQ/3dGPKHa8FopthQh4v8wzCKZcVFJc6ZRpTyCCae9:q38GPK6YoptPteKZcXKayfak

Score

7^/10

bootkit discovery persistence

Malware Config

Signatures

Unexpected DNS network traffic destination 64 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	203.236.122.152
Destination IP	211.10.204.5
Destination IP	193.42.228.9
Destination IP	203.60.187.100
Destination IP	128.171.3.13
Destination IP	203.156.229.251
Destination IP	193.42.228.9
Destination IP	203.169.108.214
Destination IP	217.174.99.70
Destination IP	203.69.0.242
Destination IP	61.78.36.30
Destination IP	217.174.99.70
Destination IP	203.57.72.155
Destination IP	203.96.110.106
Destination IP	143.246.0.33
Destination IP	217.75.120.120
Destination IP	203.230.132.58
Destination IP	203.147.110.181
Destination IP	203.61.11.178
Destination IP	203.134.204.145
Destination IP	203.230.132.58
Destination IP	203.211.30.18
Destination IP	216.195.0.38
Destination IP	212.77.102.200
Destination IP	217.174.99.70
Destination IP	203.178.177.32
Destination IP	203.243.187.21
Destination IP	203.227.235.194
Destination IP	203.11.215.63
Destination IP	198.209.72.101
Destination IP	203.196.79.121
Destination IP	203.69.0.242
Destination IP	203.189.176.154
Destination IP	217.174.99.70
Destination IP	203.205.46.189
Destination IP	203.227.235.194
Destination IP	203.181.82.162
Destination IP	193.42.228.9
Destination IP	203.90.75.36
Destination IP	203.234.246.124
Destination IP	217.174.99.70
Destination IP	80.237.244.50
Destination IP	203.54.2.45
Destination IP	199.224.0.154
Destination IP	198.209.72.102
Destination IP	203.66.176.149
Destination IP	203.153.122.12
Destination IP	203.192.158.21
Destination IP	216.195.0.38
Destination IP	217.174.99.70
Destination IP	128.171.3.13
Destination IP	203.156.229.251
Destination IP	203.66.176.149
Destination IP	203.54.2.45
Destination IP	203.20.187.202
Destination IP	212.77.102.200
Destination IP	61.78.36.30
Destination IP	203.44.99.126
Destination IP	217.75.120.120
Destination IP	203.182.144.127
Destination IP	203.90.75.36
Destination IP	88.212.192.1
Destination IP	216.195.0.38
Destination IP	128.171.3.13

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	ce798e2c324b5bf04070f1be67e47b0b_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ce798e2c324b5bf04070f1be67e47b0b_JaffaCakes118.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2720	ce798e2c324b5bf04070f1be67e47b0b_JaffaCakes118.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
2720	ce798e2c324b5bf04070f1be67e47b0b_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 62 IoCs

pid	Process
2720	ce798e2c324b5bf04070f1be67e47b0b_JaffaCakes118.exe
2720	ce798e2c324b5bf04070f1be67e47b0b_JaffaCakes118.exe
2720	ce798e2c324b5bf04070f1be67e47b0b_JaffaCakes118.exe
2720	ce798e2c324b5bf04070f1be67e47b0b_JaffaCakes118.exe
2720	ce798e2c324b5bf04070f1be67e47b0b_JaffaCakes118.exe
2720	ce798e2c324b5bf04070f1be67e47b0b_JaffaCakes118.exe
2720	ce798e2c324b5bf04070f1be67e47b0b_JaffaCakes118.exe
2720	ce798e2c324b5bf04070f1be67e47b0b_JaffaCakes118.exe
2720	ce798e2c324b5bf04070f1be67e47b0b_JaffaCakes118.exe
2720	ce798e2c324b5bf04070f1be67e47b0b_JaffaCakes118.exe
2720	ce798e2c324b5bf04070f1be67e47b0b_JaffaCakes118.exe
2720	ce798e2c324b5bf04070f1be67e47b0b_JaffaCakes118.exe
2720	ce798e2c324b5bf04070f1be67e47b0b_JaffaCakes118.exe
2720	ce798e2c324b5bf04070f1be67e47b0b_JaffaCakes118.exe
2720	ce798e2c324b5bf04070f1be67e47b0b_JaffaCakes118.exe
2720	ce798e2c324b5bf04070f1be67e47b0b_JaffaCakes118.exe
2720	ce798e2c324b5bf04070f1be67e47b0b_JaffaCakes118.exe
2720	ce798e2c324b5bf04070f1be67e47b0b_JaffaCakes118.exe
2720	ce798e2c324b5bf04070f1be67e47b0b_JaffaCakes118.exe
2720	ce798e2c324b5bf04070f1be67e47b0b_JaffaCakes118.exe
2720	ce798e2c324b5bf04070f1be67e47b0b_JaffaCakes118.exe
2720	ce798e2c324b5bf04070f1be67e47b0b_JaffaCakes118.exe
2720	ce798e2c324b5bf04070f1be67e47b0b_JaffaCakes118.exe
2720	ce798e2c324b5bf04070f1be67e47b0b_JaffaCakes118.exe
2720	ce798e2c324b5bf04070f1be67e47b0b_JaffaCakes118.exe
2720	ce798e2c324b5bf04070f1be67e47b0b_JaffaCakes118.exe
2720	ce798e2c324b5bf04070f1be67e47b0b_JaffaCakes118.exe
2720	ce798e2c324b5bf04070f1be67e47b0b_JaffaCakes118.exe
2720	ce798e2c324b5bf04070f1be67e47b0b_JaffaCakes118.exe
2720	ce798e2c324b5bf04070f1be67e47b0b_JaffaCakes118.exe
2720	ce798e2c324b5bf04070f1be67e47b0b_JaffaCakes118.exe
2720	ce798e2c324b5bf04070f1be67e47b0b_JaffaCakes118.exe
2720	ce798e2c324b5bf04070f1be67e47b0b_JaffaCakes118.exe
2720	ce798e2c324b5bf04070f1be67e47b0b_JaffaCakes118.exe
2720	ce798e2c324b5bf04070f1be67e47b0b_JaffaCakes118.exe
2720	ce798e2c324b5bf04070f1be67e47b0b_JaffaCakes118.exe
2720	ce798e2c324b5bf04070f1be67e47b0b_JaffaCakes118.exe
2720	ce798e2c324b5bf04070f1be67e47b0b_JaffaCakes118.exe
2720	ce798e2c324b5bf04070f1be67e47b0b_JaffaCakes118.exe
2720	ce798e2c324b5bf04070f1be67e47b0b_JaffaCakes118.exe
2720	ce798e2c324b5bf04070f1be67e47b0b_JaffaCakes118.exe
2720	ce798e2c324b5bf04070f1be67e47b0b_JaffaCakes118.exe
2720	ce798e2c324b5bf04070f1be67e47b0b_JaffaCakes118.exe
2720	ce798e2c324b5bf04070f1be67e47b0b_JaffaCakes118.exe
2720	ce798e2c324b5bf04070f1be67e47b0b_JaffaCakes118.exe
2720	ce798e2c324b5bf04070f1be67e47b0b_JaffaCakes118.exe
2720	ce798e2c324b5bf04070f1be67e47b0b_JaffaCakes118.exe
2720	ce798e2c324b5bf04070f1be67e47b0b_JaffaCakes118.exe
2720	ce798e2c324b5bf04070f1be67e47b0b_JaffaCakes118.exe
2720	ce798e2c324b5bf04070f1be67e47b0b_JaffaCakes118.exe
2720	ce798e2c324b5bf04070f1be67e47b0b_JaffaCakes118.exe
2720	ce798e2c324b5bf04070f1be67e47b0b_JaffaCakes118.exe
2720	ce798e2c324b5bf04070f1be67e47b0b_JaffaCakes118.exe
2720	ce798e2c324b5bf04070f1be67e47b0b_JaffaCakes118.exe
2720	ce798e2c324b5bf04070f1be67e47b0b_JaffaCakes118.exe
2720	ce798e2c324b5bf04070f1be67e47b0b_JaffaCakes118.exe
2720	ce798e2c324b5bf04070f1be67e47b0b_JaffaCakes118.exe
2720	ce798e2c324b5bf04070f1be67e47b0b_JaffaCakes118.exe
2720	ce798e2c324b5bf04070f1be67e47b0b_JaffaCakes118.exe
2720	ce798e2c324b5bf04070f1be67e47b0b_JaffaCakes118.exe
2720	ce798e2c324b5bf04070f1be67e47b0b_JaffaCakes118.exe
2720	ce798e2c324b5bf04070f1be67e47b0b_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\ce798e2c324b5bf04070f1be67e47b0b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ce798e2c324b5bf04070f1be67e47b0b_JaffaCakes118.exe"
1⤵
- Writes to the Master Boot Record (MBR)
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:2720

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2720-1-0x0000000000020000-0x0000000000022000-memory.dmp

Filesize
8KB

Download
memory/2720-0-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/2720-2-0x0000000000020000-0x0000000000022000-memory.dmp

Filesize
8KB

Download
memory/2720-3-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/2720-4-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/2720-23-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/2720-24-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/2720-25-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/2720-26-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/2720-27-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/2720-28-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/2720-29-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/2720-30-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/2720-31-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/2720-32-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/2720-33-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/2720-34-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/2720-35-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads