Overview
overview
7Static
static
3cff85a4900...18.exe
windows7-x64
7cff85a4900...18.exe
windows10-2004-x64
7$PLUGINSDI...md.dll
windows7-x64
3$PLUGINSDI...md.dll
windows10-2004-x64
3$PLUGINSDI...em.dll
windows7-x64
3$PLUGINSDI...em.dll
windows10-2004-x64
3$PLUGINSDI...gs.dll
windows7-x64
3$PLUGINSDI...gs.dll
windows10-2004-x64
3$PLUGINSDI...ec.dll
windows7-x64
3$PLUGINSDI...ec.dll
windows10-2004-x64
3$PLUGINSDI...ry.dll
windows7-x64
3$PLUGINSDI...ry.dll
windows10-2004-x64
37boot.exe
windows7-x64
77boot.exe
windows10-2004-x64
7RIC.exe
windows7-x64
4RIC.exe
windows10-2004-x64
7Analysis
-
max time kernel
117s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system -
submitted
06/09/2024, 16:32
Static task
static1
Behavioral task
behavioral1
Sample
cff85a4900a440155368609d0e2ab537_JaffaCakes118.exe
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral2
Sample
cff85a4900a440155368609d0e2ab537_JaffaCakes118.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral3
Sample
$PLUGINSDIR/ExecCmd.dll
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral4
Sample
$PLUGINSDIR/ExecCmd.dll
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral5
Sample
$PLUGINSDIR/System.dll
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral6
Sample
$PLUGINSDIR/System.dll
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral7
Sample
$PLUGINSDIR/nsDialogs.dll
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral8
Sample
$PLUGINSDIR/nsDialogs.dll
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral9
Sample
$PLUGINSDIR/nsExec.dll
Resource
win7-20240708-en
windows7-x64
Behavioral task
behavioral10
Sample
$PLUGINSDIR/nsExec.dll
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral11
Sample
$PLUGINSDIR/registry.dll
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral12
Sample
$PLUGINSDIR/registry.dll
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral13
Sample
7boot.exe
Resource
win7-20240708-en
windows7-x64
Behavioral task
behavioral14
Sample
7boot.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral15
Sample
RIC.exe
Resource
win7-20240704-en
windows7-x64
Behavioral task
behavioral16
Sample
RIC.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
General
-
Target
7boot.exe
-
Size
264KB
-
MD5
b1e7a0ab4fe9186aece0cd7d0f96f569
-
SHA1
82570041e123b1b078cf8daa6da77450ceee5978
-
SHA256
e42ff63a5e2066de32e0f1121dc3e90b6810fa0af2aee5f760e3486375fbae55
-
SHA512
8806ab4dcacd01d9e13af8b6eb5311dadba7d58413559eceed2d28a44c2ef10729d4d4bb39616099e0bcf2f095ef3abc19a80661363ade009315f548c6ab2ccb
-
SSDEEP
6144:2zG8nriOnW/rGgGcHkf3LrMOdHY6C3LBo1Ov2yoLK0:O1DYrVkf3L3NY56/j
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
pid Process 2060 Win7BootUpdaterCmd.exe -
Loads dropped DLL 1 IoCs
pid Process 2328 cmd.exe -
Drops file in Program Files directory 2 IoCs
description ioc Process File opened for modification C:\Program Files (x86)\Skin Pack\Lion\Win7BootUpdaterCmd.exe 7boot.exe File opened for modification C:\Program Files (x86)\Skin Pack\Lion\unistall.cmd 7boot.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7boot.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Win7BootUpdaterCmd.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeTakeOwnershipPrivilege 2060 Win7BootUpdaterCmd.exe Token: SeRestorePrivilege 2060 Win7BootUpdaterCmd.exe Token: SeBackupPrivilege 2060 Win7BootUpdaterCmd.exe Token: SeDebugPrivilege 2060 Win7BootUpdaterCmd.exe Token: SeIncreaseQuotaPrivilege 2060 Win7BootUpdaterCmd.exe Token: SeSecurityPrivilege 2060 Win7BootUpdaterCmd.exe Token: SeTakeOwnershipPrivilege 2060 Win7BootUpdaterCmd.exe Token: SeLoadDriverPrivilege 2060 Win7BootUpdaterCmd.exe Token: SeSystemProfilePrivilege 2060 Win7BootUpdaterCmd.exe Token: SeSystemtimePrivilege 2060 Win7BootUpdaterCmd.exe Token: SeProfSingleProcessPrivilege 2060 Win7BootUpdaterCmd.exe Token: SeIncBasePriorityPrivilege 2060 Win7BootUpdaterCmd.exe Token: SeCreatePagefilePrivilege 2060 Win7BootUpdaterCmd.exe Token: SeBackupPrivilege 2060 Win7BootUpdaterCmd.exe Token: SeRestorePrivilege 2060 Win7BootUpdaterCmd.exe Token: SeShutdownPrivilege 2060 Win7BootUpdaterCmd.exe Token: SeDebugPrivilege 2060 Win7BootUpdaterCmd.exe Token: SeSystemEnvironmentPrivilege 2060 Win7BootUpdaterCmd.exe Token: SeRemoteShutdownPrivilege 2060 Win7BootUpdaterCmd.exe Token: SeUndockPrivilege 2060 Win7BootUpdaterCmd.exe Token: SeManageVolumePrivilege 2060 Win7BootUpdaterCmd.exe Token: 33 2060 Win7BootUpdaterCmd.exe Token: 34 2060 Win7BootUpdaterCmd.exe Token: 35 2060 Win7BootUpdaterCmd.exe Token: SeIncreaseQuotaPrivilege 2060 Win7BootUpdaterCmd.exe Token: SeSecurityPrivilege 2060 Win7BootUpdaterCmd.exe Token: SeTakeOwnershipPrivilege 2060 Win7BootUpdaterCmd.exe Token: SeLoadDriverPrivilege 2060 Win7BootUpdaterCmd.exe Token: SeSystemProfilePrivilege 2060 Win7BootUpdaterCmd.exe Token: SeSystemtimePrivilege 2060 Win7BootUpdaterCmd.exe Token: SeProfSingleProcessPrivilege 2060 Win7BootUpdaterCmd.exe Token: SeIncBasePriorityPrivilege 2060 Win7BootUpdaterCmd.exe Token: SeCreatePagefilePrivilege 2060 Win7BootUpdaterCmd.exe Token: SeBackupPrivilege 2060 Win7BootUpdaterCmd.exe Token: SeRestorePrivilege 2060 Win7BootUpdaterCmd.exe Token: SeShutdownPrivilege 2060 Win7BootUpdaterCmd.exe Token: SeDebugPrivilege 2060 Win7BootUpdaterCmd.exe Token: SeSystemEnvironmentPrivilege 2060 Win7BootUpdaterCmd.exe Token: SeRemoteShutdownPrivilege 2060 Win7BootUpdaterCmd.exe Token: SeUndockPrivilege 2060 Win7BootUpdaterCmd.exe Token: SeManageVolumePrivilege 2060 Win7BootUpdaterCmd.exe Token: 33 2060 Win7BootUpdaterCmd.exe Token: 34 2060 Win7BootUpdaterCmd.exe Token: 35 2060 Win7BootUpdaterCmd.exe Token: SeIncreaseQuotaPrivilege 2060 Win7BootUpdaterCmd.exe Token: SeSecurityPrivilege 2060 Win7BootUpdaterCmd.exe Token: SeTakeOwnershipPrivilege 2060 Win7BootUpdaterCmd.exe Token: SeLoadDriverPrivilege 2060 Win7BootUpdaterCmd.exe Token: SeSystemProfilePrivilege 2060 Win7BootUpdaterCmd.exe Token: SeSystemtimePrivilege 2060 Win7BootUpdaterCmd.exe Token: SeProfSingleProcessPrivilege 2060 Win7BootUpdaterCmd.exe Token: SeIncBasePriorityPrivilege 2060 Win7BootUpdaterCmd.exe Token: SeCreatePagefilePrivilege 2060 Win7BootUpdaterCmd.exe Token: SeBackupPrivilege 2060 Win7BootUpdaterCmd.exe Token: SeRestorePrivilege 2060 Win7BootUpdaterCmd.exe Token: SeShutdownPrivilege 2060 Win7BootUpdaterCmd.exe Token: SeDebugPrivilege 2060 Win7BootUpdaterCmd.exe Token: SeSystemEnvironmentPrivilege 2060 Win7BootUpdaterCmd.exe Token: SeRemoteShutdownPrivilege 2060 Win7BootUpdaterCmd.exe Token: SeUndockPrivilege 2060 Win7BootUpdaterCmd.exe Token: SeManageVolumePrivilege 2060 Win7BootUpdaterCmd.exe Token: 33 2060 Win7BootUpdaterCmd.exe Token: 34 2060 Win7BootUpdaterCmd.exe Token: 35 2060 Win7BootUpdaterCmd.exe -
Suspicious use of WriteProcessMemory 11 IoCs
description pid Process procid_target PID 2356 wrote to memory of 2328 2356 7boot.exe 30 PID 2356 wrote to memory of 2328 2356 7boot.exe 30 PID 2356 wrote to memory of 2328 2356 7boot.exe 30 PID 2356 wrote to memory of 2328 2356 7boot.exe 30 PID 2328 wrote to memory of 2060 2328 cmd.exe 32 PID 2328 wrote to memory of 2060 2328 cmd.exe 32 PID 2328 wrote to memory of 2060 2328 cmd.exe 32 PID 2328 wrote to memory of 2060 2328 cmd.exe 32 PID 2328 wrote to memory of 2060 2328 cmd.exe 32 PID 2328 wrote to memory of 2060 2328 cmd.exe 32 PID 2328 wrote to memory of 2060 2328 cmd.exe 32
Processes
-
C:\Users\Admin\AppData\Local\Temp\7boot.exe"C:\Users\Admin\AppData\Local\Temp\7boot.exe"1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2356 -
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Program Files (x86)\Skin Pack\Lion\unistall.cmd" "2⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2328 -
C:\Program Files (x86)\Skin Pack\Lion\Win7BootUpdaterCmd.exeWin7BootUpdaterCmd /restore3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2060
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
27B
MD5b1ce10f72a52820540050951c6154f53
SHA1f7230ff1efc5591b3fbb6ea121f9121a4b467db3
SHA2566231cd409972524bb08297919786447d56ca6c26fcd34b82d9bc6c5018887d4f
SHA512270d0d9fd15a7e6d8809c10bceefc5b0e117bf579a1944bd9a98289c480067c606c353eb17001899eb956d4dd3af175dc7bd4603c35e438fb07f96c5e4526169
-
Filesize
272KB
MD54c26092f628205e2a8302c190d5f12bc
SHA1c7474941ed2a3dbb02e12040595ea9cd56145e01
SHA256b3674e5f0693201bc7d55005220fe26753baf833d86e75f2363a5dbdb2480ed1
SHA512e4bcf831261253140a33265c8ae51b77f9f5f6ecfa914f313824bf199e8f2131b9df7e4adf3430c0850e234d731f4774ace7b7e6c82176ce1a6e4f8fab3cb49e