Analysis

  • max time kernel
    117s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    11-09-2024 13:22

General

  • Target

    da6f2a9f953173794446b843129f0d38_JaffaCakes118.exe

  • Size

    252KB

  • MD5

    da6f2a9f953173794446b843129f0d38

  • SHA1

    6f9077ad5c2515cddb41a92c2bf3d249e7105c51

  • SHA256

    e9b79a60f3a5d277e034227648baa8a0e7211919f0563c4b6f5951dbb3d1c0f3

  • SHA512

    d3c6edd5ad1bc718926c1fd79951cf9bc3410292f17cc9430d4135b84a256549ede87947735a7abbe54cf6f86c71b58cfed61c74b8eda49c08ebd139c2fa730f

  • SSDEEP

    6144:VlzknoBcRzrWsJywvP6bQ7yMP+DE827OaFSEpAC:nAnZRzJT6b7MP+Dd2iafpAC

Malware Config

Signatures

  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

  • Drops file in Windows directory 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 3 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs
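
The "Writes to the Master Boot Record" signature above is the one finding in this list that survives a reinstall of the OS, so a responder wants a way to check sector 0 of an affected disk against a known-good copy. The following is an added example, not part of the sandbox report or the sample's code: it parses a 512-byte MBR (bootstrap code, disk signature, four partition entries, 0x55AA boot signature), hashes the bootstrap region, and diffs it against a baseline. The two sample MBRs, their partition layout and the helper names are constructed for illustration; `read_physical_mbr` shows the raw-device path you would read on Windows with administrator rights but is not exercised here.

```python
"""Parse and diff a 512-byte MBR to spot bootkit-style modification (constructed example)."""
import hashlib
import struct
from dataclasses import dataclass

MBR_SIZE = 512
BOOTSTRAP_LEN = 440            # x86 boot code; bytes 440-443 hold the NT disk signature
PARTITION_TABLE_OFFSET = 446
PARTITION_ENTRY_LEN = 16
BOOT_SIGNATURE = b"\x55\xaa"   # bytes 510-511


@dataclass(frozen=True)
class PartitionEntry:
    index: int
    bootable: bool
    type_id: int
    lba_start: int
    sector_count: int


def parse_partition_table(mbr: bytes) -> list:
    """Decode the four 16-byte entries; CHS fields are skipped, LBA fields are little-endian."""
    entries = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + i * PARTITION_ENTRY_LEN
        status, type_id, lba_start, count = struct.unpack_from("<B3xB3xII", mbr, off)
        if type_id == 0:
            continue  # empty slot
        entries.append(PartitionEntry(i, status == 0x80, type_id, lba_start, count))
    return entries


def parse_mbr(mbr: bytes) -> dict:
    if len(mbr) != MBR_SIZE:
        raise ValueError(f"expected {MBR_SIZE} bytes, got {len(mbr)}")
    return {
        "valid_signature": mbr[510:512] == BOOT_SIGNATURE,
        "bootstrap_sha256": hashlib.sha256(mbr[:BOOTSTRAP_LEN]).hexdigest(),
        "disk_signature": struct.unpack_from("<I", mbr, BOOTSTRAP_LEN)[0],
        "partitions": parse_partition_table(mbr),
    }


def compare_mbr(baseline: bytes, current: bytes) -> list:
    """Return findings describing how `current` differs from the known-good `baseline`."""
    base, cur = parse_mbr(baseline), parse_mbr(current)
    findings = []
    if not cur["valid_signature"]:
        findings.append("boot signature 0x55AA missing: BIOS will not boot this disk")
    if base["bootstrap_sha256"] != cur["bootstrap_sha256"]:
        findings.append("bootstrap code changed: possible bootkit hooking the boot path")
    if base["disk_signature"] != cur["disk_signature"]:
        findings.append("disk signature changed")
    if base["partitions"] != cur["partitions"]:
        findings.append("partition table changed")
    return findings


def read_physical_mbr(device: str = r"\\.\PhysicalDrive0") -> bytes:
    """Read sector 0 of a raw device (Windows path shown; requires administrator rights)."""
    with open(device, "rb") as fh:
        return fh.read(MBR_SIZE)


def build_sample_mbr(bootstrap: bytes) -> bytes:
    """Constructed MBR: given boot code, one bootable NTFS (0x07) partition at LBA 2048."""
    code = bootstrap.ljust(BOOTSTRAP_LEN, b"\x00")[:BOOTSTRAP_LEN]
    disk_sig = struct.pack("<I", 0x1234ABCD) + b"\x00\x00"
    entry = struct.pack("<B3sB3sII", 0x80, b"\x20\x21\x00", 0x07, b"\xfe\xff\xff", 2048, 204800)
    table = entry + b"\x00" * (PARTITION_ENTRY_LEN * 3)
    return code + disk_sig + table + BOOT_SIGNATURE


# Constructed inputs: a stand-in for stock boot code, and the same disk after a bootkit
# overwrote the bootstrap region while leaving the partition table and 0x55AA intact.
CLEAN_MBR = build_sample_mbr(b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c")
INFECTED_MBR = build_sample_mbr(b"\xeb\x3c\x90BOOTKIT")

if __name__ == "__main__":
    for finding in compare_mbr(CLEAN_MBR, INFECTED_MBR):
        print(finding)
```

On a live host, take the baseline from a clean install of the same Windows build (or from the OEM image) and diff against `read_physical_mbr()`; a changed bootstrap hash with an unchanged partition table is the pattern a bootkit leaves, since it must keep the disk bootable.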

Processes

  • C:\Users\Admin\AppData\Local\Temp\da6f2a9f953173794446b843129f0d38_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\da6f2a9f953173794446b843129f0d38_JaffaCakes118.exe"
    1⤵
    • Writes to the Master Boot Record (MBR)
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:1732
    • C:\Windows\SysWOW64\explorer.exe
      explorer.exe "c:\FINAL_TBF2.pdf"
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2196
  • C:\Windows\explorer.exe
    C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2160
    • C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
      "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\FINAL_TBF2.pdf"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      PID:2080
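
The process tree above shows the classic decoy pattern: the dropper in the user's Temp directory (PID 1732) launches explorer.exe on c:\FINAL_TBF2.pdf so that Adobe Reader opens a document while the real work happens in the parent. The following is an added example, not part of the report: a small detection pass over process-creation events that flags a process running from a user-writable directory spawning a shell launcher with a document path. The log lines are constructed from the PIDs and paths in this report (plus one benign line) in a `key=value|...` format modelled on Sysmon Event ID 1 fields; the field names, the format and the helper names are assumptions for illustration.

```python
"""Flag decoy-document launches in process-creation events (constructed example)."""
import re
from dataclasses import dataclass

# Directories an unprivileged user (and hence a freshly dropped sample) can write to.
USER_WRITABLE = re.compile(r"\\(AppData\\Local\\Temp|AppData\\Roaming|Downloads|Public)\\", re.I)
# Launchers that hand a document to its registered handler rather than execute it themselves.
SHELL_LAUNCHER = re.compile(r"\\(explorer|rundll32|cmd)\.exe$", re.I)
# Command line whose final argument is a document path.
DOC_ARGUMENT = re.compile(r"\.(pdf|docx?|xlsx?|pptx?|rtf)\"?\s*$", re.I)


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    image: str
    command_line: str
    parent_image: str


def parse_event(line: str) -> ProcEvent:
    """Parse one 'Key=Value|Key=Value' line (constructed format; values must not contain '|')."""
    fields = dict(part.split("=", 1) for part in line.split("|"))
    return ProcEvent(
        pid=int(fields["ProcessId"]),
        image=fields["Image"],
        command_line=fields["CommandLine"],
        parent_image=fields["ParentImage"],
    )


def is_decoy_launch(ev: ProcEvent) -> bool:
    """Parent lives in a user-writable path, child is a shell launcher, argument is a document."""
    return bool(
        USER_WRITABLE.search(ev.parent_image)
        and SHELL_LAUNCHER.search(ev.image)
        and DOC_ARGUMENT.search(ev.command_line)
    )


def find_decoy_launches(lines) -> list:
    return [ev for ev in map(parse_event, lines) if is_decoy_launch(ev)]


# Constructed events based on the process tree in this report, plus one benign document open.
DROPPER = r"C:\Users\Admin\AppData\Local\Temp\da6f2a9f953173794446b843129f0d38_JaffaCakes118.exe"
SAMPLE_EVENTS = [
    rf'ProcessId=1732|Image={DROPPER}|CommandLine="{DROPPER}"|ParentImage=C:\Windows\explorer.exe',
    rf'ProcessId=2196|Image=C:\Windows\SysWOW64\explorer.exe|CommandLine=explorer.exe "c:\FINAL_TBF2.pdf"|ParentImage={DROPPER}',
    r'ProcessId=2080|Image=C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe|CommandLine="C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\FINAL_TBF2.pdf"|ParentImage=C:\Windows\explorer.exe',
    r'ProcessId=3000|Image=C:\Windows\explorer.exe|CommandLine=explorer.exe "C:\Users\Admin\Documents\report.pdf"|ParentImage=C:\Windows\explorer.exe',
]

if __name__ == "__main__":
    for ev in find_decoy_launches(SAMPLE_EVENTS):
        print(f"decoy document launch: pid={ev.pid} parent={ev.parent_image} cmd={ev.command_line}")
```

Only the explorer.exe launched by the Temp-resident dropper (PID 2196) trips the rule; the user double-clicking a PDF from Documents (PID 3000) and the AcroRd32.exe activation through the COM factory instance (PID 2080) do not, because their parent is the desktop shell rather than a user-writable path. Tune `USER_WRITABLE` to your environment before deploying something like this as a query.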

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

    Filesize

    3KB

    MD5

    e41db61a4bef850aa533c11f4899fda6

    SHA1

    df55da819f00e62a2cad3ac858b5ab6ec6d78890

    SHA256

    73ed4ade7792295d48e995312032f388fe486cacdf9d116fac6a56ccda4fa29d

    SHA512

    0a88cbfe995ff045aaf5a91beb851ee1f0d4ce3022a2c2214f30aa0de7c6f7cce03f0e5ceca683f4b61ff42279181f45731fd846fc2179145cca071c2b072af4

  • memory/1732-0-0x0000000000400000-0x000000000047A000-memory.dmp

    Filesize

    488KB

  • memory/1732-3-0x0000000000400000-0x000000000047A000-memory.dmp

    Filesize

    488KB

  • memory/1732-2-0x0000000000459000-0x000000000045A000-memory.dmp

    Filesize

    4KB

  • memory/1732-1-0x0000000000370000-0x00000000003EA000-memory.dmp

    Filesize

    488KB

  • memory/1732-4-0x0000000000400000-0x000000000047A000-memory.dmp

    Filesize

    488KB

  • memory/1732-6-0x0000000000400000-0x000000000047A000-memory.dmp

    Filesize

    488KB