Analysis

  • max time kernel
    150s
  • max time network
    134s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64 arch:x86 image:win10v2004-20240802-en locale:en-us os:windows10-2004-x64 system
  • submitted
    13-09-2024 16:57

General

  • Target

    de860b30fb2dd71481e4594a37e38403_JaffaCakes118.exe

  • Size

    781KB

  • MD5

    de860b30fb2dd71481e4594a37e38403

  • SHA1

    c2456f2fea8fd3d200b4e5fd4092cebea30affcb

  • SHA256

    4aaf4e5e9d4c78d313cf68417cda304d6f867fb3e4b9ffe179c10297396a390e

  • SHA512

    620ad6ced4eed58d94f0f75290671b60e5219a8a73408381ee8604cc56d3a0052bc347f267a150c71a79f3387358fa67328751557c2c4d92ee4f7bc6346f474c

  • SSDEEP

    12288:I/R4VorX+Y2UHsKmxcqFQh7dfWcShVfyh9cTxPboloZnbKr07/jWdAe8P6:ICVJYZMFcHhsHfyh9cTxzoKEk+Ae8P6

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely a geofence check.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 7 IoCs
  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.

  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs
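The "Writes to the Master Boot Record (MBR)" signature is the one worth confirming by hand, because a bootkit typically overwrites only the 440 bytes of boot code and leaves the partition table intact so the machine still boots. As an added example (not part of this report, and not code recovered from the analysed sample), the Python below parses a 512-byte MBR into its regions and diffs it against a known-good copy so an analyst can say exactly what changed on a host or disk image. The MBR bytes it builds are constructed for illustration; read_live_mbr shows the raw device path used on Windows (needs an elevated prompt) and is not called automatically.

```python
"""Parse a 512-byte MBR and diff it against a known-good copy.

Added example; not part of the sandbox report. The sample MBR bytes below
are constructed for illustration, not recovered from the analysed sample.
"""
import hashlib
import struct
from dataclasses import dataclass

MBR_SIZE = 512
DISK_SIG_OFFSET = 440   # 4-byte disk signature + 2 reserved bytes
TABLE_OFFSET = 446      # four 16-byte partition entries
ENTRY_SIZE = 16
BOOT_SIG = b"\x55\xaa"  # last two bytes of a valid MBR


@dataclass(frozen=True)
class Partition:
    bootable: bool
    type_code: int
    lba_start: int
    sector_count: int


def parse_mbr(sector: bytes) -> dict:
    """Split an MBR into boot-code hash, disk signature and non-empty partitions."""
    if len(sector) != MBR_SIZE:
        raise ValueError(f"expected {MBR_SIZE} bytes, got {len(sector)}")
    if sector[510:512] != BOOT_SIG:
        raise ValueError("missing 0x55AA boot signature")
    parts = []
    for i in range(4):
        off = TABLE_OFFSET + i * ENTRY_SIZE
        # status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) sectors(4), little-endian
        status, ptype, lba, count = struct.unpack_from("<B3xB3xII", sector, off)
        if ptype != 0:
            parts.append(Partition(status == 0x80, ptype, lba, count))
    return {
        "boot_code_sha256": hashlib.sha256(sector[:DISK_SIG_OFFSET]).hexdigest(),
        "disk_signature": struct.unpack_from("<I", sector, DISK_SIG_OFFSET)[0],
        "partitions": parts,
    }


def diff_mbr(baseline: bytes, current: bytes) -> list:
    """Name the MBR regions that differ between a known-good copy and the current one."""
    changed = []
    if baseline[:DISK_SIG_OFFSET] != current[:DISK_SIG_OFFSET]:
        changed.append("boot code")
    if baseline[DISK_SIG_OFFSET:TABLE_OFFSET] != current[DISK_SIG_OFFSET:TABLE_OFFSET]:
        changed.append("disk signature")
    for i in range(4):
        off = TABLE_OFFSET + i * ENTRY_SIZE
        if baseline[off:off + ENTRY_SIZE] != current[off:off + ENTRY_SIZE]:
            changed.append(f"partition entry {i}")
    if baseline[510:] != current[510:]:
        changed.append("boot signature")
    return changed


def read_live_mbr(device: str = r"\\.\PhysicalDrive0") -> bytes:
    """Read sector 0 of a raw disk (Windows device path shown; requires elevation)."""
    with open(device, "rb") as fh:
        return fh.read(MBR_SIZE)


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Construct a minimal MBR: given boot code, one bootable NTFS partition at LBA 2048."""
    body = boot_code.ljust(DISK_SIG_OFFSET, b"\x00")
    body += struct.pack("<IH", 0x1234ABCD, 0)                     # disk signature + reserved
    body += struct.pack("<B3xB3xII", 0x80, 0x07, 2048, 0x100000)  # entry 0: bootable, type 0x07
    body += b"\x00" * (ENTRY_SIZE * 3)                            # entries 1-3 empty
    body += BOOT_SIG
    assert len(body) == MBR_SIZE
    return body


# Constructed baseline with a stock-looking boot stub, and a constructed "infected"
# copy where only the boot code is replaced: the partition table is untouched so the
# OS still boots, which is the pattern the MBR-write signature points at.
BASELINE_MBR = build_sample_mbr(b"\x33\xc0\x8e\xd0\xbc\x00\x7c")
TAMPERED_MBR = build_sample_mbr(b"\xeb\x3c\x90BOOTKIT")

if __name__ == "__main__":
    print("partitions:", parse_mbr(TAMPERED_MBR)["partitions"])
    print("changed regions:", diff_mbr(BASELINE_MBR, TAMPERED_MBR))
```

On a live machine, hash the boot-code region from read_live_mbr() right after a clean build and keep that digest as the baseline; a later diff_mbr() result of only "boot code" with an unchanged partition table is the bootkit pattern, while a changed partition entry usually means legitimate repartitioning.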

Processes

  • C:\Users\Admin\AppData\Local\Temp\de860b30fb2dd71481e4594a37e38403_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\de860b30fb2dd71481e4594a37e38403_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4596
    • C:\Users\Admin\AppData\Local\Temp\RarSFX0\PtdWin.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX0\PtdWin.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Enumerates connected drives
      • Writes to the Master Boot Record (MBR)
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:3616
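The process tree shows the classic two-stage layout: the submitted file is a self-extracting archive (RarSFX0 is the directory a WinRAR SFX stub creates under %TEMP%) that unpacks its payload and runs PtdWin.exe from there. As an added example, not part of this report, the Python below replays that tree as Sysmon-style process-creation lines and flags any executable started out of a RarSFX temp directory, raising severity when the parent is itself an .exe in %TEMP%. The key/value line layout and the explorer.exe and notepad.exe entries are constructed; the PIDs and paths of the two malicious processes are the report's.

```python
"""Flag executables launched out of a WinRAR self-extractor's temp directory.

Added example, not part of the sandbox report. The event lines are constructed
in a Sysmon-like key/value layout from the process tree in the report
(PIDs 4596 and 3616) plus two benign lines for contrast.
"""
import re

# WinRAR SFX stubs extract into %TEMP%\RarSFX<n>\ before running the payload.
SFX_DIR_RE = re.compile(r"\\AppData\\Local\\Temp\\RarSFX\d+\\", re.IGNORECASE)
# An .exe sitting directly in %TEMP% (the dropper in this report).
TEMP_EXE_RE = re.compile(r"\\AppData\\Local\\Temp\\[^\\]+\.exe$", re.IGNORECASE)

SAMPLE_EVENTS = r"""
ProcessId: 1044 | Image: C:\Windows\explorer.exe | ParentProcessId: 888 | ParentImage: C:\Windows\System32\userinit.exe
ProcessId: 4596 | Image: C:\Users\Admin\AppData\Local\Temp\de860b30fb2dd71481e4594a37e38403_JaffaCakes118.exe | ParentProcessId: 1044 | ParentImage: C:\Windows\explorer.exe
ProcessId: 3616 | Image: C:\Users\Admin\AppData\Local\Temp\RarSFX0\PtdWin.exe | ParentProcessId: 4596 | ParentImage: C:\Users\Admin\AppData\Local\Temp\de860b30fb2dd71481e4594a37e38403_JaffaCakes118.exe
ProcessId: 5120 | Image: C:\Windows\System32\notepad.exe | ParentProcessId: 1044 | ParentImage: C:\Windows\explorer.exe
"""


def parse_event(line: str) -> dict:
    """Turn one 'Key: value | Key: value' line into a dict."""
    fields = {}
    for chunk in line.split(" | "):
        key, _, value = chunk.partition(": ")
        fields[key.strip()] = value.strip()
    return fields


def parse_events(text: str) -> list:
    return [parse_event(line) for line in text.splitlines() if line.strip()]


def detect_sfx_payloads(events: list) -> list:
    """Return one hit per process whose image lives in a RarSFX temp directory."""
    hits = []
    for ev in events:
        if not SFX_DIR_RE.search(ev.get("Image", "")):
            continue
        parent_in_temp = bool(TEMP_EXE_RE.search(ev.get("ParentImage", "")))
        hits.append({
            "pid": int(ev["ProcessId"]),
            "ppid": int(ev["ParentProcessId"]),
            "image": ev["Image"],
            # dropper-in-%TEMP% spawning its extracted payload is the chain in the report
            "severity": "high" if parent_in_temp else "medium",
        })
    return hits


def process_chain(events: list, pid: int) -> list:
    """Walk ParentProcessId links back to the root, returning the image paths."""
    by_pid = {int(e["ProcessId"]): e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(by_pid[pid]["Image"])
        pid = int(by_pid[pid]["ParentProcessId"])
    return chain


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    for hit in detect_sfx_payloads(evs):
        print(hit["severity"], hit["pid"], "<-", " <- ".join(process_chain(evs, hit["pid"])))
```

Legitimate SFX installers produce the same RarSFX path, which is why the rule keys severity on the parent: a user-launched installer is normally a child of explorer.exe or a browser, not of another executable dropped in %TEMP%.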

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\HdCtrl.dll

    Filesize

    72KB

    MD5

    cfec846f9de0275f653741954502451b

    SHA1

    2ec3b6b083ead60babd3436a1467a681cda64da5

    SHA256

    820e9671026ec5321acd238688b371c9a9223b030332756166ae443386071dab

    SHA512

    d7488f973afedf4d0704c73d9de4d65b9b12c26b1fe025fd32f3a23080df2af4ef1469fa8d440ed61789ee8dd85920f1d30dcc42812b30dde061ba1eaaf64068

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\PartRecRs.dll

    Filesize

    816KB

    MD5

    b5611026d5f99d10ff2b7b668cea9a70

    SHA1

    13d9750ca1c16b3575bd1981432c17893b25eb3b

    SHA256

    801250f7a46c337c87859ff6f25540c4c8f802a6d247ca3e5f8a1262759a5740

    SHA512

    7c7a0bb41cb3f090b3c48ac2a471aeccd384c365a32038ed4f79f378cb49f7fe368b800e1f74ca3f517d87fac5e45cec96a1df1cab96376bf1339871ef707def

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\PtdSet.ini

    Filesize

    36B

    MD5

    630d0e98d2753fcc55068fc1381217a4

    SHA1

    c05fabfbd8af9d9d696419df90c2a47e08de67a3

    SHA256

    60cb150c3419cf809e2d2602cb9213432f8b922d2b1e2903ca3b9a24394fe547

    SHA512

    d8363a6ea25c17d99af9324820baecfbd29f15cfec1fe6ee6d3d50c8197a8f17d3ba7ce3065ef311cb42224e0ad4ae6c42f94c7e951e97b500f440003b2e817d

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\PtdWin.exe

    Filesize

    353KB

    MD5

    0c882f17c1ad1136812deee4ce4b5103

    SHA1

    a1ab83be9f2e1c2379233c099d8a7bce16375fa0

    SHA256

    3f9f011d31cc700eff85e24a4e752e2a695b8728f6e9713d61c71097f036d53c

    SHA512

    df24b744ecfdbe56f23824532413ae7ebc713c2adbbb5342bdf1d98e9b9d8764b366f86da6ee2c35dd270b1e1c821e7674a0a26f5339b66ac157f900553159d6

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\Worker.dll

    Filesize

    236KB

    MD5

    3f0a3ff60c065858fb3740b0a36f15b6

    SHA1

    eec838a3198478bbc4f02323b579df939cb03657

    SHA256

    0b6701fc02d7a260c4f57b59728614edfab78ead3c2e834022ca049796eceb76

    SHA512

    00fdb29c09b5aa9430b879e280618a764ca16aebaa0f1264e4f684574501f7c76348d69339bad73d1a63bfce4a291fcd59342a6abd0a9c391ceb3fa6182fecdd

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\hd03.dll

    Filesize

    248KB

    MD5

    54f86c6492113a80b5240c4dfebae487

    SHA1

    e0ab6777e84168e279701b6d6f7a7e72bd889683

    SHA256

    03b8deb7d66470f94dc49ee7355b23276a88e34c5d0ea2a16057e9ffbeb8b160

    SHA512

    f400bc10ec3c8c491dbdee3827d9aa404812ff0b9457054505c4f8a9747600e638b422a6e3f06e31a4c1f4abf15c14647084d78fe1e10d33da89cd3ae8080af0

  • memory/3616-40-0x0000000000A60000-0x0000000000A9F000-memory.dmp

    Filesize

    252KB

  • memory/3616-37-0x0000000000A20000-0x0000000000A5C000-memory.dmp

    Filesize

    240KB

  • memory/3616-28-0x0000000000400000-0x0000000000459000-memory.dmp

    Filesize

    356KB

  • memory/3616-48-0x0000000000400000-0x0000000000459000-memory.dmp

    Filesize

    356KB

  • memory/4596-0-0x0000000000400000-0x0000000000420000-memory.dmp

    Filesize

    128KB

  • memory/4596-46-0x0000000000400000-0x0000000000420000-memory.dmp

    Filesize

    128KB
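To make the hashes above usable for hunting, this added Python (not part of the report) computes MD5, SHA1 and SHA256 in a single read of each file and matches files against the dropped-file IOCs listed in Downloads plus the submitted sample itself. The IOC table is copied from this page; the stand-in file created by scan_demo() is constructed and is not a sample file, so it demonstrates that a matching filename alone produces no hit.

```python
"""Single-pass multi-hashing and IOC matching for the files listed in this report.

Added example, not part of the sandbox report. The IOC table is copied from the
report; the file written by scan_demo() is a constructed stand-in.
"""
import hashlib
import io
import tempfile
from pathlib import Path
from typing import Optional

IOCS = [
    {"name": "de860b30fb2dd71481e4594a37e38403_JaffaCakes118.exe",
     "md5": "de860b30fb2dd71481e4594a37e38403",
     "sha1": "c2456f2fea8fd3d200b4e5fd4092cebea30affcb",
     "sha256": "4aaf4e5e9d4c78d313cf68417cda304d6f867fb3e4b9ffe179c10297396a390e"},
    {"name": "HdCtrl.dll",
     "md5": "cfec846f9de0275f653741954502451b",
     "sha1": "2ec3b6b083ead60babd3436a1467a681cda64da5",
     "sha256": "820e9671026ec5321acd238688b371c9a9223b030332756166ae443386071dab"},
    {"name": "PartRecRs.dll",
     "md5": "b5611026d5f99d10ff2b7b668cea9a70",
     "sha1": "13d9750ca1c16b3575bd1981432c17893b25eb3b",
     "sha256": "801250f7a46c337c87859ff6f25540c4c8f802a6d247ca3e5f8a1262759a5740"},
    {"name": "PtdSet.ini",
     "md5": "630d0e98d2753fcc55068fc1381217a4",
     "sha1": "c05fabfbd8af9d9d696419df90c2a47e08de67a3",
     "sha256": "60cb150c3419cf809e2d2602cb9213432f8b922d2b1e2903ca3b9a24394fe547"},
    {"name": "PtdWin.exe",
     "md5": "0c882f17c1ad1136812deee4ce4b5103",
     "sha1": "a1ab83be9f2e1c2379233c099d8a7bce16375fa0",
     "sha256": "3f9f011d31cc700eff85e24a4e752e2a695b8728f6e9713d61c71097f036d53c"},
    {"name": "Worker.dll",
     "md5": "3f0a3ff60c065858fb3740b0a36f15b6",
     "sha1": "eec838a3198478bbc4f02323b579df939cb03657",
     "sha256": "0b6701fc02d7a260c4f57b59728614edfab78ead3c2e834022ca049796eceb76"},
    {"name": "hd03.dll",
     "md5": "54f86c6492113a80b5240c4dfebae487",
     "sha1": "e0ab6777e84168e279701b6d6f7a7e72bd889683",
     "sha256": "03b8deb7d66470f94dc49ee7355b23276a88e34c5d0ea2a16057e9ffbeb8b160"},
]

# digest (any algorithm, lowercase hex) -> reported filename
_INDEX = {ioc[algo].lower(): ioc["name"] for ioc in IOCS for algo in ("md5", "sha1", "sha256")}


def _digest_stream(fh) -> dict:
    """Feed one read of the stream into all three hashers."""
    hashers = {"md5": hashlib.md5(), "sha1": hashlib.sha1(), "sha256": hashlib.sha256()}
    for chunk in iter(lambda: fh.read(1 << 20), b""):
        for h in hashers.values():
            h.update(chunk)
    return {algo: h.hexdigest() for algo, h in hashers.items()}


def hash_bytes(data: bytes) -> dict:
    return _digest_stream(io.BytesIO(data))


def hash_file(path) -> dict:
    with open(path, "rb") as fh:
        return _digest_stream(fh)


def lookup_hash(digest: str) -> Optional[str]:
    """Map a single MD5/SHA1/SHA256 string to the reported filename, if known."""
    return _INDEX.get(digest.strip().lower())


def match_digests(digests: dict) -> Optional[str]:
    """Prefer the strongest digest, but accept any of the three (feeds often carry only MD5)."""
    for algo in ("sha256", "sha1", "md5"):
        name = lookup_hash(digests[algo])
        if name:
            return name
    return None


def scan_tree(root) -> list:
    """Return (path, reported_name) for every file under root whose content matches an IOC."""
    hits = []
    for p in Path(root).rglob("*"):
        if p.is_file():
            name = match_digests(hash_file(p))
            if name:
                hits.append((str(p), name))
    return hits


def scan_demo() -> list:
    """Scan a constructed directory with a same-named but different-content PtdWin.exe."""
    with tempfile.TemporaryDirectory() as tmp:
        Path(tmp, "RarSFX0").mkdir()
        Path(tmp, "RarSFX0", "PtdWin.exe").write_bytes(b"constructed stand-in, not the payload")
        return scan_tree(tmp)


if __name__ == "__main__":
    print("demo hits:", scan_demo())
```

Point scan_tree() at an extracted %TEMP% tree or a mounted image; a hit on PtdSet.ini is as useful as one on the executables, since a 36-byte configuration file is unlikely to change between deployments of the same package.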