57adf57219631876c6264c2f2dcd18f83537b80525bed3217db28c9e56613acf

Analysis

max time kernel
141s
max time network
136s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
15/09/2024, 06:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e1f0394e7a92e7a6882874c87fa10821_JaffaCakes118.exe
Size

497KB
MD5

e1f0394e7a92e7a6882874c87fa10821
SHA1

e14df8aa6899ada28756d88976fb1e485fbfaad6
SHA256

57adf57219631876c6264c2f2dcd18f83537b80525bed3217db28c9e56613acf
SHA512

af5d3a4c7117f74c541493e03c2f10a81ab13606e91df8bab8b2a0f8a30b2fb99680d6a0592d0bc551ab0c7c62544240875126258276f179a6870ec7838ba156
SSDEEP

12288:31Ra1rN4wopVauKAxZkhwryPNtTirdorX:3Drp4XAx+hwrynTEdo

Score

7^/10

bootkit discovery persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2832	EntSver.exe

Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	e1f0394e7a92e7a6882874c87fa10821_JaffaCakes118.exe
File opened for modification	\??\PhysicalDrive0	EntSver.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	EntSver.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\EntSver.exe	e1f0394e7a92e7a6882874c87fa10821_JaffaCakes118.exe
File opened for modification	C:\Windows\EntSver.exe	e1f0394e7a92e7a6882874c87fa10821_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e1f0394e7a92e7a6882874c87fa10821_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EntSver.exe

Modifies data under HKEY_USERS 28 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	EntSver.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{924193F2-E9D8-41B8-A8B8-95BD0A990CE1}\WpadDecisionReason = "1"	EntSver.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	EntSver.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	EntSver.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	EntSver.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{924193F2-E9D8-41B8-A8B8-95BD0A990CE1}\WpadDecision = "0"	EntSver.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00a1000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	EntSver.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\6e-ce-24-8a-49-7e\WpadDecisionTime = a09315043d07db01	EntSver.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{924193F2-E9D8-41B8-A8B8-95BD0A990CE1}\6e-ce-24-8a-49-7e	EntSver.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	EntSver.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	EntSver.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	EntSver.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{924193F2-E9D8-41B8-A8B8-95BD0A990CE1}\WpadNetworkName = "Network 3"	EntSver.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	EntSver.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	EntSver.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{924193F2-E9D8-41B8-A8B8-95BD0A990CE1}\WpadDecisionTime = a09315043d07db01	EntSver.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\6e-ce-24-8a-49-7e\WpadDetectedUrl	EntSver.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000004000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00a1000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	EntSver.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	EntSver.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\6e-ce-24-8a-49-7e\WpadDecisionReason = "1"	EntSver.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\6e-ce-24-8a-49-7e\WpadDecision = "0"	EntSver.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	EntSver.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	EntSver.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\6e-ce-24-8a-49-7e\WpadDecisionTime = 201e7dce3c07db01	EntSver.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	EntSver.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{924193F2-E9D8-41B8-A8B8-95BD0A990CE1}	EntSver.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{924193F2-E9D8-41B8-A8B8-95BD0A990CE1}\WpadDecisionTime = 201e7dce3c07db01	EntSver.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\6e-ce-24-8a-49-7e	EntSver.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2644	e1f0394e7a92e7a6882874c87fa10821_JaffaCakes118.exe
Token: SeDebugPrivilege	2832	EntSver.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2832	EntSver.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2832 wrote to memory of 2184	2832	EntSver.exe	31
PID 2832 wrote to memory of 2184	2832	EntSver.exe	31
PID 2832 wrote to memory of 2184	2832	EntSver.exe	31
PID 2832 wrote to memory of 2184	2832	EntSver.exe	31

C:\Users\Admin\AppData\Local\Temp\e1f0394e7a92e7a6882874c87fa10821_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e1f0394e7a92e7a6882874c87fa10821_JaffaCakes118.exe"
1⤵
- Writes to the Master Boot Record (MBR)
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2644

C:\Windows\EntSver.exe
C:\Windows\EntSver.exe
1⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2832
- C:\Program Files\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
  2⤵
  PID:2184

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\EntSver.exe

Filesize
497KB

MD5
e1f0394e7a92e7a6882874c87fa10821

SHA1
e14df8aa6899ada28756d88976fb1e485fbfaad6

SHA256
57adf57219631876c6264c2f2dcd18f83537b80525bed3217db28c9e56613acf

SHA512
af5d3a4c7117f74c541493e03c2f10a81ab13606e91df8bab8b2a0f8a30b2fb99680d6a0592d0bc551ab0c7c62544240875126258276f179a6870ec7838ba156

Download Submit
memory/2644-0-0x0000000000400000-0x00000000004F7000-memory.dmp

Filesize
988KB

Download
memory/2644-7-0x00000000022B0000-0x00000000022B3000-memory.dmp

Filesize
12KB

Download
memory/2644-6-0x0000000000900000-0x0000000000901000-memory.dmp

Filesize
4KB

Download
memory/2644-29-0x0000000002410000-0x0000000002411000-memory.dmp

Filesize
4KB

Download
memory/2644-28-0x00000000023E0000-0x00000000023E1000-memory.dmp

Filesize
4KB

Download
memory/2644-65-0x00000000035C0000-0x00000000035C1000-memory.dmp

Filesize
4KB

Download
memory/2644-85-0x0000000003540000-0x0000000003541000-memory.dmp

Filesize
4KB

Download
memory/2644-84-0x00000000036D0000-0x00000000036D1000-memory.dmp

Filesize
4KB

Download
memory/2644-83-0x00000000036E0000-0x00000000036E1000-memory.dmp

Filesize
4KB

Download
memory/2644-82-0x00000000036B0000-0x00000000036B1000-memory.dmp

Filesize
4KB

Download
memory/2644-81-0x00000000036C0000-0x00000000036C1000-memory.dmp

Filesize
4KB

Download
memory/2644-80-0x0000000003690000-0x0000000003691000-memory.dmp

Filesize
4KB

Download
memory/2644-79-0x00000000036A0000-0x00000000036A1000-memory.dmp

Filesize
4KB

Download
memory/2644-78-0x0000000003670000-0x0000000003671000-memory.dmp

Filesize
4KB

Download
memory/2644-77-0x0000000003680000-0x0000000003681000-memory.dmp

Filesize
4KB

Download
memory/2644-76-0x0000000003650000-0x0000000003651000-memory.dmp

Filesize
4KB

Download
memory/2644-75-0x0000000003660000-0x0000000003661000-memory.dmp

Filesize
4KB

Download
memory/2644-74-0x0000000003630000-0x0000000003631000-memory.dmp

Filesize
4KB

Download
memory/2644-73-0x0000000003640000-0x0000000003641000-memory.dmp

Filesize
4KB

Download
memory/2644-72-0x0000000003610000-0x0000000003611000-memory.dmp

Filesize
4KB

Download
memory/2644-71-0x0000000003620000-0x0000000003621000-memory.dmp

Filesize
4KB

Download
memory/2644-70-0x00000000035F0000-0x00000000035F1000-memory.dmp

Filesize
4KB

Download
memory/2644-69-0x0000000003600000-0x0000000003601000-memory.dmp

Filesize
4KB

Download
memory/2644-68-0x00000000035D0000-0x00000000035D1000-memory.dmp

Filesize
4KB

Download
memory/2644-67-0x00000000035E0000-0x00000000035E1000-memory.dmp

Filesize
4KB

Download
memory/2644-66-0x00000000035B0000-0x00000000035B1000-memory.dmp

Filesize
4KB

Download
memory/2644-64-0x0000000003590000-0x0000000003591000-memory.dmp

Filesize
4KB

Download
memory/2644-63-0x00000000035A0000-0x00000000035A1000-memory.dmp

Filesize
4KB

Download
memory/2644-62-0x0000000003570000-0x0000000003571000-memory.dmp

Filesize
4KB

Download
memory/2644-61-0x0000000003580000-0x0000000003581000-memory.dmp

Filesize
4KB

Download
memory/2644-60-0x0000000003550000-0x0000000003551000-memory.dmp

Filesize
4KB

Download
memory/2644-59-0x0000000003560000-0x0000000003561000-memory.dmp

Filesize
4KB

Download
memory/2644-58-0x0000000003530000-0x0000000003531000-memory.dmp

Filesize
4KB

Download
memory/2644-57-0x00000000033D0000-0x00000000033D1000-memory.dmp

Filesize
4KB

Download
memory/2644-56-0x00000000033E0000-0x00000000033E1000-memory.dmp

Filesize
4KB

Download
memory/2644-55-0x00000000033B0000-0x00000000033B1000-memory.dmp

Filesize
4KB

Download
memory/2644-54-0x00000000033C0000-0x00000000033C1000-memory.dmp

Filesize
4KB

Download
memory/2644-53-0x0000000002650000-0x0000000002651000-memory.dmp

Filesize
4KB

Download
memory/2644-52-0x00000000033A0000-0x00000000033A1000-memory.dmp

Filesize
4KB

Download
memory/2644-51-0x0000000002630000-0x0000000002631000-memory.dmp

Filesize
4KB

Download
memory/2644-50-0x0000000002640000-0x0000000002641000-memory.dmp

Filesize
4KB

Download
memory/2644-49-0x0000000002600000-0x0000000002601000-memory.dmp

Filesize
4KB

Download
memory/2644-48-0x0000000002610000-0x0000000002611000-memory.dmp

Filesize
4KB

Download
memory/2644-47-0x0000000002620000-0x0000000002621000-memory.dmp

Filesize
4KB

Download
memory/2644-46-0x00000000025E0000-0x00000000025E1000-memory.dmp

Filesize
4KB

Download
memory/2644-45-0x00000000025F0000-0x00000000025F1000-memory.dmp

Filesize
4KB

Download
memory/2644-44-0x00000000025C0000-0x00000000025C1000-memory.dmp

Filesize
4KB

Download
memory/2644-43-0x00000000025D0000-0x00000000025D1000-memory.dmp

Filesize
4KB

Download
memory/2644-42-0x00000000025A0000-0x00000000025A1000-memory.dmp

Filesize
4KB

Download
memory/2644-41-0x00000000025B0000-0x00000000025B1000-memory.dmp

Filesize
4KB

Download
memory/2644-39-0x0000000002590000-0x0000000002591000-memory.dmp

Filesize
4KB

Download
memory/2644-38-0x0000000002560000-0x0000000002561000-memory.dmp

Filesize
4KB

Download
memory/2644-40-0x0000000002580000-0x0000000002581000-memory.dmp

Filesize
4KB

Download
memory/2644-37-0x0000000002570000-0x0000000002571000-memory.dmp

Filesize
4KB

Download
memory/2644-36-0x0000000002540000-0x0000000002541000-memory.dmp

Filesize
4KB

Download
memory/2644-35-0x0000000002550000-0x0000000002551000-memory.dmp

Filesize
4KB

Download
memory/2644-34-0x0000000002520000-0x0000000002521000-memory.dmp

Filesize
4KB

Download
memory/2644-33-0x0000000002530000-0x0000000002531000-memory.dmp

Filesize
4KB

Download
memory/2644-32-0x0000000002400000-0x0000000002401000-memory.dmp

Filesize
4KB

Download
memory/2644-27-0x00000000023F0000-0x00000000023F1000-memory.dmp

Filesize
4KB

Download
memory/2644-26-0x00000000023C0000-0x00000000023C1000-memory.dmp

Filesize
4KB

Download
memory/2644-25-0x00000000023D0000-0x00000000023D1000-memory.dmp

Filesize
4KB

Download
memory/2644-24-0x00000000023A0000-0x00000000023A1000-memory.dmp

Filesize
4KB

Download
memory/2644-23-0x00000000023B0000-0x00000000023B1000-memory.dmp

Filesize
4KB

Download
memory/2644-22-0x0000000002380000-0x0000000002381000-memory.dmp

Filesize
4KB

Download
memory/2644-21-0x0000000002390000-0x0000000002391000-memory.dmp

Filesize
4KB

Download
memory/2644-20-0x0000000002360000-0x0000000002361000-memory.dmp

Filesize
4KB

Download
memory/2644-19-0x0000000002370000-0x0000000002371000-memory.dmp

Filesize
4KB

Download
memory/2644-18-0x0000000002340000-0x0000000002341000-memory.dmp

Filesize
4KB

Download
memory/2644-17-0x0000000002350000-0x0000000002351000-memory.dmp

Filesize
4KB

Download
memory/2644-16-0x0000000002320000-0x0000000002321000-memory.dmp

Filesize
4KB

Download
memory/2644-15-0x0000000002330000-0x0000000002331000-memory.dmp

Filesize
4KB

Download
memory/2644-14-0x0000000002300000-0x0000000002301000-memory.dmp

Filesize
4KB

Download
memory/2644-13-0x0000000002310000-0x0000000002311000-memory.dmp

Filesize
4KB

Download
memory/2644-12-0x00000000022D0000-0x00000000022D1000-memory.dmp

Filesize
4KB

Download
memory/2644-11-0x0000000002290000-0x0000000002291000-memory.dmp

Filesize
4KB

Download
memory/2644-10-0x0000000000910000-0x0000000000911000-memory.dmp

Filesize
4KB

Download
memory/2644-9-0x00000000022C0000-0x00000000022C1000-memory.dmp

Filesize
4KB

Download
memory/2644-8-0x00000000022A0000-0x00000000022A1000-memory.dmp

Filesize
4KB

Download
memory/2644-5-0x00000000008E0000-0x00000000008E1000-memory.dmp

Filesize
4KB

Download
memory/2644-4-0x0000000000630000-0x0000000000631000-memory.dmp

Filesize
4KB

Download
memory/2644-3-0x00000000002B0000-0x00000000002B1000-memory.dmp

Filesize
4KB

Download
memory/2644-2-0x00000000002C0000-0x00000000002C1000-memory.dmp

Filesize
4KB

Download
memory/2644-1-0x0000000000500000-0x0000000000543000-memory.dmp

Filesize
268KB

Download
memory/2644-87-0x00000000036F0000-0x00000000036F1000-memory.dmp

Filesize
4KB

Download
memory/2644-86-0x0000000003700000-0x0000000003701000-memory.dmp

Filesize
4KB

Download
memory/2644-91-0x0000000000500000-0x0000000000543000-memory.dmp

Filesize
268KB

Download
memory/2644-90-0x0000000000400000-0x00000000004F7000-memory.dmp

Filesize
988KB

Download
memory/2644-94-0x0000000000400000-0x00000000004F7000-memory.dmp

Filesize
988KB

Download
memory/2644-95-0x0000000000500000-0x0000000000543000-memory.dmp

Filesize
268KB

Download
memory/2832-89-0x0000000000400000-0x00000000004F7000-memory.dmp

Filesize
988KB

Download
memory/2832-92-0x00000000002F0000-0x0000000000333000-memory.dmp

Filesize
268KB

Download
memory/2832-96-0x0000000000400000-0x00000000004F7000-memory.dmp

Filesize
988KB

Download
memory/2832-97-0x00000000002F0000-0x0000000000333000-memory.dmp

Filesize
268KB

Download
memory/2832-98-0x0000000000400000-0x00000000004F7000-memory.dmp

Filesize
988KB

Download
memory/2832-102-0x0000000000400000-0x00000000004F7000-memory.dmp

Filesize
988KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads