Analysis

  • max time kernel
    150s
  • max time network
    128s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    19/09/2024, 03:10

General

  • Target

    ea799cb79abc5e7a1cb09bb85e802928_JaffaCakes118.exe

  • Size

    852KB

  • MD5

    ea799cb79abc5e7a1cb09bb85e802928

  • SHA1

    ce43cbbe920560187e7885913281bfc81cd0ec30

  • SHA256

    d73c78294a2cd4dd4268821703dbf8a2ed88107896d8c6fbe082bd800d9e72dc

  • SHA512

    0ab8233f0b5766e9d741257bc4f406307f7e85cd44161c45947c33672564d26d547fa5b6aac875dd81a78477e3624f17ad533de64553e435ea268291c70f20d1

  • SSDEEP

    24576:tZIDHpeEz4SRk6QEjRgnM0rt8nqoScpkBZvo+VRpA08t:IHpPNLRMMCDoS2kBZwW20

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 3 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • UPX packed file 1 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates connected drives 3 TTPs 27 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks SCSI registry key(s) 3 TTPs 64 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies Internet Explorer settings 1 TTPs 4 IoCs
  • Modifies data under HKEY_USERS 64 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\ea799cb79abc5e7a1cb09bb85e802928_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\ea799cb79abc5e7a1cb09bb85e802928_JaffaCakes118.exe"
    1⤵
    • Adds Run key to start application
    • Enumerates connected drives
    • Writes to the Master Boot Record (MBR)
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of SetWindowsHookEx
    PID:2748
  • C:\Windows\system32\sihost.exe
    sihost.exe
    1⤵
    • Suspicious use of FindShellTrayWindow
    PID:3480
  • C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
    "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
    1⤵
    • Modifies data under HKEY_USERS
    • Suspicious use of SetWindowsHookEx
    PID:2632
  • C:\Windows\system32\sihost.exe
    sihost.exe
    1⤵
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:1816
    • C:\Windows\explorer.exe
      explorer.exe /LOADSAVEDWINDOWS
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Enumerates connected drives
      • Checks SCSI registry key(s)
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:3976
  • C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
    "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
    1⤵
    • Modifies data under HKEY_USERS
    • Suspicious use of SetWindowsHookEx
    PID:4312
  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
    1⤵
    PID:4888
  • C:\Windows\system32\sihost.exe
    sihost.exe
    1⤵
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:5116
    • C:\Windows\explorer.exe
      explorer.exe /LOADSAVEDWINDOWS
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Enumerates connected drives
      • Checks SCSI registry key(s)
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SendNotifyMessage
      PID:392
  • C:\Windows\system32\sihost.exe
    sihost.exe
    1⤵
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:2580
    • C:\Windows\explorer.exe
      explorer.exe /LOADSAVEDWINDOWS
      2⤵
      PID:1268
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Enumerates connected drives
    • Checks SCSI registry key(s)
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SendNotifyMessage
    • Suspicious use of SetWindowsHookEx
    PID:3264
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {9BA05972-F6A8-11CF-A442-00A0C90A8F39} -Embedding
    1⤵
    PID:3992
  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
    1⤵
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:4540
  • C:\Windows\system32\sihost.exe
    sihost.exe
    1⤵
    PID:1584
  • C:\Windows\system32\sihost.exe
    sihost.exe
    1⤵
    PID:2348

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9
    Filesize: 471B
    MD5: ddc1e6368deba23c633d237f2564b717
    SHA1: bda72f1eb659cb95e47875ef1e7792b6415a1258
    SHA256: c9e8450dafe9a6f87dbae742658ddd8b7ec1b8dc591f23bdc3674422b2e04c47
    SHA512: 1c3413967ea3193bea0005931cb61da707a4a9e93e73c51ba8ce49c3fd2e0295be3cc53e9ffc37ec2bbc269536a79715d4da232079e55b70c474649ffa75f256
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9
    Filesize: 420B
    MD5: 7226126b9ca71547e704b982a705799a
    SHA1: 0e8be27920c4bd98bb7180feb0e6002794a49a62
    SHA256: 028a9c4be64cb1c26d0d449ab12439b7445e885b2a9dcd7ae866e6d1f2b4611a
    SHA512: 95aa64c2e40ba5eb59ee25da757767b34e4c5cf87280daafc906ff9ec07fff4a5504a678f16a20c7ae0a4ccb626b786912c2941f03066d1f0e21fbd4fa08c8d0
  • C:\Users\Admin\AppData\Local\Microsoft\PenWorkspace\DiscoverCacheData.dat
    Filesize: 1022B
    MD5: 2258494459e5389220de4132e01a5051
    SHA1: 6c2e9c73f9ea4a8ec8d560dfa084abc7740105d7
    SHA256: 63945d6b361e330d96a1fc50cb1ab97b22e61f633b03a653497d1febafa8e420
    SHA512: 1f6cf6adddb88b36c5994d461d4c3e47f2a051bf02c6dc2c23f408b7e02e10d51b687271c29d54288a3abff38141bb0ac574b5a24913ae72dfe288115f8b61a2
  • memory/2748-23-0x0000000000400000-0x0000000000A23000-memory.dmp (Filesize: 6.1MB)
  • memory/2748-39-0x0000000000400000-0x0000000000A23000-memory.dmp (Filesize: 6.1MB)
  • memory/2748-6-0x0000000000400000-0x0000000000A23000-memory.dmp (Filesize: 6.1MB)
  • memory/2748-46-0x0000000000400000-0x0000000000A23000-memory.dmp (Filesize: 6.1MB)
  • memory/2748-12-0x0000000000400000-0x0000000000A23000-memory.dmp (Filesize: 6.1MB)
  • memory/2748-16-0x0000000000F40000-0x0000000000F50000-memory.dmp (Filesize: 64KB)
  • memory/2748-4-0x00000000009EB000-0x00000000009EC000-memory.dmp (Filesize: 4KB)
  • memory/2748-18-0x00000000009EB000-0x00000000009EC000-memory.dmp (Filesize: 4KB)
  • memory/2748-19-0x0000000000400000-0x0000000000A23000-memory.dmp (Filesize: 6.1MB)
  • memory/2748-2-0x0000000000400000-0x0000000000A23000-memory.dmp (Filesize: 6.1MB)
  • memory/2748-1-0x0000000000F40000-0x0000000000F50000-memory.dmp (Filesize: 64KB)
  • memory/2748-0-0x0000000000400000-0x0000000000A23000-memory.dmp (Filesize: 6.1MB)
  • memory/2748-24-0x0000000000400000-0x0000000000A23000-memory.dmp (Filesize: 6.1MB)
  • memory/2748-45-0x0000000000400000-0x0000000000A23000-memory.dmp (Filesize: 6.1MB)
  • memory/2748-32-0x0000000000400000-0x0000000000A23000-memory.dmp (Filesize: 6.1MB)
  • memory/2748-35-0x0000000000400000-0x0000000000A23000-memory.dmp (Filesize: 6.1MB)
  • memory/2748-36-0x0000000000400000-0x0000000000A23000-memory.dmp (Filesize: 6.1MB)
  • memory/2748-37-0x0000000000400000-0x0000000000A23000-memory.dmp (Filesize: 6.1MB)
  • memory/2748-38-0x0000000000400000-0x0000000000A23000-memory.dmp (Filesize: 6.1MB)
  • memory/2748-5-0x0000000000400000-0x0000000000A23000-memory.dmp (Filesize: 6.1MB)
  • memory/2748-40-0x0000000000400000-0x0000000000A23000-memory.dmp (Filesize: 6.1MB)
  • memory/2748-41-0x0000000000400000-0x0000000000A23000-memory.dmp (Filesize: 6.1MB)
  • memory/2748-42-0x0000000000400000-0x0000000000A23000-memory.dmp (Filesize: 6.1MB)
  • memory/2748-43-0x0000000000400000-0x0000000000A23000-memory.dmp (Filesize: 6.1MB)
  • memory/2748-44-0x0000000000400000-0x0000000000A23000-memory.dmp (Filesize: 6.1MB)
  • memory/3264-25-0x00000000029C0000-0x00000000029C1000-memory.dmp (Filesize: 4KB)
  • memory/3976-11-0x00000000045B0000-0x00000000045B1000-memory.dmp (Filesize: 4KB)