141bf6765346d7566a42ec073b8f533ae1e0f50c7fac559afaf3e7d0f1f8a463

Analysis

max time kernel
1s
max time network
3s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
19-09-2024 06:12

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

eabcb7e213634ea04e0df07f370f9e9c_JaffaCakes118.exe
Size

143KB
MD5

eabcb7e213634ea04e0df07f370f9e9c
SHA1

9698f9e217ae292d1ce2a0379d67fd05799c1dbc
SHA256

141bf6765346d7566a42ec073b8f533ae1e0f50c7fac559afaf3e7d0f1f8a463
SHA512

f4754dade234117017a4e58992dd5cf2b21f5e25ec6d7ee1a060549c2e907f72cfc0f52087c0f0cb934c800d3034987890fe01ec769fbb002df2b6549ad6f0bb
SSDEEP

3072:NDcFpwqfOnGCawWKPKsUs+FyWNib4n9rumQUEULXlSzA:NDcHUGCawWKJUs+oWNqIEmCRA

Score

6^/10

bootkit discovery persistence

Malware Config

Signatures

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\physicaldrive0	eabcb7e213634ea04e0df07f370f9e9c_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	eabcb7e213634ea04e0df07f370f9e9c_JaffaCakes118.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1616	eabcb7e213634ea04e0df07f370f9e9c_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1616	eabcb7e213634ea04e0df07f370f9e9c_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\eabcb7e213634ea04e0df07f370f9e9c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\eabcb7e213634ea04e0df07f370f9e9c_JaffaCakes118.exe"
1⤵
- Writes to the Master Boot Record (MBR)
- System Location Discovery: System Language Discovery
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
PID:1616

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1616-0-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1616-1-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads