4517bb5a59310e5412ab90e4e741bec4124990f61897672b75c7e1afe0e959e9 | Triage

Submit
Reports

Overview

overview

Static

static

7

ee853c3a35...18.exe

windows7-x64

ee853c3a35...18.exe

windows10-2004-x64

Sharing

General

Target

ee853c3a359058ae44734912d6cf6cbe_JaffaCakes118
Size

2.3MB
Sample

240920-125hls1dmk
MD5

ee853c3a359058ae44734912d6cf6cbe
SHA1

1fa3b14ce55ef939a9bbb466e628ee11b33dba7e
SHA256

4517bb5a59310e5412ab90e4e741bec4124990f61897672b75c7e1afe0e959e9
SHA512

1cb670e54674e85f1cde5fd59aa5f4feea5cef2074e88604fa09012c277bc8e16b38209e28d53f2a7e4567f0ccded5ac056f5373d7945857881376b9e17a9ff5
SSDEEP

49152:HIiEK54KS/mF2mEEjlavGhS5KDoy/8yCRgTpQGIdMp3dHJZ1gSRQFl0n:HIiEKT2GphSsDmiOrM1tJngoQbC

Score

10^/10

bootkit defense_evasion discovery persistence upx

Static task

static1

2 signatures

Behavioral task

behavioral1

Sample

ee853c3a359058ae44734912d6cf6cbe_JaffaCakes118.exe

Resource

win7-20240903-en

bootkit defense_evasion discovery persistence upx

windows7-x64

17 signatures

150 seconds

Behavioral task

behavioral2

Sample

ee853c3a359058ae44734912d6cf6cbe_JaffaCakes118.exe

Resource

win10v2004-20240802-en

bootkit defense_evasion discovery persistence upx

windows10-2004-x64

19 signatures

150 seconds

Malware Config

Extracted

Language

hta

Source

URLs

hta.dropper

http://78.26.187.35/soft-usage/favicon.ico?0=1200&1=KHBTHJFA&2=i-s&3=18&4=7601&5=6&6=1&7=99600&8=1033

Extracted

Language

hta

Source

URLs

hta.dropper

http://78.26.187.35/soft-usage/favicon.ico?0=1200&1=HVDPCYGS&2=i-s&3=18&4=9200&5=6&6=2&7=919041&8=1033

Targets

- Target
  
  ee853c3a359058ae44734912d6cf6cbe_JaffaCakes118
- Size
  
  2.3MB
- MD5
  
  ee853c3a359058ae44734912d6cf6cbe
- SHA1
  
  1fa3b14ce55ef939a9bbb466e628ee11b33dba7e
- SHA256
  
  4517bb5a59310e5412ab90e4e741bec4124990f61897672b75c7e1afe0e959e9
- SHA512
  
  1cb670e54674e85f1cde5fd59aa5f4feea5cef2074e88604fa09012c277bc8e16b38209e28d53f2a7e4567f0ccded5ac056f5373d7945857881376b9e17a9ff5
- SSDEEP
  
  49152:HIiEK54KS/mF2mEEjlavGhS5KDoy/8yCRgTpQGIdMp3dHJZ1gSRQFl0n:HIiEKT2GphSsDmiOrM1tJngoQbC
Score

10^/10

bootkit defense_evasion discovery persistence upx
- Modifies WinLogon for persistence
  persistence
- Blocklisted process makes network request
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Indicator Removal: File Deletion
  Adversaries may delete files left behind by the actions of their intrusion activity.
  defense_evasion
- Writes to the Master Boot Record (MBR)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  bootkit persistence
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Winlogon Helper DLL

Pre-OS Boot

Bootkit

Privilege Escalation

Boot or Logon Autostart Execution

Winlogon Helper DLL

Defense Evasion

Indicator Removal

File Deletion

Modify Registry

Pre-OS Boot

Bootkit

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

bootkitdefense_evasiondiscoverypersistenceupx

behavioral2

bootkitdefense_evasiondiscoverypersistenceupx

© 2018-2025

Terms | Privacy