8180f0a40144a4c23243f2a093d090e9373971888d049862dd95010e4ce37a59

Analysis

max time kernel
149s
max time network
118s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
01-10-2024 18:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

06fdf7771b15ca403cd2f553dbe2f1fd_JaffaCakes118.exe
Size

693KB
MD5

06fdf7771b15ca403cd2f553dbe2f1fd
SHA1

119fca5ec960bfca2720d0ab459b4cf1ba8a5bfd
SHA256

8180f0a40144a4c23243f2a093d090e9373971888d049862dd95010e4ce37a59
SHA512

8718ca6b55dbb6d364f21c35da0a1f36fc5ede1b26cd823ab10929354b7cfa66eefdc6384821010dd140f21856d9784eacac35078edc447032467687986c98c9
SSDEEP

12288:KDMZ2UOv2HCCVIiGUbmp6wT/BUJqOn726zA/ELlJ5eGSSJ6y:zZm+LGUbmp68/BUJq6i8JkGoy

Score

7^/10

bootkit discovery persistence upx

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
2100	SeMiniSetup_3170_1202.exe
1764	drInstall.exe
2784	TTSetup.exe
744	gins.exe

Loads dropped DLL 11 IoCs

pid	Process
2228	06fdf7771b15ca403cd2f553dbe2f1fd_JaffaCakes118.exe
2228	06fdf7771b15ca403cd2f553dbe2f1fd_JaffaCakes118.exe
2100	SeMiniSetup_3170_1202.exe
2100	SeMiniSetup_3170_1202.exe
2100	SeMiniSetup_3170_1202.exe
2228	06fdf7771b15ca403cd2f553dbe2f1fd_JaffaCakes118.exe
2228	06fdf7771b15ca403cd2f553dbe2f1fd_JaffaCakes118.exe
2228	06fdf7771b15ca403cd2f553dbe2f1fd_JaffaCakes118.exe
2928	WerFault.exe
2928	WerFault.exe
2928	WerFault.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	SeMiniSetup_3170_1202.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\HookPool.sys	06fdf7771b15ca403cd2f553dbe2f1fd_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\drInstall.exe	06fdf7771b15ca403cd2f553dbe2f1fd_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\gins.exe	06fdf7771b15ca403cd2f553dbe2f1fd_JaffaCakes118.exe

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000f000000018662-16.dat	upx
behavioral1/memory/1764-21-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral1/memory/1764-25-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral1/memory/2784-34-0x0000000000400000-0x000000000041A000-memory.dmp	upx
behavioral1/files/0x000700000001867d-32.dat	upx
behavioral1/memory/2784-31-0x0000000000400000-0x000000000041A000-memory.dmp	upx
behavioral1/memory/744-43-0x0000000010000000-0x000000001003A000-memory.dmp	upx
behavioral1/memory/744-46-0x0000000010000000-0x000000001003A000-memory.dmp	upx
behavioral1/memory/744-45-0x0000000010000000-0x000000001003A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2928	744	WerFault.exe	35

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	06fdf7771b15ca403cd2f553dbe2f1fd_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SeMiniSetup_3170_1202.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gins.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2100	SeMiniSetup_3170_1202.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2100	SeMiniSetup_3170_1202.exe
2100	SeMiniSetup_3170_1202.exe
2100	SeMiniSetup_3170_1202.exe
2100	SeMiniSetup_3170_1202.exe
2100	SeMiniSetup_3170_1202.exe
2100	SeMiniSetup_3170_1202.exe
2100	SeMiniSetup_3170_1202.exe
2100	SeMiniSetup_3170_1202.exe
2100	SeMiniSetup_3170_1202.exe
2100	SeMiniSetup_3170_1202.exe
2100	SeMiniSetup_3170_1202.exe
2100	SeMiniSetup_3170_1202.exe
2100	SeMiniSetup_3170_1202.exe
2100	SeMiniSetup_3170_1202.exe
2100	SeMiniSetup_3170_1202.exe
2100	SeMiniSetup_3170_1202.exe
2100	SeMiniSetup_3170_1202.exe
2100	SeMiniSetup_3170_1202.exe
2100	SeMiniSetup_3170_1202.exe
2100	SeMiniSetup_3170_1202.exe
2100	SeMiniSetup_3170_1202.exe
2100	SeMiniSetup_3170_1202.exe
2100	SeMiniSetup_3170_1202.exe
2100	SeMiniSetup_3170_1202.exe
2100	SeMiniSetup_3170_1202.exe
2100	SeMiniSetup_3170_1202.exe
2100	SeMiniSetup_3170_1202.exe
2100	SeMiniSetup_3170_1202.exe
2100	SeMiniSetup_3170_1202.exe
2100	SeMiniSetup_3170_1202.exe
2100	SeMiniSetup_3170_1202.exe
2100	SeMiniSetup_3170_1202.exe
2100	SeMiniSetup_3170_1202.exe
2100	SeMiniSetup_3170_1202.exe
2100	SeMiniSetup_3170_1202.exe
2100	SeMiniSetup_3170_1202.exe
2100	SeMiniSetup_3170_1202.exe
2100	SeMiniSetup_3170_1202.exe
2100	SeMiniSetup_3170_1202.exe
2100	SeMiniSetup_3170_1202.exe
2100	SeMiniSetup_3170_1202.exe
2100	SeMiniSetup_3170_1202.exe
2100	SeMiniSetup_3170_1202.exe
2100	SeMiniSetup_3170_1202.exe
2100	SeMiniSetup_3170_1202.exe
2100	SeMiniSetup_3170_1202.exe
2100	SeMiniSetup_3170_1202.exe
2100	SeMiniSetup_3170_1202.exe
2100	SeMiniSetup_3170_1202.exe
2100	SeMiniSetup_3170_1202.exe
2100	SeMiniSetup_3170_1202.exe
2100	SeMiniSetup_3170_1202.exe
2100	SeMiniSetup_3170_1202.exe
2100	SeMiniSetup_3170_1202.exe
2100	SeMiniSetup_3170_1202.exe
2100	SeMiniSetup_3170_1202.exe
2100	SeMiniSetup_3170_1202.exe
2100	SeMiniSetup_3170_1202.exe
2100	SeMiniSetup_3170_1202.exe
2100	SeMiniSetup_3170_1202.exe
2100	SeMiniSetup_3170_1202.exe
2100	SeMiniSetup_3170_1202.exe
2100	SeMiniSetup_3170_1202.exe
2100	SeMiniSetup_3170_1202.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
2100	SeMiniSetup_3170_1202.exe
2100	SeMiniSetup_3170_1202.exe
2100	SeMiniSetup_3170_1202.exe
2100	SeMiniSetup_3170_1202.exe
2100	SeMiniSetup_3170_1202.exe
2100	SeMiniSetup_3170_1202.exe
2100	SeMiniSetup_3170_1202.exe
2100	SeMiniSetup_3170_1202.exe
2100	SeMiniSetup_3170_1202.exe
2100	SeMiniSetup_3170_1202.exe
2100	SeMiniSetup_3170_1202.exe
2100	SeMiniSetup_3170_1202.exe
2100	SeMiniSetup_3170_1202.exe
2100	SeMiniSetup_3170_1202.exe
2100	SeMiniSetup_3170_1202.exe
2100	SeMiniSetup_3170_1202.exe
2100	SeMiniSetup_3170_1202.exe
2100	SeMiniSetup_3170_1202.exe
2100	SeMiniSetup_3170_1202.exe
2100	SeMiniSetup_3170_1202.exe
2100	SeMiniSetup_3170_1202.exe
2100	SeMiniSetup_3170_1202.exe
2100	SeMiniSetup_3170_1202.exe
2100	SeMiniSetup_3170_1202.exe
2100	SeMiniSetup_3170_1202.exe
2100	SeMiniSetup_3170_1202.exe
2100	SeMiniSetup_3170_1202.exe
2100	SeMiniSetup_3170_1202.exe
2100	SeMiniSetup_3170_1202.exe
2100	SeMiniSetup_3170_1202.exe
2100	SeMiniSetup_3170_1202.exe
2100	SeMiniSetup_3170_1202.exe
2100	SeMiniSetup_3170_1202.exe
2100	SeMiniSetup_3170_1202.exe
2100	SeMiniSetup_3170_1202.exe
2100	SeMiniSetup_3170_1202.exe
2100	SeMiniSetup_3170_1202.exe
2100	SeMiniSetup_3170_1202.exe
2100	SeMiniSetup_3170_1202.exe
2100	SeMiniSetup_3170_1202.exe
2100	SeMiniSetup_3170_1202.exe
2100	SeMiniSetup_3170_1202.exe
2100	SeMiniSetup_3170_1202.exe
2100	SeMiniSetup_3170_1202.exe
2100	SeMiniSetup_3170_1202.exe
2100	SeMiniSetup_3170_1202.exe
2100	SeMiniSetup_3170_1202.exe
2100	SeMiniSetup_3170_1202.exe
2100	SeMiniSetup_3170_1202.exe
2100	SeMiniSetup_3170_1202.exe
2100	SeMiniSetup_3170_1202.exe
2100	SeMiniSetup_3170_1202.exe
2100	SeMiniSetup_3170_1202.exe
2100	SeMiniSetup_3170_1202.exe
2100	SeMiniSetup_3170_1202.exe
2100	SeMiniSetup_3170_1202.exe
2100	SeMiniSetup_3170_1202.exe
2100	SeMiniSetup_3170_1202.exe
2100	SeMiniSetup_3170_1202.exe
2100	SeMiniSetup_3170_1202.exe
2100	SeMiniSetup_3170_1202.exe
2100	SeMiniSetup_3170_1202.exe
2100	SeMiniSetup_3170_1202.exe
2100	SeMiniSetup_3170_1202.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2100	SeMiniSetup_3170_1202.exe
2100	SeMiniSetup_3170_1202.exe

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 2228 wrote to memory of 2100	2228	06fdf7771b15ca403cd2f553dbe2f1fd_JaffaCakes118.exe	31
PID 2228 wrote to memory of 2100	2228	06fdf7771b15ca403cd2f553dbe2f1fd_JaffaCakes118.exe	31
PID 2228 wrote to memory of 2100	2228	06fdf7771b15ca403cd2f553dbe2f1fd_JaffaCakes118.exe	31
PID 2228 wrote to memory of 2100	2228	06fdf7771b15ca403cd2f553dbe2f1fd_JaffaCakes118.exe	31
PID 2228 wrote to memory of 2100	2228	06fdf7771b15ca403cd2f553dbe2f1fd_JaffaCakes118.exe	31
PID 2228 wrote to memory of 2100	2228	06fdf7771b15ca403cd2f553dbe2f1fd_JaffaCakes118.exe	31
PID 2228 wrote to memory of 2100	2228	06fdf7771b15ca403cd2f553dbe2f1fd_JaffaCakes118.exe	31
PID 2228 wrote to memory of 1764	2228	06fdf7771b15ca403cd2f553dbe2f1fd_JaffaCakes118.exe	32
PID 2228 wrote to memory of 1764	2228	06fdf7771b15ca403cd2f553dbe2f1fd_JaffaCakes118.exe	32
PID 2228 wrote to memory of 1764	2228	06fdf7771b15ca403cd2f553dbe2f1fd_JaffaCakes118.exe	32
PID 2228 wrote to memory of 1764	2228	06fdf7771b15ca403cd2f553dbe2f1fd_JaffaCakes118.exe	32
PID 2228 wrote to memory of 1764	2228	06fdf7771b15ca403cd2f553dbe2f1fd_JaffaCakes118.exe	32
PID 2228 wrote to memory of 1764	2228	06fdf7771b15ca403cd2f553dbe2f1fd_JaffaCakes118.exe	32
PID 2228 wrote to memory of 1764	2228	06fdf7771b15ca403cd2f553dbe2f1fd_JaffaCakes118.exe	32
PID 2228 wrote to memory of 2784	2228	06fdf7771b15ca403cd2f553dbe2f1fd_JaffaCakes118.exe	34
PID 2228 wrote to memory of 2784	2228	06fdf7771b15ca403cd2f553dbe2f1fd_JaffaCakes118.exe	34
PID 2228 wrote to memory of 2784	2228	06fdf7771b15ca403cd2f553dbe2f1fd_JaffaCakes118.exe	34
PID 2228 wrote to memory of 2784	2228	06fdf7771b15ca403cd2f553dbe2f1fd_JaffaCakes118.exe	34
PID 2228 wrote to memory of 2784	2228	06fdf7771b15ca403cd2f553dbe2f1fd_JaffaCakes118.exe	34
PID 2228 wrote to memory of 2784	2228	06fdf7771b15ca403cd2f553dbe2f1fd_JaffaCakes118.exe	34
PID 2228 wrote to memory of 2784	2228	06fdf7771b15ca403cd2f553dbe2f1fd_JaffaCakes118.exe	34
PID 2228 wrote to memory of 744	2228	06fdf7771b15ca403cd2f553dbe2f1fd_JaffaCakes118.exe	35
PID 2228 wrote to memory of 744	2228	06fdf7771b15ca403cd2f553dbe2f1fd_JaffaCakes118.exe	35
PID 2228 wrote to memory of 744	2228	06fdf7771b15ca403cd2f553dbe2f1fd_JaffaCakes118.exe	35
PID 2228 wrote to memory of 744	2228	06fdf7771b15ca403cd2f553dbe2f1fd_JaffaCakes118.exe	35
PID 744 wrote to memory of 2928	744	gins.exe	36
PID 744 wrote to memory of 2928	744	gins.exe	36
PID 744 wrote to memory of 2928	744	gins.exe	36
PID 744 wrote to memory of 2928	744	gins.exe	36

C:\Users\Admin\AppData\Local\Temp\06fdf7771b15ca403cd2f553dbe2f1fd_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\06fdf7771b15ca403cd2f553dbe2f1fd_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2228
- C:\Users\Admin\AppData\Local\Temp\SeMiniSetup_3170_1202.exe
  "C:\Users\Admin\AppData\Local\Temp\SeMiniSetup_3170_1202.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Writes to the Master Boot Record (MBR)
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:2100
- C:\Windows\SysWOW64\drInstall.exe
  "C:\Windows\system32\drInstall.exe"
  2⤵
  - Executes dropped EXE
  PID:1764
- C:\Users\Admin\AppData\Local\Temp\TTSetup.exe
  "C:\Users\Admin\AppData\Local\Temp\TTSetup.exe"
  2⤵
  - Executes dropped EXE
  PID:2784
- C:\Windows\SysWOW64\gins.exe
  "C:\Windows\system32\gins.exe" /p-10411/-s4792
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:744
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 744 -s 152
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:2928

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\TTSetup.exe

Filesize
54KB

MD5
4890e7e7c6d86bc377dd52c276f3f6f5

SHA1
0a1ec3c867bca798aac2013a26f8efbb9a857962

SHA256
068838b5e4d8b6db08efe1a1550500c93b92d67c7a70e29db1356032f3096ee0

SHA512
35adc6fa1bc5301d16413d02d36cb3394dfe56ab75bfe3bca097ea567427025c74bc12fc3c4a218c5b5d877f2a6ef27dad9e7209f13eaae7991fa55eb46aa774

Download Submit
\Users\Admin\AppData\Local\Temp\SeMiniSetup_3170_1202.exe

Filesize
173KB

MD5
f7c61469c6f620345969e1654f3d8ce5

SHA1
25ef4a62e384bf53505b04b77078a7348e8849eb

SHA256
9f2aad3392eba89353494d3136e65435a37740a8143503b23e6fe55c27a3c84e

SHA512
5a0e127e78a29fb3f0d0c8935b590c0c702c5e4e1907e0dac969f79ff6a242deb1b2ef66144371a37bce8a99f611d8a3a88978f47e8f097feb3303434bc1c889

Download Submit
\Users\Admin\AppData\Local\Temp\pyd.dll

Filesize
82KB

MD5
2a23408ebe5285f0a76850366ecf25f5

SHA1
d38ca629f27f150869d725663842c1af680a1ea5

SHA256
ccbc1ede8afc097b0ddc0b9fcd2d160856c35de77102c1cf5b5f37635d1ba9dd

SHA512
54a946897300ffa3588abd30bb3d850f5ec55283a2dbae4ad8f19e1269361bac23228a1a0d881c4ff9c3df02ebe0b4048730b155a7e2d60c53ed6f66ef953991

Download Submit
\Windows\SysWOW64\drInstall.exe

Filesize
25KB

MD5
635d1f8c9c39a393840df7f352c10c9d

SHA1
8514f914961d04b8429c36182e8dc28e2909e135

SHA256
d1a204e0aa9dd4feb37ae32eac96dc89cd03be642c1b4a14fd5c95da463e4f32

SHA512
1acb5f84d0ba5f459963f2582acfffbb8335b83fc4bc7cb288412dbf3deb969990b733b71996908247713c3f10ad0e18906f3a7818c292d1eb37fb449c528576

Download Submit
\Windows\SysWOW64\gins.exe

Filesize
191KB

MD5
33f8e78919fa534018599e5b3b6fe467

SHA1
87d1d69ee5888fcf6d96acd82f0df1c590964e8e

SHA256
6951b8892d2dc0f151c72573a2699a1ca6b163e1f71aff25255e09b8deda7fa4

SHA512
9105cdaa83ee834fc5e26101684dec2415b8b8383eb0e3211d2415fa425cc4df120c167aaa400d0331ab05e5e7a0ae17b9433cd4c3f05b7eda74996c3b37d285

Download Submit
memory/744-45-0x0000000010000000-0x000000001003A000-memory.dmp

Filesize
232KB

Download
memory/744-46-0x0000000010000000-0x000000001003A000-memory.dmp

Filesize
232KB

Download
memory/744-43-0x0000000010000000-0x000000001003A000-memory.dmp

Filesize
232KB

Download
memory/1764-21-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/1764-25-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2228-29-0x00000000002B0000-0x00000000002CA000-memory.dmp

Filesize
104KB

Download
memory/2228-18-0x00000000002B0000-0x00000000002C3000-memory.dmp

Filesize
76KB

Download
memory/2784-31-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2784-34-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads