Analysis

  • max time kernel: 150s
  • max time network: 151s
  • platform: windows10-2004_x64
  • resource: win10v2004-20240802-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 04/10/2024, 09:49

General

  • Target: 12d67916f32e43dcd384bed762f1c8c2_JaffaCakes118.exe
  • Size: 821KB
  • MD5: 12d67916f32e43dcd384bed762f1c8c2
  • SHA1: 2791db72fd570f9e9fec126994ab384b24470367
  • SHA256: bafa5efb1d1b8b426d115bd6c60404520a52ebad0423747b02f9c7eceb2e7c2d
  • SHA512: b7b6bd17c96e7b817306475938e558d494e226f050de0087dfd7834c12e69ca427e428742c2c548c102909573da452a47921ccaf5e7595c3cf5f1474e11d88fa
  • SSDEEP: 24576:vvYRYGIkhf56u7Sx+mouKs2Xr0znAn4BL:vcYGI0faxhqGnAY

Signatures

  • Boot or Logon Autostart Execution: Active Setup (2 TTPs, 5 IoCs)

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Executes dropped EXE (1 IoCs)
  • Adds Run key to start application (2 TTPs, 1 IoCs)
  • Enumerates connected drives (3 TTPs, 29 IoCs)

    Attempts to read the root path of hard drives other than the default C: drive.

  • Writes to the Master Boot Record (MBR) (1 TTPs, 1 IoCs)

    Bootkits write to the MBR to gain persistence at a level below the operating system.

  • Enumerates physical storage devices (1 TTPs)

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery (1 TTPs, 2 IoCs)

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks SCSI registry key(s) (3 TTPs, 64 IoCs)

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies Internet Explorer settings (1 TTPs, 4 IoCs)
  • Modifies data under HKEY_USERS (64 IoCs)
  • Modifies registry class (64 IoCs)
  • Suspicious behavior: AddClipboardFormatListener (1 IoCs)
  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious use of AdjustPrivilegeToken (64 IoCs)
  • Suspicious use of FindShellTrayWindow (64 IoCs)
  • Suspicious use of SendNotifyMessage (64 IoCs)
  • Suspicious use of SetWindowsHookEx (7 IoCs)
  • Suspicious use of WriteProcessMemory (13 IoCs)
  • Uses Task Scheduler COM API (1 TTPs)

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

  • Uses Volume Shadow Copy WMI provider

    The Volume Shadow Copy service is used to manage backups/snapshots.

  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\12d67916f32e43dcd384bed762f1c8c2_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\12d67916f32e43dcd384bed762f1c8c2_JaffaCakes118.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:4792
    • C:\ProgramData\privacy.exe
      C:\ProgramData\privacy.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Enumerates connected drives
      • Writes to the Master Boot Record (MBR)
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      PID:2188
  • C:\Windows\system32\sihost.exe
    sihost.exe
    1⤵
    • Suspicious use of FindShellTrayWindow
    PID:988
  • C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
    "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
    1⤵
    • Modifies data under HKEY_USERS
    • Suspicious use of SetWindowsHookEx
    PID:2620
  • C:\Windows\system32\sihost.exe
    sihost.exe
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2960
    • C:\Windows\explorer.exe
      explorer.exe /LOADSAVEDWINDOWS
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Enumerates connected drives
      • Checks SCSI registry key(s)
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:4020
  • C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
    "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
    1⤵
    • Modifies data under HKEY_USERS
    • Suspicious use of SetWindowsHookEx
    PID:1448
  • C:\Windows\system32\sihost.exe
    sihost.exe
    1⤵
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:864
    • C:\Windows\explorer.exe
      explorer.exe /LOADSAVEDWINDOWS
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Enumerates connected drives
      • Checks SCSI registry key(s)
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2220
  • C:\Windows\system32\sihost.exe
    sihost.exe
    1⤵
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:868
    • C:\Windows\explorer.exe
      explorer.exe /LOADSAVEDWINDOWS
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Enumerates connected drives
      • Checks SCSI registry key(s)
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:3952
  • C:\Windows\system32\sihost.exe
    sihost.exe
    1⤵
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:4300
    • C:\Windows\explorer.exe
      explorer.exe /LOADSAVEDWINDOWS
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SendNotifyMessage
      PID:644
  • C:\Windows\system32\sihost.exe
    sihost.exe
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1288
    • C:\Windows\explorer.exe
      explorer.exe /LOADSAVEDWINDOWS
      2⤵
      • Modifies registry class
      PID:216
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Enumerates connected drives
    • Checks SCSI registry key(s)
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    PID:3856
  • C:\Windows\explorer.exe
    C:\Windows\explorer.exe /factory,{682159d9-c321-47ca-b3f1-30e36b2ec8b9} -Embedding
    1⤵
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    PID:2312
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {9BA05972-F6A8-11CF-A442-00A0C90A8F39} -Embedding
    1⤵
      PID:3688

    MITRE ATT&CK Enterprise v15
    Downloads

    • C:\ProgramData\privacy.exe (807KB)
      MD5: b203fbbf832393290b1d0e16a888c07f
      SHA1: ca5621af80ea3a8bd9662f0b38e9ccf4df1c30c7
      SHA256: 077cde9443fe4f52f6b940569b7b980d00137e4265a51012797cb506f11d3c79
      SHA512: 2c7945437b73106d72adc7807f55a66024216cc0d08ffd03d61efee11ebe65bbf0af17cac789f678bc84ffbdbb72cf15a9c6d6d5f18802b35bce91699cdf09ec

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9 (471B)
      MD5: 6414d215581638d14c738529b24976a4
      SHA1: 80b67d5ae79a7aeb03b0308af8094d550c571cdc
      SHA256: 6d66a44486442fa1f34befd675c1a0010f7dabc5698e790dc204db34daf3c504
      SHA512: ec0d73e23e006913f67b433d8c92f86e141666e0422801231bf34195517752a0db976c0ea74253b56381f3260354053ca64b63ed45dd1bdfdd3478aa76952733

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9 (420B)
      MD5: b313c2ca998a0b21291d8f676600f8b0
      SHA1: 857329e2e357558fd06af23c7185a3c05639c28b
      SHA256: ca65297bc9d87e3d97756881d3b686bc5c8ffa210acbf480ffdef0981c5b9af4
      SHA512: c4a1af172e97594ec04c658cbd443bc06c1aba3ec2a7c87846cf70c578d70c49fe1e64477fe1a0250c83fbc15e7490a19a92a2546025c02c814e944d9f15a3b4

    • C:\Users\Admin\AppData\Local\IconCache.db (16KB)
      MD5: 732daf3d7b9784a750744828f601de00
      SHA1: 81b40c79d7f11ad8864b62fa1e877add505c848f
      SHA256: fe9d4367774bd4f5f86252df27c98fcdb591fd181ac0e4a53a87305c3485b97a
      SHA512: 0432184330e09f6f371a5e389942c24571c3ba2388da26a7de09fd719b35108b2edc90842094cc988ec0cc51ef2e8ee11754635a619960e5084c4ffddc107d99

    • C:\Users\Admin\AppData\Local\Microsoft\PenWorkspace\DiscoverCacheData.dat (1022B)
      MD5: 61ec92e853fb9cea2604dfab51a573c7
      SHA1: 30c9f6f1d0cf9d04bb31e4cbab9935b87c108063
      SHA256: af5945e5484c4e6300df632bc2877f3fd972ff69203b9fe0389e04029e7bd2f8
      SHA512: f1e85a115d72d89346cb6232a384b1f2dc90ea8e092e7a2ad5f04c14b5e98d8fe8d013a67c226a05421f0c65186e74ffb2c4bbf037cb3242f516fe8201d63fe7

    • C:\Users\Admin\AppData\Local\Temp\{6AD02C12-E135-43E3-94D3-93445647F57A}.png (6KB)
      MD5: 099ba37f81c044f6b2609537fdb7d872
      SHA1: 470ef859afbce52c017874d77c1695b7b0f9cb87
      SHA256: 8c98c856e4d43f705ff9a5c9a55f92e1885765654912b4c75385c3ea2fdef4a7
      SHA512: 837e1ad7fe4f5cbc0a87f3703ba211c18f32b20df93b23f681cbd0390d8077adba64cf6454a1bb28df1f7df4cb2cdc021d826b6ef8db890e40f21d618d5eb07a

    • C:\Users\Public\Desktop\Privacy Protection.lnk (672B)
      MD5: b61663bed5c9434b4689b92043400406
      SHA1: 3b4a2524b2d55479335cef1acf6d07be6cd083d7
      SHA256: 65b918d9f0449700bee664e34ec084847b7415468f90575df6c120c9fb089d02
      SHA512: a601b07c8c95844db0f4f5e9d89111cf6b82056f6141f7f2814992aa82b4913130f51eb5efa2c6ef286f795acc046597862940af8dc9bc74e964026192065c15

    • memory/2188-0x0000000000400000-0x0000000000A0F000-memory.dmp (6.1MB); identical region dumped at snapshots 14, 15, 16, 18, 19, 20, 29, 35, 44, 46, 47, 63, 64, 71, 72, 73, 74, 80, 81, 82, 85, 86, 87, 88
    • memory/3856-55-0x0000000004C40000-0x0000000004C41000-memory.dmp (4KB)
    • memory/3952-49-0x0000000004480000-0x0000000004481000-memory.dmp (4KB)
    • memory/4020-37-0x0000000004520000-0x0000000004521000-memory.dmp (4KB)
    • memory/4792-0x0000000000400000-0x00000000004DD000-memory.dmp (884KB); identical region dumped at snapshots 0, 2, 27
    • memory/4792-7-0x0000000000404000-0x0000000000405000-memory.dmp (4KB)
    • memory/4792-1-0x0000000000680000-0x0000000000681000-memory.dmp (4KB)