Analysis

  • max time kernel
    18s
  • max time network
    19s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    04/10/2024, 18:41

General

  • Target

    148327a59b3f1020a2f2cccc47d19dfb_JaffaCakes118.exe

  • Size

    2.3MB

  • MD5

    148327a59b3f1020a2f2cccc47d19dfb

  • SHA1

    4bf8542cf745ab80bb8e08ad7c9effd8a918b59f

  • SHA256

    9c2c0be7f6fc2a252852d108251c01f65ccc53ad81e75235608a33db5d44a677

  • SHA512

    b6a097a5b5971cc7fedac0d9104e3a359652766bdf8df9d7d772c480cb9a595d78e0003bcca357696cf97e714056c36782e4319d859b3628ce22982aca320af0

  • SSDEEP

    49152:Y8ev4j/fTa2Nj0YRJ+tqb+U/f6pN4yhW8Chlsu4I:Bev4jX7IYRJ+C+UfShWdh/j

Malware Config

Signatures

  • UAC bypass 3 TTPs 6 IoCs
  • Checks for common network interception software 1 TTPs

    Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.

  • Enumerates VirtualBox registry keys 2 TTPs 1 IoCs
  • Drops file in Drivers directory 4 IoCs
  • Checks for any installed AV software in registry 1 TTPs 1 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Checks whether UAC is enabled 1 TTPs 2 IoCs
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

  • Suspicious use of SetThreadContext 1 IoCs
  • UPX packed file 6 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies Internet Explorer settings 1 TTPs 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 17 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs
  • System policy modification 1 TTPs 7 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\148327a59b3f1020a2f2cccc47d19dfb_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\148327a59b3f1020a2f2cccc47d19dfb_JaffaCakes118.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2180
    • C:\Users\Admin\AppData\Local\Temp\148327a59b3f1020a2f2cccc47d19dfb_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\148327a59b3f1020a2f2cccc47d19dfb_JaffaCakes118.exe" "C:\Users\Admin\AppData\Local\Temp\148327a59b3f1020a2f2cccc47d19dfb_JaffaCakes118.exe"
      2⤵
      • UAC bypass
      • Enumerates VirtualBox registry keys
      • Drops file in Drivers directory
      • Checks for any installed AV software in registry
      • Checks whether UAC is enabled
      • Enumerates connected drives
      • Writes to the Master Boot Record (MBR)
      • System Location Discovery: System Language Discovery
      • Modifies Internet Explorer settings
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:2480
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2480 -s 896
        3⤵
        • Program crash
        PID:2504

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\ProgramData\PSRPKCZG\PSKCEHEIOOG.cfg

          Filesize

          185B

          MD5

          b8224e5293d4fad1927c751cc00c80e7

          SHA1

          270b8c752c7e93ec5485361fe6ef7b37f0b4513b

          SHA256

          c47da9be4fc4d757add73c49654c9179067af547d0cc758d6356e2955bbfcb61

          SHA512

          8fed9a509e46319529145fa2159251e43040d26080af84e44badaab1dd339c767ff75a2c473bc0abfb448b03beb96718ee34ba6bc150ed3085322878b55a22f2

        • C:\Windows\System32\drivers\etc\host_new

          Filesize

          977B

          MD5

          53316bc0c42b9d65743709021f1d03c7

          SHA1

          44cfe377bf7fedee2ce8f888cfacefd283e924e6

          SHA256

          600d914eb6b9ffb387be5b7300ca138192a4e86c4679c9bff36bcf0364e74b36

          SHA512

          9b390f6d7955413c8d63d02dff6988442cf78bbfb72e12f7deab56b190c1a7f455c5af3344ee5a1f7477d383c24e567af4fb7639ab6d9f014935418bf1cf00f6

        • memory/2180-4-0x0000000000400000-0x0000000000657000-memory.dmp

          Filesize

          2.3MB

        • memory/2480-3-0x0000000013140000-0x000000001372D000-memory.dmp

          Filesize

          5.9MB

        • memory/2480-6-0x0000000013140000-0x000000001372D000-memory.dmp

          Filesize

          5.9MB

        • memory/2480-0-0x0000000013140000-0x000000001372D000-memory.dmp

          Filesize

          5.9MB

        • memory/2480-1-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

          Filesize

          4KB

        • memory/2480-8-0x0000000013140000-0x000000001372D000-memory.dmp

          Filesize

          5.9MB

        • memory/2480-7-0x0000000013140000-0x000000001372D000-memory.dmp

          Filesize

          5.9MB

        • memory/2480-9-0x0000000000330000-0x0000000000331000-memory.dmp

          Filesize

          4KB

        • memory/2480-135-0x0000000013140000-0x000000001372D000-memory.dmp

          Filesize

          5.9MB

        • memory/2480-136-0x0000000013140000-0x000000001372D000-memory.dmp

          Filesize

          5.9MB