e2f655057b70e5e388804476017398a74cdd934413f32a182adcf797e71909b2

Analysis

max time kernel
58s
max time network
19s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
05/10/2024, 11:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

177e97a080aad715c500464d94f32f7c_JaffaCakes118.exe
Size

183KB
MD5

177e97a080aad715c500464d94f32f7c
SHA1

49350bea2328c25c6222362ca931f047b0b0a22b
SHA256

e2f655057b70e5e388804476017398a74cdd934413f32a182adcf797e71909b2
SHA512

36af098aec220215f33483c324f64a6be4043ed12abe710969bde758a67c1dbc84f4dbc8a30fa54d4232f6ada359097a1655046a406a34691d2fd505177e724f
SSDEEP

3072:i0KyNDEMiyPmcNOApUSifEtkewtUNZzCvEEzF1PFXKnumDBKjc4/:VKkEMV+4OkgebNZz9yTPsuxj

Score

8^/10

bootkit discovery persistence

Malware Config

Signatures

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\654d3600\imagepath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\Gcb986Z.tmp"	177e97a080aad715c500464d94f32f7c_JaffaCakes118.exe

Unexpected DNS network traffic destination 4 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	93.188.160.171
Destination IP	93.188.165.200
Destination IP	93.188.160.171
Destination IP	93.188.165.200

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\physicaldrive0	177e97a080aad715c500464d94f32f7c_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	177e97a080aad715c500464d94f32f7c_JaffaCakes118.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
2644	177e97a080aad715c500464d94f32f7c_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2644	177e97a080aad715c500464d94f32f7c_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\177e97a080aad715c500464d94f32f7c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\177e97a080aad715c500464d94f32f7c_JaffaCakes118.exe"
1⤵
- Sets service image path in registry
- Writes to the Master Boot Record (MBR)
- System Location Discovery: System Language Discovery
- Suspicious behavior: LoadsDriver
- Suspicious use of SetWindowsHookEx
PID:2644

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2644-4-0x0000000000250000-0x000000000025E000-memory.dmp

Filesize
56KB

Download
memory/2644-0-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2644-5-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2644-8-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads