Overview

overview

8

Static

static

3

2e391c25a1...18.exe

windows7-x64

8

2e391c25a1...18.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    148s
  • max time network
    147s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
  • submitted
    09/10/2024, 08:52

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    2e391c25a113b890b3f4dd5dc81230e5_JaffaCakes118.exe

  • Size

    391KB

  • MD5

    2e391c25a113b890b3f4dd5dc81230e5

  • SHA1

    61537ea107c566eeae6d1a476e0feac67c2c21d8

  • SHA256

    bdbac2f17795626b5f2c7174327e118b212eee9ea7f291113661cf91dd5fb59c

  • SHA512

    708a29e55e0e7962b9e039a7e5205210ea689d3dabf36bd43405d96265cfd4a750975ef7a19f4bfe25df9de2da53be9e150f03d84a8433c1f625cd6380825e5a

  • SSDEEP

    6144:OY9GYX5o45hdzgdfmgFL1yISqsZXj3vjw7a144ghCgOVXlfYfpdhZacivDgr+C:OhmjvdzJgFkdj3rGro1mWcirgb

Score
8/10
adwarebootkitdiscoverypersistencestealer

Malware Config

Signatures

  • Drops file in Drivers directory 1 IoCs
  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 54 IoCs
  • Installs/modifies Browser Helper Object 2 TTPs 2 IoCs

    BHOs are DLL modules which act as plugins for Internet Explorer.

    stealeradware
  • Writes to the Master Boot Record (MBR) 1 TTPs 3 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

    bootkitpersistence
  • Drops file in System32 directory 20 IoCs
  • Drops file in Windows directory 13 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry class 47 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2e391c25a113b890b3f4dd5dc81230e5_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\2e391c25a113b890b3f4dd5dc81230e5_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Writes to the Master Boot Record (MBR)
    • Drops file in System32 directory
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1792
    • C:\Windows\SysWOW64\regsvr32.exe
      C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32/4bl4.dll"
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2812
    • C:\Windows\SysWOW64\regsvr32.exe
      C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32/c6cb.dll"
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2792
    • C:\Windows\SysWOW64\regsvr32.exe
      C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32/353r.dll"
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2808
    • C:\Windows\SysWOW64\regsvr32.exe
      C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32/b33o.dll"
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2880
    • C:\Windows\SysWOW64\regsvr32.exe
      C:\Windows\system32\regsvr32.exe /s "C:\Windows\system32/b33o.dll"
      2⤵
      • Loads dropped DLL
      • Installs/modifies Browser Helper Object
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      PID:2092
    • C:\Windows\SysWOW64\36bd.exe
      C:\Windows\system32/36bd.exe -i
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      PID:2992
    • C:\Windows\SysWOW64\36bd.exe
      C:\Windows\system32/36bd.exe -s
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      PID:2612
    • C:\Users\Admin\AppData\Local\Temp\h8nil4o8\mtv.exe
      C:\Users\Admin\AppData\Local\Temp\h8nil4o8\mtv.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:2024
    • C:\Windows\SysWOW64\rundll32.exe
      C:\Windows\system32\rundll32 C:\Windows\system32/36be.dll, Always
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      PID:584
  • C:\Windows\SysWOW64\36bd.exe
    C:\Windows\SysWOW64\36bd.exe
    1⤵
    • Drops file in Drivers directory
    • Executes dropped EXE
    • Loads dropped DLL
    • Writes to the Master Boot Record (MBR)
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2020
    • C:\Windows\SysWOW64\rundll32.exe
      C:\Windows\system32\rundll32 C:\Windows\system32/36be.dll,Always
      2⤵
      • Loads dropped DLL
      • Writes to the Master Boot Record (MBR)
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      PID:536

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\h8nil4o8\b.dll
          Filesize

          115KB

          MD5

          f4e4aa7a94e1411c7cb0e1e5d52eb1b7

          SHA1

          94cb110206ffcc54c830fc77c99ba5acf412b325

          SHA256

          a7ba7ca8ff82a848139674d88d2ca142bf76d9632abfc984478e0c831305f3a7

          SHA512

          1fd76c71869d5870e9fef0a4a8f7580c01ab2f061dba38cc02f58e58d54ec19b7aadf1ab8c393034e5c82abd0adf754cceb9dc594113c1db1d18f86687d1b0c8

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\h8nil4o8\p.dll
          Filesize

          425KB

          MD5

          337c5831d26704628074da5d71550ac6

          SHA1

          fa60ef4505986ef0abce78b7a5553e8b37e8eb2b

          SHA256

          91d1072d527434771213336a48948cdef264e1fabb7d1af987a14842cb8c9621

          SHA512

          01bd751c3d436da3746a1ff6739d5a01446a501da583ff5fc095a5da82d858524f98de00417584c2f81589b152919568ea2300881e45ef5f31bc8e0ed9bb5dbf

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\h8nil4o8\s.exe
          Filesize

          144KB

          MD5

          3ba03faeee768eec0fb7ebab8c3ede84

          SHA1

          9098cc99395c766487b736b52ca0114ea2d67e82

          SHA256

          59a1f5456aeb7954c13ffcfb096e9aaa61afcabdea4904b4c9e1025fce2e4e3d

          SHA512

          1bcb3a86fcb2388098f4e19083c82d12ed7cabf8a779551c5fc9355881f6bbf4b3d34385d88e5024e7b71aea9a82d169fcce9eebc89b77d0db1c75acd7aeec1f

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\ksa4\tmp.exe
          Filesize

          136KB

          MD5

          86dc6028dd39c64b1681892865b33888

          SHA1

          5b11fc34b36e131f31a5fef3c8e320b49963ca98

          SHA256

          fd3eb7acf6bd5eba77d90ea4329aebf6ef5c51a148f167900a251d843fa73d93

          SHA512

          a9205faa705f4667e038c9b0b22321f202bcb10f1264edb3853718c8904c6dc4c21f093cb315f75999374da82f193d3110f9364c8e0ed86d99b41f1a1f4b3263

          Download Submit

        • \Users\Admin\AppData\Local\Temp\h8nil4o8\mtv.exe
          Filesize

          104KB

          MD5

          d81cf0de59a7e8e31f69184902622cc4

          SHA1

          badcdb2b96c0145dba5c3207e2d78e9a292863fa

          SHA256

          901c7c8da35c896b70afcca251536fd6ff50f3915c3dfc5e028c2e43e6577c2a

          SHA512

          5570172ebebcc55c29593a828894b153ba16cf787d5b592a1f20636dcb826922674b824b8c46c4f597f2ccc84f68d25135f87ee7a3af5d8dfe039ab48ae4c4c4

          Download Submit

        • memory/1792-3-0x0000000000260000-0x0000000000262000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1792-2-0x0000000000300000-0x000000000037F000-memory.dmp

          Filesize

          508KB

          Download

        • memory/1792-1-0x0000000000300000-0x000000000037F000-memory.dmp

          Filesize

          508KB

          Download

        • memory/1792-0-0x0000000000400000-0x000000000047F000-memory.dmp

          Filesize

          508KB

          Download

        • memory/1792-134-0x0000000000400000-0x000000000047F000-memory.dmp

          Filesize

          508KB

          Download

        • memory/2020-155-0x0000000010000000-0x0000000010020000-memory.dmp

          Filesize

          128KB

          Download

        • memory/2020-165-0x0000000010000000-0x0000000010020000-memory.dmp

          Filesize

          128KB

          Download

        • memory/2020-138-0x0000000010000000-0x0000000010020000-memory.dmp

          Filesize

          128KB

          Download

        • memory/2020-140-0x0000000010000000-0x0000000010020000-memory.dmp

          Filesize

          128KB

          Download

        • memory/2020-143-0x0000000010000000-0x0000000010020000-memory.dmp

          Filesize

          128KB

          Download

        • memory/2020-148-0x0000000010000000-0x0000000010020000-memory.dmp

          Filesize

          128KB

          Download

        • memory/2020-150-0x0000000010000000-0x0000000010020000-memory.dmp

          Filesize

          128KB

          Download

        • memory/2020-152-0x0000000010000000-0x0000000010020000-memory.dmp

          Filesize

          128KB

          Download

        • memory/2020-189-0x0000000010000000-0x0000000010020000-memory.dmp

          Filesize

          128KB

          Download

        • memory/2020-157-0x0000000010000000-0x0000000010020000-memory.dmp

          Filesize

          128KB

          Download

        • memory/2020-160-0x0000000010000000-0x0000000010020000-memory.dmp

          Filesize

          128KB

          Download

        • memory/2020-161-0x0000000010000000-0x0000000010020000-memory.dmp

          Filesize

          128KB

          Download

        • memory/2020-163-0x0000000010000000-0x0000000010020000-memory.dmp

          Filesize

          128KB

          Download

        • memory/2020-88-0x0000000010000000-0x0000000010020000-memory.dmp

          Filesize

          128KB

          Download

        • memory/2020-167-0x0000000010000000-0x0000000010020000-memory.dmp

          Filesize

          128KB

          Download

        • memory/2020-169-0x0000000010000000-0x0000000010020000-memory.dmp

          Filesize

          128KB

          Download

        • memory/2020-171-0x0000000010000000-0x0000000010020000-memory.dmp

          Filesize

          128KB

          Download

        • memory/2020-174-0x0000000010000000-0x0000000010020000-memory.dmp

          Filesize

          128KB

          Download

        • memory/2020-173-0x0000000010000000-0x0000000010020000-memory.dmp

          Filesize

          128KB

          Download

        • memory/2020-176-0x0000000010000000-0x0000000010020000-memory.dmp

          Filesize

          128KB

          Download

        • memory/2020-179-0x0000000010000000-0x0000000010020000-memory.dmp

          Filesize

          128KB

          Download

        • memory/2020-178-0x0000000010000000-0x0000000010020000-memory.dmp

          Filesize

          128KB

          Download

        • memory/2020-181-0x0000000010000000-0x0000000010020000-memory.dmp

          Filesize

          128KB

          Download

        • memory/2020-182-0x0000000010000000-0x0000000010020000-memory.dmp

          Filesize

          128KB

          Download

        • memory/2020-185-0x0000000010000000-0x0000000010020000-memory.dmp

          Filesize

          128KB

          Download

        • memory/2092-62-0x0000000010000000-0x0000000010020000-memory.dmp

          Filesize

          128KB

          Download