Analysis
- max time kernel: 147s
- max time network: 17s
- platform: windows7_x64
- resource: win7-20240708-en
- resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
- submitted: 14/10/2024, 22:50
Static task: static1
Behavioral task: behavioral1
  Sample: 4490c02f7c00f0bd3b1651dc14ffe0c2_JaffaCakes118.exe
  Resource: win7-20240708-en
Behavioral task: behavioral2
  Sample: 4490c02f7c00f0bd3b1651dc14ffe0c2_JaffaCakes118.exe
  Resource: win10v2004-20241007-en
General
- Target: 4490c02f7c00f0bd3b1651dc14ffe0c2_JaffaCakes118.exe
- Size: 281KB
- MD5: 4490c02f7c00f0bd3b1651dc14ffe0c2
- SHA1: a6821c3d1155b4cc03fdd951feb68be9245dbcf2
- SHA256: e61c5d7070dc5d2eda2961f68f7681ff7ceedbff0ae791a3347d8c811731d864
- SHA512: 2a3655a22c2f8ac190b5aa636410c359f8f9df5779f8c6ac8782d5d109da8fc353c680faaaf6e30a12cb068c9c90c2f934b8f44a63ea07e041dd01427f14f9c6
- SSDEEP: 6144:gUyMHM8MX71fo8G0cZUyK98gWNlPTGQQm6agrdI9qMe:gl8ML1fo8GpNtTirdIwMe
Malware Config
Signatures
-
Executes dropped EXE (10 IoCs)
pid   Process
2900  Blue.exe
2680  Blue.exe
2064  Blue.exe
3052  Blue.exe
3048  Blue.exe
680   Blue.exe
2116  Blue.exe
332   Blue.exe
1368  Blue.exe
2072  Blue.exe
Loads dropped DLL (20 IoCs)
pid   Process
1080  4490c02f7c00f0bd3b1651dc14ffe0c2_JaffaCakes118.exe
1080  4490c02f7c00f0bd3b1651dc14ffe0c2_JaffaCakes118.exe
2900  Blue.exe
2900  Blue.exe
2680  Blue.exe
2680  Blue.exe
2064  Blue.exe
2064  Blue.exe
3052  Blue.exe
3052  Blue.exe
3048  Blue.exe
3048  Blue.exe
680   Blue.exe
680   Blue.exe
2116  Blue.exe
2116  Blue.exe
332   Blue.exe
332   Blue.exe
1368  Blue.exe
1368  Blue.exe
Writes to the Master Boot Record (MBR) (1 TTP, 11 IoCs)
Bootkits write to the MBR to gain persistence at a level below the operating system.
description                  ioc                 Process
File opened for modification \??\PhysicalDrive0  Blue.exe
File opened for modification \??\PhysicalDrive0  Blue.exe
File opened for modification \??\PhysicalDrive0  Blue.exe
File opened for modification \??\PhysicalDrive0  Blue.exe
File opened for modification \??\PhysicalDrive0  Blue.exe
File opened for modification \??\PhysicalDrive0  Blue.exe
File opened for modification \??\PhysicalDrive0  4490c02f7c00f0bd3b1651dc14ffe0c2_JaffaCakes118.exe
File opened for modification \??\PhysicalDrive0  Blue.exe
File opened for modification \??\PhysicalDrive0  Blue.exe
File opened for modification \??\PhysicalDrive0  Blue.exe
File opened for modification \??\PhysicalDrive0  Blue.exe
Drops file in System32 directory (22 IoCs)
description                  ioc                            Process
File created                 C:\Windows\SysWOW64\Blue.exe   4490c02f7c00f0bd3b1651dc14ffe0c2_JaffaCakes118.exe
File opened for modification C:\Windows\SysWOW64\Blue.exe   Blue.exe
File created                 C:\Windows\SysWOW64\Blue.exe   Blue.exe
File opened for modification C:\Windows\SysWOW64\Blue.exe   Blue.exe
File created                 C:\Windows\SysWOW64\Blue.exe   Blue.exe
File created                 C:\Windows\SysWOW64\Blue.exe   Blue.exe
File created                 C:\Windows\SysWOW64\Blue.exe   Blue.exe
File created                 C:\Windows\SysWOW64\Blue.exe   Blue.exe
File created                 C:\Windows\SysWOW64\Blue.exe   Blue.exe
File opened for modification C:\Windows\SysWOW64\Blue.exe   Blue.exe
File opened for modification C:\Windows\SysWOW64\Blue.exe   4490c02f7c00f0bd3b1651dc14ffe0c2_JaffaCakes118.exe
File opened for modification C:\Windows\SysWOW64\Blue.exe   Blue.exe
File opened for modification C:\Windows\SysWOW64\Blue.exe   Blue.exe
File opened for modification C:\Windows\SysWOW64\Blue.exe   Blue.exe
File opened for modification C:\Windows\SysWOW64\Blue.exe   Blue.exe
File opened for modification C:\Windows\SysWOW64\Blue.exe   Blue.exe
File created                 C:\Windows\SysWOW64\Blue.exe   Blue.exe
File created                 C:\Windows\SysWOW64\Blue.exe   Blue.exe
File opened for modification C:\Windows\SysWOW64\Blue.exe   Blue.exe
File created                 C:\Windows\SysWOW64\Blue.exe   Blue.exe
File created                 C:\Windows\SysWOW64\Blue.exe   Blue.exe
File opened for modification C:\Windows\SysWOW64\Blue.exe   Blue.exe
System Location Discovery: System Language Discovery (1 TTP, 11 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc                                                         Process
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Blue.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Blue.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Blue.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Blue.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Blue.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Blue.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  4490c02f7c00f0bd3b1651dc14ffe0c2_JaffaCakes118.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Blue.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Blue.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Blue.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Blue.exe
Suspicious use of WriteProcessMemory (40 IoCs)
description                       pid   Process                                             procid_target
PID 1080 wrote to memory of 2900  1080  4490c02f7c00f0bd3b1651dc14ffe0c2_JaffaCakes118.exe  30
PID 1080 wrote to memory of 2900  1080  4490c02f7c00f0bd3b1651dc14ffe0c2_JaffaCakes118.exe  30
PID 1080 wrote to memory of 2900  1080  4490c02f7c00f0bd3b1651dc14ffe0c2_JaffaCakes118.exe  30
PID 1080 wrote to memory of 2900  1080  4490c02f7c00f0bd3b1651dc14ffe0c2_JaffaCakes118.exe  30
PID 2900 wrote to memory of 2680  2900  Blue.exe                                            31
PID 2900 wrote to memory of 2680  2900  Blue.exe                                            31
PID 2900 wrote to memory of 2680  2900  Blue.exe                                            31
PID 2900 wrote to memory of 2680  2900  Blue.exe                                            31
PID 2680 wrote to memory of 2064  2680  Blue.exe                                            32
PID 2680 wrote to memory of 2064  2680  Blue.exe                                            32
PID 2680 wrote to memory of 2064  2680  Blue.exe                                            32
PID 2680 wrote to memory of 2064  2680  Blue.exe                                            32
PID 2064 wrote to memory of 3052  2064  Blue.exe                                            33
PID 2064 wrote to memory of 3052  2064  Blue.exe                                            33
PID 2064 wrote to memory of 3052  2064  Blue.exe                                            33
PID 2064 wrote to memory of 3052  2064  Blue.exe                                            33
PID 3052 wrote to memory of 3048  3052  Blue.exe                                            34
PID 3052 wrote to memory of 3048  3052  Blue.exe                                            34
PID 3052 wrote to memory of 3048  3052  Blue.exe                                            34
PID 3052 wrote to memory of 3048  3052  Blue.exe                                            34
PID 3048 wrote to memory of 680   3048  Blue.exe                                            35
PID 3048 wrote to memory of 680   3048  Blue.exe                                            35
PID 3048 wrote to memory of 680   3048  Blue.exe                                            35
PID 3048 wrote to memory of 680   3048  Blue.exe                                            35
PID 680 wrote to memory of 2116   680   Blue.exe                                            36
PID 680 wrote to memory of 2116   680   Blue.exe                                            36
PID 680 wrote to memory of 2116   680   Blue.exe                                            36
PID 680 wrote to memory of 2116   680   Blue.exe                                            36
PID 2116 wrote to memory of 332   2116  Blue.exe                                            37
PID 2116 wrote to memory of 332   2116  Blue.exe                                            37
PID 2116 wrote to memory of 332   2116  Blue.exe                                            37
PID 2116 wrote to memory of 332   2116  Blue.exe                                            37
PID 332 wrote to memory of 1368   332   Blue.exe                                            38
PID 332 wrote to memory of 1368   332   Blue.exe                                            38
PID 332 wrote to memory of 1368   332   Blue.exe                                            38
PID 332 wrote to memory of 1368   332   Blue.exe                                            38
PID 1368 wrote to memory of 2072  1368  Blue.exe                                            39
PID 1368 wrote to memory of 2072  1368  Blue.exe                                            39
PID 1368 wrote to memory of 2072  1368  Blue.exe                                            39
PID 1368 wrote to memory of 2072  1368  Blue.exe                                            39
Processes (each level is spawned by the process at the level above it)
Level 1: C:\Users\Admin\AppData\Local\Temp\4490c02f7c00f0bd3b1651dc14ffe0c2_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\4490c02f7c00f0bd3b1651dc14ffe0c2_JaffaCakes118.exe"
  - Loads dropped DLL
  - Writes to the Master Boot Record (MBR)
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 1080
Level 2: C:\Windows\SysWOW64\Blue.exe
  Command line: C:\Windows\system32\Blue.exe 472 "C:\Users\Admin\AppData\Local\Temp\4490c02f7c00f0bd3b1651dc14ffe0c2_JaffaCakes118.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  - Writes to the Master Boot Record (MBR)
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 2900
Level 3: C:\Windows\SysWOW64\Blue.exe
  Command line: C:\Windows\system32\Blue.exe 544 "C:\Windows\SysWOW64\Blue.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  - Writes to the Master Boot Record (MBR)
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 2680
Level 4: C:\Windows\SysWOW64\Blue.exe
  Command line: C:\Windows\system32\Blue.exe 552 "C:\Windows\SysWOW64\Blue.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  - Writes to the Master Boot Record (MBR)
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 2064
Level 5: C:\Windows\SysWOW64\Blue.exe
  Command line: C:\Windows\system32\Blue.exe 548 "C:\Windows\SysWOW64\Blue.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  - Writes to the Master Boot Record (MBR)
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 3052
Level 6: C:\Windows\SysWOW64\Blue.exe
  Command line: C:\Windows\system32\Blue.exe 564 "C:\Windows\SysWOW64\Blue.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  - Writes to the Master Boot Record (MBR)
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 3048
Level 7: C:\Windows\SysWOW64\Blue.exe
  Command line: C:\Windows\system32\Blue.exe 556 "C:\Windows\SysWOW64\Blue.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  - Writes to the Master Boot Record (MBR)
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 680
Level 8: C:\Windows\SysWOW64\Blue.exe
  Command line: C:\Windows\system32\Blue.exe 540 "C:\Windows\SysWOW64\Blue.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  - Writes to the Master Boot Record (MBR)
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 2116
Level 9: C:\Windows\SysWOW64\Blue.exe
  Command line: C:\Windows\system32\Blue.exe 572 "C:\Windows\SysWOW64\Blue.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  - Writes to the Master Boot Record (MBR)
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 332
Level 10: C:\Windows\SysWOW64\Blue.exe
  Command line: C:\Windows\system32\Blue.exe 588 "C:\Windows\SysWOW64\Blue.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  - Writes to the Master Boot Record (MBR)
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 1368
Level 11: C:\Windows\SysWOW64\Blue.exe
  Command line: C:\Windows\system32\Blue.exe 568 "C:\Windows\SysWOW64\Blue.exe"
  - Executes dropped EXE
  - Writes to the Master Boot Record (MBR)
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  PID: 2072
Network
MITRE ATT&CK Enterprise v15