Analysis

  • max time kernel
    147s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    15/10/2024, 21:50

General

  • Target

    4a2be3af52f74b5f5120b8431e5610b8_JaffaCakes118.exe

  • Size

    488KB

  • MD5

    4a2be3af52f74b5f5120b8431e5610b8

  • SHA1

    397f18e3d2a592bf479d35c82e7a76a5d3391967

  • SHA256

    b57fd996f2bcb3d3c09ead04b388a9fc619018985e26be74a65efbb4487462e2

  • SHA512

    2eebb9f8f4b041599e4b17156b3fba377b36a2bb08bf0f7b78b503bcc7c34a53cb2fcf3fceb1efb3cdd24e82b00a9f4f24eaeed6caa5f348a4be5d84e54a1448

  • SSDEEP

    12288:T33Q9q2bGUVa0eJqj6ACNTuihvSlqP37lCMtB64zg:T3bcGUVZeJWUNTThqIP37lh/fzg

Malware Config

Signatures

  • Drops file in Drivers directory 1 IoCs
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 43 IoCs
  • Installs/modifies Browser Helper Object 2 TTPs 2 IoCs

    BHOs are DLL modules which act as plugins for Internet Explorer.

  • Writes to the Master Boot Record (MBR) 1 TTPs 3 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

  • Drops file in System32 directory 18 IoCs
  • Drops file in Windows directory 13 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 47 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of WriteProcessMemory 57 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4a2be3af52f74b5f5120b8431e5610b8_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\4a2be3af52f74b5f5120b8431e5610b8_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Writes to the Master Boot Record (MBR)
    • Drops file in System32 directory
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2328
    • C:\Windows\SysWOW64\regsvr32.exe
      C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32\70l8.dll"
      2⤵
      • System Location Discovery: System Language Discovery
      PID:3068
    • C:\Windows\SysWOW64\regsvr32.exe
      C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32\03ca.dll"
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2248
    • C:\Windows\SysWOW64\regsvr32.exe
      C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32\da3r.dll"
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2104
    • C:\Windows\SysWOW64\regsvr32.exe
      C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32\8ado.dll"
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2192
    • C:\Windows\SysWOW64\regsvr32.exe
      C:\Windows\system32\regsvr32.exe /s "C:\Windows\system32\8ado.dll"
      2⤵
      • Loads dropped DLL
      • Installs/modifies Browser Helper Object
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      PID:2816
    • C:\Windows\SysWOW64\aaad.exe
      C:\Windows\system32\aaad.exe -i
      2⤵
      • Executes dropped EXE
      PID:2920
    • C:\Windows\SysWOW64\aaad.exe
      C:\Windows\system32\aaad.exe -s
      2⤵
      • Executes dropped EXE
      PID:2584
    • C:\Windows\SysWOW64\rundll32.exe
      C:\Windows\system32\rundll32 C:\Windows\system32\830e.dll, Always
      2⤵
      • Loads dropped DLL
      • Writes to the Master Boot Record (MBR)
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      PID:2764
  • C:\Windows\SysWOW64\aaad.exe
    C:\Windows\SysWOW64\aaad.exe
    1⤵
    • Drops file in Drivers directory
    • Executes dropped EXE
    • Loads dropped DLL
    • Writes to the Master Boot Record (MBR)
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2652
    • C:\Windows\SysWOW64\rundll32.exe
      C:\Windows\system32\rundll32 C:\Windows\system32\830e.dll,Always
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      PID:1064

Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\h8nil4o8\b.dll

          Filesize

          151KB

          MD5

          03e9030cbaf4175994fe67f84b1f155d

          SHA1

          767c1368adae868841650ecf87951d2251bc3c96

          SHA256

          7d274b8adfa036a114a2d34e747b42316c04c388b1f7d83d3c4de50f8b2a8ad1

          SHA512

          94210245c58b71b8237ebc17aa95b7b61bf41cd9ed3aab5cf9b4cfdf88332ee4c0cdc218af354ea6e9392034b9c3c862ca16cb6bacd144f107358bdd2f4a3ea5

        • C:\Users\Admin\AppData\Local\Temp\h8nil4o8\p.dll

          Filesize

          265KB

          MD5

          19b3792652d33d6719232035fca1d111

          SHA1

          14b676a104d9e8bf889978d599e0a786e2486035

          SHA256

          fb01aeaab52e658cdf929c14f73dec26285b1a2258e852787e712628d12dccac

          SHA512

          18ecbb45591f129351eca106e847f7e5a1ad803b48b069b97b1b09108d4c1de8c16785255ec65a3b974f217c5a3d5307852042d51ed3a10fc7d78fbef75cb835

        • C:\Users\Admin\AppData\Local\Temp\h8nil4o8\s.exe

          Filesize

          64KB

          MD5

          1df34f9eff7aef89bec15427fb63f232

          SHA1

          6e243da7d8f72ca670f36d337fb5a510074d1c13

          SHA256

          f401573e17067a7036e352fd4d6c6bec831f31c4c4d5cc0313f9ec9406136c59

          SHA512

          daedbf20868a531062418d30a865e82e63b7ddb1b87a27c89143e954f01659856d83101bd3fae43f1059c8e436e051b81c125249d4ad1a85c4b0d62c5530899b

        • memory/1064-90-0x0000000010000000-0x00000000100B2000-memory.dmp

          Filesize

          712KB

        • memory/2328-54-0x0000000002200000-0x000000000221E000-memory.dmp

          Filesize

          120KB

        • memory/2328-59-0x0000000002200000-0x000000000221E000-memory.dmp

          Filesize

          120KB

        • memory/2584-73-0x0000000000400000-0x000000000041E000-memory.dmp

          Filesize

          120KB

        • memory/2652-121-0x0000000010000000-0x0000000010026000-memory.dmp

          Filesize

          152KB

        • memory/2652-131-0x0000000010000000-0x0000000010026000-memory.dmp

          Filesize

          152KB

        • memory/2652-175-0x0000000010000000-0x0000000010026000-memory.dmp

          Filesize

          152KB

        • memory/2652-95-0x0000000000400000-0x000000000041E000-memory.dmp

          Filesize

          120KB

        • memory/2652-98-0x0000000010000000-0x0000000010026000-memory.dmp

          Filesize

          152KB

        • memory/2652-171-0x0000000000400000-0x000000000041E000-memory.dmp

          Filesize

          120KB

        • memory/2652-169-0x0000000010000000-0x0000000010026000-memory.dmp

          Filesize

          152KB

        • memory/2652-100-0x0000000010000000-0x0000000010026000-memory.dmp

          Filesize

          152KB

        • memory/2652-101-0x0000000000400000-0x000000000041E000-memory.dmp

          Filesize

          120KB

        • memory/2652-170-0x0000000010000000-0x0000000010026000-memory.dmp

          Filesize

          152KB

        • memory/2652-104-0x0000000010000000-0x0000000010026000-memory.dmp

          Filesize

          152KB

        • memory/2652-106-0x0000000010000000-0x0000000010026000-memory.dmp

          Filesize

          152KB

        • memory/2652-107-0x0000000000400000-0x000000000041E000-memory.dmp

          Filesize

          120KB

        • memory/2652-166-0x0000000010000000-0x0000000010026000-memory.dmp

          Filesize

          152KB

        • memory/2652-110-0x0000000010000000-0x0000000010026000-memory.dmp

          Filesize

          152KB

        • memory/2652-112-0x0000000010000000-0x0000000010026000-memory.dmp

          Filesize

          152KB

        • memory/2652-113-0x0000000000400000-0x000000000041E000-memory.dmp

          Filesize

          120KB

        • memory/2652-117-0x0000000010000000-0x0000000010026000-memory.dmp

          Filesize

          152KB

        • memory/2652-118-0x0000000000400000-0x000000000041E000-memory.dmp

          Filesize

          120KB

        • memory/2652-71-0x0000000010000000-0x0000000010026000-memory.dmp

          Filesize

          152KB

        • memory/2652-123-0x0000000010000000-0x0000000010026000-memory.dmp

          Filesize

          152KB

        • memory/2652-124-0x0000000000400000-0x000000000041E000-memory.dmp

          Filesize

          120KB

        • memory/2652-128-0x0000000000400000-0x000000000041E000-memory.dmp

          Filesize

          120KB

        • memory/2652-94-0x0000000010000000-0x0000000010026000-memory.dmp

          Filesize

          152KB

        • memory/2652-133-0x0000000000400000-0x000000000041E000-memory.dmp

          Filesize

          120KB

        • memory/2652-134-0x0000000000400000-0x000000000041E000-memory.dmp

          Filesize

          120KB

        • memory/2652-137-0x0000000010000000-0x0000000010026000-memory.dmp

          Filesize

          152KB

        • memory/2652-139-0x0000000010000000-0x0000000010026000-memory.dmp

          Filesize

          152KB

        • memory/2652-140-0x0000000000400000-0x000000000041E000-memory.dmp

          Filesize

          120KB

        • memory/2652-144-0x0000000010000000-0x0000000010026000-memory.dmp

          Filesize

          152KB

        • memory/2652-145-0x0000000000400000-0x000000000041E000-memory.dmp

          Filesize

          120KB

        • memory/2652-148-0x0000000010000000-0x0000000010026000-memory.dmp

          Filesize

          152KB

        • memory/2652-151-0x0000000010000000-0x0000000010026000-memory.dmp

          Filesize

          152KB

        • memory/2652-150-0x0000000010000000-0x0000000010026000-memory.dmp

          Filesize

          152KB

        • memory/2652-152-0x0000000000400000-0x000000000041E000-memory.dmp

          Filesize

          120KB

        • memory/2652-155-0x0000000010000000-0x0000000010026000-memory.dmp

          Filesize

          152KB

        • memory/2652-157-0x0000000000400000-0x000000000041E000-memory.dmp

          Filesize

          120KB

        • memory/2652-160-0x0000000010000000-0x0000000010026000-memory.dmp

          Filesize

          152KB

        • memory/2652-162-0x0000000010000000-0x0000000010026000-memory.dmp

          Filesize

          152KB

        • memory/2652-163-0x0000000000400000-0x000000000041E000-memory.dmp

          Filesize

          120KB

        • memory/2652-167-0x0000000010000000-0x0000000010026000-memory.dmp

          Filesize

          152KB

        • memory/2764-109-0x0000000010000000-0x00000000100B2000-memory.dmp

          Filesize

          712KB

        • memory/2764-103-0x0000000010000000-0x00000000100B2000-memory.dmp

          Filesize

          712KB

        • memory/2764-97-0x0000000010000000-0x00000000100B2000-memory.dmp

          Filesize

          712KB

        • memory/2764-88-0x0000000010000000-0x00000000100B2000-memory.dmp

          Filesize

          712KB

        • memory/2764-89-0x0000000010000000-0x00000000100B2000-memory.dmp

          Filesize

          712KB

        • memory/2816-45-0x0000000010000000-0x0000000010026000-memory.dmp

          Filesize

          152KB

        • memory/2920-61-0x0000000000400000-0x000000000041E000-memory.dmp

          Filesize

          120KB