Analysis

  • max time kernel
    148s
  • max time network
    124s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    15/10/2024, 21:50

General

  • Target: 4a2be3af52f74b5f5120b8431e5610b8_JaffaCakes118.exe
  • Size: 488KB
  • MD5: 4a2be3af52f74b5f5120b8431e5610b8
  • SHA1: 397f18e3d2a592bf479d35c82e7a76a5d3391967
  • SHA256: b57fd996f2bcb3d3c09ead04b388a9fc619018985e26be74a65efbb4487462e2
  • SHA512: 2eebb9f8f4b041599e4b17156b3fba377b36a2bb08bf0f7b78b503bcc7c34a53cb2fcf3fceb1efb3cdd24e82b00a9f4f24eaeed6caa5f348a4be5d84e54a1448
  • SSDEEP: 12288:T33Q9q2bGUVa0eJqj6ACNTuihvSlqP37lCMtB64zg:T3bcGUVZeJWUNTThqIP37lh/fzg

Malware Config

Signatures

  • Drops file in Drivers directory 1 IoCs
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 33 IoCs
  • Installs/modifies Browser Helper Object 2 TTPs 2 IoCs

    BHOs are DLL modules which act as plugins for Internet Explorer.

  • Writes to the Master Boot Record (MBR) 1 TTPs 3 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

  • Drops file in System32 directory 18 IoCs
  • Drops file in Windows directory 13 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 47 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of WriteProcessMemory 27 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4a2be3af52f74b5f5120b8431e5610b8_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\4a2be3af52f74b5f5120b8431e5610b8_JaffaCakes118.exe"
    1⤵
    • Writes to the Master Boot Record (MBR)
    • Drops file in System32 directory
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4780
    • C:\Windows\SysWOW64\regsvr32.exe
      C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32\70l8.dll"
      2⤵
      • System Location Discovery: System Language Discovery
      PID:1580
    • C:\Windows\SysWOW64\regsvr32.exe
      C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32\03ca.dll"
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2008
    • C:\Windows\SysWOW64\regsvr32.exe
      C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32\da3r.dll"
      2⤵
      • System Location Discovery: System Language Discovery
      PID:768
    • C:\Windows\SysWOW64\regsvr32.exe
      C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32\8ado.dll"
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2748
    • C:\Windows\SysWOW64\regsvr32.exe
      C:\Windows\system32\regsvr32.exe /s "C:\Windows\system32\8ado.dll"
      2⤵
      • Loads dropped DLL
      • Installs/modifies Browser Helper Object
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      PID:2724
    • C:\Windows\SysWOW64\aaad.exe
      C:\Windows\system32\aaad.exe -i
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:3132
    • C:\Windows\SysWOW64\aaad.exe
      C:\Windows\system32\aaad.exe -s
      2⤵
      • Executes dropped EXE
      PID:1540
    • C:\Windows\SysWOW64\rundll32.exe
      C:\Windows\system32\rundll32 C:\Windows\system32\830e.dll, Always
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      PID:2260
  • C:\Windows\SysWOW64\aaad.exe
    C:\Windows\SysWOW64\aaad.exe
    1⤵
    • Drops file in Drivers directory
    • Executes dropped EXE
    • Loads dropped DLL
    • Writes to the Master Boot Record (MBR)
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:4032
    • C:\Windows\SysWOW64\rundll32.exe
      C:\Windows\system32\rundll32 C:\Windows\system32\830e.dll,Always
      2⤵
      • Loads dropped DLL
      • Writes to the Master Boot Record (MBR)
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      PID:2908

Network

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\h8nil4o8\b.dll
          Filesize: 167KB
          MD5: 6604017b97723459582278f29adf20d5
          SHA1: 6eec88c892a29bf10d20692b08561d74406e2e50
          SHA256: d887f632b8652be987072fc87a418edf75b9bfaf7482976815b10b0cef7f3754
          SHA512: 4f6f9f02be6c6e244965238e0fdf191eeaafd1690b5e669b22f0064d67cb1128150b49ec691f58896d91439f81570f2467e4148147a3fbfc727148193eb526aa

        • C:\Users\Admin\AppData\Local\Temp\h8nil4o8\p.dll
          Filesize: 281KB
          MD5: 8b648c94ec827c3424a2521364186891
          SHA1: 550bfd17903727aa4add841f27d4d9bf54377897
          SHA256: c86d1230cd214571b3350c6db2a5f57083b23119feadaad9db388e666bfb00cc
          SHA512: 0564dd66eb92259f0594b83e2aa5f555751a1ee20ed39d12662c0ce13f95bc5860efa6807ac2035232a4bb46781e14c36d7acc5ea4db9fa1b893b4cec803b857

        • C:\Users\Admin\AppData\Local\Temp\h8nil4o8\s.exe
          Filesize: 156KB
          MD5: 828ccba7ef24786cd58e94d15846a0c7
          SHA1: 1c0029ca95356f7cbc77e2a8c2954777dc22b48a
          SHA256: 12fb77c027354c279cad3dc9ba03bfbe75c2c2756c9d45be6a57e0e2378f48dd
          SHA512: 3adc2abddb2e1bbc7776a8abf9772cf100800d4c48bc193d5d7ceb2b8141ef0203a8868248995ee311ad0cc8c3561aa21fc98fe66ee8ddc50c5d4281299ed5cc

        • memory/1540-64-0x0000000000400000-0x000000000041E000-memory.dmp (Filesize: 120KB)
        • memory/2260-73-0x0000000010000000-0x00000000100B2000-memory.dmp (Filesize: 712KB)
        • memory/2724-47-0x0000000010000000-0x0000000010026000-memory.dmp (Filesize: 152KB)
        • memory/2908-81-0x0000000010000000-0x00000000100B2000-memory.dmp (Filesize: 712KB)
        • memory/2908-93-0x0000000010000000-0x00000000100B2000-memory.dmp (Filesize: 712KB)
        • memory/2908-75-0x0000000010000000-0x00000000100B2000-memory.dmp (Filesize: 712KB)
        • memory/2908-88-0x0000000010000000-0x00000000100B2000-memory.dmp (Filesize: 712KB)
        • memory/3132-57-0x0000000000400000-0x000000000041E000-memory.dmp (Filesize: 120KB)
        • memory/3132-60-0x0000000000400000-0x000000000041E000-memory.dmp (Filesize: 120KB)
        • memory/4032-91-0x0000000010000000-0x0000000010026000-memory.dmp (Filesize: 152KB)
        • memory/4032-109-0x0000000000400000-0x000000000041E000-memory.dmp (Filesize: 120KB)
        • memory/4032-85-0x0000000010000000-0x0000000010026000-memory.dmp (Filesize: 152KB)
        • memory/4032-86-0x0000000000400000-0x000000000041E000-memory.dmp (Filesize: 120KB)
        • memory/4032-80-0x0000000000400000-0x000000000041E000-memory.dmp (Filesize: 120KB)
        • memory/4032-89-0x0000000010000000-0x0000000010026000-memory.dmp (Filesize: 152KB)
        • memory/4032-79-0x0000000010000000-0x0000000010026000-memory.dmp (Filesize: 152KB)
        • memory/4032-92-0x0000000000400000-0x000000000041E000-memory.dmp (Filesize: 120KB)
        • memory/4032-71-0x0000000010000000-0x0000000010026000-memory.dmp (Filesize: 152KB)
        • memory/4032-96-0x0000000000400000-0x000000000041E000-memory.dmp (Filesize: 120KB)
        • memory/4032-100-0x0000000000400000-0x000000000041E000-memory.dmp (Filesize: 120KB)
        • memory/4032-104-0x0000000010000000-0x0000000010026000-memory.dmp (Filesize: 152KB)
        • memory/4032-105-0x0000000000400000-0x000000000041E000-memory.dmp (Filesize: 120KB)
        • memory/4032-83-0x0000000010000000-0x0000000010026000-memory.dmp (Filesize: 152KB)
        • memory/4032-110-0x0000000000400000-0x000000000041E000-memory.dmp (Filesize: 120KB)
        • memory/4032-114-0x0000000000400000-0x000000000041E000-memory.dmp (Filesize: 120KB)
        • memory/4032-117-0x0000000010000000-0x0000000010026000-memory.dmp (Filesize: 152KB)
        • memory/4032-119-0x0000000010000000-0x0000000010026000-memory.dmp (Filesize: 152KB)
        • memory/4032-120-0x0000000000400000-0x000000000041E000-memory.dmp (Filesize: 120KB)
        • memory/4032-124-0x0000000000400000-0x000000000041E000-memory.dmp (Filesize: 120KB)
        • memory/4032-128-0x0000000000400000-0x000000000041E000-memory.dmp (Filesize: 120KB)
        • memory/4032-132-0x0000000000400000-0x000000000041E000-memory.dmp (Filesize: 120KB)
        • memory/4032-136-0x0000000010000000-0x0000000010026000-memory.dmp (Filesize: 152KB)
        • memory/4032-137-0x0000000000400000-0x000000000041E000-memory.dmp (Filesize: 120KB)
        • memory/4032-140-0x0000000010000000-0x0000000010026000-memory.dmp (Filesize: 152KB)
        • memory/4032-142-0x0000000000400000-0x000000000041E000-memory.dmp (Filesize: 120KB)