Analysis
max time kernel: 149s
max time network: 147s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 15/10/2024, 22:32
Static task: static1
Behavioral task: behavioral1
  Sample: 4a4f647bf595b8c3ca29a46d4ec4189d_JaffaCakes118.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: 4a4f647bf595b8c3ca29a46d4ec4189d_JaffaCakes118.exe
  Resource: win10v2004-20241007-en
General
Target: 4a4f647bf595b8c3ca29a46d4ec4189d_JaffaCakes118.exe
Size: 20KB
MD5: 4a4f647bf595b8c3ca29a46d4ec4189d
SHA1: c3094a79b41b696b7bbdc5515411bf5c07fc2763
SHA256: 659cf29395cef49c1410e4ad21d9735a25a8dc77d7a3f5797e9d1f9b9967723f
SHA512: c474215bed24414ea5c3a2164057f78aa661c9bef547f48b0bc4f1f860024d61c7133cf67f3e69b65e2cd9a2ade3e37cf965aca9abb11e8148d2dd36053d80b0
SSDEEP: 384:APScc4sQ9nBx8XllEsil4/ThSwuwfd04d9CjRCblGIzX9Ilm0FO+MNyjD7G4rSX:APcImJilC5BdcjQG6XBdXc4
Malware Config
Signatures

Writes to the Master Boot Record (MBR) | 1 TTPs | 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system. Note that this IoC records a handle to the raw disk opened with write access; the report does not show the bytes written, so whether sector 0 was actually overwritten must be confirmed from the disk itself.
description                    | ioc                 | Process
File opened for modification   | \??\PhysicalDrive0  | IEXPLORE.EXE
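One way to confirm on a host whether the boot code in sector 0 was tampered with is to parse the MBR and compare its boot-code hash against a known-good baseline. The block below is an added example and not code from the sandbox report or the analysed sample; the sector it parses is constructed inline, the field offsets are the standard MBR layout, and `\\.\PhysicalDrive0` (the Win32 name of the `\??\PhysicalDrive0` object the IoC refers to) is read only by the optional `read_live_mbr` helper, which needs Administrator rights.

```python
"""Parse a 512-byte MBR and check its boot code against a baseline hash.

Added example for the 'Writes to the Master Boot Record' IoC; it is not code
from the sandbox report. The sample sector below is constructed for the demo.
"""
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_LEN = 440        # bytes 0..439: boot code, the area a bootkit overwrites
DISK_SIG_OFF = 440         # 4-byte disk signature written by Windows, then 2 zero bytes
PART_TABLE_OFF = 446       # four 16-byte partition entries
BOOT_SIG = b"\x55\xaa"     # last two bytes of a valid MBR


def parse_mbr(sector: bytes) -> dict:
    """Return the security-relevant fields of an MBR sector."""
    if len(sector) != MBR_SIZE:
        raise ValueError(f"expected {MBR_SIZE} bytes, got {len(sector)}")
    partitions = []
    for i in range(4):
        # status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) LBA-count(4)
        status, ptype, lba_start, lba_count = struct.unpack_from(
            "<B3xB3xII", sector, PART_TABLE_OFF + 16 * i)
        if ptype == 0:
            continue  # empty slot
        partitions.append({"index": i, "bootable": status == 0x80, "type": ptype,
                           "lba_start": lba_start, "lba_count": lba_count})
    return {
        "valid_signature": sector[510:512] == BOOT_SIG,
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "disk_signature": struct.unpack_from("<I", sector, DISK_SIG_OFF)[0],
        "partitions": partitions,
    }


def boot_code_changed(sector: bytes, baseline_sha256: str) -> bool:
    """True if the boot code differs from a known-good baseline hash."""
    return parse_mbr(sector)["boot_code_sha256"] != baseline_sha256


def read_live_mbr(device: str = r"\\.\PhysicalDrive0") -> bytes:
    """Read sector 0 of a raw disk (Windows; requires Administrator)."""
    with open(device, "rb") as fh:
        return fh.read(MBR_SIZE)


def build_sample_mbr() -> bytes:
    """Constructed MBR for the demo: one bootable NTFS (0x07) partition at LBA 2048."""
    boot_code = b"\xfa\x33\xc0\x8e\xd0" + b"\x90" * (BOOT_CODE_LEN - 5)  # cli; xor ax,ax; mov ss,ax; nops
    disk_sig = struct.pack("<I", 0x1234ABCD) + b"\x00\x00"
    entry = struct.pack("<B3sB3sII", 0x80, b"\x20\x21\x00", 0x07, b"\xfe\xff\xff", 2048, 1048576)
    sector = boot_code + disk_sig + entry + b"\x00" * 48 + BOOT_SIG
    assert len(sector) == MBR_SIZE
    return sector


def tamper(sector: bytes) -> bytes:
    """Simulate a bootkit: overwrite the start of the boot code, keep the partition table."""
    hook = b"\xeb\xfe"  # jmp $ stands in for injected boot code
    return hook + sector[len(hook):]


if __name__ == "__main__":
    good = build_sample_mbr()
    baseline = parse_mbr(good)["boot_code_sha256"]
    print(parse_mbr(good))
    print("tampered:", boot_code_changed(tamper(good), baseline))
```

The check compares against a baseline taken from a known-good image of the same disk rather than a fixed constant, because the 440 bytes of boot code differ between Windows versions and OEM tools. On a UEFI/GPT disk sector 0 holds a protective MBR; its boot code is still a sensible baseline target, but the partition table will show a single 0xEE entry.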
Suspicious use of SetThreadContext | 1 IoCs
description                             | pid  | Process                                              | procid_target
PID 4300 set thread context of 1020     | 4300 | 4a4f647bf595b8c3ca29a46d4ec4189d_JaffaCakes118.exe   | 84
System Location Discovery: System Language Discovery | 1 TTPs | 2 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc                                                              | Process
Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language      | 4a4f647bf595b8c3ca29a46d4ec4189d_JaffaCakes118.exe
Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language      | IEXPLORE.EXE
Suspicious behavior: EnumeratesProcesses | 1 IoCs
pid  | Process
1020 | IEXPLORE.EXE
Suspicious use of AdjustPrivilegeToken | 1 IoCs
description                              | pid  | Process
Token: SeIncBasePriorityPrivilege        | 4300 | 4a4f647bf595b8c3ca29a46d4ec4189d_JaffaCakes118.exe
Suspicious use of WriteProcessMemory | 7 IoCs
description                          | pid  | Process                                              | procid_target
PID 4300 wrote to memory of 1020     | 4300 | 4a4f647bf595b8c3ca29a46d4ec4189d_JaffaCakes118.exe   | 84
(the same row is recorded 7 times: seven WriteProcessMemory calls from PID 4300 into PID 1020)
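Read together, the SetThreadContext and WriteProcessMemory IoCs describe the parent writing into a child it spawned and then redirecting one of that child's threads, the pattern usually associated with process hollowing; the MBR handle then shows up under IEXPLORE.EXE but belongs to the injecting parent. The block below is an added example, not part of the report: it parses description strings in the format this report uses (constructed copies of the rows above), flags that pattern, and re-attributes the child's behaviour to the parent. The parent/child map and process names are taken from the Processes section.

```python
"""Correlate process-injection IoCs into a hollowing verdict.

Added example, not part of the sandbox report. The IoC strings, process names
and parent map below are constructed copies of this report's rows.
"""
import re
from collections import defaultdict

WRITE_RE = re.compile(r"PID (\d+) wrote to memory of (\d+)")
CTX_RE = re.compile(r"PID (\d+) set thread context of (\d+)")

# Constructed from the Signatures and Processes sections of this report.
SAMPLE_IOCS = ["PID 4300 set thread context of 1020"] + ["PID 4300 wrote to memory of 1020"] * 7
SAMPLE_PROCESSES = {4300: "4a4f647bf595b8c3ca29a46d4ec4189d_JaffaCakes118.exe", 1020: "IEXPLORE.EXE"}
SAMPLE_PARENT = {1020: 4300}  # child pid -> parent pid
SAMPLE_CHILD_BEHAVIOUR = {1020: ["File opened for modification \\??\\PhysicalDrive0"]}


def parse_injection_iocs(lines):
    """Return {(src_pid, dst_pid): {'writes': n, 'set_context': bool}} from IoC text."""
    edges = defaultdict(lambda: {"writes": 0, "set_context": False})
    for line in lines:
        m = WRITE_RE.search(line)
        if m:
            edges[(int(m[1]), int(m[2]))]["writes"] += 1
            continue
        m = CTX_RE.search(line)
        if m:
            edges[(int(m[1]), int(m[2]))]["set_context"] = True
    return dict(edges)


def hollowing_candidates(edges, parent_of):
    """(src, dst) pairs where a parent wrote into a child it spawned and hijacked a thread.

    WriteProcessMemory on its own is used by debuggers and some legitimate tools;
    the combination with SetThreadContext on a process the writer created is the
    indicator worth alerting on.
    """
    return sorted(
        (src, dst) for (src, dst), e in edges.items()
        if e["writes"] > 0 and e["set_context"] and parent_of.get(dst) == src
    )


def attribute_behaviour(candidates, child_behaviour, names):
    """Re-attribute a hollowed child's later actions to the parent that injected it."""
    findings = []
    for src, dst in candidates:
        for action in child_behaviour.get(dst, []):
            findings.append({"observed_in": names[dst], "attributed_to": names[src], "action": action})
    return findings


if __name__ == "__main__":
    edges = parse_injection_iocs(SAMPLE_IOCS)
    cands = hollowing_candidates(edges, SAMPLE_PARENT)
    for f in attribute_behaviour(cands, SAMPLE_CHILD_BEHAVIOUR, SAMPLE_PROCESSES):
        print(f)
```

The parent check matters: injection into an unrelated, already-running process is a different (and also suspicious) pattern, but it is not hollowing, and the attribution step would be wrong for it.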
Processes
1. C:\Users\Admin\AppData\Local\Temp\4a4f647bf595b8c3ca29a46d4ec4189d_JaffaCakes118.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\4a4f647bf595b8c3ca29a46d4ec4189d_JaffaCakes118.exe"
   PID: 4300
   - Suspicious use of SetThreadContext
   - System Location Discovery: System Language Discovery
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE (child of PID 4300)
      command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"
      PID: 1020
      - Writes to the Master Boot Record (MBR)
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses