Analysis

  • max time kernel
    148s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    16/10/2024, 22:07

General

  • Target

    4f4895f86b7a1c708892711e46132e3d_JaffaCakes118.exe

  • Size

    600KB

  • MD5

    4f4895f86b7a1c708892711e46132e3d

  • SHA1

    62a7e6ffd1478d7363105923ef6b99d9a65a5c66

  • SHA256

    c5e685dd65228c0237e01b5467333f08b7de33ee15b320b6b21f687b6c8c564a

  • SHA512

    55f70b90ebc72df90007c8db3c8033f484a6ff5842be4d3ba2973ffbaddce33fc1d22adb965d424a0887fe257cac7cdec4279f28a757f208b47c711ad714941f

  • SSDEEP

    12288:k7l4s3shTJBJbI3HfaiDX29J5FB9i727cgWjaGJkAuR7VUSFNu:kGs3qTZbIXiiX2H5XS27c7ZkvBFNu

Malware Config

Signatures

  • Drops file in Drivers directory 1 IoCs
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 33 IoCs
  • Installs/modifies Browser Helper Object 2 TTPs 2 IoCs

    BHOs are DLL modules which act as plugins for Internet Explorer.

  • Writes to the Master Boot Record (MBR) 1 TTPs 3 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

  • Drops file in System32 directory 18 IoCs
  • Drops file in Windows directory 13 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 47 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of WriteProcessMemory 27 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4f4895f86b7a1c708892711e46132e3d_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\4f4895f86b7a1c708892711e46132e3d_JaffaCakes118.exe"
    1⤵
    • Writes to the Master Boot Record (MBR)
    • Drops file in System32 directory
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4436
    • C:\Windows\SysWOW64\regsvr32.exe
      C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32\70l8.dll"
      2⤵
      • System Location Discovery: System Language Discovery
      PID:1180
    • C:\Windows\SysWOW64\regsvr32.exe
      C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32\03ca.dll"
      2⤵
      • System Location Discovery: System Language Discovery
      PID:3224
    • C:\Windows\SysWOW64\regsvr32.exe
      C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32\da3r.dll"
      2⤵
      • System Location Discovery: System Language Discovery
      PID:1908
    • C:\Windows\SysWOW64\regsvr32.exe
      C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32\8ado.dll"
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2696
    • C:\Windows\SysWOW64\regsvr32.exe
      C:\Windows\system32\regsvr32.exe /s "C:\Windows\system32\8ado.dll"
      2⤵
      • Loads dropped DLL
      • Installs/modifies Browser Helper Object
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      PID:1876
    • C:\Windows\SysWOW64\aaad.exe
      C:\Windows\system32\aaad.exe -i
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:2280
    • C:\Windows\SysWOW64\aaad.exe
      C:\Windows\system32\aaad.exe -s
      2⤵
      • Executes dropped EXE
      PID:5116
    • C:\Windows\SysWOW64\rundll32.exe
      C:\Windows\system32\rundll32 C:\Windows\system32\830e.dll, Always
      2⤵
      • Loads dropped DLL
      • Writes to the Master Boot Record (MBR)
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      PID:4304
  • C:\Windows\SysWOW64\aaad.exe
    C:\Windows\SysWOW64\aaad.exe
    1⤵
    • Drops file in Drivers directory
    • Executes dropped EXE
    • Loads dropped DLL
    • Writes to the Master Boot Record (MBR)
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1536
    • C:\Windows\SysWOW64\rundll32.exe
      C:\Windows\system32\rundll32 C:\Windows\system32\830e.dll,Always
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      PID:1040

Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\h8nil4o8\b.dll

          Filesize

          208KB

          MD5

          326c38b450d4e8e00968e0b1f6470401

          SHA1

          56ffac17a189af0302346b829797f72d5d4658fc

          SHA256

          7163befb152d3924597568f5a010d855e1ced00d26b7eed3d367bd55bd3459f0

          SHA512

          462ec813832c05ba78d345ea09397e27f8630739d0e5f81f7ea5adf345c4eabcc59e4d0dc3d504cd7beb670bfac7ea863c5449e04fb1f50c559df0710ebe98fe

        • C:\Users\Admin\AppData\Local\Temp\h8nil4o8\p.dll

          Filesize

          376KB

          MD5

          60845b09acf8516709e44fe3a05ef6a5

          SHA1

          1b837b76a6fa7a9c05fb9cf0150ff1d27c3a46aa

          SHA256

          82a4598ca45690f241bcd0282675f4bd5bd3dc89e8c360c74452ec1c039d72f7

          SHA512

          5a34e4c18e36614c29029757e48b30452978c6620664605c878c15acebc6fa75ada9bae89bf6e860ea8e62a4ceb15d8583fe33bafc1312b74549fa4a35ef5d9e

        • C:\Users\Admin\AppData\Local\Temp\h8nil4o8\s.exe

          Filesize

          116KB

          MD5

          d8933fe3737dc8279462b9f16a6cb8b7

          SHA1

          3c961e43b52b3fee3f1b471cad2faa6a450e7a62

          SHA256

          e571256bdf9d2ed71fc8aebb1b37af1256b6dbe9790034a9af95e3aa2a023004

          SHA512

          66feb528794ef0416951a460ab5c934d1398fcc78a513d3ad6f0aa9de56403c5231855d3c23cef238f1b85f9370fe0d726e385aa0da449f66b1a665fefc4f1be