Analysis
-
max time kernel
141s -
max time network
127s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system
submitted
16/10/2024, 23:17
Static task
static1
Behavioral task
behavioral1
Sample
4f8f4837532efeaea3e91ca74b464a30_JaffaCakes118.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
4f8f4837532efeaea3e91ca74b464a30_JaffaCakes118.exe
Resource
win10v2004-20241007-en
General
-
Target
4f8f4837532efeaea3e91ca74b464a30_JaffaCakes118.exe
-
Size
114KB
-
MD5
4f8f4837532efeaea3e91ca74b464a30
-
SHA1
53c7a8aaae2f3c55cf9550de5ba4663e001f667d
-
SHA256
6480fbf1471d7e15eee5c76993e1c05de0e81c5f522d12ef7efaa3a33df03b62
-
SHA512
bd4beb10c0c8d9602b9da66df37f003ca79d7ab94f3f93de8d8513947523fd8bea36ef38f1836a1451f362394f9b1140cfeb818cf80d02a56a31f85dd13c1350
-
SSDEEP
3072:RIaKpjmptbfyAdwdzYM+erE9NYrbAV0p:tppfCYx9NYrb
Malware Config
Signatures
-
Unexpected DNS network traffic destination 15 IoCs
Traffic on the DNS port (53) to servers other than the sandbox's configured DNS servers was detected.
description: Destination IP (15 hits across 5 distinct hosts)
ioc:
  207.126.105.146  (7 hits)
  63.251.129.1     (2 hits)
  165.254.12.151   (2 hits)
  210.144.5.163    (2 hits)
  64.30.227.206    (2 hits)
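The rule behind this signature is simple to reproduce over a flow log: keep only flows to port 53, drop the ones whose destination is a configured resolver, and count what remains per host. The block below is an added example, not code from the report or from the sandbox that produced it. It assumes flow records shaped as (src_ip, dst_ip, dst_port, proto) and an assumed resolver address of 10.127.0.1; the fifteen port-53 destinations are copied from the IoC list above in their original order, while the source address, protocol, the two resolver flows and the trailing port-443 flow are constructed.

```python
"""Detection logic for 'Unexpected DNS network traffic destination'.

Added example; not part of the sandbox report. Flow record layout and the
resolver address are assumptions; the 15 port-53 destinations are the
report's IoCs, everything else in SAMPLE_FLOWS is constructed.
"""
from collections import Counter
from ipaddress import ip_address

DNS_PORT = 53

# Assumed resolver configuration of the analysis VM (not stated in the report).
CONFIGURED_RESOLVERS = {"10.127.0.1"}

# Constructed flow log: (src_ip, dst_ip, dst_port, proto).
SAMPLE_FLOWS = [
    ("10.127.0.20", "10.127.0.1", 53, "udp"),        # expected resolver, ignored
    ("10.127.0.20", "10.127.0.1", 53, "udp"),
    ("10.127.0.20", "63.251.129.1", 53, "udp"),      # report IoCs start here
    ("10.127.0.20", "207.126.105.146", 53, "udp"),
    ("10.127.0.20", "165.254.12.151", 53, "udp"),
    ("10.127.0.20", "210.144.5.163", 53, "udp"),
    ("10.127.0.20", "207.126.105.146", 53, "udp"),
    ("10.127.0.20", "165.254.12.151", 53, "udp"),
    ("10.127.0.20", "207.126.105.146", 53, "udp"),
    ("10.127.0.20", "210.144.5.163", 53, "udp"),
    ("10.127.0.20", "64.30.227.206", 53, "udp"),
    ("10.127.0.20", "207.126.105.146", 53, "udp"),
    ("10.127.0.20", "207.126.105.146", 53, "udp"),
    ("10.127.0.20", "207.126.105.146", 53, "udp"),
    ("10.127.0.20", "63.251.129.1", 53, "udp"),
    ("10.127.0.20", "207.126.105.146", 53, "udp"),
    ("10.127.0.20", "64.30.227.206", 53, "udp"),
    ("10.127.0.20", "207.126.105.146", 443, "tcp"),  # same host, not the DNS port: ignored
]


def unexpected_dns_destinations(flows, resolvers=CONFIGURED_RESOLVERS):
    """Return Counter {dst_ip: hits} for port-53 flows to hosts that are not configured resolvers.

    Multicast and loopback destinations are skipped so that mDNS (224.0.0.251)
    or a local stub resolver does not trip the rule.
    """
    allowed = {ip_address(r) for r in resolvers}
    hits = Counter()
    for _src, dst, dport, _proto in flows:
        if dport != DNS_PORT:
            continue
        addr = ip_address(dst)
        if addr in allowed or addr.is_multicast or addr.is_loopback:
            continue
        hits[str(addr)] += 1
    return hits


def format_signature(hits):
    """Render the hits in the report's signature style, most frequent first, with a total."""
    lines = [f"Unexpected DNS network traffic destination {sum(hits.values())} IoCs"]
    for ip, n in hits.most_common():
        lines.append(f"Destination IP {ip} ({n})")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_signature(unexpected_dns_destinations(SAMPLE_FLOWS)))
```

Run against the constructed log it reports the same 15 hits across the same 5 hosts as the signature above, with 207.126.105.146 accounting for 7 of them. The resolver set is the part to get right in production: pull it from the host's actual network configuration rather than hard-coding it, or every legitimately configured resolver shows up as a hit.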
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system (this applies to BIOS/legacy boot; UEFI systems boot from the EFI System Partition instead).
description: File opened for modification
ioc: \??\PhysicalDrive0
Process: 4f8f4837532efeaea3e91ca74b464a30_JaffaCakes118.exe
Note that the signature fires on the raw disk device being opened with write access; the report does not show what, if anything, was written to it.
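Because the entry above only records a write-capable handle to the raw disk, the responder's follow-up is to read the first sector of that same device and check it. The block below is an added example, not code from the report or from the sandbox that produced it: it parses a 512-byte MBR (boot signature, partition entries, and a hash of the boot-code region) and compares the boot code against a baseline hash. The device path `\\.\PhysicalDrive0` is the Win32 alias of the NT-native `\??\PhysicalDrive0` seen in the IoC; the two sample sectors are constructed here, not taken from the sample, and the baseline is derived from the clean one.

```python
r"""Parse and baseline-check a Master Boot Record sector.

Added example; not code from the report or the sandbox. read_mbr() targets the
Windows raw-disk device and is not exercised here; CLEAN_MBR and TAMPERED_MBR
are constructed sectors.
"""
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440                 # boot code precedes the 4-byte disk signature at 0x1B8
PARTITION_TABLE_OFFSET = 0x1BE
PARTITION_ENTRY_FMT = "<B3sB3sII"   # status, CHS start, type, CHS end, LBA start, sector count
BOOT_SIGNATURE_OFFSET = 0x1FE
BOOT_SIGNATURE = b"\x55\xAA"


def read_mbr(device=r"\\.\PhysicalDrive0"):
    # Raw-disk read on Windows; requires administrator rights. Not called in this example.
    with open(device, "rb") as f:
        return f.read(SECTOR_SIZE)


def parse_mbr(sector):
    """Return boot-signature status, non-empty partition entries and a hash of the boot code."""
    if len(sector) < SECTOR_SIZE:
        raise ValueError("MBR must be at least 512 bytes")
    partitions = []
    for i in range(4):
        status, _, ptype, _, lba_start, count = struct.unpack_from(
            PARTITION_ENTRY_FMT, sector, PARTITION_TABLE_OFFSET + 16 * i)
        if ptype != 0:  # partition type 0 marks an unused slot
            partitions.append({"index": i, "bootable": status == 0x80, "type": ptype,
                               "lba_start": lba_start, "sectors": count})
    return {
        "signature_ok": sector[BOOT_SIGNATURE_OFFSET:BOOT_SIGNATURE_OFFSET + 2] == BOOT_SIGNATURE,
        "partitions": partitions,
        "bootcode_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
    }


def mbr_matches_baseline(sector, baseline_sha256):
    """True only if the 0x55AA signature is intact and the boot code hashes to the recorded baseline."""
    info = parse_mbr(sector)
    return info["signature_ok"] and info["bootcode_sha256"] == baseline_sha256


def build_sample_mbr(boot_code):
    """Constructed sector: the given boot code, one bootable NTFS (0x07) partition, valid signature."""
    sector = bytearray(SECTOR_SIZE)
    sector[:len(boot_code)] = boot_code
    struct.pack_into(PARTITION_ENTRY_FMT, sector, PARTITION_TABLE_OFFSET,
                     0x80, b"\0\0\0", 0x07, b"\0\0\0", 2048, 204800)
    sector[BOOT_SIGNATURE_OFFSET:] = BOOT_SIGNATURE
    return bytes(sector)


# Illustrative prologue only (cli; xor ax,ax; mov ss,ax; mov sp,7C00h), not a real Windows MBR.
CLEAN_MBR = build_sample_mbr(b"\xFA\x33\xC0\x8E\xD0\xBC\x00\x7C")
# Bootkit-style overwrite of the code region: partition table and 0x55AA are untouched, so a
# check that only validates the signature or the partition entries would miss it.
TAMPERED_MBR = build_sample_mbr(b"\xEB\xFE")
BASELINE_SHA256 = parse_mbr(CLEAN_MBR)["bootcode_sha256"]


if __name__ == "__main__":
    for name, sector in (("clean", CLEAN_MBR), ("tampered", TAMPERED_MBR)):
        info = parse_mbr(sector)
        print(name, info["signature_ok"], info["partitions"],
              mbr_matches_baseline(sector, BASELINE_SHA256))
```

The tampered sector still parses as a perfectly valid MBR, which is the point: integrity has to be judged against a baseline hash captured from a known-good image, not against the structure of the sector itself. In an investigation, take the baseline from a clean build of the same OS version, and hash only the code region, since the 4-byte disk signature at 0x1B8 and the partition table legitimately differ between machines.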
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.
description: Key opened
ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Process: 4f8f4837532efeaea3e91ca74b464a30_JaffaCakes118.exe
Suspicious use of SetWindowsHookEx 20 IoCs
pid: 580
Process: 4f8f4837532efeaea3e91ca74b464a30_JaffaCakes118.exe (20 occurrences, all from the same process)
Processes
-
C:\Users\Admin\AppData\Local\Temp\4f8f4837532efeaea3e91ca74b464a30_JaffaCakes118.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\4f8f4837532efeaea3e91ca74b464a30_JaffaCakes118.exe"
(process tree level 1)
- Writes to the Master Boot Record (MBR)
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:580