Analysis

  • max time kernel
    119s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    16/10/2024, 02:39

General

  • Target

    4b0fae714497cb3a60037e8f543d8ae9_JaffaCakes118.exe

  • Size

    423KB

  • MD5

    4b0fae714497cb3a60037e8f543d8ae9

  • SHA1

    8e53ff1ec3abcfe5cff2fe45c5feeef24a4ec918

  • SHA256

    829e8c5cb3aa8455f983872bb992e2e92966b940745e597c10742258c10b4173

  • SHA512

    c75e9b46087bde983bd56dfa88d2d706e0d135b487e9689c9cf2a05df97067771b6d81cd920c879fd2f604f545f8d1fa0308fa83d00ed80099f1a55088ae4b5e

  • SSDEEP

    6144:csgZ0IeJo5wTNxC5yuQJjXOQbJJ7TN26lELeuWcr+KYJccBWRXTH:MZ0254rucLJnlYeirGBBWRb

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 9 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • NSIS installer 2 IoCs
  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 11 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4b0fae714497cb3a60037e8f543d8ae9_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\4b0fae714497cb3a60037e8f543d8ae9_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1936
    • C:\ProgramData\37wan\wy\wy.exe
      "C:\ProgramData\37wan\wy\wy.exe" /autorun /setuprun
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:2700
    • C:\ProgramData\37wan\wy\wy.exe
      "C:\ProgramData\37wan\wy\wy.exe" /setupsucc
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Writes to the Master Boot Record (MBR)
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2752

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\ProgramData\37wan\wy\lander.ini

          Filesize

          381B

          MD5

          fe609059a9a3871184f86b1825599c19

          SHA1

          16e1a7b1381c9bd3aa78aa416db8d1429706e53c

          SHA256

          517ae79c2ad9cdb10c82186be1166bde73d5872b9cb25e1eff21a677c64d8d5f

          SHA512

          11a76fde21c90f110ecf22adb9243c2dd796cd6f789a2efd8bec2d7993d47b7f53474e25b19451cdf556c4e9436d0c299582d8e08ea78433c0ffc05a9f2d01d6

        • C:\ProgramData\37wan\wy\lander.ini

          Filesize

          393B

          MD5

          d218c8f7335bbae0c2bf07b9b4f784f0

          SHA1

          5b7b513ca3e81c167ccdfcac615295056cfa2dee

          SHA256

          3b0eabe6f8e72e8490ef064587dc81217401c6a2b01ed511bbe77603447d722c

          SHA512

          99fda78be5f94ef8616ba126557f17609a731768cde7ca53df5740a7ad56841baf587b29649f5265836bf992671cd02a31ff99b8e86ec2c6d75a374e3d2e9d0b

        • \ProgramData\37wan\wy\uninst.exe

          Filesize

          64KB

          MD5

          c1c0b7d9d1c3774db756dbf800fa7e96

          SHA1

          4ca05b1e96bf3045c6361fa743f4ec0ccc6f625c

          SHA256

          02308440ae87d5560305623ff4e4e9296cc36e565bc3d4a209d51952bfb3b3b5

          SHA512

          70d8b1ac41f59d5a829b5f54c6b7e01036026915e3beaf7bcecbde95e54974ad4f1e1bc8497db3d55e20d87436b98b1e25c6dc03a8c8e786e30e6845d277dfde

        • \ProgramData\37wan\wy\wy.exe

          Filesize

          1.9MB

          MD5

          b18c3fbda7f860cacd7009ca0b0a50c2

          SHA1

          2a5ee5d73b29dc2e072b25192acdf18931acc1c8

          SHA256

          5850211530459f873ca0310c2221e113580ddc51bc2a211fd5d62d3c1f9834eb

          SHA512

          c9bb7421c001d45f2362199b2ec6f6cd7f0a59a62ecbcd870212f32f2e2f9e21b95ccaef5ef085737bf94229f404c3e72146bfa49de69a2714593158658ef667