Analysis
- max time kernel: 148s
- max time network: 149s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 16/10/2024, 04:18
Static task: static1
Behavioral task: behavioral1
- Sample: 4b5dd0a8e1e48930928f314af1dac093_JaffaCakes118.exe
- Resource: win7-20240903-en
Behavioral task: behavioral2
- Sample: 4b5dd0a8e1e48930928f314af1dac093_JaffaCakes118.exe
- Resource: win10v2004-20241007-en
General
- Target: 4b5dd0a8e1e48930928f314af1dac093_JaffaCakes118.exe
- Size: 124KB
- MD5: 4b5dd0a8e1e48930928f314af1dac093
- SHA1: 5f21801d12551623f519a206e45a229286c5eca2
- SHA256: 666ba761b6c3568e4d501f44e9e92af2b8b54754eb4edd0fe149ae3080117dbd
- SHA512: dc078d4345f60facbbea42cf2179fbee6a177078ff2d05c459b9d69c62db3127154510f2d31b16899dfddff7ba12273db16fb68205066adf4382ffbb3b6a7ccc
- SSDEEP: 3072:JADbdFWO9U4uV0rtylw/UpqyhEs7F1wAIY2Zpfl:ObKOGpirp/UZh974fjt
Malware Config
Signatures
- Unexpected DNS network traffic destination (10 IoCs)
  Network traffic to servers other than the configured DNS servers was detected on the DNS port.
  description / ioc:
  - Destination IP: 141.155.0.68
  - Destination IP: 202.222.18.86
  - Destination IP: 141.155.0.68
  - Destination IP: 209.233.180.3
  - Destination IP: 202.222.18.86
  - Destination IP: 217.174.99.70
  - Destination IP: 211.45.152.64
  - Destination IP: 209.233.180.3
  - Destination IP: 211.45.152.64
  - Destination IP: 217.174.99.70
- Writes to the Master Boot Record (MBR) (1 TTP, 1 IoC)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  description / ioc / Process:
  - File opened for modification: \??\PhysicalDrive0 (4b5dd0a8e1e48930928f314af1dac093_JaffaCakes118.exe)
- System Location Discovery: System Language Discovery (1 TTP, 1 IoC)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description / ioc / Process:
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (4b5dd0a8e1e48930928f314af1dac093_JaffaCakes118.exe)
- Suspicious use of SetWindowsHookEx (16 IoCs)
  pid / Process:
  - 1004: 4b5dd0a8e1e48930928f314af1dac093_JaffaCakes118.exe (this same entry is listed 16 times in the report)
Processes
1. C:\Users\Admin\AppData\Local\Temp\4b5dd0a8e1e48930928f314af1dac093_JaffaCakes118.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\4b5dd0a8e1e48930928f314af1dac093_JaffaCakes118.exe"
   - Writes to the Master Boot Record (MBR)
   - System Location Discovery: System Language Discovery
   - Suspicious use of SetWindowsHookEx
   PID: 1004