Analysis

  • max time kernel
    19s
  • max time network
    25s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
  • submitted
    17/10/2024, 17:29

General

  • Target

    52db8262b6fdfc265caa70b7aa6abd14_JaffaCakes118.exe

  • Size

    452KB

  • MD5

    52db8262b6fdfc265caa70b7aa6abd14

  • SHA1

    561ede3362c63dfe224dfe9f98544673bf9f293b

  • SHA256

    51904d5c59460a8d90236bee6cf28176de7c4ceb0b2e7abae2e5ad3ed4ce3bf2

  • SHA512

    c20e122280a5ded19e7c2f839c008f958852cbeedd939eace37dbc5fa3ac0c58a6a86f140ec065b80bf3cd17aba30d6f326daab71e77274f3d6b2453b4448782

  • SSDEEP

    12288:GLO+MJClrwmPuuqcor/1/4UkNpxWBulXZDCzAI:GLO+MAUmHbo1tkV4+CD

Malware Config

Signatures

  • Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
  • Executes dropped EXE 5 IoCs
  • Loads dropped DLL 12 IoCs
  • Adds Run key to start application 2 TTPs 15 IoCs
  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

  • Enumerates processes with tasklist 1 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • UPX packed file 6 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\52db8262b6fdfc265caa70b7aa6abd14_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\52db8262b6fdfc265caa70b7aa6abd14_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2380
    • C:\Users\Admin\atlop.exe
      "C:\Users\Admin\atlop.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2132
      • C:\Users\Admin\gvcoum.exe
        "C:\Users\Admin\gvcoum.exe"
        3⤵
        • Modifies visibility of hidden/system files in Explorer
        • Executes dropped EXE
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2792
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c tasklist&&del atlop.exe
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2516
        • C:\Windows\SysWOW64\tasklist.exe
          tasklist
          4⤵
          • Enumerates processes with tasklist
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          PID:1360
    • C:\Users\Admin\bwsap.exe
      "C:\Users\Admin\bwsap.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2136
      • C:\Windows\SysWOW64\svchost.exe
        "C:\Windows\system32\svchost.exe"
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:1748
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\Users\Admin\a.bat" "
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2180
    • C:\Users\Admin\cwsap.exe
      "C:\Users\Admin\cwsap.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      PID:1320
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /q /c "C:\Users\Admin\AppData\Local\Temp\Rzz..bat" > nul 2> nul
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2336
    • C:\Users\Admin\dwsap.exe
      "C:\Users\Admin\dwsap.exe"
      2⤵
      • Executes dropped EXE
      • Writes to the Master Boot Record (MBR)
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      PID:2532

Network

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\Rzz..bat

          Filesize

          118B

          MD5

          81813fa4c78795237b6535d14a271ea9

          SHA1

          e5ad5a60cd264c5823a0546a4aaa3f037004b18f

          SHA256

          f6de6ecdc4833afd16c7526b9782b30da925fa532da05ef0033986d3869008e1

          SHA512

          5f6fa39e2c6cb42618f88319c640b9598046609c35d622196d3d225b8d4adfb7613b1fae672cad9de780f1e56b9610aac01cd1d3761a277c59ddd212e6b6ac39

        • C:\Users\Admin\a.bat

          Filesize

          113B

          MD5

          49d6b96ecf3f7f4a0b2d683ebb21c852

          SHA1

          ddb1e7eb58e991538c7af65fb807b30b7aa34c9e

          SHA256

          17529ddc40da41a75333366b84b1a001fa4b57bc9e8a9ef78277ae0780ccd45d

          SHA512

          e4e500699ec50e969edc796e1eb334f2f3f40269a71a42c11cef6709c61b1b789770c76535f15b598e416e081279ea14cc2511c20087fcb3829b1fde42d24243

        • C:\Users\Admin\bwsap.exe

          Filesize

          60KB

          MD5

          a1ec0e0b7ba6382f4a7ab696cd97be1e

          SHA1

          6dc5f7346be363c097a16b6306cfc8c91e859e60

          SHA256

          1749c9fb78d215dc3d49d9e850e3a18f734e7cfc331dad8aa805c96ab2240b52

          SHA512

          a92ee5a4e087a234669860e1707abac99484988f137210270d109e43a9895c503abde3f3a49f314f7472f81a7ca6d23eb63df2ebc687e0e0b119fa7cf5a63bc5

        • C:\Users\Admin\dwsap.exe

          Filesize

          121KB

          MD5

          2acc5ceb47acb798ae535daad48a6150

          SHA1

          f31dbe4e53c2c4683fc5074e59752c1ce0031a00

          SHA256

          697aa03bfe6922e88d96bb72b5a1d90d8206a9c8e050e5ca4e41676f6d72d5e4

          SHA512

          dda965b604fdbb5e629f18c0f8c3a0822ef3d07fd1ec1fc051412bace9c93c61885f824149ac3009adad73016cf16bd97dda5a67dd72ecfb056ae9642c00576c

        • \Users\Admin\atlop.exe

          Filesize

          268KB

          MD5

          08cce3f3b08395b0188f6581d3f67cee

          SHA1

          f3db5f2fbbf5e3e06e50920eea8665cd6840e7ef

          SHA256

          97531a3cd8aff7520e4cad53927bc2abdc046a4f1e052bcbe0aecc574d2c6e63

          SHA512

          231b82a579f20831a025035d2e0c094eb1c93206bee5bef95dba53c0d017a1ac4069631c08cadd4d5335b8c507b27b2c64468d1cf577d85c290b7ecdddbda682

        • \Users\Admin\cwsap.exe

          Filesize

          214KB

          MD5

          357bce01eddac462ffd80a0032901667

          SHA1

          fc9d8843b3db02570332558c72e4fe8530f4c76e

          SHA256

          b3b5b3894f59b2c85e00f25cbd55cf290cb31908479dcfc8008258b3d3e03680

          SHA512

          0738a133f0cd3b3a355e0a630ff29c19fe794588ea8361cd8b3ec4f440d417a0d71bf935a02b1a2c7bf2f072ff1d9fcf9f0ebe99666d5395aa77c9440fdd6d43

        • \Users\Admin\gvcoum.exe

          Filesize

          268KB

          MD5

          dc18c09654799aa06610c6cb863db544

          SHA1

          e0202c370281825b3065bd63787fe3fa92477b4b

          SHA256

          59f5425ec590afe34f8a57599b5210330653e219f128f1da372fae7567752945

          SHA512

          8cc9eedf3060ef6d8d61b0d1f0c106733c29bfdd2d7c0fb6ff1a982bbad24d220e75a88cc1354158006250f328ef924b6d1c8165a5bade1744299dc7059c3ef7

        • memory/1320-75-0x0000000000400000-0x000000000043B000-memory.dmp

          Filesize

          236KB

        • memory/1748-53-0x0000000000400000-0x000000000040F000-memory.dmp

          Filesize

          60KB

        • memory/1748-52-0x0000000000400000-0x000000000040F000-memory.dmp

          Filesize

          60KB

        • memory/1748-51-0x0000000000400000-0x000000000040F000-memory.dmp

          Filesize

          60KB

        • memory/1748-50-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

          Filesize

          4KB

        • memory/1748-72-0x0000000000400000-0x000000000040F000-memory.dmp

          Filesize

          60KB

        • memory/1748-48-0x0000000000400000-0x000000000040F000-memory.dmp

          Filesize

          60KB

        • memory/1748-46-0x0000000000400000-0x000000000040F000-memory.dmp

          Filesize

          60KB

        • memory/1748-44-0x0000000000400000-0x000000000040F000-memory.dmp

          Filesize

          60KB