Analysis
-
max time kernel
140s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
31/10/2024, 14:23
Static task
static1
Behavioral task
behavioral1
Sample
834440250afb792fdfce78de4da1feea_JaffaCakes118.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
834440250afb792fdfce78de4da1feea_JaffaCakes118.exe
Resource
win10v2004-20241007-en
General
-
Target
834440250afb792fdfce78de4da1feea_JaffaCakes118.exe
-
Size
2.4MB
-
MD5
834440250afb792fdfce78de4da1feea
-
SHA1
9d53dce501915a2adc8f55a394c2671c090c6d7d
-
SHA256
e3772807cb8a20f94b491000e85db091cfdb5e4b61e079267ddb06e5fc450481
-
SHA512
691313abe3cedb16f03288bd8b9acab9b79098e0cc1687dbb12277ccc0a9ea9d8f691e3cd8f7864f89db2a8e27c9ce8d5c23bbed8c8f9fef403b9e7eb4b3e607
-
SSDEEP
24576:BKQkU1JtzJPsYh1wcCS9JcEB/pGXHSBa2uc+Kc1Psq0eBMhwc3QnKOy1IA+/v2F:kQkUbPHlxLp6bxzPsvyyiA+2
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
pid Process 2420 1.exe -
Identifies Wine through registry keys 2 TTPs 1 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Wine 1.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"F:\\msdownld.tmp\\IXP000.TMP\\\"" 834440250afb792fdfce78de4da1feea_JaffaCakes118.exe -
Enumerates connected drives 3 TTPs 3 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\A: 834440250afb792fdfce78de4da1feea_JaffaCakes118.exe File opened (read-only) \??\B: 834440250afb792fdfce78de4da1feea_JaffaCakes118.exe File opened (read-only) \??\E: 834440250afb792fdfce78de4da1feea_JaffaCakes118.exe -
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
description ioc Process File opened for modification \??\PhysicalDrive0 1.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
pid Process 2420 1.exe -
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 834440250afb792fdfce78de4da1feea_JaffaCakes118.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1.exe -
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid Process 2420 1.exe -
Suspicious use of WriteProcessMemory 7 IoCs
description pid Process procid_target PID 2076 wrote to memory of 2420 2076 834440250afb792fdfce78de4da1feea_JaffaCakes118.exe 30 PID 2076 wrote to memory of 2420 2076 834440250afb792fdfce78de4da1feea_JaffaCakes118.exe 30 PID 2076 wrote to memory of 2420 2076 834440250afb792fdfce78de4da1feea_JaffaCakes118.exe 30 PID 2076 wrote to memory of 2420 2076 834440250afb792fdfce78de4da1feea_JaffaCakes118.exe 30 PID 2076 wrote to memory of 2420 2076 834440250afb792fdfce78de4da1feea_JaffaCakes118.exe 30 PID 2076 wrote to memory of 2420 2076 834440250afb792fdfce78de4da1feea_JaffaCakes118.exe 30 PID 2076 wrote to memory of 2420 2076 834440250afb792fdfce78de4da1feea_JaffaCakes118.exe 30
Processes
-
C:\Users\Admin\AppData\Local\Temp\834440250afb792fdfce78de4da1feea_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\834440250afb792fdfce78de4da1feea_JaffaCakes118.exe"1⤵
- Adds Run key to start application
- Enumerates connected drives
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2076 -
F:\msdownld.tmp\IXP000.TMP\1.exeF:\msdownld.tmp\IXP000.TMP\1.exe2⤵
- Executes dropped EXE
- Identifies Wine through registry keys
- Writes to the Master Boot Record (MBR)
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:2420
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Pre-OS Boot
1Bootkit
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Defense Evasion
Modify Registry
1Pre-OS Boot
1Bootkit
1Virtualization/Sandbox Evasion
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2.1MB
MD501bdae497b2ba405a9aa65b279cea1eb
SHA1bffd0556f6fecadc29738189005026ac3fcbe39b
SHA25617a4f97930492697ed75a8e662ea9c6203552fe0e218ae51a0979652506d576e
SHA512b8f0b9db2ef66cb8fbc4a950799e660c4074ea1180782aa4872323f7a3f7f0e866a0696a4fad2eae94d4b7721268a7e39fabf0f930ed29e0af7725b4f8f52cdc