Analysis
-
max time kernel
121s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
31/10/2024, 14:57
Behavioral task
behavioral1
Sample
835fdcf01a2f280cf74b676001f12ad7_JaffaCakes118.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
835fdcf01a2f280cf74b676001f12ad7_JaffaCakes118.exe
Resource
win10v2004-20241007-en
General
-
Target
835fdcf01a2f280cf74b676001f12ad7_JaffaCakes118.exe
-
Size
456KB
-
MD5
835fdcf01a2f280cf74b676001f12ad7
-
SHA1
0d2ed97b30ec20e83e0f4ba04722fa12f863505d
-
SHA256
bf786053e08168b8454d21562472aff64d75ab9248a5f721d0484c4fb35d5a64
-
SHA512
e12e34652778b75335c67005b560e5fe4dd0f9faf9e3f425cb472ab3052c63b58bd95e87e03b128298d27a532a3c773e81c74370344c3af18200db9b8a8b0247
-
SSDEEP
12288:QSoGZKu26s2vEZZH+MJyVg5Qy5sZ0kVd3dffu:Q3GZKu2N2vEZZH+MUVqjyZFNfu
Malware Config
Signatures
-
Unexpected DNS network traffic destination 9 IoCs
Network traffic to other servers than the configured DNS servers was detected on the DNS port.
description ioc Destination IP 128.192.1.193 Destination IP 209.64.210.34 Destination IP 216.54.204.186 Destination IP 192.55.87.207 Destination IP 207.231.129.132 Destination IP 128.227.128.254 Destination IP 65.51.51.2 Destination IP 147.21.176.130 Destination IP 130.94.124.174 -
resource yara_rule behavioral1/memory/2440-0-0x0000000000400000-0x000000000051C000-memory.dmp vmprotect behavioral1/memory/2440-1-0x0000000000400000-0x000000000051C000-memory.dmp vmprotect behavioral1/memory/2440-5-0x0000000000400000-0x000000000051C000-memory.dmp vmprotect -
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
description ioc Process File opened for modification \??\PhysicalDrive0 835fdcf01a2f280cf74b676001f12ad7_JaffaCakes118.exe -
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 835fdcf01a2f280cf74b676001f12ad7_JaffaCakes118.exe -
Suspicious use of SetWindowsHookEx 33 IoCs
pid Process 2440 835fdcf01a2f280cf74b676001f12ad7_JaffaCakes118.exe 2440 835fdcf01a2f280cf74b676001f12ad7_JaffaCakes118.exe 2440 835fdcf01a2f280cf74b676001f12ad7_JaffaCakes118.exe 2440 835fdcf01a2f280cf74b676001f12ad7_JaffaCakes118.exe 2440 835fdcf01a2f280cf74b676001f12ad7_JaffaCakes118.exe 2440 835fdcf01a2f280cf74b676001f12ad7_JaffaCakes118.exe 2440 835fdcf01a2f280cf74b676001f12ad7_JaffaCakes118.exe 2440 835fdcf01a2f280cf74b676001f12ad7_JaffaCakes118.exe 2440 835fdcf01a2f280cf74b676001f12ad7_JaffaCakes118.exe 2440 835fdcf01a2f280cf74b676001f12ad7_JaffaCakes118.exe 2440 835fdcf01a2f280cf74b676001f12ad7_JaffaCakes118.exe 2440 835fdcf01a2f280cf74b676001f12ad7_JaffaCakes118.exe 2440 835fdcf01a2f280cf74b676001f12ad7_JaffaCakes118.exe 2440 835fdcf01a2f280cf74b676001f12ad7_JaffaCakes118.exe 2440 835fdcf01a2f280cf74b676001f12ad7_JaffaCakes118.exe 2440 835fdcf01a2f280cf74b676001f12ad7_JaffaCakes118.exe 2440 835fdcf01a2f280cf74b676001f12ad7_JaffaCakes118.exe 2440 835fdcf01a2f280cf74b676001f12ad7_JaffaCakes118.exe 2440 835fdcf01a2f280cf74b676001f12ad7_JaffaCakes118.exe 2440 835fdcf01a2f280cf74b676001f12ad7_JaffaCakes118.exe 2440 835fdcf01a2f280cf74b676001f12ad7_JaffaCakes118.exe 2440 835fdcf01a2f280cf74b676001f12ad7_JaffaCakes118.exe 2440 835fdcf01a2f280cf74b676001f12ad7_JaffaCakes118.exe 2440 835fdcf01a2f280cf74b676001f12ad7_JaffaCakes118.exe 2440 835fdcf01a2f280cf74b676001f12ad7_JaffaCakes118.exe 2440 835fdcf01a2f280cf74b676001f12ad7_JaffaCakes118.exe 2440 835fdcf01a2f280cf74b676001f12ad7_JaffaCakes118.exe 2440 835fdcf01a2f280cf74b676001f12ad7_JaffaCakes118.exe 2440 835fdcf01a2f280cf74b676001f12ad7_JaffaCakes118.exe 2440 835fdcf01a2f280cf74b676001f12ad7_JaffaCakes118.exe 2440 835fdcf01a2f280cf74b676001f12ad7_JaffaCakes118.exe 2440 835fdcf01a2f280cf74b676001f12ad7_JaffaCakes118.exe 2440 835fdcf01a2f280cf74b676001f12ad7_JaffaCakes118.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\835fdcf01a2f280cf74b676001f12ad7_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\835fdcf01a2f280cf74b676001f12ad7_JaffaCakes118.exe"1⤵
- Writes to the Master Boot Record (MBR)
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2440