Analysis
- max time kernel: 143s
- max time network: 147s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 31/10/2024, 14:57
Behavioral task: behavioral1
- Sample: 835fdcf01a2f280cf74b676001f12ad7_JaffaCakes118.exe
- Resource: win7-20240903-en
Behavioral task: behavioral2
- Sample: 835fdcf01a2f280cf74b676001f12ad7_JaffaCakes118.exe
- Resource: win10v2004-20241007-en
General
- Target: 835fdcf01a2f280cf74b676001f12ad7_JaffaCakes118.exe
- Size: 456KB
- MD5: 835fdcf01a2f280cf74b676001f12ad7
- SHA1: 0d2ed97b30ec20e83e0f4ba04722fa12f863505d
- SHA256: bf786053e08168b8454d21562472aff64d75ab9248a5f721d0484c4fb35d5a64
- SHA512: e12e34652778b75335c67005b560e5fe4dd0f9faf9e3f425cb472ab3052c63b58bd95e87e03b128298d27a532a3c773e81c74370344c3af18200db9b8a8b0247
- SSDEEP: 12288:QSoGZKu26s2vEZZH+MJyVg5Qy5sZ0kVd3dffu:Q3GZKu2N2vEZZH+MUVqjyZFNfu
Malware Config
Signatures
- Unexpected DNS network traffic destination (9 IoCs)
  Network traffic to other servers than the configured DNS servers was detected on the DNS port.
  Destination IP: 65.163.161.230
  Destination IP: 129.82.103.79
  Destination IP: 169.146.191.18
  Destination IP: 158.106.52.64
  Destination IP: 147.21.23.9
  Destination IP: 64.132.57.20
  Destination IP: 136.242.11.73
  Destination IP: 65.173.99.98
  Destination IP: 128.227.128.254
- YARA rule matches (3 IoCs)
  resource: behavioral2/memory/1248-0-0x0000000000400000-0x000000000051C000-memory.dmp, yara_rule: vmprotect
  resource: behavioral2/memory/1248-2-0x0000000000400000-0x000000000051C000-memory.dmp, yara_rule: vmprotect
  resource: behavioral2/memory/1248-6-0x0000000000400000-0x000000000051C000-memory.dmp, yara_rule: vmprotect
- Writes to the Master Boot Record (MBR) (1 TTP, 1 IoC)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  File opened for modification: \??\PhysicalDrive0 (process: 835fdcf01a2f280cf74b676001f12ad7_JaffaCakes118.exe)
- System Location Discovery: System Language Discovery (1 TTP, 1 IoC)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: 835fdcf01a2f280cf74b676001f12ad7_JaffaCakes118.exe)
- Suspicious use of SetWindowsHookEx (33 IoCs)
  pid: 1248, process: 835fdcf01a2f280cf74b676001f12ad7_JaffaCakes118.exe (33 identical entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\835fdcf01a2f280cf74b676001f12ad7_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\835fdcf01a2f280cf74b676001f12ad7_JaffaCakes118.exe"
  - Writes to the Master Boot Record (MBR)
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID: 1248