Analysis

  • max time kernel: 121s
  • max time network: 123s
  • platform: windows7_x64
  • resource: win7-20240903-en
  • resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted: 31/10/2024, 16:05

General

  • Target: 837b3ee12cc0ddd81bfcf0c7b57e3dfc_JaffaCakes118.exe
  • Size: 400KB
  • MD5: 837b3ee12cc0ddd81bfcf0c7b57e3dfc
  • SHA1: 70612835e9d261454200ce963af55bb553b8b486
  • SHA256: e356e0ab1bc38eac26f1e4caea3acae40f70b910a961555ae1c6ffa02a4d20a8
  • SHA512: 7df022a6445e09d52c39c717ebc3b77b3201beb2ab09d8c0aea4cc88f4253a708fa63949d27d21f04626fcdbc33bbd6293e3248f792adc7b769c6cec0d8ccca0
  • SSDEEP: 6144:xpMt2bRtHVlAKFMFkBiCl1zfWbq4iofuz3rWrthaU1m4R0a6LD:xpMt2/H/Fxi+1z0q4NWz7Wna

Malware Config

Signatures

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 8 IoCs
  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 35 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\837b3ee12cc0ddd81bfcf0c7b57e3dfc_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\837b3ee12cc0ddd81bfcf0c7b57e3dfc_JaffaCakes118.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2848
    • C:\Users\Admin\AppData\Local\Temp\837b3ee12cc0ddd81bfcf0c7b57e3dfc_JaffaCakes118.exe
      C:\Users\Admin\AppData\Local\Temp\837b3ee12cc0ddd81bfcf0c7b57e3dfc_JaffaCakes118.exe
      2⤵
      • Loads dropped DLL
      • Writes to the Master Boot Record (MBR)
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1720
      • C:\Users\Admin\AppData\Local\Temp\your_exe.exe
        "C:\Users\Admin\AppData\Local\Temp\your_exe.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2772
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\your_exe.exe > nul
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2820
      • C:\Users\Admin\AppData\Local\Temp\1281085013.exe
        "C:\Users\Admin\AppData\Local\Temp\1281085013.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        PID:2688
      • C:\Users\Admin\AppData\Local\Temp\install.48596.exe
        "C:\Users\Admin\AppData\Local\Temp\install.48596.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2896
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\system32\cmd.exe" /q /c "C:\Users\Admin\AppData\Local\Temp\Zxp..bat" > nul 2> nul
          4⤵
          • System Location Discovery: System Language Discovery
          PID:1912

Network

        Downloads

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\MPUI9R2R\domain_profile[1].htm
          Filesize: 8KB
          MD5: e13dc56e321e22d0cd5dd7334ea994ce
          SHA1: 135c2d6c420e891b6132671dcf59c21579096789
          SHA256: 0a5ea53bc287ecb32d41eaa6bf3cd6aea27bfeef0c0f65ed04362e58dad3422a
          SHA512: 8cf29a3426b8201928f26ae5bbf2217a44bad3fef82cb2d9abffa0382d82e8f3b800b70c419083e1001e4b2d5f688768218184330bd570f3eb211a57b026de96

        • C:\Users\Admin\AppData\Local\Temp\Zxp..bat
          Filesize: 172B
          MD5: c33eea8a46d07a704cb779c6dc84c12a
          SHA1: 649151c6d4416f693a74857693e16e2195fb2d7c
          SHA256: 3568407aa5d11fb1219fc6f1e4e8f4d90acef87a178cd886b2b379f7279de3c5
          SHA512: 5171f18a5fde3a37877f35ac4dc1715428754c35b4ea3a1d2d3646c7ddebc2b7ae38d03af4146270d70c4274895c74fbfa1d43fb152532b4cef01ce1841f7350

        • \Users\Admin\AppData\Local\Temp\1281085013.exe
          Filesize: 92KB
          MD5: 73ab199d7ab02007c908122e892ca1c3
          SHA1: 01614a27abc6a64ed6479ca2f6596b8b6d2d31a6
          SHA256: 3d0932127b9ae4643a8040b11deff670ce00844a0a4dc9bccc2cd6f4c715cd5f
          SHA512: b506ad5d819d4d289148a91c5905cf9e65846c2a4a7f1f51585218728f54dc334c605df5d434f2c97e1bb353d6ec737fbbd3ba7763be107c969a0ff2de7346fb

        • \Users\Admin\AppData\Local\Temp\install.48596.exe
          Filesize: 129KB
          MD5: 4eea964cf5ee8eaaa4561798f69ed259
          SHA1: f6fa8f310f8a439941acbeb25d3653c8cd130318
          SHA256: 3f9ea9e74b1a280508dacd0312b144b1c44d6f08077783656dd45f1b0df9144f
          SHA512: 96d080102bf3e99581b4e8dd98e40174a0709bb237ff042b869fb404ad24ebc4b74e33844bd10c378692c561298dafa346577094b6ae763e5e3740b8c6fb4b20

        • \Users\Admin\AppData\Local\Temp\your_exe.exe
          Filesize: 22KB
          MD5: 75ecb408da996d0d7f33dd77f6eb1c9c
          SHA1: b836e9125bd643358bda960e50637a8ea172b495
          SHA256: fa8652151b8bb6daeb86b97c5c705886028e587a5be366e0c228849c9bcbd078
          SHA512: f9933923ccfbc04ddb95090a78698737355128aff01fd2713a1cd029c5c32bc37d29c01714c663eaa89ca604efdd80b16a27ec8ed7eb2769837a7130fa7bbccd

        • memory/1720-6-0x0000000000400000-0x0000000000449000-memory.dmp (Filesize: 292KB)
        • memory/1720-8-0x0000000000400000-0x0000000000449000-memory.dmp (Filesize: 292KB)
        • memory/1720-4-0x000000007EFDE000-0x000000007EFDF000-memory.dmp (Filesize: 4KB)
        • memory/1720-16-0x0000000000880000-0x000000000088D000-memory.dmp (Filesize: 52KB)
        • memory/1720-2-0x0000000000400000-0x0000000000449000-memory.dmp (Filesize: 292KB)
        • memory/1720-37-0x0000000000400000-0x0000000000449000-memory.dmp (Filesize: 292KB)
        • memory/2688-45-0x0000000000F90000-0x0000000000FAB000-memory.dmp (Filesize: 108KB)
        • memory/2772-27-0x0000000000400000-0x000000000040D000-memory.dmp (Filesize: 52KB)
        • memory/2772-23-0x0000000000400000-0x000000000040D000-memory.dmp (Filesize: 52KB)
        • memory/2896-44-0x0000000000400000-0x0000000000423000-memory.dmp (Filesize: 140KB)
        • memory/2896-43-0x0000000000250000-0x000000000027C000-memory.dmp (Filesize: 176KB)
        • memory/2896-87-0x0000000000400000-0x0000000000423000-memory.dmp (Filesize: 140KB)