6133595b57c88c017f35c670251425f4db837c7efd15d5de260db29da64f26ea

Analysis

max time kernel
117s
max time network
121s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
01-11-2024 09:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8457c46d0f4eb3d95356d3d5f27d3a9d_JaffaCakes118.exe
Size

1.6MB
MD5

8457c46d0f4eb3d95356d3d5f27d3a9d
SHA1

f81a43979fd664d820d136cb0731180b7edf7230
SHA256

6133595b57c88c017f35c670251425f4db837c7efd15d5de260db29da64f26ea
SHA512

9ce831cb5bff53278ed4a71166704628a2b676aa9a4c612af883c742948286089292aac8f6d9b7d01d620a7ca13e57ecf0dbbf7ef5d0595fc16464a5920cf3db
SSDEEP

49152:NZcX0JOG8smOxRUnTn14a93CMWRVQyVeLsduKLiwum:NekUG8smOPUnTn14ICpLQykLeuKLiU

Score

7^/10

bootkit discovery persistence

Malware Config

Signatures

Loads dropped DLL 9 IoCs

Processes:

8457c46d0f4eb3d95356d3d5f27d3a9d_JaffaCakes118.exe

pid	process
2724	8457c46d0f4eb3d95356d3d5f27d3a9d_JaffaCakes118.exe
2724	8457c46d0f4eb3d95356d3d5f27d3a9d_JaffaCakes118.exe
2724	8457c46d0f4eb3d95356d3d5f27d3a9d_JaffaCakes118.exe
2724	8457c46d0f4eb3d95356d3d5f27d3a9d_JaffaCakes118.exe
2724	8457c46d0f4eb3d95356d3d5f27d3a9d_JaffaCakes118.exe
2724	8457c46d0f4eb3d95356d3d5f27d3a9d_JaffaCakes118.exe
2724	8457c46d0f4eb3d95356d3d5f27d3a9d_JaffaCakes118.exe
2724	8457c46d0f4eb3d95356d3d5f27d3a9d_JaffaCakes118.exe
2724	8457c46d0f4eb3d95356d3d5f27d3a9d_JaffaCakes118.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1542.003

Processes:

8457c46d0f4eb3d95356d3d5f27d3a9d_JaffaCakes118.exe

description ioc process

File opened for modification \??\PhysicalDrive0 8457c46d0f4eb3d95356d3d5f27d3a9d_JaffaCakes118.exe
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
discovery

System Language Discovery
T1614.001

Processes:

8457c46d0f4eb3d95356d3d5f27d3a9d_JaffaCakes118.exe

description ioc process

Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8457c46d0f4eb3d95356d3d5f27d3a9d_JaffaCakes118.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

8457c46d0f4eb3d95356d3d5f27d3a9d_JaffaCakes118.exe

pid process

2724 8457c46d0f4eb3d95356d3d5f27d3a9d_JaffaCakes118.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

8457c46d0f4eb3d95356d3d5f27d3a9d_JaffaCakes118.exe

description pid process

Token: SeDebugPrivilege 2724 8457c46d0f4eb3d95356d3d5f27d3a9d_JaffaCakes118.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	8457c46d0f4eb3d95356d3d5f27d3a9d_JaffaCakes118.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8457c46d0f4eb3d95356d3d5f27d3a9d_JaffaCakes118.exe

description	pid	process
Token: SeDebugPrivilege	2724	8457c46d0f4eb3d95356d3d5f27d3a9d_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 64 IoCs

Processes:

8457c46d0f4eb3d95356d3d5f27d3a9d_JaffaCakes118.exe

pid	process
2724	8457c46d0f4eb3d95356d3d5f27d3a9d_JaffaCakes118.exe
2724	8457c46d0f4eb3d95356d3d5f27d3a9d_JaffaCakes118.exe
2724	8457c46d0f4eb3d95356d3d5f27d3a9d_JaffaCakes118.exe
2724	8457c46d0f4eb3d95356d3d5f27d3a9d_JaffaCakes118.exe
2724	8457c46d0f4eb3d95356d3d5f27d3a9d_JaffaCakes118.exe
2724	8457c46d0f4eb3d95356d3d5f27d3a9d_JaffaCakes118.exe
2724	8457c46d0f4eb3d95356d3d5f27d3a9d_JaffaCakes118.exe
2724	8457c46d0f4eb3d95356d3d5f27d3a9d_JaffaCakes118.exe
2724	8457c46d0f4eb3d95356d3d5f27d3a9d_JaffaCakes118.exe
2724	8457c46d0f4eb3d95356d3d5f27d3a9d_JaffaCakes118.exe
2724	8457c46d0f4eb3d95356d3d5f27d3a9d_JaffaCakes118.exe
2724	8457c46d0f4eb3d95356d3d5f27d3a9d_JaffaCakes118.exe
2724	8457c46d0f4eb3d95356d3d5f27d3a9d_JaffaCakes118.exe
2724	8457c46d0f4eb3d95356d3d5f27d3a9d_JaffaCakes118.exe
2724	8457c46d0f4eb3d95356d3d5f27d3a9d_JaffaCakes118.exe
2724	8457c46d0f4eb3d95356d3d5f27d3a9d_JaffaCakes118.exe
2724	8457c46d0f4eb3d95356d3d5f27d3a9d_JaffaCakes118.exe
2724	8457c46d0f4eb3d95356d3d5f27d3a9d_JaffaCakes118.exe
2724	8457c46d0f4eb3d95356d3d5f27d3a9d_JaffaCakes118.exe
2724	8457c46d0f4eb3d95356d3d5f27d3a9d_JaffaCakes118.exe
2724	8457c46d0f4eb3d95356d3d5f27d3a9d_JaffaCakes118.exe
2724	8457c46d0f4eb3d95356d3d5f27d3a9d_JaffaCakes118.exe
2724	8457c46d0f4eb3d95356d3d5f27d3a9d_JaffaCakes118.exe
2724	8457c46d0f4eb3d95356d3d5f27d3a9d_JaffaCakes118.exe
2724	8457c46d0f4eb3d95356d3d5f27d3a9d_JaffaCakes118.exe
2724	8457c46d0f4eb3d95356d3d5f27d3a9d_JaffaCakes118.exe
2724	8457c46d0f4eb3d95356d3d5f27d3a9d_JaffaCakes118.exe
2724	8457c46d0f4eb3d95356d3d5f27d3a9d_JaffaCakes118.exe
2724	8457c46d0f4eb3d95356d3d5f27d3a9d_JaffaCakes118.exe
2724	8457c46d0f4eb3d95356d3d5f27d3a9d_JaffaCakes118.exe
2724	8457c46d0f4eb3d95356d3d5f27d3a9d_JaffaCakes118.exe
2724	8457c46d0f4eb3d95356d3d5f27d3a9d_JaffaCakes118.exe
2724	8457c46d0f4eb3d95356d3d5f27d3a9d_JaffaCakes118.exe
2724	8457c46d0f4eb3d95356d3d5f27d3a9d_JaffaCakes118.exe
2724	8457c46d0f4eb3d95356d3d5f27d3a9d_JaffaCakes118.exe
2724	8457c46d0f4eb3d95356d3d5f27d3a9d_JaffaCakes118.exe
2724	8457c46d0f4eb3d95356d3d5f27d3a9d_JaffaCakes118.exe
2724	8457c46d0f4eb3d95356d3d5f27d3a9d_JaffaCakes118.exe
2724	8457c46d0f4eb3d95356d3d5f27d3a9d_JaffaCakes118.exe
2724	8457c46d0f4eb3d95356d3d5f27d3a9d_JaffaCakes118.exe
2724	8457c46d0f4eb3d95356d3d5f27d3a9d_JaffaCakes118.exe
2724	8457c46d0f4eb3d95356d3d5f27d3a9d_JaffaCakes118.exe
2724	8457c46d0f4eb3d95356d3d5f27d3a9d_JaffaCakes118.exe
2724	8457c46d0f4eb3d95356d3d5f27d3a9d_JaffaCakes118.exe
2724	8457c46d0f4eb3d95356d3d5f27d3a9d_JaffaCakes118.exe
2724	8457c46d0f4eb3d95356d3d5f27d3a9d_JaffaCakes118.exe
2724	8457c46d0f4eb3d95356d3d5f27d3a9d_JaffaCakes118.exe
2724	8457c46d0f4eb3d95356d3d5f27d3a9d_JaffaCakes118.exe
2724	8457c46d0f4eb3d95356d3d5f27d3a9d_JaffaCakes118.exe
2724	8457c46d0f4eb3d95356d3d5f27d3a9d_JaffaCakes118.exe
2724	8457c46d0f4eb3d95356d3d5f27d3a9d_JaffaCakes118.exe
2724	8457c46d0f4eb3d95356d3d5f27d3a9d_JaffaCakes118.exe
2724	8457c46d0f4eb3d95356d3d5f27d3a9d_JaffaCakes118.exe
2724	8457c46d0f4eb3d95356d3d5f27d3a9d_JaffaCakes118.exe
2724	8457c46d0f4eb3d95356d3d5f27d3a9d_JaffaCakes118.exe
2724	8457c46d0f4eb3d95356d3d5f27d3a9d_JaffaCakes118.exe
2724	8457c46d0f4eb3d95356d3d5f27d3a9d_JaffaCakes118.exe
2724	8457c46d0f4eb3d95356d3d5f27d3a9d_JaffaCakes118.exe
2724	8457c46d0f4eb3d95356d3d5f27d3a9d_JaffaCakes118.exe
2724	8457c46d0f4eb3d95356d3d5f27d3a9d_JaffaCakes118.exe
2724	8457c46d0f4eb3d95356d3d5f27d3a9d_JaffaCakes118.exe
2724	8457c46d0f4eb3d95356d3d5f27d3a9d_JaffaCakes118.exe
2724	8457c46d0f4eb3d95356d3d5f27d3a9d_JaffaCakes118.exe
2724	8457c46d0f4eb3d95356d3d5f27d3a9d_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\8457c46d0f4eb3d95356d3d5f27d3a9d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\8457c46d0f4eb3d95356d3d5f27d3a9d_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2724

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\E_N4\EAPI.fne

Filesize
328KB

MD5
cbd788f4c71b9776660d6e8473ae0e09

SHA1
0189cd47bfa5d1cac0d7f1a33953d279f60b02bf

SHA256
db0a6d7b75503daaf93c8e62ce67abd3afd57daaef4a448ec25a43d1de69e47e

SHA512
84bc02c67e3a3a9f77418b25afe7ec55e5bb5ca5a6c05503d94dffa57a30c7608e79bb4f83fe91c39ccce16872df2b3f9e7e5a8eafb4f563b1f961b93e9b8c94

Download Submit
\Users\Admin\AppData\Local\Temp\E_N4\ESSLayer.fne

Filesize
104KB

MD5
9812f11ad717a56e1b28d863b455bef6

SHA1
268931ec7f8d235d0fb5192113e0b5690169e64c

SHA256
bd4e8bf3c7b37bcb83ebaaa4532466707ae5746b9ec88708ae1e45aa6a4b8e4a

SHA512
9f1382352014f6fbfa96a9a1afdb7b77b31dc3fd264953c6d0be99cc3e2435923719302517066f80e3a21733dd3c2679b8f354d0626cec463971ea71188dd552

Download Submit
\Users\Admin\AppData\Local\Temp\E_N4\HtmlView.fne

Filesize
212KB

MD5
4c9e8f81bf741a61915d0d4fc49d595e

SHA1
d033008b3a0e5d3fc8876e0423ee5509ecb3897c

SHA256
951d725f4a12cd4ff713ca147fa3be08a02367db6731283c3f1ba30445990129

SHA512
cf2c6f8f471c8a5aad563bc257035515860689b73ce343599c7713de8bc8338a031a722f366e005bc1907d6fc97b68b8b415e8ff05b7324fb1040c5dc02315d7

Download Submit
\Users\Admin\AppData\Local\Temp\E_N4\dp1.fne

Filesize
112KB

MD5
6d4b2e73f6f8ecff02f19f7e8ef9a8c7

SHA1
09c32ca167136a17fd69df8c525ea5ffeca6c534

SHA256
fe5783e64aa70fac10c2e42d460732d9770534357329d8bc78576557c165f040

SHA512
2fd7a95cb632e9c4ac6b34e5b6b875aae94e73cd4b1f213e78f46dadab4846227a030776461bca08f9d75a1d61a0d45427f7b0c8b71406b7debc14db04b2ce04

Download Submit
\Users\Admin\AppData\Local\Temp\E_N4\iext.fnr

Filesize
216KB

MD5
cba933625bfa502fc4a1d9f34e1e4473

SHA1
5319194388c0e53321f99f1541b97af191999a09

SHA256
25549c7781b3f1b92e73b0ea721d177207cce914a66f3229a71291f2eb160013

SHA512
f5fb4b97c4f68a20e0847e6528740ce659c4501726f3b2dff1ac83e88a3b7198099da03edb0f069cd4af7ed568a2373597b235cd239895addfa5226d3a444142

Download Submit
\Users\Admin\AppData\Local\Temp\E_N4\iext2.fne

Filesize
460KB

MD5
6eb20bb6cafd6d31e871ed3abd65a59c

SHA1
ae6495ea4241bcde20e415f2940313785a4a10d2

SHA256
2b3fe250f07229eaa58d1bc0c4ac103ba69ad622c27410151ce1d6d46a174bae

SHA512
562edc1f058bc280333a6659fceb5a51b3a40bea7aca87db09b0cc1ca1966f26f2a7e4760b944e2502e20257544f85cf9c32f583f1dec06271a35dcfb8fa90f4

Download Submit
\Users\Admin\AppData\Local\Temp\E_N4\iext3.fne

Filesize
380KB

MD5
07f0db2727c8288cd2cf7c4cf352708d

SHA1
caf2d1b631c785c1f6f01189cf841fc2661666ed

SHA256
3c18183857979a2b5664d3f852f74e3f31f0626720654914453e964938e18f5e

SHA512
b81029a2968663a180feca2e3e47f4736f87a7cc73e6a9153aa227b91d963e077f44c5a289b9f64d6b481b7bd5ccb4bcb762048a4f29810c1f4fd4e6106cb0d3

Download Submit
\Users\Admin\AppData\Local\Temp\E_N4\internet.fne

Filesize
192KB

MD5
0503d44bada9a0c7138b3f7d3ab90693

SHA1
c4ea03151eeedd1c84beaa06e73faa9c1e9574fc

SHA256
7c077b6806738e62a9c2e38cc2ffefefd362049e3780b06a862210f1350d003e

SHA512
f14dfa273b514753312e1dfc873ac501d6aa7bbd17cd63d16f3bcb9caddcb5ea349c072e73448a2beb3b1010c674be9c8ad22257d8c7b65a3a05e77e69d3b7a8

Download Submit
\Users\Admin\AppData\Local\Temp\E_N4\krnln.fnr

Filesize
1.1MB

MD5
638e737b2293cf7b1f14c0b4fb1f3289

SHA1
f8e2223348433b992a8c42c4a7a9fb4b5c1158bc

SHA256
baad4798c3ab24dec8f0ac3cde48e2fee2e2dffa60d2b2497cd295cd6319fd5b

SHA512
4d714a0980238c49af10376ff26ec9e6415e7057925b32ec1c24780c3671047ac5b5670e46c1c6cf9f160519be8f37e1e57f05c30c6c4bda3b275b143aa0bf12

Download Submit
memory/2724-11-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download
memory/2724-33-0x00000000025F0000-0x0000000002634000-memory.dmp

Filesize
272KB

Download
memory/2724-4-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download
memory/2724-23-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download
memory/2724-29-0x0000000002460000-0x00000000024E3000-memory.dmp

Filesize
524KB

Download
memory/2724-0-0x0000000000220000-0x0000000000243000-memory.dmp

Filesize
140KB

Download
memory/2724-25-0x00000000020E0000-0x000000000214F000-memory.dmp

Filesize
444KB

Download
memory/2724-1-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download
memory/2724-15-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/2724-21-0x0000000000270000-0x000000000028E000-memory.dmp

Filesize
120KB

Download
memory/2724-37-0x00000000026E0000-0x0000000002718000-memory.dmp

Filesize
224KB

Download
memory/2724-16-0x0000000000401000-0x0000000000406000-memory.dmp

Filesize
20KB

Download
memory/2724-17-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download
memory/2724-44-0x0000000004D40000-0x0000000004DA1000-memory.dmp

Filesize
388KB

Download
memory/2724-3-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download
memory/2724-48-0x00000000046B0000-0x00000000046CE000-memory.dmp

Filesize
120KB

Download
memory/2724-51-0x0000000004EB0000-0x0000000004EEF000-memory.dmp

Filesize
252KB

Download
memory/2724-2-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download
memory/2724-54-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download
memory/2724-59-0x0000000000220000-0x0000000000243000-memory.dmp

Filesize
140KB

Download