2ed231243932fc7b90845379d25421be606f2b71655c2e854e62ee25fefb9fbb

Analysis

max time kernel
148s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
23-11-2024 22:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

90f1bc2840596a48305f7ca1c8fcd974_JaffaCakes118.exe
Size

686KB
MD5

90f1bc2840596a48305f7ca1c8fcd974
SHA1

5bbb4830243d7dc35b1352397a2712e6ada98d08
SHA256

2ed231243932fc7b90845379d25421be606f2b71655c2e854e62ee25fefb9fbb
SHA512

5e6ca41befa456e92a1467a05a3ea8502f17dcc32b44ab30b55f5aee11611410facc615b5e868c2200d9cd9af1e87feaabe4efc29e97f55be984d6dc7710ddb1
SSDEEP

12288:3mEBTASggJMutz4hDhFEouFeED0NO3yEU8m/udmipauZZZZ37nvEo8uICH8WQpXi:5BTNJMuJ0NovlbSWcXPQg/ooo3/VMI1p

Score

7^/10

bootkit discovery persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

90f1bc2840596a48305f7ca1c8fcd974_JaffaCakes118.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	90f1bc2840596a48305f7ca1c8fcd974_JaffaCakes118.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

Processes:

90f1bc2840596a48305f7ca1c8fcd974_JaffaCakes118.exe

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	90f1bc2840596a48305f7ca1c8fcd974_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

90f1bc2840596a48305f7ca1c8fcd974_JaffaCakes118.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	90f1bc2840596a48305f7ca1c8fcd974_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

90f1bc2840596a48305f7ca1c8fcd974_JaffaCakes118.exe

pid	Process
4044	90f1bc2840596a48305f7ca1c8fcd974_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\90f1bc2840596a48305f7ca1c8fcd974_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\90f1bc2840596a48305f7ca1c8fcd974_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Writes to the Master Boot Record (MBR)
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4044

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\eIntaller\332A119364AC41efA0F630C430E767CD\Config.ini

Filesize
293B

MD5
63781cc25c19aa019c11836995cd6d75

SHA1
04dd038cadc82e63083e8a880cab04af9ee6d68f

SHA256
4787aab2092773a86afe852d5c77dca17a7a2eddaf9172ec5f15afa3484a6c32

SHA512
95f8b4dd2dd55922e1610ad980770442b274eafc1f310b0f13dec01d9c182917ee372e89d8b7aabe38a193e32cc2ddf5a7a047760c2832bd2afd90d600948025

Download Submit