6a3769b25b77ad2d587ce5c7a2fdd689b200b83b1121e42daa5eafd89453d361

Analysis

max time kernel
121s
max time network
123s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
23-11-2024 22:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

90e6856c7ebc92ffe04f96c82f3d5e46_JaffaCakes118.dll
Size

384KB
MD5

90e6856c7ebc92ffe04f96c82f3d5e46
SHA1

fb2d9d951dec500c61a21fc134038478a9c58030
SHA256

6a3769b25b77ad2d587ce5c7a2fdd689b200b83b1121e42daa5eafd89453d361
SHA512

4e04da4611fccbbe810ada5221e0699f24487817d7a44b4eed92e12fe0a4cec8edc43e54467eb2a6097fea402f15db91ca4694e906f9f92a523e2fdb6f84fc09
SSDEEP

6144:7YoYyqA8M7NFN9vB76uo0ar7G7FwgNJb/Icl5LmBvxT6DkxyAEUy7DTkkz8FAcce:R4Ad3NtB76uoSZbNek5LmBZTVy7DTWFi

Score

7^/10

bootkit discovery persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2060	B0D8.tmp

Loads dropped DLL 2 IoCs

pid	Process
2512	rundll32.exe
2512	rundll32.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	B0D8.tmp

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	B0D8.tmp

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
476	Process not Found

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
2060	B0D8.tmp

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2556 wrote to memory of 2512	2556	rundll32.exe	30
PID 2556 wrote to memory of 2512	2556	rundll32.exe	30
PID 2556 wrote to memory of 2512	2556	rundll32.exe	30
PID 2556 wrote to memory of 2512	2556	rundll32.exe	30
PID 2556 wrote to memory of 2512	2556	rundll32.exe	30
PID 2556 wrote to memory of 2512	2556	rundll32.exe	30
PID 2556 wrote to memory of 2512	2556	rundll32.exe	30
PID 2512 wrote to memory of 2060	2512	rundll32.exe	31
PID 2512 wrote to memory of 2060	2512	rundll32.exe	31
PID 2512 wrote to memory of 2060	2512	rundll32.exe	31
PID 2512 wrote to memory of 2060	2512	rundll32.exe	31

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\90e6856c7ebc92ffe04f96c82f3d5e46_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2556
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\90e6856c7ebc92ffe04f96c82f3d5e46_JaffaCakes118.dll,#1
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2512
- - C:\Users\Admin\AppData\Local\Temp\B0D8.tmp
    C:\Users\Admin\AppData\Local\Temp\B0D8.tmp
    3⤵
    - Executes dropped EXE
    - Writes to the Master Boot Record (MBR)
    - System Location Discovery: System Language Discovery
    - Suspicious use of UnmapMainImage
    PID:2060

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\B0D8.tmp

Filesize
328KB

MD5
d25c97a4ae91833755d7cce300c76cc8

SHA1
51c36df9c0cdd6d055571de7ff1e9701273f6c2a

SHA256
88ade797b3b5547cdccce111b085e2f691454a7f36f38482e1a61385bfc685f0

SHA512
d4464ab96ad96de1a177c29600b1645103a20d3446607a837fd69701de2426240e743b747a313b5b15ae1ef5bafacbcb36167ad4494609252e31cb3e0fb9e1df

Download Submit
memory/2060-15-0x00000000002D0000-0x0000000000318000-memory.dmp

Filesize
288KB

Download
memory/2060-17-0x00000000002D0000-0x0000000000318000-memory.dmp

Filesize
288KB

Download
memory/2060-16-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2060-19-0x00000000002D0000-0x0000000000318000-memory.dmp

Filesize
288KB

Download
memory/2512-0-0x0000000000130000-0x0000000000190000-memory.dmp

Filesize
384KB

Download
memory/2512-1-0x0000000000240000-0x00000000002A4000-memory.dmp

Filesize
400KB

Download
memory/2512-4-0x0000000000240000-0x00000000002A4000-memory.dmp

Filesize
400KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads