Analysis

  • max time kernel: 149s
  • max time network: 143s
  • platform: windows10-2004_x64
  • resource: win10v2004-20250314-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20250314-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 28/03/2025, 05:43

General

  • Target: JaffaCakes118_8a5f051b4f28f1c1e11625ef65416e8f.exe
  • Size: 889KB
  • MD5: 8a5f051b4f28f1c1e11625ef65416e8f
  • SHA1: 4ba7a2254ae00713d6f68c93c6018401b0341df7
  • SHA256: 0674a9370b11490624738f77781ed6acec5485f5d5e4d5e76209ca99d369b325
  • SHA512: 1e1c19a551be9c8702b232ed21c1999e025240407ab0eefef6cb94498f699557d9d78958a54619e1c6122513614633a5c7690ce9cea1f8f439120af13413b0ee
  • SSDEEP: 12288:KDMZ2UOv2HCCVIiG6bmp6wyNBUJmHDrRfk9qKv6a+cN8Lf1VMNc:zZm+LG6bmp6hNBUJmHD1gvBNKNVMW

Malware Config

Signatures

  • Drops file in Drivers directory 1 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 1 IoCs
  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

  • Drops file in System32 directory 3 IoCs
  • UPX packed file 10 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

    Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.

  • Modifies Internet Explorer settings 1 TTPs 38 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of SetWindowsHookEx 20 IoCs
  • Suspicious use of WriteProcessMemory 27 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8a5f051b4f28f1c1e11625ef65416e8f.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8a5f051b4f28f1c1e11625ef65416e8f.exe"
    1⤵
    • Checks computer location settings
    • Loads dropped DLL
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:5520
    • C:\Users\Admin\AppData\Local\Temp\SeMiniSetup_3170_1202.exe
      "C:\Users\Admin\AppData\Local\Temp\SeMiniSetup_3170_1202.exe"
      2⤵
      • Executes dropped EXE
      • Writes to the Master Boot Record (MBR)
      • System Location Discovery: System Language Discovery
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      PID:5856
    • C:\Windows\SysWOW64\drInstall.exe
      "C:\Windows\system32\drInstall.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:5592
    • C:\Users\Admin\AppData\Local\Temp\TTSetup.exe
      "C:\Users\Admin\AppData\Local\Temp\TTSetup.exe"
      2⤵
      • Drops file in Drivers directory
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      PID:2112
    • C:\Windows\SysWOW64\gins.exe
      "C:\Windows\system32\gins.exe" /p-10611/-s4972/leoaedo
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4212
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" http://www.so456.cn/cjtest/conf.jsp?v=4&pk=10611&uid=xZlkRnktkreEU4eJMy3LHb91lI7FSYnF
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:4536
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4536 CREDAT:17410 /prefetch:2
          4⤵
          • System Location Discovery: System Language Discovery
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:4596
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4536 CREDAT:17418 /prefetch:2
          4⤵
          • System Location Discovery: System Language Discovery
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:5600
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4536 CREDAT:17426 /prefetch:2
          4⤵
          • System Location Discovery: System Language Discovery
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:2068
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" http://www.so456.cn/cjtest/conf.jsp?v=4&pk=10611&uid=xZlkRnktkreEU4eJMy3LHb91lI7FSYnF
        3⤵
        • Modifies Internet Explorer settings
        PID:5540
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" http://www.so456.cn/cjtest/conf.jsp?v=4&pk=10611&uid=xZlkRnktkreEU4eJMy3LHb91lI7FSYnF
        3⤵
        • Modifies Internet Explorer settings
        PID:3704

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_363582827213C09529A76F35FB615187
    Filesize: 471B
    MD5: 4a326b4601ab30dfcfec12796d4473af
    SHA1: fcc8ab255f002787a2f4756a6e7aaebc4ca0b5ff
    SHA256: 58c3470bcc9b953996e86f7741d7a6b1afe327c1c65788c2ef262c1beb6df10c
    SHA512: 2462008010263772ed24dbf2e6b9c002e29334c7529ddbc5f8272dbb41d5eb54dcc9556ade4dab79f32a10cdff67520882a5505f80dd23a752ea69407afd654e

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_363582827213C09529A76F35FB615187
    Filesize: 412B
    MD5: b889858a4ae4cc3420748cc86836d725
    SHA1: 983e956b96fef29e2967340d75a6bb0d3a79907f
    SHA256: 7112754a442c3d0dbf7dfa8d0d44963a3845dd9e5aea1e712ec2c25e67b6a118
    SHA512: 92802a417381f57af417ac3033d58d8860dd605584d746c5d672c88246eac854fc792e8fbdef445bb73eaa2bff72b7ffb6f949e4e2cc886ac74ef9f0095b0563

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\MSRA1ROA\suggestions[1].en-US
    Filesize: 17KB
    MD5: 5a34cb996293fde2cb7a4ac89587393a
    SHA1: 3c96c993500690d1a77873cd62bc639b3a10653f
    SHA256: c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad
    SHA512: e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

  • C:\Users\Admin\AppData\Local\Temp\SeMiniSetup_3170_1202.exe
    Filesize: 173KB
    MD5: f7c61469c6f620345969e1654f3d8ce5
    SHA1: 25ef4a62e384bf53505b04b77078a7348e8849eb
    SHA256: 9f2aad3392eba89353494d3136e65435a37740a8143503b23e6fe55c27a3c84e
    SHA512: 5a0e127e78a29fb3f0d0c8935b590c0c702c5e4e1907e0dac969f79ff6a242deb1b2ef66144371a37bce8a99f611d8a3a88978f47e8f097feb3303434bc1c889

  • C:\Users\Admin\AppData\Local\Temp\TTSetup.exe
    Filesize: 87KB
    MD5: 9a19004a1ac13005b17a1a28732100a5
    SHA1: 0e6a8a911a1397154c4da68547432f2929d69718
    SHA256: 7a49567834a7868336b02fe25abd08bc4a47c29c466137d4e4b37db36006593e
    SHA512: a7ef22d35efebb75b896a56e226c15343ead69576d805198add47cdf031dc548cc5116a4824015248bec9c9fe5db9fda18ace656a987acf409cc8fb30ca69423

  • C:\Users\Admin\AppData\Local\Temp\pyd.dll
    Filesize: 82KB
    MD5: 2a23408ebe5285f0a76850366ecf25f5
    SHA1: d38ca629f27f150869d725663842c1af680a1ea5
    SHA256: ccbc1ede8afc097b0ddc0b9fcd2d160856c35de77102c1cf5b5f37635d1ba9dd
    SHA512: 54a946897300ffa3588abd30bb3d850f5ec55283a2dbae4ad8f19e1269361bac23228a1a0d881c4ff9c3df02ebe0b4048730b155a7e2d60c53ed6f66ef953991

  • C:\Windows\SysWOW64\drInstall.exe
    Filesize: 25KB
    MD5: 635d1f8c9c39a393840df7f352c10c9d
    SHA1: 8514f914961d04b8429c36182e8dc28e2909e135
    SHA256: d1a204e0aa9dd4feb37ae32eac96dc89cd03be642c1b4a14fd5c95da463e4f32
    SHA512: 1acb5f84d0ba5f459963f2582acfffbb8335b83fc4bc7cb288412dbf3deb969990b733b71996908247713c3f10ad0e18906f3a7818c292d1eb37fb449c528576

  • C:\Windows\SysWOW64\gins.exe
    Filesize: 355KB
    MD5: b9895803749177aa81d77008c3be67a8
    SHA1: a222ae972db82897a071dd868ba059e2f59fce3a
    SHA256: b3c94776c381d09d8ad0fd57e0c6332d2fb61081915e0f245608fdddca98a014
    SHA512: cd69645e9a16a4344c40e02bda17bcb3c01909249925acf8fb33b43e6c0fb47a047074c41938cd6ca86142cd5411b59ac0d6a57c55c14431bcd5db95c7b4c0b8

  • memory/2112-38-0x0000000000400000-0x000000000041A000-memory.dmp
    Filesize: 104KB

  • memory/2112-33-0x0000000010000000-0x000000001000D000-memory.dmp
    Filesize: 52KB

  • memory/4212-54-0x0000000010000000-0x000000001003A000-memory.dmp
    Filesize: 232KB

  • memory/4212-58-0x0000000010000000-0x000000001003A000-memory.dmp
    Filesize: 232KB

  • memory/4212-57-0x0000000010000000-0x000000001003A000-memory.dmp
    Filesize: 232KB

  • memory/4212-56-0x0000000010000000-0x000000001003A000-memory.dmp
    Filesize: 232KB

  • memory/4212-68-0x0000000010000000-0x000000001003A000-memory.dmp
    Filesize: 232KB

  • memory/5592-41-0x0000000000400000-0x0000000000413000-memory.dmp
    Filesize: 76KB

  • memory/5592-23-0x0000000000400000-0x0000000000413000-memory.dmp
    Filesize: 76KB