Analysis

  • max time kernel
    150s
  • max time network
    137s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250314-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20250314-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    28/03/2025, 17:30

General

  • Target

    JaffaCakes118_8adf6842ada41070f5641c9f12b8355b.exe

  • Size

    873KB

  • MD5

    8adf6842ada41070f5641c9f12b8355b

  • SHA1

    d1b40b79a724493efd7f8b543aa8373cd3039670

  • SHA256

    1417f614b61d200bdd0daf0443a170aab206e9f1b58e2cf987731ede80c91ff8

  • SHA512

    1033558e2916de3ea94520f03ff9ea8cc45b841456ae54ebfa8f2c6e770b68cb38d3a96116c702d2de06a0b474fefa9b15bfb8520195f9837e7af60b89f5df04

  • SSDEEP

    12288:Di/GwLX7ycU1D4HZbRDZ6acKkATHW38wFA+ewSUO5IOPOZl4vBTl+fHU4GIRR0SM:DAGZhDEJhZvW3NAYSUZL4pV4GY9rO

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 6 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates connected drives 3 TTPs 33 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

  • UPX packed file 5 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks SCSI registry key(s) 3 TTPs 64 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies data under HKEY_USERS 64 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of SetWindowsHookEx 5 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

  • Uses Volume Shadow Copy WMI provider

    The Volume Shadow Copy service is used to manage backups/snapshots.

  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8adf6842ada41070f5641c9f12b8355b.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8adf6842ada41070f5641c9f12b8355b.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2664
    • C:\ProgramData\defender.exe
      C:\ProgramData\defender.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Enumerates connected drives
      • Writes to the Master Boot Record (MBR)
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      PID:1308
  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\ProgramData\defender.exe
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1692
    • C:\ProgramData\defender.exe
      C:\ProgramData\defender.exe
      2⤵
      • Executes dropped EXE
      • Writes to the Master Boot Record (MBR)
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      PID:4008
  • C:\Windows\system32\sihost.exe
    sihost.exe
    1⤵
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:4772
    • C:\Windows\explorer.exe
      explorer.exe /LOADSAVEDWINDOWS
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Enumerates connected drives
      • Checks SCSI registry key(s)
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:4976
  • C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
    "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
    1⤵
    • Modifies data under HKEY_USERS
    • Suspicious use of SetWindowsHookEx
    PID:1492
  • C:\Windows\system32\sihost.exe
    sihost.exe
    1⤵
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:4532
    • C:\Windows\explorer.exe
      explorer.exe /LOADSAVEDWINDOWS
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Enumerates connected drives
      • Checks SCSI registry key(s)
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:4044
  • C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
    "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
    1⤵
    • Modifies data under HKEY_USERS
    • Suspicious use of SetWindowsHookEx
    PID:4852
  • C:\Windows\system32\sihost.exe
    sihost.exe
    1⤵
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:2952
    • C:\Windows\explorer.exe
      explorer.exe /LOADSAVEDWINDOWS
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Enumerates connected drives
      • Checks SCSI registry key(s)
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:4744
  • C:\Windows\system32\sihost.exe
    sihost.exe
    1⤵
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:1140
    • C:\Windows\explorer.exe
      explorer.exe /LOADSAVEDWINDOWS
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Enumerates connected drives
      • Checks SCSI registry key(s)
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:3124
  • C:\Windows\system32\sihost.exe
    sihost.exe
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2940
    • C:\Windows\explorer.exe
      explorer.exe /LOADSAVEDWINDOWS
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Enumerates connected drives
      • Checks SCSI registry key(s)
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SendNotifyMessage
      PID:1236
  • C:\Windows\system32\sihost.exe
    sihost.exe
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3288
    • C:\Windows\explorer.exe
      explorer.exe /LOADSAVEDWINDOWS
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Enumerates connected drives
      • Checks SCSI registry key(s)
      • Modifies registry class
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      PID:3640

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\ProgramData\defender.exe

    Filesize

    825KB

    MD5

    91aaa83f62ddcec92f06fc7a6224b3a3

    SHA1

    08725c7c852341687ad456f3b6734a029f38cc56

    SHA256

    273ac22d77d3f5dfe8c38d8556e100bfde3c55b24a627009ff0fae6dc6bb4f1b

    SHA512

    ed44367ee926799d7cb51ccf365afeae4157723c39c45851b5b8b36aac3462a635c17d4e1d37ad1154fe352d5403b85f7fc973592884fd40802c7d32e32d81a1

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04

    Filesize

    471B

    MD5

    21dc3f82aa43dfe05e372bc33d6689f6

    SHA1

    2a64a92afeab93431f93ee7d1915a0dc5b06d081

    SHA256

    27067ac82f83fc339cfb2f546aeb1329b31f822e1ad63b7eab75fdd365857791

    SHA512

    0350751bcff915f97fe14e574fa221f0d902c95964f65ac24cbf1fd58c626469136935ad0afbfab9d64f4adbd8f1c5e008e7e5e41fae68ecb916c13d9cc91708

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04

    Filesize

    412B

    MD5

    212d07ced85c303cc1dac015582059b7

    SHA1

    df0dee2811a6d302d8049ea09b20e0b4cc06b5ec

    SHA256

    e80fd2896e4b40105424ed15b900c6c8e3cb5274cee545f8c18e7cc4f81cc748

    SHA512

    d099d7c3f4aee0243dd445a00a57855bf069dc6ab3b673844643a7fe5c7aa5c495c7c841c3fd67c834ca67d537a106e350d9db12c8e05a67083094fb9434356f

  • C:\Users\Admin\AppData\Local\Microsoft\PenWorkspace\DiscoverCacheData.dat

    Filesize

    1013B

    MD5

    162710cc3aed138fdc71d0ee247701e3

    SHA1

    7ebf4a12c2a55fe70d18fe77a4ea16015544b9a5

    SHA256

    205aa27adc08764ce6942d693b9098f5a2c8fa0dcb108bcf0bbded5053874634

    SHA512

    015af2741f20de2ea700ec1cbc1678d6d689704b27e395826ad06dc9b171432f1cb60de6dc64fdf120ca4bd17a9613c5d0389e95dba798b2c5e2618e66c45531

  • C:\Users\Admin\AppData\Local\Temp\{E89BC375-A733-4882-8033-55E1AEB1F46F}.png

    Filesize

    6KB

    MD5

    099ba37f81c044f6b2609537fdb7d872

    SHA1

    470ef859afbce52c017874d77c1695b7b0f9cb87

    SHA256

    8c98c856e4d43f705ff9a5c9a55f92e1885765654912b4c75385c3ea2fdef4a7

    SHA512

    837e1ad7fe4f5cbc0a87f3703ba211c18f32b20df93b23f681cbd0390d8077adba64cf6454a1bb28df1f7df4cb2cdc021d826b6ef8db890e40f21d618d5eb07a

  • C:\Users\Public\Desktop\Security Protection.lnk

    Filesize

    681B

    MD5

    350dc3a8f0f252668278c8a0b7bc3c1e

    SHA1

    cb94ac8a8c2225641f03d5a24589084b9bd6621a

    SHA256

    778fe1c9c38d0702d4c54dbc07dd737ff22ee4a8a6a47e21dd5205d02f8e24b4

    SHA512

    5fd8eaeed921903e964066a6af4d0ef6857463ad771184e10ae8d66925ca43049c56c81320c7bee8e349035fbabbda60ba7d14c941257cd85c151ef3a9123349

  • memory/1308-42-0x0000000000400000-0x0000000000A34000-memory.dmp

    Filesize

    6.2MB

  • memory/1308-44-0x0000000000400000-0x0000000000A34000-memory.dmp

    Filesize

    6.2MB

  • memory/1308-19-0x0000000000400000-0x0000000000A34000-memory.dmp

    Filesize

    6.2MB

  • memory/1308-21-0x0000000000400000-0x0000000000A34000-memory.dmp

    Filesize

    6.2MB

  • memory/1308-22-0x0000000000400000-0x0000000000A34000-memory.dmp

    Filesize

    6.2MB

  • memory/1308-97-0x0000000000400000-0x0000000000A34000-memory.dmp

    Filesize

    6.2MB

  • memory/1308-96-0x0000000000400000-0x0000000000A34000-memory.dmp

    Filesize

    6.2MB

  • memory/1308-95-0x0000000000400000-0x0000000000A34000-memory.dmp

    Filesize

    6.2MB

  • memory/1308-94-0x0000000000400000-0x0000000000A34000-memory.dmp

    Filesize

    6.2MB

  • memory/1308-33-0x0000000000400000-0x0000000000A34000-memory.dmp

    Filesize

    6.2MB

  • memory/1308-32-0x0000000000400000-0x0000000000A34000-memory.dmp

    Filesize

    6.2MB

  • memory/1308-17-0x0000000000400000-0x0000000000A34000-memory.dmp

    Filesize

    6.2MB

  • memory/1308-39-0x0000000000400000-0x0000000000A34000-memory.dmp

    Filesize

    6.2MB

  • memory/1308-91-0x0000000000400000-0x0000000000A34000-memory.dmp

    Filesize

    6.2MB

  • memory/1308-90-0x0000000000400000-0x0000000000A34000-memory.dmp

    Filesize

    6.2MB

  • memory/1308-15-0x0000000000400000-0x0000000000A34000-memory.dmp

    Filesize

    6.2MB

  • memory/1308-45-0x0000000000400000-0x0000000000A34000-memory.dmp

    Filesize

    6.2MB

  • memory/1308-20-0x0000000000400000-0x0000000000A34000-memory.dmp

    Filesize

    6.2MB

  • memory/1308-89-0x0000000000400000-0x0000000000A34000-memory.dmp

    Filesize

    6.2MB

  • memory/1308-84-0x0000000000400000-0x0000000000A34000-memory.dmp

    Filesize

    6.2MB

  • memory/1308-83-0x0000000000400000-0x0000000000A34000-memory.dmp

    Filesize

    6.2MB

  • memory/1308-67-0x0000000000400000-0x0000000000A34000-memory.dmp

    Filesize

    6.2MB

  • memory/1308-74-0x0000000000400000-0x0000000000A34000-memory.dmp

    Filesize

    6.2MB

  • memory/1308-82-0x0000000000400000-0x0000000000A34000-memory.dmp

    Filesize

    6.2MB

  • memory/1308-81-0x0000000000400000-0x0000000000A34000-memory.dmp

    Filesize

    6.2MB

  • memory/2664-2-0x0000000000980000-0x0000000000A80000-memory.dmp

    Filesize

    1024KB

  • memory/2664-3-0x0000000000400000-0x000000000069F000-memory.dmp

    Filesize

    2.6MB

  • memory/2664-8-0x0000000000404000-0x0000000000405000-memory.dmp

    Filesize

    4KB

  • memory/2664-0-0x0000000000400000-0x000000000069F000-memory.dmp

    Filesize

    2.6MB

  • memory/2664-30-0x0000000000980000-0x0000000000A80000-memory.dmp

    Filesize

    1024KB

  • memory/2664-24-0x0000000000400000-0x000000000069F000-memory.dmp

    Filesize

    2.6MB

  • memory/3640-65-0x0000000002FA0000-0x0000000002FA1000-memory.dmp

    Filesize

    4KB

  • memory/4008-29-0x0000000000400000-0x0000000000A34000-memory.dmp

    Filesize

    6.2MB

  • memory/4008-25-0x0000000000400000-0x0000000000A34000-memory.dmp

    Filesize

    6.2MB

  • memory/4976-41-0x0000000002830000-0x0000000002831000-memory.dmp

    Filesize

    4KB