16cb13bd319fbead043c5ebe6be2a3b8e2ee02bf5c3da907a2c2e34374467d43

Analysis

max time kernel
140s
max time network
122s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
01-07-2024 08:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1aa0378195cf94c8cbaf9f21e84dbead_JaffaCakes118.exe
Size

185KB
MD5

1aa0378195cf94c8cbaf9f21e84dbead
SHA1

7e9b81ccdbfb28aa8b87e8ad31f571143719511e
SHA256

16cb13bd319fbead043c5ebe6be2a3b8e2ee02bf5c3da907a2c2e34374467d43
SHA512

b5036203be69ed7147cb90eaa22aeb4f3654d23e4a18392a064a558ffc2432a47808b36e1005cc9e695014f483c76c01c91e42d4cb7427e14e873e39074b87ee
SSDEEP

3072:gcJx2eJZUMcIUaFPmgRMNlPTGQQm6ytwZEsrYkK4kH5N5:gcJxbJiM598gWNlPTGQQm6agrdU5z

Score

9^/10

bootkit collection persistence

Malware Config

Signatures

NirSoft MailPassView 1 IoCs
Password recovery tool for various email clients

Processes:

resource yara_rule

behavioral1/memory/1844-23-0x0000000000400000-0x000000000043D000-memory.dmp MailPassView
Nirsoft 1 IoCs

Processes:

resource yara_rule

behavioral1/memory/1844-23-0x0000000000400000-0x000000000043D000-memory.dmp Nirsoft

resource	yara_rule
behavioral1/memory/1844-23-0x0000000000400000-0x000000000043D000-memory.dmp	MailPassView

resource	yara_rule
behavioral1/memory/1844-23-0x0000000000400000-0x000000000043D000-memory.dmp	Nirsoft

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

1aa0378195cf94c8cbaf9f21e84dbead_JaffaCakes118.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	1aa0378195cf94c8cbaf9f21e84dbead_JaffaCakes118.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1542.003

Processes:

1aa0378195cf94c8cbaf9f21e84dbead_JaffaCakes118.exe

description ioc process

File opened for modification \??\PhysicalDrive0 1aa0378195cf94c8cbaf9f21e84dbead_JaffaCakes118.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	1aa0378195cf94c8cbaf9f21e84dbead_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\1aa0378195cf94c8cbaf9f21e84dbead_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1aa0378195cf94c8cbaf9f21e84dbead_JaffaCakes118.exe"
1⤵
- Accesses Microsoft Outlook accounts
- Writes to the Master Boot Record (MBR)
PID:1844

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Lateral Movement

Collection

Email Collection

T1114

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1844-0-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1844-1-0x0000000000490000-0x00000000004D3000-memory.dmp

Filesize
268KB

Download
memory/1844-6-0x0000000001E10000-0x0000000001E11000-memory.dmp

Filesize
4KB

Download
memory/1844-8-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/1844-7-0x0000000001E00000-0x0000000001E01000-memory.dmp

Filesize
4KB

Download
memory/1844-5-0x0000000001E20000-0x0000000001E21000-memory.dmp

Filesize
4KB

Download
memory/1844-4-0x00000000003B0000-0x00000000003B1000-memory.dmp

Filesize
4KB

Download
memory/1844-3-0x00000000003D0000-0x00000000003D1000-memory.dmp

Filesize
4KB

Download
memory/1844-2-0x0000000001E50000-0x0000000001E51000-memory.dmp

Filesize
4KB

Download
memory/1844-13-0x0000000001EA0000-0x0000000001EA2000-memory.dmp

Filesize
8KB

Download
memory/1844-12-0x00000000021C0000-0x00000000021C2000-memory.dmp

Filesize
8KB

Download
memory/1844-11-0x0000000001E70000-0x0000000001E71000-memory.dmp

Filesize
4KB

Download
memory/1844-10-0x0000000001DF0000-0x0000000001DF1000-memory.dmp

Filesize
4KB

Download
memory/1844-9-0x0000000001E30000-0x0000000001E31000-memory.dmp

Filesize
4KB

Download
memory/1844-15-0x0000000002230000-0x0000000002231000-memory.dmp

Filesize
4KB

Download
memory/1844-22-0x0000000002210000-0x0000000002211000-memory.dmp

Filesize
4KB

Download
memory/1844-21-0x00000000021E0000-0x00000000021E1000-memory.dmp

Filesize
4KB

Download
memory/1844-20-0x00000000021F0000-0x00000000021F1000-memory.dmp

Filesize
4KB

Download
memory/1844-19-0x0000000002200000-0x0000000002201000-memory.dmp

Filesize
4KB

Download
memory/1844-18-0x0000000001E90000-0x0000000001E91000-memory.dmp

Filesize
4KB

Download
memory/1844-17-0x0000000001E80000-0x0000000001E81000-memory.dmp

Filesize
4KB

Download
memory/1844-14-0x0000000002220000-0x0000000002221000-memory.dmp

Filesize
4KB

Download
memory/1844-16-0x00000000021D0000-0x00000000021D1000-memory.dmp

Filesize
4KB

Download
memory/1844-23-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1844-24-0x0000000000490000-0x00000000004D3000-memory.dmp

Filesize
268KB

Download