790cb7e274bf34353716907d9b4ffba838b321433f634a8e5883294fb149f318

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
04-07-2024 21:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

263ebc6d3f47e06cf82e229724bdda77_JaffaCakes118.dll
Size

175KB
MD5

263ebc6d3f47e06cf82e229724bdda77
SHA1

5d1301ea667e8e7d190daf063625cf1e2427cfbe
SHA256

790cb7e274bf34353716907d9b4ffba838b321433f634a8e5883294fb149f318
SHA512

cd1e2fd0967759fb382a575ed590d8a039560da1f8d02e18d5c383023cc7e0e77464165d93714f3296d7a3462a56191253c5fc7b1f094e7a236bf2049919122f
SSDEEP

3072:Mjko+Df7dSsvLaJq+nj9vQVoMsxSbbrMbvT0q8O1cZPzQ7IXMBc+AMP+QfQEhxFu:MjkoczaJXCVo+wvP6bQ7yMP+DE8274L

Score

6^/10

bootkit persistence

Malware Config

Signatures

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1542.003

Processes:

regsvr32.exe

description ioc process

File opened for modification \??\PhysicalDrive0 regsvr32.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	regsvr32.exe

Modifies registry class 17 IoCs

Processes:

regsvr32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\loader.DLL	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\loader.DLL\AppID = "{D103EBF9-6DD5-4715-863A-00AA27C7935A}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C85E2990-D4B6-44F5-A323-ED943493F8DF}\1.0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C85E2990-D4B6-44F5-A323-ED943493F8DF}\1.0\FLAGS	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C85E2990-D4B6-44F5-A323-ED943493F8DF}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\263ebc6d3f47e06cf82e229724bdda77_JaffaCakes118.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C85E2990-D4B6-44F5-A323-ED943493F8DF}\1.0\0	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C85E2990-D4B6-44F5-A323-ED943493F8DF}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.key	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C85E2990-D4B6-44F5-A323-ED943493F8DF}\1.0\ = "loader 1.0 Type Library"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C85E2990-D4B6-44F5-A323-ED943493F8DF}\1.0\FLAGS\ = "0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C85E2990-D4B6-44F5-A323-ED943493F8DF}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C85E2990-D4B6-44F5-A323-ED943493F8DF}\1.0\0\win32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C85E2990-D4B6-44F5-A323-ED943493F8DF}\1.0\HELPDIR	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{D103EBF9-6DD5-4715-863A-00AA27C7935A}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{D103EBF9-6DD5-4715-863A-00AA27C7935A}\ = "loader"	regsvr32.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

regsvr32.exe

description	pid	process	target process
PID 2132 wrote to memory of 2392	2132	regsvr32.exe	regsvr32.exe
PID 2132 wrote to memory of 2392	2132	regsvr32.exe	regsvr32.exe
PID 2132 wrote to memory of 2392	2132	regsvr32.exe	regsvr32.exe
PID 2132 wrote to memory of 2392	2132	regsvr32.exe	regsvr32.exe
PID 2132 wrote to memory of 2392	2132	regsvr32.exe	regsvr32.exe
PID 2132 wrote to memory of 2392	2132	regsvr32.exe	regsvr32.exe
PID 2132 wrote to memory of 2392	2132	regsvr32.exe	regsvr32.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\263ebc6d3f47e06cf82e229724bdda77_JaffaCakes118.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:2132

C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\263ebc6d3f47e06cf82e229724bdda77_JaffaCakes118.dll
2⤵
- Writes to the Master Boot Record (MBR)
- Modifies registry class
PID:2392

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2392-0-0x0000000010000000-0x0000000010041000-memory.dmp

Filesize
260KB

Download
memory/2392-1-0x00000000001F0000-0x0000000000220000-memory.dmp

Filesize
192KB

Download
memory/2392-2-0x0000000000220000-0x0000000000223000-memory.dmp

Filesize
12KB

Download