2a0801e65512fc6cd5fd144d99ae9ff916788f832a3f5172e75ba6f2e4b12bfb

General

Target

f94fb2d47d9c9e2f1f54e59ba7cd7a25_JaffaCakes118.exe
Size

410KB
MD5

f94fb2d47d9c9e2f1f54e59ba7cd7a25
SHA1

d78493793f7be21a2dd3586c12040dea30d1aee3
SHA256

2a0801e65512fc6cd5fd144d99ae9ff916788f832a3f5172e75ba6f2e4b12bfb
SHA512

f20ec944743f4ef9f00dedc7872078e1c871ec0d6b485183f8955efeea27b405fe44f880cec5aae7e844b3570350dc4464c019e6a055141e8b807c1c3aa85743
SSDEEP

12288:QMJO2RPK8b/Wr2kbjaexIQqyeaOqVoYYuNtTird:DJO2Rf7IjUAeaOEoOTEd

Score

7^/10

bootkit persistence

Malware Config

Signatures

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2432 cmd.exe
Executes dropped EXE 1 IoCs

Processes:

isass.exe

pid process

2552 isass.exe

pid	process
2432	cmd.exe

pid	process
2552	isass.exe

Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

Processes:

f94fb2d47d9c9e2f1f54e59ba7cd7a25_JaffaCakes118.exeisass.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	f94fb2d47d9c9e2f1f54e59ba7cd7a25_JaffaCakes118.exe
File opened for modification	\??\PhysicalDrive0	isass.exe

Drops file in System32 directory 1 IoCs

Processes:

isass.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	isass.exe

Drops file in Windows directory 3 IoCs

Processes:

f94fb2d47d9c9e2f1f54e59ba7cd7a25_JaffaCakes118.exe

description	ioc	process
File created	C:\Windows\isass.exe	f94fb2d47d9c9e2f1f54e59ba7cd7a25_JaffaCakes118.exe
File opened for modification	C:\Windows\isass.exe	f94fb2d47d9c9e2f1f54e59ba7cd7a25_JaffaCakes118.exe
File created	C:\Windows\uninstal.bat	f94fb2d47d9c9e2f1f54e59ba7cd7a25_JaffaCakes118.exe

Modifies data under HKEY_USERS 28 IoCs

Processes:

isass.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	isass.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\1a-ea-a4-0c-79-f9\WpadDecisionReason = "1"	isass.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{A4549DA2-588F-49B7-A003-A83269C2CC31}\WpadDecisionReason = "1"	isass.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	isass.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	isass.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	isass.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	isass.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{A4549DA2-588F-49B7-A003-A83269C2CC31}	isass.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{A4549DA2-588F-49B7-A003-A83269C2CC31}\WpadDecision = "0"	isass.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\1a-ea-a4-0c-79-f9	isass.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	isass.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	isass.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{A4549DA2-588F-49B7-A003-A83269C2CC31}\WpadDecisionTime = 607180150292da01	isass.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\1a-ea-a4-0c-79-f9\WpadDecision = "0"	isass.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00b3000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	isass.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	isass.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{A4549DA2-588F-49B7-A003-A83269C2CC31}\1a-ea-a4-0c-79-f9	isass.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\1a-ea-a4-0c-79-f9\WpadDetectedUrl	isass.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000004000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00b3000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	isass.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\1a-ea-a4-0c-79-f9\WpadDecisionTime = 809b3c4b0292da01	isass.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	isass.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{A4549DA2-588F-49B7-A003-A83269C2CC31}\WpadDecisionTime = 809b3c4b0292da01	isass.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\1a-ea-a4-0c-79-f9\WpadDecisionTime = 607180150292da01	isass.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	isass.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	isass.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	isass.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	isass.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{A4549DA2-588F-49B7-A003-A83269C2CC31}\WpadNetworkName = "Network 3"	isass.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

f94fb2d47d9c9e2f1f54e59ba7cd7a25_JaffaCakes118.exeisass.exe

description pid process

Token: SeDebugPrivilege 2900 f94fb2d47d9c9e2f1f54e59ba7cd7a25_JaffaCakes118.exe
Token: SeDebugPrivilege 2552 isass.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

isass.exe

pid process

2552 isass.exe

description	pid	process
Token: SeDebugPrivilege	2900	f94fb2d47d9c9e2f1f54e59ba7cd7a25_JaffaCakes118.exe
Token: SeDebugPrivilege	2552	isass.exe

pid	process
2552	isass.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

f94fb2d47d9c9e2f1f54e59ba7cd7a25_JaffaCakes118.exe

description	pid	process	target process
PID 2900 wrote to memory of 2432	2900	f94fb2d47d9c9e2f1f54e59ba7cd7a25_JaffaCakes118.exe	cmd.exe
PID 2900 wrote to memory of 2432	2900	f94fb2d47d9c9e2f1f54e59ba7cd7a25_JaffaCakes118.exe	cmd.exe
PID 2900 wrote to memory of 2432	2900	f94fb2d47d9c9e2f1f54e59ba7cd7a25_JaffaCakes118.exe	cmd.exe
PID 2900 wrote to memory of 2432	2900	f94fb2d47d9c9e2f1f54e59ba7cd7a25_JaffaCakes118.exe	cmd.exe
PID 2900 wrote to memory of 2432	2900	f94fb2d47d9c9e2f1f54e59ba7cd7a25_JaffaCakes118.exe	cmd.exe
PID 2900 wrote to memory of 2432	2900	f94fb2d47d9c9e2f1f54e59ba7cd7a25_JaffaCakes118.exe	cmd.exe
PID 2900 wrote to memory of 2432	2900	f94fb2d47d9c9e2f1f54e59ba7cd7a25_JaffaCakes118.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\f94fb2d47d9c9e2f1f54e59ba7cd7a25_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f94fb2d47d9c9e2f1f54e59ba7cd7a25_JaffaCakes118.exe"
1⤵
- Writes to the Master Boot Record (MBR)
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2900

C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Windows\uninstal.bat
2⤵
- Deletes itself
PID:2432

C:\Windows\isass.exe
C:\Windows\isass.exe
1⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2552

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\isass.exe
Filesize
410KB

MD5
f94fb2d47d9c9e2f1f54e59ba7cd7a25

SHA1
d78493793f7be21a2dd3586c12040dea30d1aee3

SHA256
2a0801e65512fc6cd5fd144d99ae9ff916788f832a3f5172e75ba6f2e4b12bfb

SHA512
f20ec944743f4ef9f00dedc7872078e1c871ec0d6b485183f8955efeea27b405fe44f880cec5aae7e844b3570350dc4464c019e6a055141e8b807c1c3aa85743

Download Submit
C:\Windows\uninstal.bat
Filesize
218B

MD5
f1f82545261495422916730198814a84

SHA1
3ce3cd5040fdf83841363a26da21836eaec77211

SHA256
78dea31d20c97d5932245719df6f3d68347bad7361fdfdd4090bd5fdacc3843c

SHA512
ed751d01fcec224d6c14ffb5c7e5302bacbeffe9a85119335c9c098e1ad000a220e779446346d57bbb9b59575ba28907a23b317b15da8f6bb3e2e9b3560956d2

Download Submit
memory/2552-14-0x0000000000270000-0x00000000002B3000-memory.dmp

Filesize
268KB

Download
memory/2552-11-0x0000000000400000-0x00000000004EA000-memory.dmp

Filesize
936KB

Download
memory/2552-30-0x0000000000400000-0x00000000004EA000-memory.dmp

Filesize
936KB

Download
memory/2552-27-0x0000000002150000-0x0000000002151000-memory.dmp

Filesize
4KB

Download
memory/2552-25-0x0000000000400000-0x00000000004EA000-memory.dmp

Filesize
936KB

Download
memory/2552-12-0x0000000002150000-0x0000000002151000-memory.dmp

Filesize
4KB

Download
memory/2900-6-0x00000000005F0000-0x00000000005F1000-memory.dmp

Filesize
4KB

Download
memory/2900-2-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/2900-7-0x0000000000830000-0x0000000000831000-memory.dmp

Filesize
4KB

Download
memory/2900-13-0x0000000000400000-0x00000000004EA000-memory.dmp

Filesize
936KB

Download
memory/2900-1-0x0000000000270000-0x00000000002B3000-memory.dmp

Filesize
268KB

Download
memory/2900-0-0x0000000000400000-0x00000000004EA000-memory.dmp

Filesize
936KB

Download
memory/2900-23-0x0000000000270000-0x00000000002B3000-memory.dmp

Filesize
268KB

Download
memory/2900-3-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2900-5-0x0000000000800000-0x0000000000801000-memory.dmp

Filesize
4KB

Download
memory/2900-4-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads