156614076df8ea78e7d1db74d92520d7d80c827fe01ca765348707934adeadff

General

Target

f9a076d14fb5d8756436039d26227060_JaffaCakes118.exe
Size

12.3MB
MD5

f9a076d14fb5d8756436039d26227060
SHA1

e3fb1030ea228b499e69dabfd179b167c1a7ace2
SHA256

156614076df8ea78e7d1db74d92520d7d80c827fe01ca765348707934adeadff
SHA512

3c75190f75d47b68bc928b2ab99703a74c723486b882f58f0b258b0b95977da12b15a4b30a633e7993eb2e751409316227c3172ba2c37b840e3cfeb63d5955b1
SSDEEP

393216:MT0LUxe1JhjZZG8tNfeW7Q/YL5WEcxIzEfV:MaUxIJhjBeeQ/Y9axIGV

Score

7^/10

bootkit persistence vmprotect

Malware Config

Signatures

VMProtect packed file 4 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
behavioral1/memory/2872-3-0x0000000000400000-0x0000000001B31000-memory.dmp	vmprotect
behavioral1/memory/2872-10-0x0000000000400000-0x0000000001B31000-memory.dmp	vmprotect
behavioral1/memory/2872-48-0x0000000000400000-0x0000000001B31000-memory.dmp	vmprotect
behavioral1/memory/2872-49-0x0000000000400000-0x0000000001B31000-memory.dmp	vmprotect

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1542.003

Processes:

f9a076d14fb5d8756436039d26227060_JaffaCakes118.exe

description ioc process

File opened for modification \??\PhysicalDrive0 f9a076d14fb5d8756436039d26227060_JaffaCakes118.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

f9a076d14fb5d8756436039d26227060_JaffaCakes118.exe

pid process

2872 f9a076d14fb5d8756436039d26227060_JaffaCakes118.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

f9a076d14fb5d8756436039d26227060_JaffaCakes118.exe

pid process

2872 f9a076d14fb5d8756436039d26227060_JaffaCakes118.exe
2872 f9a076d14fb5d8756436039d26227060_JaffaCakes118.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	f9a076d14fb5d8756436039d26227060_JaffaCakes118.exe

pid	process
2872	f9a076d14fb5d8756436039d26227060_JaffaCakes118.exe

pid	process
2872	f9a076d14fb5d8756436039d26227060_JaffaCakes118.exe
2872	f9a076d14fb5d8756436039d26227060_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 40 IoCs

Processes:

wmic.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	2600	wmic.exe
Token: SeSecurityPrivilege	2600	wmic.exe
Token: SeTakeOwnershipPrivilege	2600	wmic.exe
Token: SeLoadDriverPrivilege	2600	wmic.exe
Token: SeSystemProfilePrivilege	2600	wmic.exe
Token: SeSystemtimePrivilege	2600	wmic.exe
Token: SeProfSingleProcessPrivilege	2600	wmic.exe
Token: SeIncBasePriorityPrivilege	2600	wmic.exe
Token: SeCreatePagefilePrivilege	2600	wmic.exe
Token: SeBackupPrivilege	2600	wmic.exe
Token: SeRestorePrivilege	2600	wmic.exe
Token: SeShutdownPrivilege	2600	wmic.exe
Token: SeDebugPrivilege	2600	wmic.exe
Token: SeSystemEnvironmentPrivilege	2600	wmic.exe
Token: SeRemoteShutdownPrivilege	2600	wmic.exe
Token: SeUndockPrivilege	2600	wmic.exe
Token: SeManageVolumePrivilege	2600	wmic.exe
Token: 33	2600	wmic.exe
Token: 34	2600	wmic.exe
Token: 35	2600	wmic.exe
Token: SeIncreaseQuotaPrivilege	2600	wmic.exe
Token: SeSecurityPrivilege	2600	wmic.exe
Token: SeTakeOwnershipPrivilege	2600	wmic.exe
Token: SeLoadDriverPrivilege	2600	wmic.exe
Token: SeSystemProfilePrivilege	2600	wmic.exe
Token: SeSystemtimePrivilege	2600	wmic.exe
Token: SeProfSingleProcessPrivilege	2600	wmic.exe
Token: SeIncBasePriorityPrivilege	2600	wmic.exe
Token: SeCreatePagefilePrivilege	2600	wmic.exe
Token: SeBackupPrivilege	2600	wmic.exe
Token: SeRestorePrivilege	2600	wmic.exe
Token: SeShutdownPrivilege	2600	wmic.exe
Token: SeDebugPrivilege	2600	wmic.exe
Token: SeSystemEnvironmentPrivilege	2600	wmic.exe
Token: SeRemoteShutdownPrivilege	2600	wmic.exe
Token: SeUndockPrivilege	2600	wmic.exe
Token: SeManageVolumePrivilege	2600	wmic.exe
Token: 33	2600	wmic.exe
Token: 34	2600	wmic.exe
Token: 35	2600	wmic.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

f9a076d14fb5d8756436039d26227060_JaffaCakes118.exe

pid process

2872 f9a076d14fb5d8756436039d26227060_JaffaCakes118.exe
2872 f9a076d14fb5d8756436039d26227060_JaffaCakes118.exe

pid	process
2872	f9a076d14fb5d8756436039d26227060_JaffaCakes118.exe
2872	f9a076d14fb5d8756436039d26227060_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

f9a076d14fb5d8756436039d26227060_JaffaCakes118.exe

description	pid	process	target process
PID 2872 wrote to memory of 2600	2872	f9a076d14fb5d8756436039d26227060_JaffaCakes118.exe	wmic.exe
PID 2872 wrote to memory of 2600	2872	f9a076d14fb5d8756436039d26227060_JaffaCakes118.exe	wmic.exe
PID 2872 wrote to memory of 2600	2872	f9a076d14fb5d8756436039d26227060_JaffaCakes118.exe	wmic.exe
PID 2872 wrote to memory of 2600	2872	f9a076d14fb5d8756436039d26227060_JaffaCakes118.exe	wmic.exe

C:\Users\Admin\AppData\Local\Temp\f9a076d14fb5d8756436039d26227060_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f9a076d14fb5d8756436039d26227060_JaffaCakes118.exe"
1⤵
- Writes to the Master Boot Record (MBR)
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2872

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic BaseBoard get SerialNumber
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2600

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2872-0-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2872-2-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2872-3-0x0000000000400000-0x0000000001B31000-memory.dmp

Filesize
23.2MB

Download
memory/2872-6-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/2872-5-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2872-8-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/2872-10-0x0000000000400000-0x0000000001B31000-memory.dmp

Filesize
23.2MB

Download
memory/2872-11-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/2872-14-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/2872-21-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/2872-26-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/2872-24-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/2872-19-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/2872-31-0x0000000000310000-0x0000000000311000-memory.dmp

Filesize
4KB

Download
memory/2872-29-0x0000000000310000-0x0000000000311000-memory.dmp

Filesize
4KB

Download
memory/2872-16-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/2872-34-0x0000000000320000-0x0000000000321000-memory.dmp

Filesize
4KB

Download
memory/2872-32-0x0000000000320000-0x0000000000321000-memory.dmp

Filesize
4KB

Download
memory/2872-36-0x0000000000320000-0x0000000000321000-memory.dmp

Filesize
4KB

Download
memory/2872-38-0x0000000077330000-0x0000000077331000-memory.dmp

Filesize
4KB

Download
memory/2872-37-0x0000000000330000-0x0000000000331000-memory.dmp

Filesize
4KB

Download
memory/2872-40-0x0000000000330000-0x0000000000331000-memory.dmp

Filesize
4KB

Download
memory/2872-42-0x0000000000330000-0x0000000000331000-memory.dmp

Filesize
4KB

Download
memory/2872-48-0x0000000000400000-0x0000000001B31000-memory.dmp

Filesize
23.2MB

Download
memory/2872-49-0x0000000000400000-0x0000000001B31000-memory.dmp

Filesize
23.2MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads