e8c3810804fe87428ef7e2e60cafd9d58914ce59afd29f29498abf8531357198

General

Target

fde190e5909997533b633a43175a1aa9_JaffaCakes118.exe
Size

200KB
MD5

fde190e5909997533b633a43175a1aa9
SHA1

79ee3208f50ff29ecf37493303b8c41f8ae3bc15
SHA256

e8c3810804fe87428ef7e2e60cafd9d58914ce59afd29f29498abf8531357198
SHA512

f52ef84e50e7e68ac61a717783eb6e13638ad403ec5823bfafc2057e16fe7b4846a98f04ea08b34b6030b4f4b1ed45b0faa7c2cd9292aec62b87462f3408bfea
SSDEEP

6144:x7oBtDkJ3abnk6cV+EwmAoBNcX2NOkpwCi21gRQnfRFfBHzRyAcC:x78AqbaVcmAo7cGNpwCi+eQZFf9zRaC

Score

7^/10

bootkit persistence upx

Malware Config

Signatures

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2760-0-0x0000000000400000-0x0000000000476000-memory.dmp	upx
behavioral1/memory/2760-17-0x0000000000400000-0x0000000000476000-memory.dmp	upx
behavioral1/memory/2760-18-0x0000000000400000-0x0000000000476000-memory.dmp	upx
behavioral1/memory/2760-20-0x0000000000400000-0x0000000000476000-memory.dmp	upx
behavioral1/memory/2760-23-0x0000000000400000-0x0000000000476000-memory.dmp	upx
behavioral1/memory/2760-24-0x0000000000400000-0x0000000000476000-memory.dmp	upx
behavioral1/memory/2760-28-0x0000000000400000-0x0000000000476000-memory.dmp	upx
behavioral1/memory/2760-29-0x0000000000400000-0x0000000000476000-memory.dmp	upx

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

fde190e5909997533b633a43175a1aa9_JaffaCakes118.exe

description	ioc	process
File opened (read-only)	\??\r:	fde190e5909997533b633a43175a1aa9_JaffaCakes118.exe
File opened (read-only)	\??\z:	fde190e5909997533b633a43175a1aa9_JaffaCakes118.exe
File opened (read-only)	\??\e:	fde190e5909997533b633a43175a1aa9_JaffaCakes118.exe
File opened (read-only)	\??\i:	fde190e5909997533b633a43175a1aa9_JaffaCakes118.exe
File opened (read-only)	\??\k:	fde190e5909997533b633a43175a1aa9_JaffaCakes118.exe
File opened (read-only)	\??\y:	fde190e5909997533b633a43175a1aa9_JaffaCakes118.exe
File opened (read-only)	\??\n:	fde190e5909997533b633a43175a1aa9_JaffaCakes118.exe
File opened (read-only)	\??\q:	fde190e5909997533b633a43175a1aa9_JaffaCakes118.exe
File opened (read-only)	\??\w:	fde190e5909997533b633a43175a1aa9_JaffaCakes118.exe
File opened (read-only)	\??\v:	fde190e5909997533b633a43175a1aa9_JaffaCakes118.exe
File opened (read-only)	\??\x:	fde190e5909997533b633a43175a1aa9_JaffaCakes118.exe
File opened (read-only)	\??\h:	fde190e5909997533b633a43175a1aa9_JaffaCakes118.exe
File opened (read-only)	\??\o:	fde190e5909997533b633a43175a1aa9_JaffaCakes118.exe
File opened (read-only)	\??\u:	fde190e5909997533b633a43175a1aa9_JaffaCakes118.exe
File opened (read-only)	\??\m:	fde190e5909997533b633a43175a1aa9_JaffaCakes118.exe
File opened (read-only)	\??\p:	fde190e5909997533b633a43175a1aa9_JaffaCakes118.exe
File opened (read-only)	\??\s:	fde190e5909997533b633a43175a1aa9_JaffaCakes118.exe
File opened (read-only)	\??\t:	fde190e5909997533b633a43175a1aa9_JaffaCakes118.exe
File opened (read-only)	\??\g:	fde190e5909997533b633a43175a1aa9_JaffaCakes118.exe
File opened (read-only)	\??\j:	fde190e5909997533b633a43175a1aa9_JaffaCakes118.exe
File opened (read-only)	\??\l:	fde190e5909997533b633a43175a1aa9_JaffaCakes118.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1542.003

Processes:

fde190e5909997533b633a43175a1aa9_JaffaCakes118.exe

description ioc process

File opened for modification \??\PhysicalDrive0 fde190e5909997533b633a43175a1aa9_JaffaCakes118.exe
Drops file in Program Files directory 1 IoCs

Processes:

fde190e5909997533b633a43175a1aa9_JaffaCakes118.exe

description ioc process

File opened for modification C:\Program Files (x86)\SAItest.txt fde190e5909997533b633a43175a1aa9_JaffaCakes118.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	fde190e5909997533b633a43175a1aa9_JaffaCakes118.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\SAItest.txt	fde190e5909997533b633a43175a1aa9_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\fde190e5909997533b633a43175a1aa9_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fde190e5909997533b633a43175a1aa9_JaffaCakes118.exe"
1⤵
- Enumerates connected drives
- Writes to the Master Boot Record (MBR)
- Drops file in Program Files directory
PID:2760

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2760-0-0x0000000000400000-0x0000000000476000-memory.dmp

Filesize
472KB

Download
memory/2760-17-0x0000000000400000-0x0000000000476000-memory.dmp

Filesize
472KB

Download
memory/2760-18-0x0000000000400000-0x0000000000476000-memory.dmp

Filesize
472KB

Download
memory/2760-20-0x0000000000400000-0x0000000000476000-memory.dmp

Filesize
472KB

Download
memory/2760-23-0x0000000000400000-0x0000000000476000-memory.dmp

Filesize
472KB

Download
memory/2760-24-0x0000000000400000-0x0000000000476000-memory.dmp

Filesize
472KB

Download
memory/2760-28-0x0000000000400000-0x0000000000476000-memory.dmp

Filesize
472KB

Download
memory/2760-29-0x0000000000400000-0x0000000000476000-memory.dmp

Filesize
472KB

Download

Analysis

Sharing