aeab1db1d5a31de069439186f309cf6994d546ed700834d7517facfb128046c4

General

Target

fbce6c0b48a1efa5dd16b214cfaea912_JaffaCakes118.exe
Size

34KB
MD5

fbce6c0b48a1efa5dd16b214cfaea912
SHA1

65bcf4938a03222be7115ad0107849464092e22b
SHA256

aeab1db1d5a31de069439186f309cf6994d546ed700834d7517facfb128046c4
SHA512

26c4e9113253b4389e53d550f9652a8713f5d0a2fbd65a4c1b8c5aca454352fd3ddb298b1dd4613cab55fd9d89c9bf0efa2129ad8052e6c23d9cbe4433f19dcf
SSDEEP

768:60tZgEXGiDC/FzLzP1eAEV3ezUKi8io4NY0u0s1j8O6hoob:60kl8ClLD1eAEszPim4NTrsx6Gy

Score

7^/10

bootkit persistence

Malware Config

Signatures

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1448 cmd.exe
Executes dropped EXE 2 IoCs

Processes:

wuaucldt.exewuaucldt.exe

pid process

2820 wuaucldt.exe
2572 wuaucldt.exe

pid	process
1448	cmd.exe

pid	process
2820	wuaucldt.exe
2572	wuaucldt.exe

Loads dropped DLL 4 IoCs

Processes:

fbce6c0b48a1efa5dd16b214cfaea912_JaffaCakes118.exewuaucldt.exe

pid	process
2372	fbce6c0b48a1efa5dd16b214cfaea912_JaffaCakes118.exe
2372	fbce6c0b48a1efa5dd16b214cfaea912_JaffaCakes118.exe
2820	wuaucldt.exe
2820	wuaucldt.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

wuaucldt.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\wuaucldt = "c:\\windows\\system32\\wuaucldt.exe"	wuaucldt.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\wuaucldt = "c:\\users\\admin\\wuaucldt.exe"	wuaucldt.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1542.003

Processes:

svchost.exe

description ioc process

File opened for modification \??\PhysicalDrive0 svchost.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	svchost.exe

Drops file in System32 directory 2 IoCs

Processes:

wuaucldt.exefbce6c0b48a1efa5dd16b214cfaea912_JaffaCakes118.exe

description	ioc	process
File created	\??\c:\windows\SysWOW64\wuaucldt.exe	wuaucldt.exe
File created	\??\c:\windows\SysWOW64\wuaucldt.exe	fbce6c0b48a1efa5dd16b214cfaea912_JaffaCakes118.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

wuaucldt.exe

description pid process target process

PID 2572 set thread context of 2612 2572 wuaucldt.exe svchost.exe

description	pid	process	target process
PID 2572 set thread context of 2612	2572	wuaucldt.exe	svchost.exe

Suspicious use of WriteProcessMemory 22 IoCs

Processes:

fbce6c0b48a1efa5dd16b214cfaea912_JaffaCakes118.exewuaucldt.exewuaucldt.exe

description	pid	process	target process
PID 2372 wrote to memory of 2820	2372	fbce6c0b48a1efa5dd16b214cfaea912_JaffaCakes118.exe	wuaucldt.exe
PID 2372 wrote to memory of 2820	2372	fbce6c0b48a1efa5dd16b214cfaea912_JaffaCakes118.exe	wuaucldt.exe
PID 2372 wrote to memory of 2820	2372	fbce6c0b48a1efa5dd16b214cfaea912_JaffaCakes118.exe	wuaucldt.exe
PID 2372 wrote to memory of 2820	2372	fbce6c0b48a1efa5dd16b214cfaea912_JaffaCakes118.exe	wuaucldt.exe
PID 2820 wrote to memory of 2572	2820	wuaucldt.exe	wuaucldt.exe
PID 2820 wrote to memory of 2572	2820	wuaucldt.exe	wuaucldt.exe
PID 2820 wrote to memory of 2572	2820	wuaucldt.exe	wuaucldt.exe
PID 2820 wrote to memory of 2572	2820	wuaucldt.exe	wuaucldt.exe
PID 2572 wrote to memory of 2612	2572	wuaucldt.exe	svchost.exe
PID 2572 wrote to memory of 2612	2572	wuaucldt.exe	svchost.exe
PID 2572 wrote to memory of 2612	2572	wuaucldt.exe	svchost.exe
PID 2572 wrote to memory of 2612	2572	wuaucldt.exe	svchost.exe
PID 2572 wrote to memory of 2612	2572	wuaucldt.exe	svchost.exe
PID 2572 wrote to memory of 2612	2572	wuaucldt.exe	svchost.exe
PID 2372 wrote to memory of 1448	2372	fbce6c0b48a1efa5dd16b214cfaea912_JaffaCakes118.exe	cmd.exe
PID 2372 wrote to memory of 1448	2372	fbce6c0b48a1efa5dd16b214cfaea912_JaffaCakes118.exe	cmd.exe
PID 2372 wrote to memory of 1448	2372	fbce6c0b48a1efa5dd16b214cfaea912_JaffaCakes118.exe	cmd.exe
PID 2372 wrote to memory of 1448	2372	fbce6c0b48a1efa5dd16b214cfaea912_JaffaCakes118.exe	cmd.exe
PID 2820 wrote to memory of 2940	2820	wuaucldt.exe	cmd.exe
PID 2820 wrote to memory of 2940	2820	wuaucldt.exe	cmd.exe
PID 2820 wrote to memory of 2940	2820	wuaucldt.exe	cmd.exe
PID 2820 wrote to memory of 2940	2820	wuaucldt.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\fbce6c0b48a1efa5dd16b214cfaea912_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fbce6c0b48a1efa5dd16b214cfaea912_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2372

\??\c:\windows\SysWOW64\wuaucldt.exe
c:\windows\system32\wuaucldt.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2820

\??\c:\users\admin\wuaucldt.exe
c:\users\admin\wuaucldt.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2572

C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe
4⤵
- Writes to the Master Boot Record (MBR)
PID:2612

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del c:\windows\syswow64\wuaucldt.exe
3⤵
PID:2940

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del c:\users\admin\appdata\local\temp\FBCE6C~1.EXE
2⤵
- Deletes itself
PID:1448

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

\Windows\SysWOW64\wuaucldt.exe
Filesize
34KB

MD5
fbce6c0b48a1efa5dd16b214cfaea912

SHA1
65bcf4938a03222be7115ad0107849464092e22b

SHA256
aeab1db1d5a31de069439186f309cf6994d546ed700834d7517facfb128046c4

SHA512
26c4e9113253b4389e53d550f9652a8713f5d0a2fbd65a4c1b8c5aca454352fd3ddb298b1dd4613cab55fd9d89c9bf0efa2129ad8052e6c23d9cbe4433f19dcf

Download Submit
memory/2372-0-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2372-1-0x0000000009000000-0x0000000009009000-memory.dmp

Filesize
36KB

Download
memory/2372-3-0x0000000070000000-0x000000007000B000-memory.dmp

Filesize
44KB

Download
memory/2372-2-0x0000000009000000-0x0000000009009000-memory.dmp

Filesize
36KB

Download
memory/2372-7-0x0000000000420000-0x000000000042B000-memory.dmp

Filesize
44KB

Download
memory/2372-14-0x0000000000420000-0x000000000042B000-memory.dmp

Filesize
44KB

Download
memory/2372-61-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2612-30-0x00000000000C0000-0x00000000000C9000-memory.dmp

Filesize
36KB

Download
memory/2612-31-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2612-33-0x00000000000C0000-0x00000000000C9000-memory.dmp

Filesize
36KB

Download
memory/2612-35-0x00000000000C0000-0x00000000000C9000-memory.dmp

Filesize
36KB

Download
memory/2612-36-0x00000000000C0000-0x00000000000C9000-memory.dmp

Filesize
36KB

Download
memory/2612-39-0x00000000000C0000-0x00000000000C9000-memory.dmp

Filesize
36KB

Download
memory/2612-40-0x00000000000C0000-0x00000000000C9000-memory.dmp

Filesize
36KB

Download
memory/2820-16-0x0000000070000000-0x000000007000B000-memory.dmp

Filesize
44KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads