2a2810ff068467030f05624230fc590ac4e3ef2c9df76a4fe6d1feedf06f8344

General

Target

fbdda05780c0105abdd755fec2900580_JaffaCakes118.exe
Size

432KB
MD5

fbdda05780c0105abdd755fec2900580
SHA1

e463f3e0ddfcf8f340905027b596966e973f546a
SHA256

2a2810ff068467030f05624230fc590ac4e3ef2c9df76a4fe6d1feedf06f8344
SHA512

8440c10fdf797bfb757fd3deed51f48534eb7367d7bf76ac51dd6fc2c7be04292d831bd0d1c084d0abbea3ad75c26b7818e64db3b5d26f28ce5c7e133302eb99
SSDEEP

6144:BO+WwBZthD5J+x9dmKcMVqUl6c4jKMNvyX93dFoMrdUZnD698gWNlPTGQQm6agrG:tvZ/5J+Y1IlErvyX93dr+DVNtTird0

Score

7^/10

bootkit persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

SERVER~1.EXEHacker.com.cn.exe

pid process

3008 SERVER~1.EXE
1972 Hacker.com.cn.exe
Loads dropped DLL 3 IoCs

Processes:

fbdda05780c0105abdd755fec2900580_JaffaCakes118.exeSERVER~1.EXE

pid process

1372 fbdda05780c0105abdd755fec2900580_JaffaCakes118.exe
1372 fbdda05780c0105abdd755fec2900580_JaffaCakes118.exe
3008 SERVER~1.EXE

pid	process
3008	SERVER~1.EXE
1972	Hacker.com.cn.exe

pid	process
1372	fbdda05780c0105abdd755fec2900580_JaffaCakes118.exe
1372	fbdda05780c0105abdd755fec2900580_JaffaCakes118.exe
3008	SERVER~1.EXE

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

fbdda05780c0105abdd755fec2900580_JaffaCakes118.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	fbdda05780c0105abdd755fec2900580_JaffaCakes118.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1542.003

Processes:

fbdda05780c0105abdd755fec2900580_JaffaCakes118.exe

description ioc process

File opened for modification \??\PhysicalDrive0 fbdda05780c0105abdd755fec2900580_JaffaCakes118.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	fbdda05780c0105abdd755fec2900580_JaffaCakes118.exe

Drops file in Windows directory 3 IoCs

Processes:

SERVER~1.EXE

description	ioc	process
File created	C:\Windows\Hacker.com.cn.exe	SERVER~1.EXE
File opened for modification	C:\Windows\Hacker.com.cn.exe	SERVER~1.EXE
File created	C:\Windows\uninstal.bat	SERVER~1.EXE

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

SERVER~1.EXEHacker.com.cn.exe

description pid process

Token: SeDebugPrivilege 3008 SERVER~1.EXE
Token: SeDebugPrivilege 1972 Hacker.com.cn.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

Hacker.com.cn.exe

pid process

1972 Hacker.com.cn.exe

description	pid	process
Token: SeDebugPrivilege	3008	SERVER~1.EXE
Token: SeDebugPrivilege	1972	Hacker.com.cn.exe

pid	process
1972	Hacker.com.cn.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

fbdda05780c0105abdd755fec2900580_JaffaCakes118.exeHacker.com.cn.exeSERVER~1.EXE

description	pid	process	target process
PID 1372 wrote to memory of 3008	1372	fbdda05780c0105abdd755fec2900580_JaffaCakes118.exe	SERVER~1.EXE
PID 1372 wrote to memory of 3008	1372	fbdda05780c0105abdd755fec2900580_JaffaCakes118.exe	SERVER~1.EXE
PID 1372 wrote to memory of 3008	1372	fbdda05780c0105abdd755fec2900580_JaffaCakes118.exe	SERVER~1.EXE
PID 1372 wrote to memory of 3008	1372	fbdda05780c0105abdd755fec2900580_JaffaCakes118.exe	SERVER~1.EXE
PID 1372 wrote to memory of 3008	1372	fbdda05780c0105abdd755fec2900580_JaffaCakes118.exe	SERVER~1.EXE
PID 1372 wrote to memory of 3008	1372	fbdda05780c0105abdd755fec2900580_JaffaCakes118.exe	SERVER~1.EXE
PID 1372 wrote to memory of 3008	1372	fbdda05780c0105abdd755fec2900580_JaffaCakes118.exe	SERVER~1.EXE
PID 1972 wrote to memory of 2704	1972	Hacker.com.cn.exe	IEXPLORE.EXE
PID 1972 wrote to memory of 2704	1972	Hacker.com.cn.exe	IEXPLORE.EXE
PID 1972 wrote to memory of 2704	1972	Hacker.com.cn.exe	IEXPLORE.EXE
PID 1972 wrote to memory of 2704	1972	Hacker.com.cn.exe	IEXPLORE.EXE
PID 3008 wrote to memory of 2464	3008	SERVER~1.EXE	cmd.exe
PID 3008 wrote to memory of 2464	3008	SERVER~1.EXE	cmd.exe
PID 3008 wrote to memory of 2464	3008	SERVER~1.EXE	cmd.exe
PID 3008 wrote to memory of 2464	3008	SERVER~1.EXE	cmd.exe
PID 3008 wrote to memory of 2464	3008	SERVER~1.EXE	cmd.exe
PID 3008 wrote to memory of 2464	3008	SERVER~1.EXE	cmd.exe
PID 3008 wrote to memory of 2464	3008	SERVER~1.EXE	cmd.exe

C:\Users\Admin\AppData\Local\Temp\fbdda05780c0105abdd755fec2900580_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fbdda05780c0105abdd755fec2900580_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Writes to the Master Boot Record (MBR)
- Suspicious use of WriteProcessMemory
PID:1372

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SERVER~1.EXE
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SERVER~1.EXE
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3008

C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Windows\uninstal.bat
3⤵
PID:2464

C:\Windows\Hacker.com.cn.exe
C:\Windows\Hacker.com.cn.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1972

C:\Program Files\Internet Explorer\IEXPLORE.EXE
"C:\Program Files\Internet Explorer\IEXPLORE.EXE"
2⤵
PID:2704

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\uninstal.bat
Filesize
164B

MD5
924ea7ae6df752587469376459875c51

SHA1
ec5fa69c7e5dcaf5b57eefadc4f25a8e4ae073e1

SHA256
46c715ac82d5774479b760757498ddb0b9f75cebc116a3da81f9e438bc9bbb09

SHA512
ea7b176a411b82faf5fcd785c67180f88f9ff28f7e24c4f4b49f8e7cdc99fb60e38722b61547a4291bdd2c56b3729045c2e8d4afbecfe03612ab0dd8a7b6ae35

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\SERVER~1.EXE
Filesize
272KB

MD5
97a5843eca20dbb324357b65791cffe5

SHA1
1b6467c511749ae2256c805644f1bf8abbdd617d

SHA256
d325ebc2af7e77e8191b7348a21da434f19904010792d265a9cb3b3a6cb03733

SHA512
b788a9a0ee8c9b13f5f0df67d1f83eee3bf45cfd5ff6867abeed6d2f7234857f4c8c0aedad131f6097f76e2e6b66fa6455ff87477379be0e87daea41db0cc7cd

Download Submit
memory/1372-27-0x0000000001000000-0x0000000001077000-memory.dmp

Filesize
476KB

Download
memory/1372-2-0x00000000002B0000-0x00000000002F3000-memory.dmp

Filesize
268KB

Download
memory/1372-1-0x0000000001000000-0x0000000001077000-memory.dmp

Filesize
476KB

Download
memory/1372-3-0x00000000004D0000-0x00000000004D2000-memory.dmp

Filesize
8KB

Download
memory/1372-13-0x0000000003500000-0x000000000360B000-memory.dmp

Filesize
1.0MB

Download
memory/1372-14-0x0000000003500000-0x000000000360B000-memory.dmp

Filesize
1.0MB

Download
memory/1372-40-0x00000000002B0000-0x00000000002F3000-memory.dmp

Filesize
268KB

Download
memory/1372-39-0x0000000001000000-0x0000000001077000-memory.dmp

Filesize
476KB

Download
memory/1372-29-0x0000000000260000-0x00000000002D7000-memory.dmp

Filesize
476KB

Download
memory/1372-0-0x0000000001000000-0x0000000001077000-memory.dmp

Filesize
476KB

Download
memory/1972-25-0x0000000000400000-0x000000000050B000-memory.dmp

Filesize
1.0MB

Download
memory/1972-28-0x00000000002B0000-0x00000000002B1000-memory.dmp

Filesize
4KB

Download
memory/1972-26-0x0000000000400000-0x000000000050B000-memory.dmp

Filesize
1.0MB

Download
memory/1972-42-0x0000000000400000-0x000000000050B000-memory.dmp

Filesize
1.0MB

Download
memory/1972-43-0x00000000002B0000-0x00000000002B1000-memory.dmp

Filesize
4KB

Download
memory/3008-23-0x00000000002F0000-0x00000000002F1000-memory.dmp

Filesize
4KB

Download
memory/3008-19-0x0000000000400000-0x000000000050B000-memory.dmp

Filesize
1.0MB

Download
memory/3008-20-0x0000000000400000-0x000000000050B000-memory.dmp

Filesize
1.0MB

Download
memory/3008-38-0x0000000000400000-0x000000000050B000-memory.dmp

Filesize
1.0MB

Download
memory/3008-18-0x00000000002F0000-0x00000000002F1000-memory.dmp

Filesize
4KB

Download
memory/3008-17-0x0000000000400000-0x000000000050B000-memory.dmp

Filesize
1.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads