7155d35c0b7b12363bfcfad8d2692221c031612e2194743bbccf3b6754684aa7

General

Target

fc41fa53d929a710c69082af94cc2547_JaffaCakes118.exe
Size

43KB
MD5

fc41fa53d929a710c69082af94cc2547
SHA1

d7363e135c0eb0919dbbc309b63aa25812a161cf
SHA256

7155d35c0b7b12363bfcfad8d2692221c031612e2194743bbccf3b6754684aa7
SHA512

154e48be55c2c1a80539b1b282daf6f3caeff1e71e1bd703e50c1fd6e4075f0048d2924b43849a196ba271f080e4c7bd2a1dba84c77a67c8b16a08ad2e109cc6
SSDEEP

768:LpgDlh9nHtJbzwsp7YHHQXtSH0y9teIKVv/eHOVq1dtQYXmXH4:tgH9NJbRYHHSSUyQV30OQIYXmXH4

Score

7^/10

bootkit persistence upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

svchosts.exe

pid process

2588 svchosts.exe

pid	process
2588	svchosts.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2148-0-0x0000000000400000-0x000000000041E000-memory.dmp	upx
C:\Windows\svchosts.exe	upx
behavioral1/memory/2588-13-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral1/memory/2148-20-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral1/memory/2588-89-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral1/memory/2588-320-0x0000000000400000-0x000000000041E000-memory.dmp	upx

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1542.003

Processes:

fc41fa53d929a710c69082af94cc2547_JaffaCakes118.exe

description ioc process

File opened for modification \??\PhysicalDrive0 fc41fa53d929a710c69082af94cc2547_JaffaCakes118.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	fc41fa53d929a710c69082af94cc2547_JaffaCakes118.exe

Drops file in Windows directory 2 IoCs

Processes:

fc41fa53d929a710c69082af94cc2547_JaffaCakes118.exe

description	ioc	process
File opened for modification	C:\windows\svchosts.exe	fc41fa53d929a710c69082af94cc2547_JaffaCakes118.exe
File created	C:\windows\svchosts.exe	fc41fa53d929a710c69082af94cc2547_JaffaCakes118.exe

Modifies Internet Explorer settings 1 TTPs 34 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 20d867f4f592da01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{1F3B7751-FEE9-11EE-A293-4AADDC6219DF} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e861098c19b4244d8627ee4664a96069000000000200000000001066000000010000200000003c45d58182ab4efeffb5efe516435d5fb9a62532095f7d4a158bdb4e05bf28ed000000000e8000000002000020000000e9ae75326363ccc858e8a8f1e8e8aa7ceb0f2296d6a4022c5eb472951c456c5f90000000fa772b2b731691f9a023a3e53ca0e2cab8204ecc6f06c46e7470655cdbe809a25adf19c246f32b8ac4dc52eb0f1256aeaf8a6b078ba41cfabcdd5a8b99162ddbcbc8484fd494381aa9df4e72f73cee5644c914a243d7c5e339eb9cb67d7f236c7364c685ddabc54dd0804df93882f00277a1f728982756484ef3aafecd1dea808649ebc38dc0f09bc365dd19174ff6f640000000b45f641db9d278baa01b0e56773fcfc73b456411dd5b10382f61c7fe2a3cf91ca4892741d29a94e77ce226ea370e7db08b9b90776640f5a819e7fa0cb6ce4232	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "419760641"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e861098c19b4244d8627ee4664a960690000000002000000000010660000000100002000000000c87046dcec4697b0db6e5174621e137bef7052d7ffbc1fcba1cb269611239b000000000e8000000002000020000000e13c3d0d6c4ff1a2b29b5f2e871f2549c01bfef384276429193cfcb83414db2a200000006508b8acf37fd2aaf03d5108c85c8b11b0e84c9fb0cc841c48a5201c67a30b5a40000000449daf05ae95f69957db3fa02eb854f5a5f26e76c784c14232051b0c94845033759c3c5cbd2fbed748d30b9b1b0589cf5d93133497f2e5b2db5f693738273626	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

fc41fa53d929a710c69082af94cc2547_JaffaCakes118.exe

pid process

2148 fc41fa53d929a710c69082af94cc2547_JaffaCakes118.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

iexplore.exesvchosts.exe

pid process

2216 iexplore.exe
2588 svchosts.exe

pid	process
2216	iexplore.exe
2588	svchosts.exe

Suspicious use of SetWindowsHookEx 8 IoCs

Processes:

fc41fa53d929a710c69082af94cc2547_JaffaCakes118.exesvchosts.exeiexplore.exeIEXPLORE.EXE

pid	process
2148	fc41fa53d929a710c69082af94cc2547_JaffaCakes118.exe
2588	svchosts.exe
2216	iexplore.exe
2216	iexplore.exe
2620	IEXPLORE.EXE
2620	IEXPLORE.EXE
2620	IEXPLORE.EXE
2620	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

fc41fa53d929a710c69082af94cc2547_JaffaCakes118.exeiexplore.exe

description	pid	process	target process
PID 2148 wrote to memory of 2588	2148	fc41fa53d929a710c69082af94cc2547_JaffaCakes118.exe	svchosts.exe
PID 2148 wrote to memory of 2588	2148	fc41fa53d929a710c69082af94cc2547_JaffaCakes118.exe	svchosts.exe
PID 2148 wrote to memory of 2588	2148	fc41fa53d929a710c69082af94cc2547_JaffaCakes118.exe	svchosts.exe
PID 2148 wrote to memory of 2588	2148	fc41fa53d929a710c69082af94cc2547_JaffaCakes118.exe	svchosts.exe
PID 2148 wrote to memory of 2216	2148	fc41fa53d929a710c69082af94cc2547_JaffaCakes118.exe	iexplore.exe
PID 2148 wrote to memory of 2216	2148	fc41fa53d929a710c69082af94cc2547_JaffaCakes118.exe	iexplore.exe
PID 2148 wrote to memory of 2216	2148	fc41fa53d929a710c69082af94cc2547_JaffaCakes118.exe	iexplore.exe
PID 2148 wrote to memory of 2216	2148	fc41fa53d929a710c69082af94cc2547_JaffaCakes118.exe	iexplore.exe
PID 2216 wrote to memory of 2620	2216	iexplore.exe	IEXPLORE.EXE
PID 2216 wrote to memory of 2620	2216	iexplore.exe	IEXPLORE.EXE
PID 2216 wrote to memory of 2620	2216	iexplore.exe	IEXPLORE.EXE
PID 2216 wrote to memory of 2620	2216	iexplore.exe	IEXPLORE.EXE

C:\Users\Admin\AppData\Local\Temp\fc41fa53d929a710c69082af94cc2547_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fc41fa53d929a710c69082af94cc2547_JaffaCakes118.exe"
1⤵
- Writes to the Master Boot Record (MBR)
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2148

C:\windows\svchosts.exe
C:\windows\svchosts.exe auto
2⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:2588

C:\progra~1\Intern~1\iexplore.exe
C:\\progra~1\\Intern~1\\iexplore.exe http://jianqiangzhe1.com/AddSetup.asp?id=137&localID=QM00013&isqq=3
2⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2216

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2216 CREDAT:275457 /prefetch:2
3⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2620

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

1

T1542

Bootkit

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
34866dc386dfa84180fbe8bf382688d1

SHA1
092c9e57660fa4838ddff37ab146173914079b94

SHA256
a4dd7e3832061173079b4732ed50f08239f2ad3f9f6fc24b855f7192407bcd6a

SHA512
7746eb31600c1749b0de9ce1f7f3cc33532dad16da3da4ca99e45ff6423162d7bac29b8496ca0512d4f65c8c9e73deec93f7aa172ac479ea768a1b05aac4db65

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
14731c349017fd25a44797a7f4035ae1

SHA1
2ad3adcdf4fb71075e7c0ed82b04ea808da6385f

SHA256
0a255b95feded2461ecf6422721846ee849625f06aff204ec97be8558b773a69

SHA512
0972ec7744d0ced0fb709f7ad4d3396fa7581b13b04a2f7062652d741e70dc0fdf2498024e6e88dbf461a76daba10484e7aff47733e8d1b8e27631d8cbf9521c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar4072.tmp
Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
C:\Windows\svchosts.exe
Filesize
43KB

MD5
fc41fa53d929a710c69082af94cc2547

SHA1
d7363e135c0eb0919dbbc309b63aa25812a161cf

SHA256
7155d35c0b7b12363bfcfad8d2692221c031612e2194743bbccf3b6754684aa7

SHA512
154e48be55c2c1a80539b1b282daf6f3caeff1e71e1bd703e50c1fd6e4075f0048d2924b43849a196ba271f080e4c7bd2a1dba84c77a67c8b16a08ad2e109cc6

Download Submit
memory/2148-11-0x0000000000230000-0x000000000024E000-memory.dmp

Filesize
120KB

Download
memory/2148-20-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2148-0-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2148-10-0x0000000000230000-0x000000000024E000-memory.dmp

Filesize
120KB

Download
memory/2216-15-0x0000000002CC0000-0x0000000002CD0000-memory.dmp

Filesize
64KB

Download
memory/2588-21-0x0000000000360000-0x0000000000362000-memory.dmp

Filesize
8KB

Download
memory/2588-13-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2588-89-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2588-320-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads