2e5f7852f8c8fe9f8bfb227a213c5ae9be86a53987866a37c66fcc83046a3e92

General

Target

fd98e0c2a8558c0a96ef150eb111c45e_JaffaCakes118.exe
Size

1.0MB
MD5

fd98e0c2a8558c0a96ef150eb111c45e
SHA1

6d803347797695be2f83000e4b363d30ae8d2aa9
SHA256

2e5f7852f8c8fe9f8bfb227a213c5ae9be86a53987866a37c66fcc83046a3e92
SHA512

7efa3783333e3da291b6eee4f1eedc21a2752b6ee7f8fc72a99ccad2414fbadca30e7162fc9c48b988cb66aec81ad29c0bf4cf484edc1bde8a808c24327ecb0c
SSDEEP

12288:KZb+woHUIZI+DkVurXnnW2aLkEgB1BqKSKXxDL6nF/8ixtBQ4Tdu3qHFVJJmVxS9:wTIZ9RznnWuEgfIO8xC3egSY8

Score

8^/10

bootkit evasion persistence

Malware Config

Signatures

Modifies Windows Firewall 2 TTPs 1 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exe

pid process

2928 netsh.exe
Executes dropped EXE 2 IoCs

Processes:

LocalJFiRTpkrdv.exeLocaldOwXcLcKGH..exe

pid process

1196 LocalJFiRTpkrdv.exe
2764 LocaldOwXcLcKGH..exe
Loads dropped DLL 1 IoCs

Processes:

LocaldOwXcLcKGH..exe

pid process

2764 LocaldOwXcLcKGH..exe

pid	process
2928	netsh.exe

pid	process
1196	LocalJFiRTpkrdv.exe
2764	LocaldOwXcLcKGH..exe

pid	process
2764	LocaldOwXcLcKGH..exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

LocalJFiRTpkrdv.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\8b2c41a500900e95b9bf67ec858345ab = "\"C:\\Users\\Admin\\AppData\\LocalJFiRTpkrdv.exe\" .."	LocalJFiRTpkrdv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\8b2c41a500900e95b9bf67ec858345ab = "\"C:\\Users\\Admin\\AppData\\LocalJFiRTpkrdv.exe\" .."	LocalJFiRTpkrdv.exe

Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.

Query Registry
T1012

Peripheral Device Discovery
T1120

System Information Discovery
T1082

Processes:

LocaldOwXcLcKGH..exe

description ioc process

File opened (read-only) \??\F: LocaldOwXcLcKGH..exe
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1542.003

Processes:

LocaldOwXcLcKGH..exe

description ioc process

File opened for modification \??\PhysicalDrive0 LocaldOwXcLcKGH..exe

description	ioc	process
File opened (read-only)	\??\F:	LocaldOwXcLcKGH..exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	LocaldOwXcLcKGH..exe

Drops file in Windows directory 2 IoCs

Processes:

fd98e0c2a8558c0a96ef150eb111c45e_JaffaCakes118.exe

description	ioc	process
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\config\security.config.cch.new	fd98e0c2a8558c0a96ef150eb111c45e_JaffaCakes118.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\config\enterprisesec.config.cch.new	fd98e0c2a8558c0a96ef150eb111c45e_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 55 IoCs

Processes:

LocalJFiRTpkrdv.exe

description	pid	process
Token: SeDebugPrivilege	1196	LocalJFiRTpkrdv.exe
Token: 33	1196	LocalJFiRTpkrdv.exe
Token: SeIncBasePriorityPrivilege	1196	LocalJFiRTpkrdv.exe
Token: 33	1196	LocalJFiRTpkrdv.exe
Token: SeIncBasePriorityPrivilege	1196	LocalJFiRTpkrdv.exe
Token: 33	1196	LocalJFiRTpkrdv.exe
Token: SeIncBasePriorityPrivilege	1196	LocalJFiRTpkrdv.exe
Token: 33	1196	LocalJFiRTpkrdv.exe
Token: SeIncBasePriorityPrivilege	1196	LocalJFiRTpkrdv.exe
Token: 33	1196	LocalJFiRTpkrdv.exe
Token: SeIncBasePriorityPrivilege	1196	LocalJFiRTpkrdv.exe
Token: 33	1196	LocalJFiRTpkrdv.exe
Token: SeIncBasePriorityPrivilege	1196	LocalJFiRTpkrdv.exe
Token: 33	1196	LocalJFiRTpkrdv.exe
Token: SeIncBasePriorityPrivilege	1196	LocalJFiRTpkrdv.exe
Token: 33	1196	LocalJFiRTpkrdv.exe
Token: SeIncBasePriorityPrivilege	1196	LocalJFiRTpkrdv.exe
Token: 33	1196	LocalJFiRTpkrdv.exe
Token: SeIncBasePriorityPrivilege	1196	LocalJFiRTpkrdv.exe
Token: 33	1196	LocalJFiRTpkrdv.exe
Token: SeIncBasePriorityPrivilege	1196	LocalJFiRTpkrdv.exe
Token: 33	1196	LocalJFiRTpkrdv.exe
Token: SeIncBasePriorityPrivilege	1196	LocalJFiRTpkrdv.exe
Token: 33	1196	LocalJFiRTpkrdv.exe
Token: SeIncBasePriorityPrivilege	1196	LocalJFiRTpkrdv.exe
Token: 33	1196	LocalJFiRTpkrdv.exe
Token: SeIncBasePriorityPrivilege	1196	LocalJFiRTpkrdv.exe
Token: 33	1196	LocalJFiRTpkrdv.exe
Token: SeIncBasePriorityPrivilege	1196	LocalJFiRTpkrdv.exe
Token: 33	1196	LocalJFiRTpkrdv.exe
Token: SeIncBasePriorityPrivilege	1196	LocalJFiRTpkrdv.exe
Token: 33	1196	LocalJFiRTpkrdv.exe
Token: SeIncBasePriorityPrivilege	1196	LocalJFiRTpkrdv.exe
Token: 33	1196	LocalJFiRTpkrdv.exe
Token: SeIncBasePriorityPrivilege	1196	LocalJFiRTpkrdv.exe
Token: 33	1196	LocalJFiRTpkrdv.exe
Token: SeIncBasePriorityPrivilege	1196	LocalJFiRTpkrdv.exe
Token: 33	1196	LocalJFiRTpkrdv.exe
Token: SeIncBasePriorityPrivilege	1196	LocalJFiRTpkrdv.exe
Token: 33	1196	LocalJFiRTpkrdv.exe
Token: SeIncBasePriorityPrivilege	1196	LocalJFiRTpkrdv.exe
Token: 33	1196	LocalJFiRTpkrdv.exe
Token: SeIncBasePriorityPrivilege	1196	LocalJFiRTpkrdv.exe
Token: 33	1196	LocalJFiRTpkrdv.exe
Token: SeIncBasePriorityPrivilege	1196	LocalJFiRTpkrdv.exe
Token: 33	1196	LocalJFiRTpkrdv.exe
Token: SeIncBasePriorityPrivilege	1196	LocalJFiRTpkrdv.exe
Token: 33	1196	LocalJFiRTpkrdv.exe
Token: SeIncBasePriorityPrivilege	1196	LocalJFiRTpkrdv.exe
Token: 33	1196	LocalJFiRTpkrdv.exe
Token: SeIncBasePriorityPrivilege	1196	LocalJFiRTpkrdv.exe
Token: 33	1196	LocalJFiRTpkrdv.exe
Token: SeIncBasePriorityPrivilege	1196	LocalJFiRTpkrdv.exe
Token: 33	1196	LocalJFiRTpkrdv.exe
Token: SeIncBasePriorityPrivilege	1196	LocalJFiRTpkrdv.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

fd98e0c2a8558c0a96ef150eb111c45e_JaffaCakes118.exeLocalJFiRTpkrdv.exe

description	pid	process	target process
PID 3040 wrote to memory of 1196	3040	fd98e0c2a8558c0a96ef150eb111c45e_JaffaCakes118.exe	LocalJFiRTpkrdv.exe
PID 3040 wrote to memory of 1196	3040	fd98e0c2a8558c0a96ef150eb111c45e_JaffaCakes118.exe	LocalJFiRTpkrdv.exe
PID 3040 wrote to memory of 1196	3040	fd98e0c2a8558c0a96ef150eb111c45e_JaffaCakes118.exe	LocalJFiRTpkrdv.exe
PID 3040 wrote to memory of 2764	3040	fd98e0c2a8558c0a96ef150eb111c45e_JaffaCakes118.exe	LocaldOwXcLcKGH..exe
PID 3040 wrote to memory of 2764	3040	fd98e0c2a8558c0a96ef150eb111c45e_JaffaCakes118.exe	LocaldOwXcLcKGH..exe
PID 3040 wrote to memory of 2764	3040	fd98e0c2a8558c0a96ef150eb111c45e_JaffaCakes118.exe	LocaldOwXcLcKGH..exe
PID 3040 wrote to memory of 2764	3040	fd98e0c2a8558c0a96ef150eb111c45e_JaffaCakes118.exe	LocaldOwXcLcKGH..exe
PID 1196 wrote to memory of 2928	1196	LocalJFiRTpkrdv.exe	netsh.exe
PID 1196 wrote to memory of 2928	1196	LocalJFiRTpkrdv.exe	netsh.exe
PID 1196 wrote to memory of 2928	1196	LocalJFiRTpkrdv.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\fd98e0c2a8558c0a96ef150eb111c45e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fd98e0c2a8558c0a96ef150eb111c45e_JaffaCakes118.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:3040

C:\Users\Admin\AppData\LocalJFiRTpkrdv.exe
"C:\Users\Admin\AppData\LocalJFiRTpkrdv.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1196

C:\Windows\system32\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\LocalJFiRTpkrdv.exe" "LocalJFiRTpkrdv.exe" ENABLE
3⤵
- Modifies Windows Firewall
PID:2928

C:\Users\Admin\AppData\LocaldOwXcLcKGH..exe
"C:\Users\Admin\AppData\LocaldOwXcLcKGH..exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
- Writes to the Master Boot Record (MBR)
PID:2764

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Privilege Escalation

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Impair Defenses

1

T1562

Disable or Modify System Firewall

1

T1562.004

Modify Registry

1

T1112

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Credential Access

Discovery

Query Registry

1

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalJFiRTpkrdv.exe
Filesize
99KB

MD5
121ffbd73501445f6d92bd8926c601d0

SHA1
f286e21fdabb2df748591d4339d815c13f60ffd0

SHA256
51357a4e625b3c94fe6047f3c5152efd1cbd4d9e8530e3ce14c54984ceb95561

SHA512
368a30e330a364b653e8acf0feadd6f50ea757f872d0e85bde280e23e2ad4ebf9f604c8df2e679c8aa971135abac090490f3efee03dbe312531e0f1976f2464d

Download Submit
C:\Users\Admin\AppData\LocaldOwXcLcKGH..exe
Filesize
1.5MB

MD5
ab22f6d86627ff7cd3ecb8bad27fa041

SHA1
f020d4c5aa9778d97dd20e7d3a486951c7f4e0af

SHA256
e4ad01ce4e61a35a3a5bfd8161a629d3a77c25b78257a79e2cf8656084f9e8c1

SHA512
1501aa4f2ff3417a7e7ecb721163c43f720e1f785bea0d673028ac20a86009c7fa89f38530cfad26d556b37de3f291cef753ce472f961ed4696771d07fef493c

Download Submit
\Users\Admin\AppData\Local\Tencent\TxGameAssistant\TGBDownloader\dr.dll
Filesize
74KB

MD5
2814acbd607ba47bdbcdf6ac3076ee95

SHA1
50ab892071bed2bb2365ca1d4bf5594e71c6b13b

SHA256
5904a7e4d97eeac939662c3638a0e145f64ff3dd0198f895c4bf0337595c6a67

SHA512
34c73014ffc8d38d6dd29f4f84c8f4f9ea971bc131f665f65b277f453504d5efc2d483a792cdea610c5e0544bf3997b132dcdbe37224912c5234c15cdb89d498

Download Submit
memory/1196-29-0x000007FEF5EE0000-0x000007FEF687D000-memory.dmp

Filesize
9.6MB

Download
memory/1196-30-0x00000000005E0000-0x0000000000660000-memory.dmp

Filesize
512KB

Download
memory/1196-28-0x0000000000530000-0x000000000053E000-memory.dmp

Filesize
56KB

Download
memory/1196-12-0x000007FEF5EE0000-0x000007FEF687D000-memory.dmp

Filesize
9.6MB

Download
memory/1196-15-0x000007FEF5EE0000-0x000007FEF687D000-memory.dmp

Filesize
9.6MB

Download
memory/3040-3-0x000007FEF5EE0000-0x000007FEF687D000-memory.dmp

Filesize
9.6MB

Download
memory/3040-27-0x000007FEF5EE0000-0x000007FEF687D000-memory.dmp

Filesize
9.6MB

Download
memory/3040-0-0x000007FEF5EE0000-0x000007FEF687D000-memory.dmp

Filesize
9.6MB

Download
memory/3040-2-0x0000000000AA0000-0x0000000000B20000-memory.dmp

Filesize
512KB

Download
memory/3040-1-0x000000001B110000-0x000000001B2BA000-memory.dmp

Filesize
1.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads