2e5f7852f8c8fe9f8bfb227a213c5ae9be86a53987866a37c66fcc83046a3e92

General

Target

fd98e0c2a8558c0a96ef150eb111c45e_JaffaCakes118.exe
Size

1.0MB
MD5

fd98e0c2a8558c0a96ef150eb111c45e
SHA1

6d803347797695be2f83000e4b363d30ae8d2aa9
SHA256

2e5f7852f8c8fe9f8bfb227a213c5ae9be86a53987866a37c66fcc83046a3e92
SHA512

7efa3783333e3da291b6eee4f1eedc21a2752b6ee7f8fc72a99ccad2414fbadca30e7162fc9c48b988cb66aec81ad29c0bf4cf484edc1bde8a808c24327ecb0c
SSDEEP

12288:KZb+woHUIZI+DkVurXnnW2aLkEgB1BqKSKXxDL6nF/8ixtBQ4Tdu3qHFVJJmVxS9:wTIZ9RznnWuEgfIO8xC3egSY8

Score

8^/10

bootkit evasion persistence

Malware Config

Signatures

Modifies Windows Firewall 2 TTPs 1 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exe

pid process

3708 netsh.exe

pid	process
3708	netsh.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

fd98e0c2a8558c0a96ef150eb111c45e_JaffaCakes118.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\International\Geo\Nation	fd98e0c2a8558c0a96ef150eb111c45e_JaffaCakes118.exe

Executes dropped EXE 2 IoCs

Processes:

LocalJFiRTpkrdv.exeLocaldOwXcLcKGH..exe

pid process

736 LocalJFiRTpkrdv.exe
3560 LocaldOwXcLcKGH..exe
Loads dropped DLL 1 IoCs

Processes:

LocaldOwXcLcKGH..exe

pid process

3560 LocaldOwXcLcKGH..exe

pid	process
736	LocalJFiRTpkrdv.exe
3560	LocaldOwXcLcKGH..exe

pid	process
3560	LocaldOwXcLcKGH..exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

LocalJFiRTpkrdv.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\8b2c41a500900e95b9bf67ec858345ab = "\"C:\\Users\\Admin\\AppData\\LocalJFiRTpkrdv.exe\" .."	LocalJFiRTpkrdv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\8b2c41a500900e95b9bf67ec858345ab = "\"C:\\Users\\Admin\\AppData\\LocalJFiRTpkrdv.exe\" .."	LocalJFiRTpkrdv.exe

Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.

Query Registry
T1012

Peripheral Device Discovery
T1120

System Information Discovery
T1082

Processes:

LocaldOwXcLcKGH..exe

description ioc process

File opened (read-only) \??\F: LocaldOwXcLcKGH..exe
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1542.003

Processes:

LocaldOwXcLcKGH..exe

description ioc process

File opened for modification \??\PhysicalDrive0 LocaldOwXcLcKGH..exe

description	ioc	process
File opened (read-only)	\??\F:	LocaldOwXcLcKGH..exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	LocaldOwXcLcKGH..exe

Drops file in Windows directory 2 IoCs

Processes:

fd98e0c2a8558c0a96ef150eb111c45e_JaffaCakes118.exe

description	ioc	process
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\config\security.config.cch.new	fd98e0c2a8558c0a96ef150eb111c45e_JaffaCakes118.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\config\enterprisesec.config.cch.new	fd98e0c2a8558c0a96ef150eb111c45e_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 55 IoCs

Processes:

LocalJFiRTpkrdv.exe

description	pid	process
Token: SeDebugPrivilege	736	LocalJFiRTpkrdv.exe
Token: 33	736	LocalJFiRTpkrdv.exe
Token: SeIncBasePriorityPrivilege	736	LocalJFiRTpkrdv.exe
Token: 33	736	LocalJFiRTpkrdv.exe
Token: SeIncBasePriorityPrivilege	736	LocalJFiRTpkrdv.exe
Token: 33	736	LocalJFiRTpkrdv.exe
Token: SeIncBasePriorityPrivilege	736	LocalJFiRTpkrdv.exe
Token: 33	736	LocalJFiRTpkrdv.exe
Token: SeIncBasePriorityPrivilege	736	LocalJFiRTpkrdv.exe
Token: 33	736	LocalJFiRTpkrdv.exe
Token: SeIncBasePriorityPrivilege	736	LocalJFiRTpkrdv.exe
Token: 33	736	LocalJFiRTpkrdv.exe
Token: SeIncBasePriorityPrivilege	736	LocalJFiRTpkrdv.exe
Token: 33	736	LocalJFiRTpkrdv.exe
Token: SeIncBasePriorityPrivilege	736	LocalJFiRTpkrdv.exe
Token: 33	736	LocalJFiRTpkrdv.exe
Token: SeIncBasePriorityPrivilege	736	LocalJFiRTpkrdv.exe
Token: 33	736	LocalJFiRTpkrdv.exe
Token: SeIncBasePriorityPrivilege	736	LocalJFiRTpkrdv.exe
Token: 33	736	LocalJFiRTpkrdv.exe
Token: SeIncBasePriorityPrivilege	736	LocalJFiRTpkrdv.exe
Token: 33	736	LocalJFiRTpkrdv.exe
Token: SeIncBasePriorityPrivilege	736	LocalJFiRTpkrdv.exe
Token: 33	736	LocalJFiRTpkrdv.exe
Token: SeIncBasePriorityPrivilege	736	LocalJFiRTpkrdv.exe
Token: 33	736	LocalJFiRTpkrdv.exe
Token: SeIncBasePriorityPrivilege	736	LocalJFiRTpkrdv.exe
Token: 33	736	LocalJFiRTpkrdv.exe
Token: SeIncBasePriorityPrivilege	736	LocalJFiRTpkrdv.exe
Token: 33	736	LocalJFiRTpkrdv.exe
Token: SeIncBasePriorityPrivilege	736	LocalJFiRTpkrdv.exe
Token: 33	736	LocalJFiRTpkrdv.exe
Token: SeIncBasePriorityPrivilege	736	LocalJFiRTpkrdv.exe
Token: 33	736	LocalJFiRTpkrdv.exe
Token: SeIncBasePriorityPrivilege	736	LocalJFiRTpkrdv.exe
Token: 33	736	LocalJFiRTpkrdv.exe
Token: SeIncBasePriorityPrivilege	736	LocalJFiRTpkrdv.exe
Token: 33	736	LocalJFiRTpkrdv.exe
Token: SeIncBasePriorityPrivilege	736	LocalJFiRTpkrdv.exe
Token: 33	736	LocalJFiRTpkrdv.exe
Token: SeIncBasePriorityPrivilege	736	LocalJFiRTpkrdv.exe
Token: 33	736	LocalJFiRTpkrdv.exe
Token: SeIncBasePriorityPrivilege	736	LocalJFiRTpkrdv.exe
Token: 33	736	LocalJFiRTpkrdv.exe
Token: SeIncBasePriorityPrivilege	736	LocalJFiRTpkrdv.exe
Token: 33	736	LocalJFiRTpkrdv.exe
Token: SeIncBasePriorityPrivilege	736	LocalJFiRTpkrdv.exe
Token: 33	736	LocalJFiRTpkrdv.exe
Token: SeIncBasePriorityPrivilege	736	LocalJFiRTpkrdv.exe
Token: 33	736	LocalJFiRTpkrdv.exe
Token: SeIncBasePriorityPrivilege	736	LocalJFiRTpkrdv.exe
Token: 33	736	LocalJFiRTpkrdv.exe
Token: SeIncBasePriorityPrivilege	736	LocalJFiRTpkrdv.exe
Token: 33	736	LocalJFiRTpkrdv.exe
Token: SeIncBasePriorityPrivilege	736	LocalJFiRTpkrdv.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

fd98e0c2a8558c0a96ef150eb111c45e_JaffaCakes118.exeLocalJFiRTpkrdv.exe

description	pid	process	target process
PID 2084 wrote to memory of 736	2084	fd98e0c2a8558c0a96ef150eb111c45e_JaffaCakes118.exe	LocalJFiRTpkrdv.exe
PID 2084 wrote to memory of 736	2084	fd98e0c2a8558c0a96ef150eb111c45e_JaffaCakes118.exe	LocalJFiRTpkrdv.exe
PID 2084 wrote to memory of 3560	2084	fd98e0c2a8558c0a96ef150eb111c45e_JaffaCakes118.exe	LocaldOwXcLcKGH..exe
PID 2084 wrote to memory of 3560	2084	fd98e0c2a8558c0a96ef150eb111c45e_JaffaCakes118.exe	LocaldOwXcLcKGH..exe
PID 2084 wrote to memory of 3560	2084	fd98e0c2a8558c0a96ef150eb111c45e_JaffaCakes118.exe	LocaldOwXcLcKGH..exe
PID 736 wrote to memory of 3708	736	LocalJFiRTpkrdv.exe	netsh.exe
PID 736 wrote to memory of 3708	736	LocalJFiRTpkrdv.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\fd98e0c2a8558c0a96ef150eb111c45e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fd98e0c2a8558c0a96ef150eb111c45e_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2084

C:\Users\Admin\AppData\LocalJFiRTpkrdv.exe
"C:\Users\Admin\AppData\LocalJFiRTpkrdv.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:736

C:\Windows\SYSTEM32\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\LocalJFiRTpkrdv.exe" "LocalJFiRTpkrdv.exe" ENABLE
3⤵
- Modifies Windows Firewall
PID:3708

C:\Users\Admin\AppData\LocaldOwXcLcKGH..exe
"C:\Users\Admin\AppData\LocaldOwXcLcKGH..exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
- Writes to the Master Boot Record (MBR)
PID:3560

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Defense Evasion

Impair Defenses

1

T1562

Disable or Modify System Firewall

Modify Registry

Pre-OS Boot

T1542

Bootkit

1

T1542.003

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

3

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalJFiRTpkrdv.exe

Filesize
99KB

MD5
121ffbd73501445f6d92bd8926c601d0

SHA1
f286e21fdabb2df748591d4339d815c13f60ffd0

SHA256
51357a4e625b3c94fe6047f3c5152efd1cbd4d9e8530e3ce14c54984ceb95561

SHA512
368a30e330a364b653e8acf0feadd6f50ea757f872d0e85bde280e23e2ad4ebf9f604c8df2e679c8aa971135abac090490f3efee03dbe312531e0f1976f2464d

Download Submit
C:\Users\Admin\AppData\Local\Tencent\TxGameAssistant\TGBDownloader\dr.dll

Filesize
74KB

MD5
2814acbd607ba47bdbcdf6ac3076ee95

SHA1
50ab892071bed2bb2365ca1d4bf5594e71c6b13b

SHA256
5904a7e4d97eeac939662c3638a0e145f64ff3dd0198f895c4bf0337595c6a67

SHA512
34c73014ffc8d38d6dd29f4f84c8f4f9ea971bc131f665f65b277f453504d5efc2d483a792cdea610c5e0544bf3997b132dcdbe37224912c5234c15cdb89d498

Download Submit
C:\Users\Admin\AppData\LocaldOwXcLcKGH..exe

Filesize
1.5MB

MD5
ab22f6d86627ff7cd3ecb8bad27fa041

SHA1
f020d4c5aa9778d97dd20e7d3a486951c7f4e0af

SHA256
e4ad01ce4e61a35a3a5bfd8161a629d3a77c25b78257a79e2cf8656084f9e8c1

SHA512
1501aa4f2ff3417a7e7ecb721163c43f720e1f785bea0d673028ac20a86009c7fa89f38530cfad26d556b37de3f291cef753ce472f961ed4696771d07fef493c

Download Submit
memory/736-28-0x0000000001880000-0x00000000018A6000-memory.dmp

Filesize
152KB

Download
memory/736-30-0x000000001CCF0000-0x000000001CD8C000-memory.dmp

Filesize
624KB

Download
memory/736-20-0x000000001BDA0000-0x000000001BE46000-memory.dmp

Filesize
664KB

Download
memory/736-46-0x0000000001920000-0x0000000001930000-memory.dmp

Filesize
64KB

Download
memory/736-27-0x000000001C380000-0x000000001C84E000-memory.dmp

Filesize
4.8MB

Download
memory/736-45-0x00007FFF905A0000-0x00007FFF90F41000-memory.dmp

Filesize
9.6MB

Download
memory/736-29-0x00007FFF905A0000-0x00007FFF90F41000-memory.dmp

Filesize
9.6MB

Download
memory/736-44-0x00000000018C0000-0x00000000018C8000-memory.dmp

Filesize
32KB

Download
memory/736-31-0x0000000001920000-0x0000000001930000-memory.dmp

Filesize
64KB

Download
memory/736-35-0x00007FFF905A0000-0x00007FFF90F41000-memory.dmp

Filesize
9.6MB

Download
memory/736-43-0x0000000001710000-0x000000000171E000-memory.dmp

Filesize
56KB

Download
memory/2084-1-0x0000000001540000-0x0000000001550000-memory.dmp

Filesize
64KB

Download
memory/2084-34-0x00007FFF905A0000-0x00007FFF90F41000-memory.dmp

Filesize
9.6MB

Download
memory/2084-3-0x000000001BAC0000-0x000000001BC6A000-memory.dmp

Filesize
1.7MB

Download
memory/2084-0-0x00007FFF905A0000-0x00007FFF90F41000-memory.dmp

Filesize
9.6MB

Download
memory/2084-2-0x00007FFF905A0000-0x00007FFF90F41000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads