9a7482878947a8f22b3a04c693f28f988202b1f858b6761cceb0ed08108f16ac

General

Target

03177f179628ff785ed13163c687746f_JaffaCakes118.exe
Size

46KB
MD5

03177f179628ff785ed13163c687746f
SHA1

c2200fe095155e3d3de1c0d9afc45ee8fa884af3
SHA256

9a7482878947a8f22b3a04c693f28f988202b1f858b6761cceb0ed08108f16ac
SHA512

d0681015061d6c5f5829a14d7e96aa33f21c5055307eb1efd25fbcf55374ab2af3585a6d7ea369e21cbb69d935446511b30b9429182e959248df40da6df201c2
SSDEEP

768:glR1xJurBnnpRndABjnnFsglAvP/ybJPWRVfbObzVmr6oPL0pZj5CjqdbF:Chu9pYBnFswZA/DsADz0ptQja

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2904	avp.exe

Loads dropped DLL 2 IoCs

pid	Process
920	03177f179628ff785ed13163c687746f_JaffaCakes118.exe
920	03177f179628ff785ed13163c687746f_JaffaCakes118.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	03177f179628ff785ed13163c687746f_JaffaCakes118.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\tf2sound.dll	03177f179628ff785ed13163c687746f_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\delplme.bat	03177f179628ff785ed13163c687746f_JaffaCakes118.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\avp.exe	03177f179628ff785ed13163c687746f_JaffaCakes118.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
920	03177f179628ff785ed13163c687746f_JaffaCakes118.exe
664	Process not Found

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeLoadDriverPrivilege	920	03177f179628ff785ed13163c687746f_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 920 wrote to memory of 4752	920	03177f179628ff785ed13163c687746f_JaffaCakes118.exe	83
PID 920 wrote to memory of 4752	920	03177f179628ff785ed13163c687746f_JaffaCakes118.exe	83
PID 920 wrote to memory of 4752	920	03177f179628ff785ed13163c687746f_JaffaCakes118.exe	83

C:\Users\Admin\AppData\Local\Temp\03177f179628ff785ed13163c687746f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\03177f179628ff785ed13163c687746f_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:920
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c delplme.bat
  2⤵
  PID:4752

C:\Windows\avp.exe
C:\Windows\avp.exe
1⤵
- Executes dropped EXE
PID:2904

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\delplme.bat

Filesize
306B

MD5
8bc6d4027b4d2bb55de8aff4dda28a17

SHA1
8a25e43523c0629e77b29beb2f6f4f55b082abdd

SHA256
46406552e4da30bec28dd6781f2447f581314d57f14aa3a53da962b0e7f3f4db

SHA512
b91e57b1fd70dc00dc471e209adf6aa776f2549c75c28bb0f111cc07fad08e50ada4a79c616c5da88f465bf662585b5a1c34315cfd0006c656ea4c50dae16745

Download Submit
C:\Windows\SysWOW64\tf2sound.dll

Filesize
73KB

MD5
300e3ef9591bf60a9dbbfda4f7ea8405

SHA1
8d51225f42064590f0e96a00f6087df6170ce73a

SHA256
5fe1cd924e9bd5f956bd5c542b79107af5213d31b2c86c82d159b85fd1a60d5e

SHA512
cc5cdc8298bdd6241e44fe45daa78792dd1e664aa198e1a5115f7b7fe98c6005cc9bba324162460c4a86fdb6351db62494a7ea3f52cc12d8720690de51a22d55

Download Submit
C:\Windows\avp.exe

Filesize
34KB

MD5
d6baf5b17cdbcbcf037f2f4afd8b5885

SHA1
11fb63fc5d0c8832df7b1afed904e9a0a6e14328

SHA256
51255f37abb1e5c33a1616fadbe6f220bea1e1075839a43cd0c9b73a2dfe385d

SHA512
54828597eb26bbce1175578cac9288cc905a8d449f5e4c40b8f6c083e6526bc00df72ef00beca7c3dbcc31c9930cc4f1fb528df2f1780c2d7c8ca6126734efd3

Download Submit
memory/920-0-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/920-1-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/920-3-0x00000000004D0000-0x00000000004D1000-memory.dmp

Filesize
4KB

Download
memory/920-7-0x00000000004D0000-0x00000000004E8000-memory.dmp

Filesize
96KB

Download
memory/920-14-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2904-18-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2904-17-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2904-16-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2904-19-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2904-20-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2904-21-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2904-22-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2904-23-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2904-24-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2904-25-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2904-27-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2904-28-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2904-29-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads