d678f1ba76680d2428ef998a58bcbfbe57406b96f3bf978570433cdb30e30b63

General

Target

18843accc238fc0b7ce7b851ece8a149_JaffaCakes118.exe
Size

1.6MB
MD5

18843accc238fc0b7ce7b851ece8a149
SHA1

1671f02900fb2dc1f06005480bee68c419da4501
SHA256

d678f1ba76680d2428ef998a58bcbfbe57406b96f3bf978570433cdb30e30b63
SHA512

a1dd4d0b52c5329c0f221a9bd000182d3f92b6dccacffa3ac3caf2e23403106b8508360f2f98db46793c8c4c0ffa8ca5280b676160db08b3c51653732b4d8668
SSDEEP

49152:31R+OAGKRwtsCds9U68eu8SExZGJbPq89o9m8erX:37+o5sCds268evSExwV9o9mh

Score

7^/10

aspackv2 bootkit persistence

Malware Config

Signatures

ASPack v2.12-2.42 1 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral2/files/0x00090000000235d6-18.dat	aspack_v212_v242

Executes dropped EXE 3 IoCs

pid	Process
1392	ssinitar.exe
3488	setup.exe
3100	setup.exe

Loads dropped DLL 1 IoCs

pid	Process
4900	Rundll32.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	setup.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
3100	setup.exe
3100	setup.exe
3100	setup.exe
3100	setup.exe
3100	setup.exe
3100	setup.exe
3100	setup.exe
3100	setup.exe
3100	setup.exe
3100	setup.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
3100	setup.exe
3100	setup.exe
3100	setup.exe
3100	setup.exe

Suspicious use of SendNotifyMessage 4 IoCs

pid	Process
3100	setup.exe
3100	setup.exe
3100	setup.exe
3100	setup.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3100	setup.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 1688 wrote to memory of 1392	1688	18843accc238fc0b7ce7b851ece8a149_JaffaCakes118.exe	88
PID 1688 wrote to memory of 1392	1688	18843accc238fc0b7ce7b851ece8a149_JaffaCakes118.exe	88
PID 1688 wrote to memory of 1392	1688	18843accc238fc0b7ce7b851ece8a149_JaffaCakes118.exe	88
PID 1688 wrote to memory of 3488	1688	18843accc238fc0b7ce7b851ece8a149_JaffaCakes118.exe	89
PID 1688 wrote to memory of 3488	1688	18843accc238fc0b7ce7b851ece8a149_JaffaCakes118.exe	89
PID 1688 wrote to memory of 3488	1688	18843accc238fc0b7ce7b851ece8a149_JaffaCakes118.exe	89
PID 1688 wrote to memory of 4900	1688	18843accc238fc0b7ce7b851ece8a149_JaffaCakes118.exe	90
PID 1688 wrote to memory of 4900	1688	18843accc238fc0b7ce7b851ece8a149_JaffaCakes118.exe	90
PID 1688 wrote to memory of 4900	1688	18843accc238fc0b7ce7b851ece8a149_JaffaCakes118.exe	90
PID 4900 wrote to memory of 764	4900	Rundll32.exe	91
PID 4900 wrote to memory of 764	4900	Rundll32.exe	91
PID 4900 wrote to memory of 764	4900	Rundll32.exe	91
PID 3488 wrote to memory of 3100	3488	setup.exe	93
PID 3488 wrote to memory of 3100	3488	setup.exe	93
PID 3488 wrote to memory of 3100	3488	setup.exe	93

C:\Users\Admin\AppData\Local\Temp\18843accc238fc0b7ce7b851ece8a149_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\18843accc238fc0b7ce7b851ece8a149_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1688
- C:\Users\Admin\AppData\Local\Temp\fvltzf\ssinitar.exe
  C:\Users\Admin\AppData\Local\Temp\fvltzf\ssinitar.exe -pasdfghij -d"C:\Users\Admin\AppData\Local\Temp\fvltzf\"
  2⤵
  - Executes dropped EXE
  PID:1392
- C:\Users\Admin\AppData\Local\Temp\fvltzf\setup.exe
  "C:\Users\Admin\AppData\Local\Temp\fvltzf\setup.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3488
- - C:\Users\Admin\AppData\Local\Temp\fvltzf\setup.exe
    "C:\Users\Admin\AppData\Local\Temp\fvltzf\setup.exe" SEC
    3⤵
    - Executes dropped EXE
    - Writes to the Master Boot Record (MBR)
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    PID:3100
- C:\Windows\SysWOW64\Rundll32.exe
  Rundll32.exe "C:\Users\Admin\AppData\Local\Temp\fvltzf\notedll.txt",acMainDos C:\Users\Admin\AppData\Local\Temp\18843accc238fc0b7ce7b851ece8a149_JaffaCakes118.exe
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:4900
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c .\danulev1.bat
    3⤵
    PID:764

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3240,i,16488180140590516186,11762960689811837350,262144 --variations-seed-version --mojo-platform-channel-handle=4048 /prefetch:8
1⤵
PID:2792

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\danulev1.bat

Filesize
372B

MD5
152b7ed0258726db0060def507227365

SHA1
0c3ba9849548a520d66c8ea42d91bf35b8446629

SHA256
51ae2465c707642cbcdb701f71046e1a4149ae2656322439671227564f48beb4

SHA512
884a2056c9fc24007acf7de7f1c7f2b0f3c59931b83259e3eb087cd9ed06dd08f00f45f72d833e86f4372b09b4626ba90b121de7f6e8f3b5606212637bb67111

Download Submit
C:\Users\Admin\AppData\Local\Temp\fvltzf\notedll.txt

Filesize
517KB

MD5
6d86f847e931ce8117c50278b0b0a81a

SHA1
12db767f4b001f563165da2200e68e8ba15c1d27

SHA256
db44c6cf1d94eaac7cb7f6a4a35f396640a5d9b67359a75875bc7eec51925d71

SHA512
4ac367dca7cb001d5b765c707e005f2e08ef2977ea7236d71188220a7eb7ba17860cd642f4e1981b5f9e08c5dbe37d83a6c3966d3bc4234617831b4e9b1be41f

Download Submit
C:\Users\Admin\AppData\Local\Temp\fvltzf\setup.exe

Filesize
550KB

MD5
4e472e003ee3994635ecb967c8581e1b

SHA1
4d9c60640ab8f0df4dd4fb0ecabd1b49818d48e7

SHA256
dfe6bf380fbde2ccfed76143b0e933231a6b72d970ec8949781c994d83ea9894

SHA512
671b8b0087a1aa14574a613f23b8a30a8622e79e701a071d8aeffc0a0b1aa1b60abf51052c17e341f6c958754e1131b2173c21d3a0ff19c50bba94eb0c6509ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\fvltzf\setup.txt

Filesize
550KB

MD5
531734e8f228e931663971f7162879fe

SHA1
e049aa2ffdfe9a95d6d7ba49a1e5f553f16a2cf6

SHA256
af1e5c6a29f8b30bed623a644bfe7d7bc6d194db8798f9eb3692877dd4ce3672

SHA512
634354f9feeacd8ba626bf830506dfa7adfbc1e26fc904b54d5f5ff9cc011afed13bd39cc708e5e8bac588ad898480bcb59d8ceeeb91014eefbe5364f13eecae

Download Submit
C:\Users\Admin\AppData\Local\Temp\fvltzf\ssinitar.exe

Filesize
1.2MB

MD5
ef8d72a962c1c0b2e7d8858fc1eef73d

SHA1
29c67925d39458abf799a66e689a714558131f73

SHA256
1de80dd1f16cbb2d17d80e2559bf7689dba8883e84de8ce557e02fd71506f9dd

SHA512
12d2fccf6055bf63d0a8eefc469eae45394b0b0da41fdc429c47f318caeaf712515c478e14766ea8e980a95626e1746d546238b2af42019666682a61ff78d8de

Download Submit
memory/1392-11-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/1688-27-0x0000000000400000-0x00000000005A2000-memory.dmp

Filesize
1.6MB

Download
memory/1688-0-0x0000000002300000-0x0000000002301000-memory.dmp

Filesize
4KB

Download
memory/3100-28-0x0000000000400000-0x0000000000574000-memory.dmp

Filesize
1.5MB

Download
memory/3100-29-0x0000000000400000-0x0000000000574000-memory.dmp

Filesize
1.5MB

Download
memory/3100-30-0x0000000000400000-0x0000000000574000-memory.dmp

Filesize
1.5MB

Download
memory/3488-23-0x00000000006F0000-0x00000000006F1000-memory.dmp

Filesize
4KB

Download
memory/3488-26-0x0000000000400000-0x0000000000574000-memory.dmp

Filesize
1.5MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads