8c5278c91cd1b5f00f5af6505a14feb319345b88f41459099680ff22651cd5ad

General

Target

21461c16f10d28f8d3e2582ce2e1ab68_JaffaCakes118.exe
Size

90KB
MD5

21461c16f10d28f8d3e2582ce2e1ab68
SHA1

e4388b98152415f39c69072055ef4d9aab8e1294
SHA256

8c5278c91cd1b5f00f5af6505a14feb319345b88f41459099680ff22651cd5ad
SHA512

13ac88b20b1bf5899af4721202b075cec75faaec0834aa2005b5576458bfd45f9bfd39a6b650b4bedc7cc96ea4b2418b83eedf2562432482d4787c99ffdef0df
SSDEEP

1536:3Iyn1kJtyFyweuKSSv/ivay852PD4n+DYur8FMDbanPQu4bV23hf2NN8fllkA:3IVtypKSSvmab2PEn+DYuAFFbyQxau

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2704	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
1196	avp.exe

Loads dropped DLL 1 IoCs

pid	Process
2232	21461c16f10d28f8d3e2582ce2e1ab68_JaffaCakes118.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	21461c16f10d28f8d3e2582ce2e1ab68_JaffaCakes118.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\odmedia9.dll	21461c16f10d28f8d3e2582ce2e1ab68_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\delplme.bat	21461c16f10d28f8d3e2582ce2e1ab68_JaffaCakes118.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\avp.exe	21461c16f10d28f8d3e2582ce2e1ab68_JaffaCakes118.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2240	1196	WerFault.exe	28

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
2232	21461c16f10d28f8d3e2582ce2e1ab68_JaffaCakes118.exe
476	Process not Found

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeLoadDriverPrivilege	2232	21461c16f10d28f8d3e2582ce2e1ab68_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1196 wrote to memory of 2240	1196	avp.exe	29
PID 1196 wrote to memory of 2240	1196	avp.exe	29
PID 1196 wrote to memory of 2240	1196	avp.exe	29
PID 1196 wrote to memory of 2240	1196	avp.exe	29
PID 2232 wrote to memory of 2704	2232	21461c16f10d28f8d3e2582ce2e1ab68_JaffaCakes118.exe	30
PID 2232 wrote to memory of 2704	2232	21461c16f10d28f8d3e2582ce2e1ab68_JaffaCakes118.exe	30
PID 2232 wrote to memory of 2704	2232	21461c16f10d28f8d3e2582ce2e1ab68_JaffaCakes118.exe	30
PID 2232 wrote to memory of 2704	2232	21461c16f10d28f8d3e2582ce2e1ab68_JaffaCakes118.exe	30

C:\Users\Admin\AppData\Local\Temp\21461c16f10d28f8d3e2582ce2e1ab68_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\21461c16f10d28f8d3e2582ce2e1ab68_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2232
- C:\Windows\SysWOW64\cmd.exe
  cmd /c delplme.bat
  2⤵
  - Deletes itself
  PID:2704

C:\Windows\avp.exe
C:\Windows\avp.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1196
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1196 -s 120
  2⤵
  - Program crash
  PID:2240

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\delplme.bat

Filesize
306B

MD5
b26e13fbf19ec29e7116c06dd900d0d9

SHA1
ebf5ae34d8d0f3cbe4da8de0a02462c7dba357e7

SHA256
62eb093693c0992fbc71ad3149f01738fc15b11a19215c02c760555c92d48cf5

SHA512
860e1a5679323b53389bf21e2562bad4e952db10540ab8c8b3e2d4d010405b14e8ab26db023dec81a9a676cad7a739792bdb513885c3f799335e4e1d55ae5ac8

Download Submit
C:\Windows\avp.exe

Filesize
18KB

MD5
e5892842a84cf0029b50bb20a41108e2

SHA1
8b1d61098ce79a95b5f1ae03bbb9a8de9a4864d4

SHA256
8c3b2bf60e35d409ed9f18f7114540e6f2b8ad51614e67ea49c91f5d00370dad

SHA512
632c2b0bfed98a023bfc025b48952ddfb2a7dc21b023eb029d988f20e3d6df8e0ddd759bb564ab0719c8503bf9e1013c2b98e35d394194e11ea0313623004627

Download Submit
\Windows\SysWOW64\odmedia9.dll

Filesize
193KB

MD5
c8be08aaceeead8d4133c86a0ccbb935

SHA1
cd3368147eedabe339a6f97ac07785a95ef297c4

SHA256
6f46bff9194860b3de54c87ea41d98cdbdf30e128f43c0076643068380926992

SHA512
1261709b0fb0bf77d36025b6bd367254e0d5d686fb1c4e8c55354e0577ab3f1c35073d6818f14575418a1f90cffa50ba37d89e472f66e22d3671ac684ff66237

Download Submit
memory/1196-9-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2232-1-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/2232-0-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/2232-2-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/2232-5-0x0000000000460000-0x000000000049B000-memory.dmp

Filesize
236KB

Download
memory/2232-12-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/2232-11-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/2232-21-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads