2fe75f1af96113739774688d392d325417fd10b11f0cc5dab4af9bf17f204a5a

General

Target

28a1e550af11ae901bd61526c44dc243_JaffaCakes118.exe
Size

496KB
MD5

28a1e550af11ae901bd61526c44dc243
SHA1

17e432ca6f73250545299b9c923614d59d3d3125
SHA256

2fe75f1af96113739774688d392d325417fd10b11f0cc5dab4af9bf17f204a5a
SHA512

c34d8002255afd8399fc332f44eb036fd634739f991cdd781ccf77a256d4676746acf1df44eb5448c351eff2530b7363dde53be2265fd9b5e1c27c40e0274367
SSDEEP

12288:DJEGTQhlMS8e8vifddJht0K96J/x497jP:DaG1S8VqFdJP0K9g/x0P

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2384	COPIED~1.EXE
2532	CONGRE~1.EXE

Loads dropped DLL 6 IoCs

pid	Process
648	28a1e550af11ae901bd61526c44dc243_JaffaCakes118.exe
648	28a1e550af11ae901bd61526c44dc243_JaffaCakes118.exe
2384	COPIED~1.EXE
648	28a1e550af11ae901bd61526c44dc243_JaffaCakes118.exe
648	28a1e550af11ae901bd61526c44dc243_JaffaCakes118.exe
2532	CONGRE~1.EXE

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	28a1e550af11ae901bd61526c44dc243_JaffaCakes118.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	CONGRE~1.EXE

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.key	CONGRE~1.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\	CONGRE~1.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile"	CONGRE~1.EXE

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2384	COPIED~1.EXE

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 648 wrote to memory of 2384	648	28a1e550af11ae901bd61526c44dc243_JaffaCakes118.exe	30
PID 648 wrote to memory of 2384	648	28a1e550af11ae901bd61526c44dc243_JaffaCakes118.exe	30
PID 648 wrote to memory of 2384	648	28a1e550af11ae901bd61526c44dc243_JaffaCakes118.exe	30
PID 648 wrote to memory of 2384	648	28a1e550af11ae901bd61526c44dc243_JaffaCakes118.exe	30
PID 648 wrote to memory of 2384	648	28a1e550af11ae901bd61526c44dc243_JaffaCakes118.exe	30
PID 648 wrote to memory of 2384	648	28a1e550af11ae901bd61526c44dc243_JaffaCakes118.exe	30
PID 648 wrote to memory of 2384	648	28a1e550af11ae901bd61526c44dc243_JaffaCakes118.exe	30
PID 648 wrote to memory of 2532	648	28a1e550af11ae901bd61526c44dc243_JaffaCakes118.exe	31
PID 648 wrote to memory of 2532	648	28a1e550af11ae901bd61526c44dc243_JaffaCakes118.exe	31
PID 648 wrote to memory of 2532	648	28a1e550af11ae901bd61526c44dc243_JaffaCakes118.exe	31
PID 648 wrote to memory of 2532	648	28a1e550af11ae901bd61526c44dc243_JaffaCakes118.exe	31
PID 648 wrote to memory of 2532	648	28a1e550af11ae901bd61526c44dc243_JaffaCakes118.exe	31
PID 648 wrote to memory of 2532	648	28a1e550af11ae901bd61526c44dc243_JaffaCakes118.exe	31
PID 648 wrote to memory of 2532	648	28a1e550af11ae901bd61526c44dc243_JaffaCakes118.exe	31

C:\Users\Admin\AppData\Local\Temp\28a1e550af11ae901bd61526c44dc243_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\28a1e550af11ae901bd61526c44dc243_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:648
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\COPIED~1.EXE
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\COPIED~1.EXE
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  PID:2384
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CONGRE~1.EXE
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CONGRE~1.EXE
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Writes to the Master Boot Record (MBR)
  - Modifies registry class
  PID:2532

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CONGRE~1.EXE

Filesize
660KB

MD5
60f6f6baab2cc8c6e227566914f42c9d

SHA1
b6499afd58318bdc4360eb24e230d68afc7fd0ea

SHA256
f5c2f4e5b53ff49743b02a04730d63c4c6d11a5e8d03d9ddf011a54f3b64a166

SHA512
9c2c26d4c883dbef84ddaec138b2ce76cd7b19ae96f22e210c38badc8382c9b4e7d28682a91425917d33910d2ae3282059f2a506fd0ad7675f4a861eb4e1c7d1

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\COPIED~1.EXE

Filesize
204KB

MD5
9c57406870d1daf78200d6219df709e7

SHA1
eb208397b674330fce66070966fb36e0656ede48

SHA256
2dd20589cc3cdd49112d4deabfc77237221eec1ef7b2af76557269eb1067f384

SHA512
1c9ce4f11d281723abec04d60b180feb3b820098b49c341e0c7eb481a03610349aa4bf80ef06dc40a936ff3a0054fa493eed2fedf20b50b6a9d8701a9a025563

Download Submit
memory/648-25-0x0000000003580000-0x00000000036E3000-memory.dmp

Filesize
1.4MB

Download
memory/648-24-0x0000000003580000-0x00000000036E3000-memory.dmp

Filesize
1.4MB

Download
memory/2532-26-0x0000000000400000-0x0000000000563000-memory.dmp

Filesize
1.4MB

Download
memory/2532-27-0x0000000000509000-0x000000000050A000-memory.dmp

Filesize
4KB

Download
memory/2532-28-0x0000000000400000-0x0000000000563000-memory.dmp

Filesize
1.4MB

Download
memory/2532-30-0x0000000000509000-0x000000000050A000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads