00a290460af0c1b3050c96e3f52b0f7ed4fd8e515ac5255a66f415b58b455ddd

General

Target

2caa6c064b558c77571aaf44ebd90edf_JaffaCakes118.exe
Size

298KB
MD5

2caa6c064b558c77571aaf44ebd90edf
SHA1

9f765d7359481b678eb7c588392c08786ec72558
SHA256

00a290460af0c1b3050c96e3f52b0f7ed4fd8e515ac5255a66f415b58b455ddd
SHA512

d6a31d6d6fd7ae004965d2aab68e772f81270721e64f7cdab883b88b5b437e866d16f48b5172aae29c6549d4a08fb5416e2eaa85a984b7b6fe3e84a1200ad906
SSDEEP

6144:TCFykMHajHCH3vvOQaBWjRS9nVW5GJZ2tNYLj8MfsZooE6q:TCFypHgHCXvvOfrVzYKj86s0L

Score

6^/10

bootkit persistence

Malware Config

Signatures

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	2caa6c064b558c77571aaf44ebd90edf_JaffaCakes118.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2980 set thread context of 3052	2980	2caa6c064b558c77571aaf44ebd90edf_JaffaCakes118.exe	30
PID 2980 set thread context of 0	2980	2caa6c064b558c77571aaf44ebd90edf_JaffaCakes118.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.key	2caa6c064b558c77571aaf44ebd90edf_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\	2caa6c064b558c77571aaf44ebd90edf_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile"	2caa6c064b558c77571aaf44ebd90edf_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3052	2caa6c064b558c77571aaf44ebd90edf_JaffaCakes118.exe
3052	2caa6c064b558c77571aaf44ebd90edf_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2980	2caa6c064b558c77571aaf44ebd90edf_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2980 wrote to memory of 3052	2980	2caa6c064b558c77571aaf44ebd90edf_JaffaCakes118.exe	30
PID 2980 wrote to memory of 3052	2980	2caa6c064b558c77571aaf44ebd90edf_JaffaCakes118.exe	30
PID 2980 wrote to memory of 3052	2980	2caa6c064b558c77571aaf44ebd90edf_JaffaCakes118.exe	30
PID 2980 wrote to memory of 3052	2980	2caa6c064b558c77571aaf44ebd90edf_JaffaCakes118.exe	30
PID 2980 wrote to memory of 3052	2980	2caa6c064b558c77571aaf44ebd90edf_JaffaCakes118.exe	30
PID 2980 wrote to memory of 3052	2980	2caa6c064b558c77571aaf44ebd90edf_JaffaCakes118.exe	30
PID 2980 wrote to memory of 3052	2980	2caa6c064b558c77571aaf44ebd90edf_JaffaCakes118.exe	30
PID 2980 wrote to memory of 3052	2980	2caa6c064b558c77571aaf44ebd90edf_JaffaCakes118.exe	30
PID 2980 wrote to memory of 0	2980	2caa6c064b558c77571aaf44ebd90edf_JaffaCakes118.exe
PID 2980 wrote to memory of 0	2980	2caa6c064b558c77571aaf44ebd90edf_JaffaCakes118.exe
PID 2980 wrote to memory of 0	2980	2caa6c064b558c77571aaf44ebd90edf_JaffaCakes118.exe
PID 2980 wrote to memory of 0	2980	2caa6c064b558c77571aaf44ebd90edf_JaffaCakes118.exe
PID 3052 wrote to memory of 1200	3052	2caa6c064b558c77571aaf44ebd90edf_JaffaCakes118.exe	21
PID 3052 wrote to memory of 1200	3052	2caa6c064b558c77571aaf44ebd90edf_JaffaCakes118.exe	21
PID 3052 wrote to memory of 1200	3052	2caa6c064b558c77571aaf44ebd90edf_JaffaCakes118.exe	21
PID 3052 wrote to memory of 1200	3052	2caa6c064b558c77571aaf44ebd90edf_JaffaCakes118.exe	21

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1200
- C:\Users\Admin\AppData\Local\Temp\2caa6c064b558c77571aaf44ebd90edf_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\2caa6c064b558c77571aaf44ebd90edf_JaffaCakes118.exe"
  2⤵
  - Writes to the Master Boot Record (MBR)
  - Suspicious use of SetThreadContext
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2980
- - C:\Users\Admin\AppData\Local\Temp\2caa6c064b558c77571aaf44ebd90edf_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\2caa6c064b558c77571aaf44ebd90edf_JaffaCakes118.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:3052

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1200-40-0x000000007FFF0000-0x000000007FFF7000-memory.dmp

Filesize
28KB

Download
memory/2980-8-0x0000000000560000-0x0000000000561000-memory.dmp

Filesize
4KB

Download
memory/2980-18-0x0000000000560000-0x0000000000561000-memory.dmp

Filesize
4KB

Download
memory/2980-19-0x0000000000560000-0x0000000000561000-memory.dmp

Filesize
4KB

Download
memory/2980-0-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/2980-17-0x0000000000560000-0x0000000000561000-memory.dmp

Filesize
4KB

Download
memory/2980-7-0x0000000000560000-0x0000000000561000-memory.dmp

Filesize
4KB

Download
memory/2980-15-0x0000000000560000-0x0000000000561000-memory.dmp

Filesize
4KB

Download
memory/2980-14-0x0000000000560000-0x0000000000561000-memory.dmp

Filesize
4KB

Download
memory/2980-25-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download
memory/2980-24-0x0000000000560000-0x0000000000561000-memory.dmp

Filesize
4KB

Download
memory/2980-23-0x0000000000560000-0x0000000000561000-memory.dmp

Filesize
4KB

Download
memory/2980-22-0x0000000000560000-0x0000000000561000-memory.dmp

Filesize
4KB

Download
memory/2980-13-0x0000000000560000-0x0000000000561000-memory.dmp

Filesize
4KB

Download
memory/2980-12-0x0000000000560000-0x0000000000561000-memory.dmp

Filesize
4KB

Download
memory/2980-11-0x0000000000560000-0x0000000000561000-memory.dmp

Filesize
4KB

Download
memory/2980-10-0x0000000000560000-0x0000000000561000-memory.dmp

Filesize
4KB

Download
memory/2980-21-0x0000000000560000-0x0000000000561000-memory.dmp

Filesize
4KB

Download
memory/2980-20-0x0000000000560000-0x0000000000561000-memory.dmp

Filesize
4KB

Download
memory/2980-16-0x0000000000560000-0x0000000000561000-memory.dmp

Filesize
4KB

Download
memory/2980-6-0x0000000000560000-0x0000000000561000-memory.dmp

Filesize
4KB

Download
memory/2980-5-0x0000000000560000-0x0000000000561000-memory.dmp

Filesize
4KB

Download
memory/2980-4-0x0000000000560000-0x0000000000561000-memory.dmp

Filesize
4KB

Download
memory/2980-3-0x0000000000560000-0x0000000000561000-memory.dmp

Filesize
4KB

Download
memory/2980-2-0x0000000000560000-0x0000000000561000-memory.dmp

Filesize
4KB

Download
memory/2980-1-0x0000000000560000-0x0000000000561000-memory.dmp

Filesize
4KB

Download
memory/2980-26-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/2980-27-0x0000000000550000-0x0000000000551000-memory.dmp

Filesize
4KB

Download
memory/2980-30-0x0000000000401000-0x0000000000438000-memory.dmp

Filesize
220KB

Download
memory/2980-9-0x0000000000560000-0x0000000000561000-memory.dmp

Filesize
4KB

Download
memory/2980-37-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/2980-32-0x0000000003800000-0x00000000038C1000-memory.dmp

Filesize
772KB

Download
memory/3052-34-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/3052-36-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/3052-38-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/3052-31-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads