29a103e0c1ff76627ab5856fb98dc0f8d052839c8d6a051819527bf2fe721215

General

Target

36e257f1720a643387a3527dd727a021_JaffaCakes118.exe
Size

82KB
MD5

36e257f1720a643387a3527dd727a021
SHA1

e8f62579371b07b87ced23ed7fa3057085b3f6f9
SHA256

29a103e0c1ff76627ab5856fb98dc0f8d052839c8d6a051819527bf2fe721215
SHA512

716324a2a982630975162459d4b32619e0154f6d55d6df95433926b1466aaf22adc9eec753734bbdecf48041588d726cf52bfd68021a06e6e4ad5f32d743b73e
SSDEEP

1536:9ShMseNBOVzwnFixjoP7+y3v4SFQYPwo0X2pekLNcSFlupQBSvM:9ZJUVdOKG4Oa2p/iSFlu21

Score

8^/10

Malware Config

Signatures

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Drivers\beep.sys	36e257f1720a643387a3527dd727a021_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\Drivers\beep.sys	svchost.exe

Server Software Component: Terminal Services DLL 1 TTPs 1 IoCs

persistence

Terminal Services DLL

T1505.005

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Òøºü²å¼þ\Parameters\ServiceDll = "C:\\Windows\\system32\\GlkWJLJIgNoRa.dll"	36e257f1720a643387a3527dd727a021_JaffaCakes118.exe

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral2/files/0x0009000000023443-1.dat	acprotect

Loads dropped DLL 2 IoCs

pid	Process
3408	36e257f1720a643387a3527dd727a021_JaffaCakes118.exe
4460	svchost.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3408-2-0x0000000010000000-0x0000000010020000-memory.dmp	upx
behavioral2/files/0x0009000000023443-1.dat	upx
behavioral2/memory/4460-16-0x0000000010000000-0x0000000010020000-memory.dmp	upx
behavioral2/memory/4460-25-0x0000000010000000-0x0000000010020000-memory.dmp	upx

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\P:	svchost.exe
File opened (read-only)	\??\Q:	svchost.exe
File opened (read-only)	\??\Y:	svchost.exe
File opened (read-only)	\??\I:	svchost.exe
File opened (read-only)	\??\J:	svchost.exe
File opened (read-only)	\??\M:	svchost.exe
File opened (read-only)	\??\O:	svchost.exe
File opened (read-only)	\??\K:	svchost.exe
File opened (read-only)	\??\U:	svchost.exe
File opened (read-only)	\??\X:	svchost.exe
File opened (read-only)	\??\Z:	svchost.exe
File opened (read-only)	\??\A:	svchost.exe
File opened (read-only)	\??\B:	svchost.exe
File opened (read-only)	\??\G:	svchost.exe
File opened (read-only)	\??\H:	svchost.exe
File opened (read-only)	\??\E:	svchost.exe
File opened (read-only)	\??\L:	svchost.exe
File opened (read-only)	\??\N:	svchost.exe
File opened (read-only)	\??\W:	svchost.exe
File opened (read-only)	\??\R:	svchost.exe
File opened (read-only)	\??\S:	svchost.exe
File opened (read-only)	\??\T:	svchost.exe
File opened (read-only)	\??\V:	svchost.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	svchost.exe

Drops file in System32 directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\GlkWJLJIgNoRa.dll	36e257f1720a643387a3527dd727a021_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5	svchost.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE	svchost.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies	svchost.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5	svchost.exe

Modifies data under HKEY_USERS 8 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	svchost.exe

Suspicious behavior: LoadsDriver 4 IoCs

pid	Process
668	Process not Found
668	Process not Found
668	Process not Found
668	Process not Found

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3408	36e257f1720a643387a3527dd727a021_JaffaCakes118.exe
Token: SeDebugPrivilege	4460	svchost.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3408 wrote to memory of 2336	3408	36e257f1720a643387a3527dd727a021_JaffaCakes118.exe	85
PID 3408 wrote to memory of 2336	3408	36e257f1720a643387a3527dd727a021_JaffaCakes118.exe	85
PID 3408 wrote to memory of 2336	3408	36e257f1720a643387a3527dd727a021_JaffaCakes118.exe	85

C:\Users\Admin\AppData\Local\Temp\36e257f1720a643387a3527dd727a021_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\36e257f1720a643387a3527dd727a021_JaffaCakes118.exe"
1⤵
- Drops file in Drivers directory
- Server Software Component: Terminal Services DLL
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3408
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Del1.Bat"
  2⤵
  PID:2336

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k Òøºü²å¼þ
1⤵
- Drops file in Drivers directory
- Loads dropped DLL
- Enumerates connected drives
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4460

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Server Software Component

1

T1505

Terminal Services DLL

1

T1505.005

Privilege Escalation

Defense Evasion

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\SvzxArFYfk.dll

Filesize
68KB

MD5
8260853572cb6f5594fccd918605ba09

SHA1
385c43e34af466239cd98ca0d9be01d3786dc654

SHA256
af5ffd703568757c6dd8711b5b786cdad9c9a67cd743655d894e7f9f69919006

SHA512
03f2b07eb830fbf7a70685b2ff70e0f3bed5e3e7b687a3ad47044fa4b5eda36e7bcc3643641b555eeeed6d9e4be2164c6f1f55d8517920b8c611348004ff1932

Download Submit
C:\Users\Admin\AppData\Local\Temp\Del1.Bat

Filesize
192B

MD5
a410454b0a23a09ab9b79dfac2aa4ff6

SHA1
ccf049fec4e83c9d6d3290921a1c18c801d0982d

SHA256
598052aff9b460c55a3c8f1820e24d1bcc0fe054eaa9e4b3f1c28df6cf0b1eb3

SHA512
2befd7e666554a2ce7a1aa8d0c6c584bc8db1b2e124f7c67099ef24242b7e397fff8eea6b5c89e676280de5a6c1fd8c7d9d855a1d22252472d6a9a0f9391caae

Download Submit
C:\Windows\SysWOW64\drivers\beep.sys

Filesize
25KB

MD5
4178820661c549189a6d1d97c0aa5466

SHA1
0ac9e7d4f165be1b751d1722665a1f69e8138c9b

SHA256
f91f28ab82966f904c318bd45729b8a6962abcf6c6a1a6854411f02a93872bbd

SHA512
31a43f5edbee09aecc2afaa96f7ced02662578af915e334d57cf2c6b1ef3b99df5c4df26126118720634a0df107d71981bbb041f0e2b6fe8ee576c5b4d256c88

Download Submit
memory/3408-2-0x0000000010000000-0x0000000010020000-memory.dmp

Filesize
128KB

Download
memory/4460-16-0x0000000010000000-0x0000000010020000-memory.dmp

Filesize
128KB

Download
memory/4460-25-0x0000000010000000-0x0000000010020000-memory.dmp

Filesize
128KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads