d3972908c2634c7365dde347164754184efc6ae90bcc4a623f3a175e7e690892

General

Target

357840d61505ea5fcc44aa0bea813807_JaffaCakes118.exe
Size

112KB
MD5

357840d61505ea5fcc44aa0bea813807
SHA1

f48fa76ef5daa0730387119dd0da019faed54bbf
SHA256

d3972908c2634c7365dde347164754184efc6ae90bcc4a623f3a175e7e690892
SHA512

59792d79b0fd1896f8aff5ef637edfa1c0d58ba849bda45e9df013cc5278b8e5c34cd4df1adcf476fee884e33ce927c0da4eb6dfa66705b824f87fa879e97e05
SSDEEP

3072:VjskZTe5bPddPClXwfnSaaxavca7qeeBeKPoiSWyH:VjzVWzddPwwfHaxPa72cK2/H

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1848	avp.exe

Loads dropped DLL 2 IoCs

pid	Process
1236	357840d61505ea5fcc44aa0bea813807_JaffaCakes118.exe
1236	357840d61505ea5fcc44aa0bea813807_JaffaCakes118.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	357840d61505ea5fcc44aa0bea813807_JaffaCakes118.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\od3mdi.dll	357840d61505ea5fcc44aa0bea813807_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\delplme.bat	357840d61505ea5fcc44aa0bea813807_JaffaCakes118.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\avp.exe	357840d61505ea5fcc44aa0bea813807_JaffaCakes118.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
1236	357840d61505ea5fcc44aa0bea813807_JaffaCakes118.exe
660	Process not Found

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeLoadDriverPrivilege	1236	357840d61505ea5fcc44aa0bea813807_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1236 wrote to memory of 3048	1236	357840d61505ea5fcc44aa0bea813807_JaffaCakes118.exe	86
PID 1236 wrote to memory of 3048	1236	357840d61505ea5fcc44aa0bea813807_JaffaCakes118.exe	86
PID 1236 wrote to memory of 3048	1236	357840d61505ea5fcc44aa0bea813807_JaffaCakes118.exe	86

C:\Users\Admin\AppData\Local\Temp\357840d61505ea5fcc44aa0bea813807_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\357840d61505ea5fcc44aa0bea813807_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1236
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c delplme.bat
  2⤵
  PID:3048

C:\Windows\avp.exe
C:\Windows\avp.exe
1⤵
- Executes dropped EXE
PID:1848

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\delplme.bat

Filesize
306B

MD5
4e1ffac9f15d30845e51229db90ed1d1

SHA1
778e99b32e0bb709f3bb310b522ba8fb9579261d

SHA256
fcf842144597e8c988190ea4fe19bd6c9edd1d8d7b765ebbf16f646c12c79def

SHA512
162531906caee063a6d01e96c3e6ef50771ea98f56f0b2575dacac0f22ba048d9f14754b43692d50fac56863583c77da76fee765e5741ad39415daffdca906ea

Download Submit
C:\Windows\SysWOW64\od3mdi.dll

Filesize
238KB

MD5
1bebb7fd2c7c824526e02fa1510a683c

SHA1
bf4ca65eecd6859ec37c58c6254ab8645ecec232

SHA256
4e16ce800ee8b212aa816484f54ab93686e03feaa9d987e1601eb30b1de80f45

SHA512
1f0f9fc982adffb245ed2e52fcd2fd3354655018f69c13284f3995feb52775b9dc23e3839f2e5df647e96d493cda49666656e23e24849fbe12e86f542d81ffe9

Download Submit
C:\Windows\avp.exe

Filesize
18KB

MD5
7c69a12311f8e84bd050a9af991e464f

SHA1
1b75740fd0f733503af9bdab5fef2d4b0820bab8

SHA256
92756a98467956036111667df9f3174ee71cfd935d091a2c1f6d51e4cb48c652

SHA512
9dc6f15ba0d567ff087b0aff34267b60e3eaf75b94c8dd21cba8f8beac2e7504e6fb53693e5c37af99e88625b8ceb3f46d805c66d8a5b72e3fb1ec0e6b50ac37

Download Submit
memory/1236-0-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1236-1-0x00000000021A0000-0x00000000021A2000-memory.dmp

Filesize
8KB

Download
memory/1236-6-0x00000000022B0000-0x00000000022F8000-memory.dmp

Filesize
288KB

Download
memory/1236-14-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1848-19-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1848-23-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1848-18-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1848-16-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1848-20-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1848-21-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1848-22-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1848-17-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1848-24-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1848-25-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1848-26-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1848-27-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1848-28-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1848-29-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads