d503cb7500234cc91cf35ae3cdbbe5ab7d25d9530f284a023e0ad5cce6f7862b

Reason

Machine shutdown

General

Target

3d215871a447589efa3023497eb924ed_JaffaCakes118.exe
Size

477KB
MD5

3d215871a447589efa3023497eb924ed
SHA1

b76c312bb5d86bab03d3d01e0d0719da918e5f38
SHA256

d503cb7500234cc91cf35ae3cdbbe5ab7d25d9530f284a023e0ad5cce6f7862b
SHA512

eab058e1bda76e361354b6988cad0a5a4ffa65a8d2ac99464060bf0f916576b520e9027de830cedadf0b74894aafa512d9c98a2ead788fb1714563a4523f5705
SSDEEP

12288:FsvU983wtVMtdaMjY6r+kRkBb63vd1Mp8upU5ks4FW:FF2w7Ot+w2Y1Mp8ul4

Score

7^/10

bootkit persistence

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
2268	T3K9ZAW7.exe
4024	wot.exe
2216	xot.exe

Loads dropped DLL 1 IoCs

pid	Process
5080	rundll32.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Odovevo = "rundll32.exe \"C:\\Users\\Admin\\AppData\\Local\\dFXCol.dll\",Startup"	rundll32.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\physicaldrive0	wot.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2268	T3K9ZAW7.exe
2268	T3K9ZAW7.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4024	wot.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2268	T3K9ZAW7.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 5036 wrote to memory of 2268	5036	3d215871a447589efa3023497eb924ed_JaffaCakes118.exe	83
PID 5036 wrote to memory of 2268	5036	3d215871a447589efa3023497eb924ed_JaffaCakes118.exe	83
PID 5036 wrote to memory of 2268	5036	3d215871a447589efa3023497eb924ed_JaffaCakes118.exe	83
PID 5036 wrote to memory of 4024	5036	3d215871a447589efa3023497eb924ed_JaffaCakes118.exe	84
PID 5036 wrote to memory of 4024	5036	3d215871a447589efa3023497eb924ed_JaffaCakes118.exe	84
PID 5036 wrote to memory of 4024	5036	3d215871a447589efa3023497eb924ed_JaffaCakes118.exe	84
PID 5036 wrote to memory of 2216	5036	3d215871a447589efa3023497eb924ed_JaffaCakes118.exe	85
PID 5036 wrote to memory of 2216	5036	3d215871a447589efa3023497eb924ed_JaffaCakes118.exe	85
PID 5036 wrote to memory of 2216	5036	3d215871a447589efa3023497eb924ed_JaffaCakes118.exe	85
PID 5036 wrote to memory of 3936	5036	3d215871a447589efa3023497eb924ed_JaffaCakes118.exe	86
PID 5036 wrote to memory of 3936	5036	3d215871a447589efa3023497eb924ed_JaffaCakes118.exe	86
PID 5036 wrote to memory of 3936	5036	3d215871a447589efa3023497eb924ed_JaffaCakes118.exe	86
PID 2216 wrote to memory of 5080	2216	xot.exe	89
PID 2216 wrote to memory of 5080	2216	xot.exe	89
PID 2216 wrote to memory of 5080	2216	xot.exe	89

C:\Users\Admin\AppData\Local\Temp\3d215871a447589efa3023497eb924ed_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3d215871a447589efa3023497eb924ed_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:5036
- C:\Users\Admin\T3K9ZAW7.exe
  T3K9ZAW7.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:2268
- C:\Users\Admin\wot.exe
  wot.exe
  2⤵
  - Executes dropped EXE
  - Writes to the Master Boot Record (MBR)
  - Suspicious use of AdjustPrivilegeToken
  PID:4024
- C:\Users\Admin\xot.exe
  xot.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2216
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe "C:\Users\Admin\AppData\Local\dFXCol.dll",Startup
    3⤵
    - Loads dropped DLL
    - Adds Run key to start application
    PID:5080
- C:\Windows\SysWOW64\cmd.exe
  cmd /c del 3d215871a447589efa3023497eb924ed_JaffaCakes118.exe
  2⤵
  PID:3936

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\dFXCol.dll

Filesize
103KB

MD5
b830953856e06807f6419663f6d05cc6

SHA1
1985aa83dbcaad52a6098a7bffcd8688f0d203aa

SHA256
ed89baf97368e00ae45aa798fda02ed521557898bd6c9c50b2b98a035dceb81e

SHA512
6553f322de9e87e3bff14a08c500b69aa2ce3a0946e25bf9464c7d7dca22d96ef2da2fe00ed86e2d687a9f8f4345ab5189130a7c95606275df19d2f9169b354b

Download Submit
C:\Users\Admin\T3K9ZAW7.exe

Filesize
140KB

MD5
13af4de26b3ee9d02e8dd721f6b81fe9

SHA1
6036d52a71cc9a5f176db6d40cdea0e8d1b023ce

SHA256
10301813c139bbb2f2cbc5a47a8b78989c37cf56bfcdf8cbb2fd324057a799e3

SHA512
05c69348ac57578fdf81c035350ee6856ee17a72c1c1359013d5ec50430804c781753eb995870262157ba557c102285a4b012c2e53a73971213d9fdb269faa66

Download Submit
C:\Users\Admin\mepam.exe

Filesize
140KB

MD5
7b8b9f2591b98b37d0d78c46d8eb9f6e

SHA1
7968edb8ad5173268e65f220d30088362a39afe2

SHA256
2e6f84c22dcf6b2ced595f49ffa585a28c5067cc9ec3d4071e83ed5d44a908bd

SHA512
c610d514d021afa0d576652c4aa0e4c412ed8771629c1fac385cad9588feb4fee12d4b217d0404886a42f40c7fcdcac4454b3ca911120c4993b10d3c39ca9c65

Download Submit
C:\Users\Admin\wot.exe

Filesize
175KB

MD5
c9b7e9a83250faf3135bb70343030c16

SHA1
f738cf9018d564ec802b684e38b54ecdf0a679f6

SHA256
26d3130abf8d1f0d234e7be1f28de877d7ae871ec96f179f9d49d8156c20c1ea

SHA512
2c574af59c9131a2917024f644176ca6311e6433be53d9602e4db873d01da16f9e1f4dc7952b9b667a4f8fac346037e30d5337db5cd895c13b51635c44a024c4

Download Submit
C:\Users\Admin\xot.exe

Filesize
103KB

MD5
b47a4d45ef404a997dcd2f98fe4a1420

SHA1
e55a876e4098a705be35e1a9c78c65a97ae5f27d

SHA256
9863f46ae1d3e2f835b713e2fb32c831e27941b4cdbb11663780e2101df6289b

SHA512
1f83decef10da3e7537dde84cebfd4ec2ca7dab05e3fb72237ad2d627f544d493d501822bf0927bc3cc061442cbe779cf054b87da1decc77a3b9eb6fa07ebd20

Download Submit
memory/2216-18-0x0000000010000000-0x000000001001D000-memory.dmp

Filesize
116KB

Download
memory/2216-17-0x0000000000670000-0x0000000000680000-memory.dmp

Filesize
64KB

Download
memory/2216-16-0x0000000000670000-0x0000000000680000-memory.dmp

Filesize
64KB

Download
memory/2216-31-0x0000000010000000-0x000000001001D000-memory.dmp

Filesize
116KB

Download
memory/4024-19-0x0000000000403000-0x0000000000404000-memory.dmp

Filesize
4KB

Download
memory/4024-28-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/4024-20-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/4024-32-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/4024-14-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/5080-27-0x0000000010000000-0x000000001001D000-memory.dmp

Filesize
116KB

Download
memory/5080-30-0x0000000002D70000-0x0000000002D80000-memory.dmp

Filesize
64KB

Download
memory/5080-29-0x0000000002D70000-0x0000000002D80000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads