38ca77076a19c8d42f0d3213e1d64c66b1dd4a07b9fcc9b26d086ed527afa1a9

General

Target

4d3d3fccd25814b3f695c68bc7a83084_JaffaCakes118.exe
Size

250KB
MD5

4d3d3fccd25814b3f695c68bc7a83084
SHA1

6668fa14f2f1c1bbc1b66be5d0f9a645fbc17cb7
SHA256

38ca77076a19c8d42f0d3213e1d64c66b1dd4a07b9fcc9b26d086ed527afa1a9
SHA512

00f5030da406037b91b7da5b87e958bfaa418a554056a9a23032de2f4198ec3527db53ca798db5ebae5f9bf8a1cea17c282d8f6fe912553be56bf70a3dfba265
SSDEEP

6144:b/kokX5W/IuMTNN17UwvP6bQ7yMP+DE827tW8jX:A15W/IHHl6b7MP+Dd2UWX

Score

6^/10

bootkit persistence

Malware Config

Signatures

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	4d3d3fccd25814b3f695c68bc7a83084_JaffaCakes118.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\inf\ram32xp.dll	4d3d3fccd25814b3f695c68bc7a83084_JaffaCakes118.exe
File created	C:\Windows\inf\ram65xp.dll	4d3d3fccd25814b3f695c68bc7a83084_JaffaCakes118.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

Office loads VBA resources, possible macro or embedded object present

Modifies registry class 3 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\	4d3d3fccd25814b3f695c68bc7a83084_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile"	4d3d3fccd25814b3f695c68bc7a83084_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.key	4d3d3fccd25814b3f695c68bc7a83084_JaffaCakes118.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2672	WINWORD.EXE

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2672	WINWORD.EXE
2672	WINWORD.EXE

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2804 wrote to memory of 2780	2804	4d3d3fccd25814b3f695c68bc7a83084_JaffaCakes118.exe	30
PID 2804 wrote to memory of 2780	2804	4d3d3fccd25814b3f695c68bc7a83084_JaffaCakes118.exe	30
PID 2804 wrote to memory of 2780	2804	4d3d3fccd25814b3f695c68bc7a83084_JaffaCakes118.exe	30
PID 2804 wrote to memory of 2780	2804	4d3d3fccd25814b3f695c68bc7a83084_JaffaCakes118.exe	30
PID 2804 wrote to memory of 2780	2804	4d3d3fccd25814b3f695c68bc7a83084_JaffaCakes118.exe	30
PID 2804 wrote to memory of 2780	2804	4d3d3fccd25814b3f695c68bc7a83084_JaffaCakes118.exe	30
PID 2804 wrote to memory of 2780	2804	4d3d3fccd25814b3f695c68bc7a83084_JaffaCakes118.exe	30
PID 2796 wrote to memory of 2672	2796	explorer.exe	32
PID 2796 wrote to memory of 2672	2796	explorer.exe	32
PID 2796 wrote to memory of 2672	2796	explorer.exe	32
PID 2796 wrote to memory of 2672	2796	explorer.exe	32
PID 2672 wrote to memory of 1720	2672	WINWORD.EXE	34
PID 2672 wrote to memory of 1720	2672	WINWORD.EXE	34
PID 2672 wrote to memory of 1720	2672	WINWORD.EXE	34
PID 2672 wrote to memory of 1720	2672	WINWORD.EXE	34

C:\Users\Admin\AppData\Local\Temp\4d3d3fccd25814b3f695c68bc7a83084_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\4d3d3fccd25814b3f695c68bc7a83084_JaffaCakes118.exe"
1⤵
- Writes to the Master Boot Record (MBR)
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2804
- C:\Windows\SysWOW64\explorer.exe
  explorer.exe "c:\work_related.doc"
  2⤵
  PID:2780

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Suspicious use of WriteProcessMemory
PID:2796
- C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
  "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\work_related.doc"
  2⤵
  - Drops file in Windows directory
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2672
- - C:\Windows\splwow64.exe
    C:\Windows\splwow64.exe 12288
    3⤵
    PID:1720

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

Filesize
19KB

MD5
c6a85ea5e8b514fbacfd31de5e8c733f

SHA1
03009b50167168147f1c8248d02eeaf54ccc6325

SHA256
6ee72a65ebed01fee9128c57fe040cc3b7e4d6971577e79bd742a65c07e1363e

SHA512
aaa621b9793ec31a8353fa5afb97d12fc81bed1055409d402de7a02a145c4fea1f163b6c0538510a21ab20c2a5a384e8e31e32e8cb972cb459f0c36fe1bff3e8

Download Submit
memory/2672-10-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2672-37-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2804-0-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/2804-1-0x0000000000230000-0x00000000002AA000-memory.dmp

Filesize
488KB

Download
memory/2804-2-0x0000000000459000-0x000000000045A000-memory.dmp

Filesize
4KB

Download
memory/2804-3-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/2804-5-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/2804-4-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/2804-9-0x0000000000230000-0x000000000023D000-memory.dmp

Filesize
52KB

Download
memory/2804-8-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads