909be7eaf035cf9ea1e5364c4efc217e030bd237dac4a417efc1ec5a06a1ffbc

General

Target

5bea799350fa5f781fbcf4cd8010cf1e_JaffaCakes118.exe
Size

1.3MB
MD5

5bea799350fa5f781fbcf4cd8010cf1e
SHA1

629df4dd24ccf58e8d01182de37aef5fca1316f2
SHA256

909be7eaf035cf9ea1e5364c4efc217e030bd237dac4a417efc1ec5a06a1ffbc
SHA512

6446bf8f8c6bfc0acfe845f99bd6567ff7efc26f70477292e1adc2dc383aecd7e3a749d6edb2fba0da6d354607a0e6246897e941d3fe9d6655b6f2909827879e
SSDEEP

12288:L494xOTZzCrBKzirABYP/qwtZH6Y6gVtKtpm01M3oaj+nlLxIaRfbYWMvzGEvP0u:094Ulzm4zGJtZTZVtKa0nFnxjDBmzJ3l

Score

7^/10

bootkit persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\International\Geo\Nation	5bea799350fa5f781fbcf4cd8010cf1e_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\International\Geo\Nation	soundman.exe

Executes dropped EXE 2 IoCs

pid	Process
3612	5bea799350fa5f781fbcf4cd8010cf1e_JaffaCakes11811.exe
3256	soundman.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	soundman.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\help\5bea799350fa5f781fbcf4cd8010cf1e_JaffaCakes11833.exe	5bea799350fa5f781fbcf4cd8010cf1e_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
3028	ipconfig.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2800	5bea799350fa5f781fbcf4cd8010cf1e_JaffaCakes118.exe
3612	5bea799350fa5f781fbcf4cd8010cf1e_JaffaCakes11811.exe
3256	soundman.exe
3256	soundman.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2800 wrote to memory of 3612	2800	5bea799350fa5f781fbcf4cd8010cf1e_JaffaCakes118.exe	83
PID 2800 wrote to memory of 3612	2800	5bea799350fa5f781fbcf4cd8010cf1e_JaffaCakes118.exe	83
PID 2800 wrote to memory of 3612	2800	5bea799350fa5f781fbcf4cd8010cf1e_JaffaCakes118.exe	83
PID 2800 wrote to memory of 3256	2800	5bea799350fa5f781fbcf4cd8010cf1e_JaffaCakes118.exe	85
PID 2800 wrote to memory of 3256	2800	5bea799350fa5f781fbcf4cd8010cf1e_JaffaCakes118.exe	85
PID 2800 wrote to memory of 3256	2800	5bea799350fa5f781fbcf4cd8010cf1e_JaffaCakes118.exe	85
PID 3256 wrote to memory of 5048	3256	soundman.exe	88
PID 3256 wrote to memory of 5048	3256	soundman.exe	88
PID 3256 wrote to memory of 5048	3256	soundman.exe	88
PID 5048 wrote to memory of 3028	5048	cmd.exe	90
PID 5048 wrote to memory of 3028	5048	cmd.exe	90
PID 5048 wrote to memory of 3028	5048	cmd.exe	90

C:\Users\Admin\AppData\Local\Temp\5bea799350fa5f781fbcf4cd8010cf1e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\5bea799350fa5f781fbcf4cd8010cf1e_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2800
- C:\Users\Admin\AppData\Local\Temp\5bea799350fa5f781fbcf4cd8010cf1e_JaffaCakes11811.exe
  C:\Users\Admin\AppData\Local\Temp\5bea799350fa5f781fbcf4cd8010cf1e_JaffaCakes11811.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3612
- C:\Windows\help\soundman.exe
  "C:\Windows\help\soundman.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Writes to the Master Boot Record (MBR)
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3256
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\syscon.cmd" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5048
  - - C:\Windows\SysWOW64\ipconfig.exe
      ipconfig /all
      4⤵
      Gathers network information
      PID:3028

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\5bea799350fa5f781fbcf4cd8010cf1e_JaffaCakes11811.exe

Filesize
1.1MB

MD5
b24283c67e434504d6968daa4074d01c

SHA1
c2db7a02a9893dbd4b3b9324732254097c3fd12b

SHA256
412488f102d1e9c910d5b83082e633afb657269467b789366aed3ca09cccef94

SHA512
06f34ba93c89ce0cd9feffdaacf065d19d98492b8cf31beb4a309a5e4eaffac73f2b61ff7df7fac96a406a4ed4c0f5617656c05eeca1783c71c0c47dbe600e7b

Download Submit
C:\Windows\Help\soundman.exe

Filesize
168KB

MD5
79703f07eaed6e07bb464f4c3bd69ffa

SHA1
792e87eeb73a115346b87c3703d8d119284da4e6

SHA256
5ef2fa8f905278c370000dea38b4b0d4f60e7e9e85a7b39b1e293597566b05fa

SHA512
8435454123dbe9861471ef2628fb63700f9940bd733b6590e9eee6beddf13a2b0875c075505a8d2daaf0c0ad2cef9a0f7efb3ac1e042467794b15ca1d78213d3

Download Submit
C:\syscon.cmd

Filesize
33B

MD5
7c9c0462cc88d119e8d0b7b94972ddf4

SHA1
533a0e4394900b41f13ca58cc8283f4ca096bfa6

SHA256
9016c0ee321e2831c666140edcda306ae9963455ee13cd7d286a31a2ee80834f

SHA512
383f9aab695c5e5b307cf57b6f074e8b4cb9267f3b87cedeef7d68bce0fbacdf62d2ab5b6a48c763636e71685e46a73d05932f36c1dd7f2083986989fd23b68c

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads