e0a14169fa062d1643037947bec6c54b7fb883443bc9fc1d7b9f1845d18d5e96

Reason

Machine shutdown

General

Target

6345f945e3cb34ad1b03464980207c62_JaffaCakes118.exe
Size

645KB
MD5

6345f945e3cb34ad1b03464980207c62
SHA1

d7972184eb7483022b0e5be39583518762144741
SHA256

e0a14169fa062d1643037947bec6c54b7fb883443bc9fc1d7b9f1845d18d5e96
SHA512

205b397a1813bb5a3be921b02ff9e7ebef8a54d7f0a925e19c5387f5208fae60fdce5155ba99beeb75ce9fe393fbe7c113cdcf6394915ba3a1487f46a1905513
SSDEEP

12288:eRRbwLC2zgOEntneFQxaljB36HmQTvtYUYIGCw/8PT4gwDG3Kgt7o9:wMn0OE5S936rTms13JK9

Score

7^/10

bootkit persistence

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
5012	H576S7OcbFMSL4lbA6c9.exe
2600	job.exe
4016	joc.exe

Loads dropped DLL 1 IoCs

pid	Process
2560	rundll32.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Nhazevev = "rundll32.exe \"C:\\Users\\Admin\\AppData\\Local\\mcapr142.dll\",Startup"	rundll32.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\physicaldrive0	job.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
5012	H576S7OcbFMSL4lbA6c9.exe
5012	H576S7OcbFMSL4lbA6c9.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2600	job.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
5012	H576S7OcbFMSL4lbA6c9.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 3968 wrote to memory of 5012	3968	6345f945e3cb34ad1b03464980207c62_JaffaCakes118.exe	84
PID 3968 wrote to memory of 5012	3968	6345f945e3cb34ad1b03464980207c62_JaffaCakes118.exe	84
PID 3968 wrote to memory of 5012	3968	6345f945e3cb34ad1b03464980207c62_JaffaCakes118.exe	84
PID 3968 wrote to memory of 2600	3968	6345f945e3cb34ad1b03464980207c62_JaffaCakes118.exe	85
PID 3968 wrote to memory of 2600	3968	6345f945e3cb34ad1b03464980207c62_JaffaCakes118.exe	85
PID 3968 wrote to memory of 2600	3968	6345f945e3cb34ad1b03464980207c62_JaffaCakes118.exe	85
PID 3968 wrote to memory of 4016	3968	6345f945e3cb34ad1b03464980207c62_JaffaCakes118.exe	86
PID 3968 wrote to memory of 4016	3968	6345f945e3cb34ad1b03464980207c62_JaffaCakes118.exe	86
PID 3968 wrote to memory of 4016	3968	6345f945e3cb34ad1b03464980207c62_JaffaCakes118.exe	86
PID 3968 wrote to memory of 3992	3968	6345f945e3cb34ad1b03464980207c62_JaffaCakes118.exe	87
PID 3968 wrote to memory of 3992	3968	6345f945e3cb34ad1b03464980207c62_JaffaCakes118.exe	87
PID 3968 wrote to memory of 3992	3968	6345f945e3cb34ad1b03464980207c62_JaffaCakes118.exe	87
PID 4016 wrote to memory of 2560	4016	joc.exe	89
PID 4016 wrote to memory of 2560	4016	joc.exe	89
PID 4016 wrote to memory of 2560	4016	joc.exe	89

C:\Users\Admin\AppData\Local\Temp\6345f945e3cb34ad1b03464980207c62_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\6345f945e3cb34ad1b03464980207c62_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3968
- C:\Users\Admin\H576S7OcbFMSL4lbA6c9.exe
  H576S7OcbFMSL4lbA6c9.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:5012
- C:\Users\Admin\job.exe
  job.exe
  2⤵
  - Executes dropped EXE
  - Writes to the Master Boot Record (MBR)
  - Suspicious use of AdjustPrivilegeToken
  PID:2600
- C:\Users\Admin\joc.exe
  joc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4016
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe "C:\Users\Admin\AppData\Local\mcapr142.dll",Startup
    3⤵
    - Loads dropped DLL
    - Adds Run key to start application
    PID:2560
- C:\Windows\SysWOW64\cmd.exe
  cmd /c del 6345f945e3cb34ad1b03464980207c62_JaffaCakes118.exe
  2⤵
  PID:3992

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\mcapr142.dll

Filesize
109KB

MD5
c0b9e3a8efac7b06f3c1d0728ade262d

SHA1
9ec3e310abbccb247390d250ae0887ee06b55515

SHA256
860147dbef8d0c08371b9137bf627c1974b3cbd5904fbadbfbcfeaf292d77b06

SHA512
8a8b13756118e337ef8bc103f308f502f78efc915999173eef12115a30a98221b4858e6d0e806e6a897feba23531305147f2984a2e6a5cd1790a47745233e197

Download Submit
C:\Users\Admin\H576S7OcbFMSL4lbA6c9.exe

Filesize
132KB

MD5
c17630f33b3ae8508ee24c2f910ebc8e

SHA1
66b9dcea656feb35234fe35a6c1d831b06f665a2

SHA256
d8013736d35ec810f213d09270f2bbd3f87505900cc8ed4d16d6c18eafcad9fb

SHA512
ca256e72ccdf366bc1801f56dc3724dea1b7cdcc546627f199aeb7abbf2ad25b3162a238d375da404117417cab021f5794f431e1b5220804451655e2f9375a51

Download Submit
C:\Users\Admin\job.exe

Filesize
177KB

MD5
2f0c6d4c58ed356e8ca16499260250fd

SHA1
5351a4d7e65ee768b49ceb7885ebfc1efc53d10d

SHA256
8b92d5a0b0b480ead51f60df0b2638ee214f71152bcb3dfad0509b2b0fc956b9

SHA512
1bb21b0b0bd80017e12f83b153826f4f93ea8550c7810ba34671e20231e3303977466e73081df3969db43c40b4217eeb52968eb01a87ace0dfa2e2b01d6e7ed0

Download Submit
C:\Users\Admin\joc.exe

Filesize
109KB

MD5
f917c58a1f8d689408f37eac2e9765a7

SHA1
e1d5cbbbf0cc0953f89ab8dd873307a78988485a

SHA256
d4e1b453dc70d6296e90cf0c2bc6d3ca265e1e899078d4eaec79d2dc0199909c

SHA512
119b92c1824c96337606b833bd971feaad5a20815994d4cffcd441d358b847101295c78fff456997b311af457a09c187658d517d8486177ecf72f0b0212c52d0

Download Submit
C:\Users\Admin\loiyox.exe

Filesize
132KB

MD5
3585a6dc0f1c2307bb2743af42b114bd

SHA1
d96f41f9ea890aaf47f8cd0d0556c203adcd651f

SHA256
a8df08449e168468c91aa22f75f891ce13cd5900bfecabd2f9078c35d5f7f1de

SHA512
f3008c3a3efdb5ebf4fdabc8e23d29850761871941875e41e3f47acd95e44b891c4a043ab36324abad2db087d69ee32cd4fbe18adad8cd1308a3b941912e4e73

Download Submit
memory/2560-29-0x0000000001060000-0x0000000001070000-memory.dmp

Filesize
64KB

Download
memory/2560-27-0x0000000010000000-0x000000001001E000-memory.dmp

Filesize
120KB

Download
memory/2560-28-0x0000000001060000-0x0000000001070000-memory.dmp

Filesize
64KB

Download
memory/2600-13-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2600-20-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2600-19-0x0000000000403000-0x0000000000404000-memory.dmp

Filesize
4KB

Download
memory/2600-32-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2600-30-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/4016-17-0x0000000002010000-0x0000000002020000-memory.dmp

Filesize
64KB

Download
memory/4016-31-0x0000000010000000-0x000000001001E000-memory.dmp

Filesize
120KB

Download
memory/4016-18-0x0000000002010000-0x0000000002020000-memory.dmp

Filesize
64KB

Download
memory/4016-16-0x0000000010000000-0x000000001001E000-memory.dmp

Filesize
120KB

Download

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads