f39df327fe1c1bea6d7b8d9c9723d5c414e0604c9e3deb3254e4903847738e13

General

Target

699ef2cb318463cf40ccb43b026c008f_JaffaCakes118.dll
Size

406KB
MD5

699ef2cb318463cf40ccb43b026c008f
SHA1

580a3087ca9ff60bd1b103265332f9346c2c9fe1
SHA256

f39df327fe1c1bea6d7b8d9c9723d5c414e0604c9e3deb3254e4903847738e13
SHA512

394b15ee032b7c7968e3faec36b80407e368f8bf40796b7d98946ea7751bac6fe363bc394daa972ff245cadaa0fdaf594915c705801717a5c2cadee585dd1c23
SSDEEP

12288:aYwP2g5kEA+KZB/lGrKAvLCpqR6uYLQhpLnht:Y2n+KZNvY1j3Lnht

Score

8^/10

bootkit defense_evasion discovery persistence

Malware Config

Signatures

Server Software Component: Terminal Services DLL 1 TTPs 1 IoCs

persistence

Terminal Services DLL

T1505.005

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\.Net CLR\Parameters\ServiceDll = "C:\\Users\\Admin\\AppData\\Local\\Temp\\699ef2cb318463cf40ccb43b026c008f_JaffaCakes118.dll"	rundll32.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Writes to the Master Boot Record (MBR) 1 TTPs 3 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	rundll32.exe
File opened for modification	\??\PhysicalDrive0	svchost.exe
File opened for modification	\??\PhysicalDrive0	rundll32.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies registry class 9 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.key	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile"	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.key	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile"	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.key	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\	svchost.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: 33	2996	rundll32.exe
Token: SeIncBasePriorityPrivilege	2996	rundll32.exe
Token: SeIncBasePriorityPrivilege	2996	rundll32.exe
Token: 33	2072	svchost.exe
Token: SeIncBasePriorityPrivilege	2072	svchost.exe
Token: 33	2756	rundll32.exe
Token: SeIncBasePriorityPrivilege	2756	rundll32.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2952 wrote to memory of 2996	2952	rundll32.exe	31
PID 2952 wrote to memory of 2996	2952	rundll32.exe	31
PID 2952 wrote to memory of 2996	2952	rundll32.exe	31
PID 2952 wrote to memory of 2996	2952	rundll32.exe	31
PID 2952 wrote to memory of 2996	2952	rundll32.exe	31
PID 2952 wrote to memory of 2996	2952	rundll32.exe	31
PID 2952 wrote to memory of 2996	2952	rundll32.exe	31
PID 2996 wrote to memory of 2328	2996	rundll32.exe	33
PID 2996 wrote to memory of 2328	2996	rundll32.exe	33
PID 2996 wrote to memory of 2328	2996	rundll32.exe	33
PID 2996 wrote to memory of 2328	2996	rundll32.exe	33
PID 2072 wrote to memory of 2756	2072	svchost.exe	35
PID 2072 wrote to memory of 2756	2072	svchost.exe	35
PID 2072 wrote to memory of 2756	2072	svchost.exe	35
PID 2072 wrote to memory of 2756	2072	svchost.exe	35
PID 2072 wrote to memory of 2756	2072	svchost.exe	35
PID 2072 wrote to memory of 2756	2072	svchost.exe	35
PID 2072 wrote to memory of 2756	2072	svchost.exe	35

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\699ef2cb318463cf40ccb43b026c008f_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2952
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\699ef2cb318463cf40ccb43b026c008f_JaffaCakes118.dll,#1
  2⤵
  - Server Software Component: Terminal Services DLL
  - Writes to the Master Boot Record (MBR)
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2996
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del "C:\Windows\SysWOW64\rundll32.exe" > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2328

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k ".Net CLR"
1⤵
- Writes to the Master Boot Record (MBR)
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2072
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe c:\users\admin\appdata\local\temp\699ef2cb318463cf40ccb43b026c008f_jaffacakes118.dll, Launch
  2⤵
  - Writes to the Master Boot Record (MBR)
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  PID:2756

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Server Software Component

1

T1505

Terminal Services DLL

1

T1505.005

Privilege Escalation

Defense Evasion

Indicator Removal

1

T1070

File Deletion

1

T1070.004

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2072-34-0x0000000074590000-0x000000007470A000-memory.dmp

Filesize
1.5MB

Download
memory/2072-31-0x0000000000410000-0x0000000000411000-memory.dmp

Filesize
4KB

Download
memory/2072-11-0x0000000074590000-0x000000007470A000-memory.dmp

Filesize
1.5MB

Download
memory/2072-33-0x0000000074590000-0x000000007470A000-memory.dmp

Filesize
1.5MB

Download
memory/2072-47-0x00000000746A8000-0x0000000074707000-memory.dmp

Filesize
380KB

Download
memory/2072-46-0x0000000000410000-0x0000000000411000-memory.dmp

Filesize
4KB

Download
memory/2072-28-0x0000000074590000-0x000000007470A000-memory.dmp

Filesize
1.5MB

Download
memory/2072-32-0x00000000746A8000-0x0000000074707000-memory.dmp

Filesize
380KB

Download
memory/2072-35-0x0000000074590000-0x000000007470A000-memory.dmp

Filesize
1.5MB

Download
memory/2072-26-0x00000000000A0000-0x00000000000A3000-memory.dmp

Filesize
12KB

Download
memory/2072-29-0x0000000000410000-0x0000000000411000-memory.dmp

Filesize
4KB

Download
memory/2072-30-0x0000000000410000-0x0000000000411000-memory.dmp

Filesize
4KB

Download
memory/2756-51-0x0000000074590000-0x000000007470A000-memory.dmp

Filesize
1.5MB

Download
memory/2756-41-0x0000000074590000-0x000000007470A000-memory.dmp

Filesize
1.5MB

Download
memory/2756-43-0x0000000074590000-0x000000007470A000-memory.dmp

Filesize
1.5MB

Download
memory/2756-42-0x0000000074590000-0x000000007470A000-memory.dmp

Filesize
1.5MB

Download
memory/2756-61-0x0000000074590000-0x000000007470A000-memory.dmp

Filesize
1.5MB

Download
memory/2756-45-0x0000000074590000-0x000000007470A000-memory.dmp

Filesize
1.5MB

Download
memory/2756-57-0x0000000074590000-0x000000007470A000-memory.dmp

Filesize
1.5MB

Download
memory/2996-27-0x0000000000100000-0x0000000000101000-memory.dmp

Filesize
4KB

Download
memory/2996-25-0x0000000000B80000-0x0000000000B81000-memory.dmp

Filesize
4KB

Download
memory/2996-24-0x0000000000B90000-0x0000000000B91000-memory.dmp

Filesize
4KB

Download
memory/2996-22-0x0000000000B50000-0x0000000000B51000-memory.dmp

Filesize
4KB

Download
memory/2996-21-0x0000000000B60000-0x0000000000B61000-memory.dmp

Filesize
4KB

Download
memory/2996-20-0x0000000000B30000-0x0000000000B31000-memory.dmp

Filesize
4KB

Download
memory/2996-19-0x0000000000B40000-0x0000000000B41000-memory.dmp

Filesize
4KB

Download
memory/2996-18-0x0000000000B00000-0x0000000000B01000-memory.dmp

Filesize
4KB

Download
memory/2996-17-0x0000000000B20000-0x0000000000B21000-memory.dmp

Filesize
4KB

Download
memory/2996-16-0x0000000000AE0000-0x0000000000AE1000-memory.dmp

Filesize
4KB

Download
memory/2996-13-0x0000000074590000-0x000000007470A000-memory.dmp

Filesize
1.5MB

Download
memory/2996-2-0x0000000074590000-0x000000007470A000-memory.dmp

Filesize
1.5MB

Download
memory/2996-10-0x0000000074590000-0x000000007470A000-memory.dmp

Filesize
1.5MB

Download
memory/2996-0-0x0000000074570000-0x00000000746EA000-memory.dmp

Filesize
1.5MB

Download
memory/2996-7-0x0000000000100000-0x0000000000103000-memory.dmp

Filesize
12KB

Download
memory/2996-8-0x0000000074707000-0x0000000074708000-memory.dmp

Filesize
4KB

Download
memory/2996-9-0x0000000074590000-0x000000007470A000-memory.dmp

Filesize
1.5MB

Download
memory/2996-1-0x0000000074590000-0x000000007470A000-memory.dmp

Filesize
1.5MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads