1b6a906de7a1a06b29bced6ef429d66e2bddfde2ad4168be6c567bef6511c51e

General

Target

866d09aa4300132477edc427dec47ac1_JaffaCakes118.exe
Size

2.3MB
MD5

866d09aa4300132477edc427dec47ac1
SHA1

270d05cea6777b539c0be0ba769f9cd3785a0fe1
SHA256

1b6a906de7a1a06b29bced6ef429d66e2bddfde2ad4168be6c567bef6511c51e
SHA512

441b8cafdef3c498ef58cf1774e0d24844ad03d7c7503ca3309146c70e0d81a272ef98707a0e4ccad90f3daa1dce7a35a6982e75f7b1fbe61510c6ecd4d5739c
SSDEEP

49152:YKpX2rKFo0aSEHv72DFGY6At2QL9XGHQ+dd:Ye2iWHv72N192H

Score

7^/10

aspackv2 bootkit discovery persistence

Malware Config

Signatures

ASPack v2.12-2.42 1 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral1/files/0x00360000000142bc-30.dat	aspack_v212_v242

Deletes itself 1 IoCs

pid	Process
2992	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2348	ssinitar.exe
2752	setup.exe

Loads dropped DLL 5 IoCs

pid	Process
2560	866d09aa4300132477edc427dec47ac1_JaffaCakes118.exe
2200	Rundll32.exe
2752	setup.exe
2752	setup.exe
2752	setup.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	setup.exe

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	866d09aa4300132477edc427dec47ac1_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ssinitar.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Rundll32.exe

Modifies data under HKEY_USERS 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	setup.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2752	setup.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
2752	setup.exe
2752	setup.exe
2752	setup.exe
2752	setup.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2752	setup.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 2560 wrote to memory of 2348	2560	866d09aa4300132477edc427dec47ac1_JaffaCakes118.exe	30
PID 2560 wrote to memory of 2348	2560	866d09aa4300132477edc427dec47ac1_JaffaCakes118.exe	30
PID 2560 wrote to memory of 2348	2560	866d09aa4300132477edc427dec47ac1_JaffaCakes118.exe	30
PID 2560 wrote to memory of 2348	2560	866d09aa4300132477edc427dec47ac1_JaffaCakes118.exe	30
PID 2560 wrote to memory of 2200	2560	866d09aa4300132477edc427dec47ac1_JaffaCakes118.exe	31
PID 2560 wrote to memory of 2200	2560	866d09aa4300132477edc427dec47ac1_JaffaCakes118.exe	31
PID 2560 wrote to memory of 2200	2560	866d09aa4300132477edc427dec47ac1_JaffaCakes118.exe	31
PID 2560 wrote to memory of 2200	2560	866d09aa4300132477edc427dec47ac1_JaffaCakes118.exe	31
PID 2560 wrote to memory of 2200	2560	866d09aa4300132477edc427dec47ac1_JaffaCakes118.exe	31
PID 2560 wrote to memory of 2200	2560	866d09aa4300132477edc427dec47ac1_JaffaCakes118.exe	31
PID 2560 wrote to memory of 2200	2560	866d09aa4300132477edc427dec47ac1_JaffaCakes118.exe	31
PID 2200 wrote to memory of 2992	2200	Rundll32.exe	32
PID 2200 wrote to memory of 2992	2200	Rundll32.exe	32
PID 2200 wrote to memory of 2992	2200	Rundll32.exe	32
PID 2200 wrote to memory of 2992	2200	Rundll32.exe	32
PID 2780 wrote to memory of 2752	2780	taskeng.exe	35
PID 2780 wrote to memory of 2752	2780	taskeng.exe	35
PID 2780 wrote to memory of 2752	2780	taskeng.exe	35
PID 2780 wrote to memory of 2752	2780	taskeng.exe	35
PID 2780 wrote to memory of 2752	2780	taskeng.exe	35
PID 2780 wrote to memory of 2752	2780	taskeng.exe	35
PID 2780 wrote to memory of 2752	2780	taskeng.exe	35

C:\Users\Admin\AppData\Local\Temp\866d09aa4300132477edc427dec47ac1_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\866d09aa4300132477edc427dec47ac1_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2560
- C:\Users\Admin\AppData\Local\Temp\aemzzr\ssinitar.exe
  C:\Users\Admin\AppData\Local\Temp\aemzzr\ssinitar.exe -pasdfghij -d"C:\Users\Admin\AppData\Local\Temp\aemzzr\"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2348
- C:\Windows\SysWOW64\Rundll32.exe
  Rundll32.exe "C:\Users\Admin\AppData\Local\Temp\aemzzr\notedll.txt",acMainDos C:\Users\Admin\AppData\Local\Temp\866d09aa4300132477edc427dec47ac1_JaffaCakes118.exe
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2200
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c .\danulev1.bat
    3⤵
    - Deletes itself
    - System Location Discovery: System Language Discovery
    PID:2992

C:\Windows\system32\taskeng.exe
taskeng.exe {E557E507-B8EF-49D2-87D7-DD569EF8A081} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:2780
- C:\Users\Admin\AppData\Local\Temp\aemzzr\setup.exe
  C:\Users\Admin\AppData\Local\Temp\aemzzr\setup.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Writes to the Master Boot Record (MBR)
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  PID:2752

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\aemzzr\notedll.txt

Filesize
829KB

MD5
c541b102f1b7f294296a523febb87a81

SHA1
c2710fda42b2f17579cb95c04406768779981028

SHA256
c26fdf9b19cb9be617dc24d38e94f987ed1cd39ffbebf25e0d924b5bacf42a34

SHA512
592d52f4ccd5acd6da3316dd46b448c76de4549da1be61498032196d7e226c6745490570104991f4a6614b91f23eb9b6b867638053816b74279bbd0b8d9de7b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\aemzzr\setup.exe

Filesize
601KB

MD5
b449bc2771663eea928734b4c60f009d

SHA1
950a100b8b8e514f06500729a3dd067a41f83b5f

SHA256
6f49ae9ee37bf1ae96940ca24be6789924f197d15ee1c77e716dc08d7e1aa1ab

SHA512
c8d6081da307c56c29a8c420bf76c37bf620305b5b414e5c8a1af841af53174d6ddaa0b2bccd48c0a642800bcc9716445dba967abf0772795ec5cd5d3a50851a

Download Submit
C:\Users\Admin\AppData\Local\Temp\aemzzr\setup.txt

Filesize
601KB

MD5
44d1a3cfd72a3a9600ac9317496495e5

SHA1
c92a31aa30bca4ed972ad2d1cc02449fdf14b9ad

SHA256
e588f2bf80b522d41a215ecb3f7b0f32eac72b823a809f4d0d224a9363760c81

SHA512
bdd631f7f3f183f34bdb155c0e893bf36d8f09b5431aada607bfd033033b6cdf19c77a6eeb08329b944987802666a2d3647a13804abb25b81313a3be26c9132f

Download Submit
C:\Users\Admin\AppData\Local\Temp\danulev1.bat

Filesize
372B

MD5
588d863b125c36e24e654cb57357715a

SHA1
2a2082f925aaf1e8320685da00c4f9a6f3f00e38

SHA256
9e99fe2d8a2ad319dd5b23ce97ba4f82f9341389aae59fab89c5846ef37ec9b9

SHA512
e20d51ff4a8c56bc7ac0cb537cb7e845694e61004121d0e1562d32291234bd8ccfc0f57c8914d2a47044c66f4b1ca927c2f45fbc12bb720bcd379f75db0af69a

Download Submit
\Users\Admin\AppData\Local\Temp\aemzzr\notedll.txt

Filesize
829KB

MD5
4249535810df866cabfaa0de63562d82

SHA1
713309cc07f040f76e260f0021c28de9b226f87f

SHA256
02f0eb50d239c3892244ab357e13885c4e8f3dac6cbfd3221aa58524ecc95ed0

SHA512
d85b6d590278d08ac612d888da057d070117f0c631ff8dbe7567143175efde465c9c75c9ebe99e77179b66c5aa0dfed6f2d3ca411ef040164d20de4d05cbe074

Download Submit
\Users\Admin\AppData\Local\Temp\aemzzr\ssinitar.exe

Filesize
1.5MB

MD5
ad8658adfe0fbde2977e50313554c7a4

SHA1
828b72519eddd61b749e67fbf46bd760441c02d0

SHA256
fcaf7cad12d038fb8ac7582b57933e142ce0e48926303541d8168b64d1f72f5a

SHA512
6e7c5b01f8bbaea8da9684b58fa53cc88bfa5c1788b339628b235bc7884743dda182f0bde116ba4b2613553fb7e083089fa100e51350e7b89bcc5e5f3a2481f3

Download Submit
memory/2200-20-0x0000000000AF0000-0x0000000000BC6000-memory.dmp

Filesize
856KB

Download
memory/2348-13-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2560-0-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/2560-29-0x0000000000400000-0x0000000000650000-memory.dmp

Filesize
2.3MB

Download
memory/2752-35-0x0000000000400000-0x00000000005A2000-memory.dmp

Filesize
1.6MB

Download
memory/2752-36-0x0000000000400000-0x00000000005A2000-memory.dmp

Filesize
1.6MB

Download
memory/2752-37-0x0000000000400000-0x00000000005A2000-memory.dmp

Filesize
1.6MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads