1b6a906de7a1a06b29bced6ef429d66e2bddfde2ad4168be6c567bef6511c51e

General

Target

866d09aa4300132477edc427dec47ac1_JaffaCakes118.exe
Size

2.3MB
MD5

866d09aa4300132477edc427dec47ac1
SHA1

270d05cea6777b539c0be0ba769f9cd3785a0fe1
SHA256

1b6a906de7a1a06b29bced6ef429d66e2bddfde2ad4168be6c567bef6511c51e
SHA512

441b8cafdef3c498ef58cf1774e0d24844ad03d7c7503ca3309146c70e0d81a272ef98707a0e4ccad90f3daa1dce7a35a6982e75f7b1fbe61510c6ecd4d5739c
SSDEEP

49152:YKpX2rKFo0aSEHv72DFGY6At2QL9XGHQ+dd:Ye2iWHv72N192H

Score

7^/10

aspackv2 bootkit discovery persistence

Malware Config

Signatures

ASPack v2.12-2.42 1 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral2/files/0x000900000002343b-17.dat	aspack_v212_v242

Executes dropped EXE 2 IoCs

pid	Process
4236	ssinitar.exe
4716	setup.exe

Loads dropped DLL 1 IoCs

pid	Process
1052	Rundll32.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	setup.exe

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	866d09aa4300132477edc427dec47ac1_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ssinitar.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
4716	setup.exe
4716	setup.exe
4716	setup.exe
4716	setup.exe
4716	setup.exe
4716	setup.exe
4716	setup.exe
4716	setup.exe
4716	setup.exe
4716	setup.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
4716	setup.exe
4716	setup.exe
4716	setup.exe
4716	setup.exe

Suspicious use of SendNotifyMessage 4 IoCs

pid	Process
4716	setup.exe
4716	setup.exe
4716	setup.exe
4716	setup.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4716	setup.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4388 wrote to memory of 4236	4388	866d09aa4300132477edc427dec47ac1_JaffaCakes118.exe	87
PID 4388 wrote to memory of 4236	4388	866d09aa4300132477edc427dec47ac1_JaffaCakes118.exe	87
PID 4388 wrote to memory of 4236	4388	866d09aa4300132477edc427dec47ac1_JaffaCakes118.exe	87
PID 4388 wrote to memory of 4716	4388	866d09aa4300132477edc427dec47ac1_JaffaCakes118.exe	88
PID 4388 wrote to memory of 4716	4388	866d09aa4300132477edc427dec47ac1_JaffaCakes118.exe	88
PID 4388 wrote to memory of 4716	4388	866d09aa4300132477edc427dec47ac1_JaffaCakes118.exe	88
PID 4388 wrote to memory of 1052	4388	866d09aa4300132477edc427dec47ac1_JaffaCakes118.exe	89
PID 4388 wrote to memory of 1052	4388	866d09aa4300132477edc427dec47ac1_JaffaCakes118.exe	89
PID 4388 wrote to memory of 1052	4388	866d09aa4300132477edc427dec47ac1_JaffaCakes118.exe	89
PID 1052 wrote to memory of 4912	1052	Rundll32.exe	90
PID 1052 wrote to memory of 4912	1052	Rundll32.exe	90
PID 1052 wrote to memory of 4912	1052	Rundll32.exe	90

C:\Users\Admin\AppData\Local\Temp\866d09aa4300132477edc427dec47ac1_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\866d09aa4300132477edc427dec47ac1_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4388
- C:\Users\Admin\AppData\Local\Temp\neznmx\ssinitar.exe
  C:\Users\Admin\AppData\Local\Temp\neznmx\ssinitar.exe -pasdfghij -d"C:\Users\Admin\AppData\Local\Temp\neznmx\"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4236
- C:\Users\Admin\AppData\Local\Temp\neznmx\setup.exe
  "C:\Users\Admin\AppData\Local\Temp\neznmx\setup.exe"
  2⤵
  - Executes dropped EXE
  - Writes to the Master Boot Record (MBR)
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:4716
- C:\Windows\SysWOW64\Rundll32.exe
  Rundll32.exe "C:\Users\Admin\AppData\Local\Temp\neznmx\notedll.txt",acMainDos C:\Users\Admin\AppData\Local\Temp\866d09aa4300132477edc427dec47ac1_JaffaCakes118.exe
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1052
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c .\danulev1.bat
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4912

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\danulev1.bat

Filesize
372B

MD5
727d2455a1e19d2f8efd5bf7efa6fe31

SHA1
803d565155e7b4fa5e0012286d7cb33b97e94a50

SHA256
bc82fb2965abc5cb8aae436602763e078c7b9543f57a2ba432e6a046e8f8d54c

SHA512
c6303aaf9f8406ec395d1f2cc93c3356e952a28e810542d2cb3c7deca32e4f6ba7c54436fd84b07aa97a1829e12dd183c89dd8e2fee7097d1312e113f05fd815

Download Submit
C:\Users\Admin\AppData\Local\Temp\neznmx\notedll.txt

Filesize
829KB

MD5
7c81099d34cf33dd40ce276e60cc04e6

SHA1
17d5576c15a4076cd6b4b6462188155cb3a96f98

SHA256
8f2904ab39b1cc1fb703e8ee97ebf27f422e4ec584c28a4ec052a06fbf894b10

SHA512
4a0cd1c3f65188cb68e7c21013958a4b6210c535ba7b66d2d1233a0d0b19a8f36f50b8d061711fcfd164cd393efb38f3e30b437621fb86a9f7186fb4638631a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\neznmx\setup.exe

Filesize
601KB

MD5
b449bc2771663eea928734b4c60f009d

SHA1
950a100b8b8e514f06500729a3dd067a41f83b5f

SHA256
6f49ae9ee37bf1ae96940ca24be6789924f197d15ee1c77e716dc08d7e1aa1ab

SHA512
c8d6081da307c56c29a8c420bf76c37bf620305b5b414e5c8a1af841af53174d6ddaa0b2bccd48c0a642800bcc9716445dba967abf0772795ec5cd5d3a50851a

Download Submit
C:\Users\Admin\AppData\Local\Temp\neznmx\setup.txt

Filesize
601KB

MD5
44d1a3cfd72a3a9600ac9317496495e5

SHA1
c92a31aa30bca4ed972ad2d1cc02449fdf14b9ad

SHA256
e588f2bf80b522d41a215ecb3f7b0f32eac72b823a809f4d0d224a9363760c81

SHA512
bdd631f7f3f183f34bdb155c0e893bf36d8f09b5431aada607bfd033033b6cdf19c77a6eeb08329b944987802666a2d3647a13804abb25b81313a3be26c9132f

Download Submit
C:\Users\Admin\AppData\Local\Temp\neznmx\ssinitar.exe

Filesize
1.5MB

MD5
ad8658adfe0fbde2977e50313554c7a4

SHA1
828b72519eddd61b749e67fbf46bd760441c02d0

SHA256
fcaf7cad12d038fb8ac7582b57933e142ce0e48926303541d8168b64d1f72f5a

SHA512
6e7c5b01f8bbaea8da9684b58fa53cc88bfa5c1788b339628b235bc7884743dda182f0bde116ba4b2613553fb7e083089fa100e51350e7b89bcc5e5f3a2481f3

Download Submit
memory/4236-11-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/4388-25-0x0000000000400000-0x0000000000650000-memory.dmp

Filesize
2.3MB

Download
memory/4388-0-0x00000000023E0000-0x00000000023E1000-memory.dmp

Filesize
4KB

Download
memory/4716-23-0x0000000002120000-0x0000000002121000-memory.dmp

Filesize
4KB

Download
memory/4716-26-0x0000000000400000-0x00000000005A2000-memory.dmp

Filesize
1.6MB

Download
memory/4716-27-0x0000000000400000-0x00000000005A2000-memory.dmp

Filesize
1.6MB

Download
memory/4716-28-0x0000000002120000-0x0000000002121000-memory.dmp

Filesize
4KB

Download
memory/4716-29-0x0000000000400000-0x00000000005A2000-memory.dmp

Filesize
1.6MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads