a3ee1c61441d3c1a013628e633d089ebab2085782db8099565d72c4e8565aa89

General

Target

a826db1cd27f3e45e20342883e85cee8_JaffaCakes118.exe
Size

943KB
MD5

a826db1cd27f3e45e20342883e85cee8
SHA1

85821beae33b84e3917e7f85c27738cce25b6911
SHA256

a3ee1c61441d3c1a013628e633d089ebab2085782db8099565d72c4e8565aa89
SHA512

eefcf2d7efa53fc971eeefaedb2c1f9a2ada8ed0f5c328806fb105954a8b1fc55a9e39c8daaf857b72852e75ef9a5835c64724cabb944707ab8e40613dce4b8a
SSDEEP

24576:eadY/TEdVYkEp3W8AD/Dhd+y4lqJ8QdCYDoDN4H1GAR11F:ezTEdesvD/DX+y4onCYDoDaD

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 3 IoCs

pid	Process
3012	a826db1cd27f3e45e20342883e85cee8_JaffaCakes118.exe
3012	a826db1cd27f3e45e20342883e85cee8_JaffaCakes118.exe
3012	a826db1cd27f3e45e20342883e85cee8_JaffaCakes118.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	a826db1cd27f3e45e20342883e85cee8_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a826db1cd27f3e45e20342883e85cee8_JaffaCakes118.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Main	a826db1cd27f3e45e20342883e85cee8_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 22 IoCs

pid	Process
3012	a826db1cd27f3e45e20342883e85cee8_JaffaCakes118.exe
3012	a826db1cd27f3e45e20342883e85cee8_JaffaCakes118.exe
3012	a826db1cd27f3e45e20342883e85cee8_JaffaCakes118.exe
3012	a826db1cd27f3e45e20342883e85cee8_JaffaCakes118.exe
3012	a826db1cd27f3e45e20342883e85cee8_JaffaCakes118.exe
3012	a826db1cd27f3e45e20342883e85cee8_JaffaCakes118.exe
3012	a826db1cd27f3e45e20342883e85cee8_JaffaCakes118.exe
3012	a826db1cd27f3e45e20342883e85cee8_JaffaCakes118.exe
3012	a826db1cd27f3e45e20342883e85cee8_JaffaCakes118.exe
3012	a826db1cd27f3e45e20342883e85cee8_JaffaCakes118.exe
3012	a826db1cd27f3e45e20342883e85cee8_JaffaCakes118.exe
3012	a826db1cd27f3e45e20342883e85cee8_JaffaCakes118.exe
3012	a826db1cd27f3e45e20342883e85cee8_JaffaCakes118.exe
3012	a826db1cd27f3e45e20342883e85cee8_JaffaCakes118.exe
3012	a826db1cd27f3e45e20342883e85cee8_JaffaCakes118.exe
3012	a826db1cd27f3e45e20342883e85cee8_JaffaCakes118.exe
3012	a826db1cd27f3e45e20342883e85cee8_JaffaCakes118.exe
3012	a826db1cd27f3e45e20342883e85cee8_JaffaCakes118.exe
3012	a826db1cd27f3e45e20342883e85cee8_JaffaCakes118.exe
3012	a826db1cd27f3e45e20342883e85cee8_JaffaCakes118.exe
3012	a826db1cd27f3e45e20342883e85cee8_JaffaCakes118.exe
3012	a826db1cd27f3e45e20342883e85cee8_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\a826db1cd27f3e45e20342883e85cee8_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a826db1cd27f3e45e20342883e85cee8_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:3012

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\E_4\HtmlView.fne

Filesize
224KB

MD5
5119e853bf543fa2ef978d758cfb0819

SHA1
13541a62b63d019381a0e15b944c9843e88dc5cb

SHA256
8640b2a172680cd62a73baee98eed73de8059a21a5fc21e398bf81a8ab31eaaa

SHA512
ae8f9be5ae53af0594f48c119937ce8482bb3fdc4fb48a1fb6fcd9d8896acbc9a4eafe4ba0e02059953160665b8de767483b06e15703b97cf82fb52dbebc2799

Download Submit
\Users\Admin\AppData\Local\Temp\E_4\krnln.fnr

Filesize
1.1MB

MD5
97c8fe752e354b2945e4c593a87e4a8b

SHA1
03ab4c91535ecf14b13e0258f3a7be459a7957f9

SHA256
820d8dd49baed0da44d42555ad361d78e068115661dce72ae6578dcdab6baead

SHA512
af4492c08d6659d21ebfefe752b0d71210d2542c1788f1d2d9f86a85f01c3dd05eebf61c925e18b5e870aec7e9794e4a7050a04f4c58d90dca93324485690bcc

Download Submit
\Users\Admin\AppData\Local\Temp\E_4\shell.fne

Filesize
56KB

MD5
d63851f89c7ad4615565ca300e8b8e27

SHA1
1c9a6c1ce94581f85be0e99e2d370384b959578f

SHA256
0a6ae72df15cbca21c6af32bc2c13ca876e191008f1078228b3b98add9fc9d8d

SHA512
623e9e9beb5d2a9f3a6a75e5fac9dda5b437246fd3b10db4bba680f61bc68aae6714f11a12938b7d22b1c7691f45a75c4406ba06fa901da8ce05e784038970d2

Download Submit
memory/3012-13-0x0000000000490000-0x0000000000491000-memory.dmp

Filesize
4KB

Download
memory/3012-11-0x0000000000460000-0x0000000000461000-memory.dmp

Filesize
4KB

Download
memory/3012-22-0x0000000001D70000-0x0000000001D71000-memory.dmp

Filesize
4KB

Download
memory/3012-21-0x0000000001D60000-0x0000000001D61000-memory.dmp

Filesize
4KB

Download
memory/3012-20-0x0000000001DA0000-0x0000000001DA1000-memory.dmp

Filesize
4KB

Download
memory/3012-19-0x0000000001DF0000-0x0000000001DF1000-memory.dmp

Filesize
4KB

Download
memory/3012-18-0x0000000001DE0000-0x0000000001DE1000-memory.dmp

Filesize
4KB

Download
memory/3012-17-0x0000000001D80000-0x0000000001D85000-memory.dmp

Filesize
20KB

Download
memory/3012-16-0x0000000001D90000-0x0000000001D91000-memory.dmp

Filesize
4KB

Download
memory/3012-15-0x00000000004D0000-0x00000000004D1000-memory.dmp

Filesize
4KB

Download
memory/3012-14-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/3012-0-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/3012-12-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/3012-23-0x0000000001DD0000-0x0000000001DD1000-memory.dmp

Filesize
4KB

Download
memory/3012-10-0x0000000000470000-0x0000000000471000-memory.dmp

Filesize
4KB

Download
memory/3012-9-0x0000000000480000-0x0000000000481000-memory.dmp

Filesize
4KB

Download
memory/3012-8-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/3012-7-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/3012-6-0x00000000004B0000-0x00000000004B1000-memory.dmp

Filesize
4KB

Download
memory/3012-24-0x0000000001DC0000-0x0000000001DC1000-memory.dmp

Filesize
4KB

Download
memory/3012-29-0x0000000001FE0000-0x000000000201B000-memory.dmp

Filesize
236KB

Download
memory/3012-25-0x0000000001DB0000-0x0000000001DB1000-memory.dmp

Filesize
4KB

Download
memory/3012-1-0x0000000001C10000-0x0000000001C53000-memory.dmp

Filesize
268KB

Download
memory/3012-33-0x0000000002A40000-0x0000000002A54000-memory.dmp

Filesize
80KB

Download
memory/3012-37-0x0000000001C10000-0x0000000001C53000-memory.dmp

Filesize
268KB

Download
memory/3012-36-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads