d0d1ff0a048a2179399574aff2ca95d612676177c27f469296dacc95d2287f45

Reason

Machine shutdown

General

Target

ac47a1c79a27e4493f452870cff3b45f_JaffaCakes118.exe
Size

582KB
MD5

ac47a1c79a27e4493f452870cff3b45f
SHA1

55d303fb1d21ce3a9b0eeeab5c4c840b77fd3513
SHA256

d0d1ff0a048a2179399574aff2ca95d612676177c27f469296dacc95d2287f45
SHA512

e5810bad5c11f844a129f3aa7cb5dfb4e0dd08ec0708582e26fab5375b0e93262c806ef29fc1477c56f6444f7ae2476b125f8611caad3bbd19ec00ede1639353
SSDEEP

12288:EODa7BlXNDRghT9yTvu9RrxsAXNYMJJRqahfOz:Du3XtRSyTvu9IA9VJzT8

Score

8^/10

bootkit discovery evasion persistence trojan upx

Malware Config

Signatures

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\baiyqw = "C:\\Windows\\SysWOW64\\WMASFS.exe"	sot.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	sot.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	WMASFS.exe

Checks BIOS information in registry 2 TTPs 1 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	sot.exe

Executes dropped EXE 4 IoCs

pid	Process
5060	qxFSVWOcegcPUPu1.exe
4336	rot.exe
1660	sot.exe
636	WMASFS.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1660-24-0x0000000000520000-0x00000000005B2000-memory.dmp	upx
behavioral2/memory/1660-20-0x0000000000520000-0x00000000005B2000-memory.dmp	upx
behavioral2/memory/1660-23-0x0000000000520000-0x00000000005B2000-memory.dmp	upx

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sot.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\physicaldrive0	rot.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\WMASFS.exe	sot.exe
File opened for modification	C:\Windows\SysWOW64\WMASFS.exe	sot.exe

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMASFS.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ac47a1c79a27e4493f452870cff3b45f_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qxFSVWOcegcPUPu1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sot.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rot.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1660	sot.exe
1660	sot.exe
1660	sot.exe
1660	sot.exe
5060	qxFSVWOcegcPUPu1.exe
5060	qxFSVWOcegcPUPu1.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1660	sot.exe
Token: SeShutdownPrivilege	4336	rot.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
5060	qxFSVWOcegcPUPu1.exe
636	WMASFS.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4524 wrote to memory of 5060	4524	ac47a1c79a27e4493f452870cff3b45f_JaffaCakes118.exe	84
PID 4524 wrote to memory of 5060	4524	ac47a1c79a27e4493f452870cff3b45f_JaffaCakes118.exe	84
PID 4524 wrote to memory of 5060	4524	ac47a1c79a27e4493f452870cff3b45f_JaffaCakes118.exe	84
PID 4524 wrote to memory of 4336	4524	ac47a1c79a27e4493f452870cff3b45f_JaffaCakes118.exe	85
PID 4524 wrote to memory of 4336	4524	ac47a1c79a27e4493f452870cff3b45f_JaffaCakes118.exe	85
PID 4524 wrote to memory of 4336	4524	ac47a1c79a27e4493f452870cff3b45f_JaffaCakes118.exe	85
PID 4524 wrote to memory of 1660	4524	ac47a1c79a27e4493f452870cff3b45f_JaffaCakes118.exe	86
PID 4524 wrote to memory of 1660	4524	ac47a1c79a27e4493f452870cff3b45f_JaffaCakes118.exe	86
PID 4524 wrote to memory of 1660	4524	ac47a1c79a27e4493f452870cff3b45f_JaffaCakes118.exe	86
PID 1660 wrote to memory of 636	1660	sot.exe	88
PID 1660 wrote to memory of 636	1660	sot.exe	88
PID 1660 wrote to memory of 636	1660	sot.exe	88

C:\Users\Admin\AppData\Local\Temp\ac47a1c79a27e4493f452870cff3b45f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ac47a1c79a27e4493f452870cff3b45f_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4524
- C:\Users\Admin\qxFSVWOcegcPUPu1.exe
  qxFSVWOcegcPUPu1.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:5060
- C:\Users\Admin\rot.exe
  rot.exe
  2⤵
  - Executes dropped EXE
  - Writes to the Master Boot Record (MBR)
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:4336
- C:\Users\Admin\sot.exe
  sot.exe
  2⤵
  - Adds policy Run key to start application
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1660
- - C:\Windows\SysWOW64\WMASFS.exe
    C:\Windows\SysWOW64\WMASFS.exe
    3⤵
    - Drops file in Drivers directory
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:636
- - C:\Windows\SysWOW64\cmd.exe
    /c C:\Users\Admin\AppData\Local\Temp\~unins5468.bat "C:\Users\Admin\sot.exe"
    3⤵
    PID:3472

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\meuki.exe

Filesize
160KB

MD5
4364d9e86d29af5bda802f6f5f465168

SHA1
f3574f93a6f9c33cf0106d4d24cb6ffa44ed1d8d

SHA256
3a2f3bbfce3883ddda1dd41e2be04688578486f1dcdf1d3538a79f1e84e2cee8

SHA512
791ba37806f2522ad7abc6f30e17d2dcf39665538ae2c0d3179788828aeb6b60f272ec9a78c15980e0fc40bffadf920c14194dc02f92e63e716a0e17c939f6c2

Download Submit
C:\Users\Admin\qxFSVWOcegcPUPu1.exe

Filesize
160KB

MD5
abb3650e99144a737aab6829d228c7cd

SHA1
5bba0901dd158ebc700419c9b8aa135561e44b06

SHA256
a21362c6e6f020162c5122dbf3155856c19322530fc409e19033710c75806623

SHA512
5285a8a7ecf05781af95ab8793b81e91a1a0195b1fb5ec6aa39d2cd25119acedc89e787638c7ece799e286cede12bc1e7c30827f315fc76a009a04778596b89f

Download Submit
C:\Users\Admin\rot.exe

Filesize
228KB

MD5
8258e740c3a26617a8f4ca416f80dfdf

SHA1
a6f00e7fd39da24516d87ff62b5698e7b3647698

SHA256
084a552233390bc5e4aed9dd669e8732c09569db88d73709132298d926182f8c

SHA512
7dcd7dcf1d4253d11b3b9bc5a43486e6322716fdd31e76791a88f7aab41cde01d408db0a0b2dc1041f7458e91b6da4ace48baa411324aa716aee48f4395d7438

Download Submit
C:\Users\Admin\sot.exe

Filesize
253KB

MD5
3479c7b86a5a0b15e31449522cc224ad

SHA1
9d43e946d536bab55aa572daab2c0e1b5f3dfe56

SHA256
cc4871ecab10b369820db88615b1e0de659afd9a5330f311af29b19965930bd4

SHA512
f2e520a22d731406a3de7b2dc8bb23d8e95428a6ba242d4853d0e62f4e0531d1eafa43b6ff971c44f14720a1177e0e68d010205bb2551e80e54bbcee09352e42

Download Submit
C:\Windows\SysWOW64\WMASFS.exe

Filesize
76KB

MD5
404a3e5ef113cade2dff8523f87243ab

SHA1
7a1004080ebe382f021d5809c46f34b99dc806f0

SHA256
3f2add54b4a36147acf9909ab63573137088fd042b582284c73e52d6a11b2b2b

SHA512
895c34e701d0fbd1aaddf26eab85d56bfd254a3dcc740ac44aff8c6853dbe2c0ad845abe2bd471305868f6740d762b89c7c9d2c3b403a60dd4cb809cf7ad3ef5

Download Submit
memory/1660-24-0x0000000000520000-0x00000000005B2000-memory.dmp

Filesize
584KB

Download
memory/1660-20-0x0000000000520000-0x00000000005B2000-memory.dmp

Filesize
584KB

Download
memory/1660-25-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1660-23-0x0000000000520000-0x00000000005B2000-memory.dmp

Filesize
584KB

Download
memory/1660-15-0x00000000001C0000-0x00000000001EE000-memory.dmp

Filesize
184KB

Download
memory/4336-18-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/4336-26-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/4336-27-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/4336-17-0x0000000000405000-0x0000000000406000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads