f8c1c23ace9dbcc7aec6e9fe47c2dd39ceea452af5d9ba1086e85ad31e93a8c0

General

Target

b57f7afafc40fd8ee8a0312eea4382cd_JaffaCakes118.exe
Size

154KB
MD5

b57f7afafc40fd8ee8a0312eea4382cd
SHA1

8ab00b5eb8607c7a04ddc881b2731728ca6a7167
SHA256

f8c1c23ace9dbcc7aec6e9fe47c2dd39ceea452af5d9ba1086e85ad31e93a8c0
SHA512

1a0c073d0d252302b6ec619f14f25fcf1f470854242c4c25eb9683aec8909f8e481b26df0a4d2f8148dbfba637515c78daa2a2e952dd39e60b1b1e68f34d35f2
SSDEEP

3072:3+hOPTdZ/ljsHm/svxTuhaCSzaCx0MDi7sfvyEFQimi5WEpk:3QKTdnsvx6SOe0MD4sfvyyBcgk

Score

7^/10

bootkit defense_evasion discovery persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
5004	avp.exe
2400	avp.exe

Loads dropped DLL 2 IoCs

pid	Process
1800	b57f7afafc40fd8ee8a0312eea4382cd_JaffaCakes118.exe
1800	b57f7afafc40fd8ee8a0312eea4382cd_JaffaCakes118.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	b57f7afafc40fd8ee8a0312eea4382cd_JaffaCakes118.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\hvsound2.dll	b57f7afafc40fd8ee8a0312eea4382cd_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\delplme.bat	b57f7afafc40fd8ee8a0312eea4382cd_JaffaCakes118.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 5004 set thread context of 2400	5004	avp.exe	90

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\avp.exe	b57f7afafc40fd8ee8a0312eea4382cd_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b57f7afafc40fd8ee8a0312eea4382cd_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	avp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
1800	b57f7afafc40fd8ee8a0312eea4382cd_JaffaCakes118.exe
656	Process not Found

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeLoadDriverPrivilege	1800	b57f7afafc40fd8ee8a0312eea4382cd_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 5004 wrote to memory of 2400	5004	avp.exe	90
PID 5004 wrote to memory of 2400	5004	avp.exe	90
PID 5004 wrote to memory of 2400	5004	avp.exe	90
PID 5004 wrote to memory of 2400	5004	avp.exe	90
PID 5004 wrote to memory of 2400	5004	avp.exe	90
PID 1800 wrote to memory of 2160	1800	b57f7afafc40fd8ee8a0312eea4382cd_JaffaCakes118.exe	91
PID 1800 wrote to memory of 2160	1800	b57f7afafc40fd8ee8a0312eea4382cd_JaffaCakes118.exe	91
PID 1800 wrote to memory of 2160	1800	b57f7afafc40fd8ee8a0312eea4382cd_JaffaCakes118.exe	91

C:\Users\Admin\AppData\Local\Temp\b57f7afafc40fd8ee8a0312eea4382cd_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\b57f7afafc40fd8ee8a0312eea4382cd_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1800
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c delplme.bat
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2160

C:\Windows\avp.exe
C:\Windows\avp.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5004
- C:\Windows\avp.exe
  C:\Windows\avp.exe
  2⤵
  - Executes dropped EXE
  PID:2400

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Privilege Escalation

Defense Evasion

Indicator Removal

1

T1070

File Deletion

1

T1070.004

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\delplme.bat

Filesize
306B

MD5
474efed1b518fc6ec40bd02e4488786e

SHA1
78f82a17d6891dc48907b4d05887302f47c451ee

SHA256
1babdf62dfd456af216c0552494524b66baff0a0efecb0d607ed7ea42fcedacd

SHA512
68d33b67db3c4b537078a81fbe7aecf86b338abc3ed25f12169807feb206efcf678efc327d91696cfc8aaf29b9a7ed8273743f894e2881abe177443bb6c8eb8a

Download Submit
C:\Windows\SysWOW64\hvsound2.dll

Filesize
233KB

MD5
3c56d6f42f5a53e0a6b632390ed93c32

SHA1
5717b0a6690b5416ab0c658135be8f0b0c3965e5

SHA256
94dbf1c71769616f7fb78b10f8a781b93b6206b800096a22da868945dfb13339

SHA512
4572a6d897dd20c3046574da782a3c458187d198e79c52ea91b3c11631cc3ffd38ae80e8d9a7c18e0b9c4f301f9935d48415e72a7799ad4979bd011817d4f537

Download Submit
C:\Windows\avp.exe

Filesize
21KB

MD5
d96771acf8211756a9c1ea512575c79a

SHA1
4220273f68f65061abf8e1ac87f35364fa984c6c

SHA256
d36d9c6b553e95820dde6a45f93ce0a186f77123b6c76fd5a2a6fb260ccc0fe5

SHA512
3a631a72c0310fea6199aad6d9b726581afacbb6e1c1cdd87ae9825ab81de73806d7a9d56f22709f3830a2cbdd5a7afd7a9333373bfe4a07db2077326bd35b4b

Download Submit
memory/1800-0-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1800-1-0x0000000000A80000-0x0000000000A81000-memory.dmp

Filesize
4KB

Download
memory/1800-2-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1800-24-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1800-17-0x0000000002A50000-0x0000000002A96000-memory.dmp

Filesize
280KB

Download
memory/2400-12-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2400-13-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2400-8-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2400-19-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2400-21-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/5004-10-0x0000000010000000-0x0000000010015000-memory.dmp

Filesize
84KB

Download
memory/5004-7-0x0000000000560000-0x0000000000561000-memory.dmp

Filesize
4KB

Download
memory/5004-5-0x0000000010000000-0x0000000010015000-memory.dmp

Filesize
84KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads