500fad21240309ab52edb2b3d99d5fc68a499572e78137db6174294d6bd603f3

General

Target

b96663aced96a56f31b8450cffe7f61e_JaffaCakes118.exe
Size

10.9MB
MD5

b96663aced96a56f31b8450cffe7f61e
SHA1

496c495742fa2976ddb8dbe209a8dd41962c58a8
SHA256

500fad21240309ab52edb2b3d99d5fc68a499572e78137db6174294d6bd603f3
SHA512

88be4664896ad038651cbe23b7cb1e0335a2cbec0839aec9930117308adc6be9724fb8a9746213ee6431110e3a05127f780572bbc1e52e0422fa81b5ac76df8f
SSDEEP

196608:5d6piqAMlPkS6cxeSUwGbDebMUb/368lgzhgPqMUtznie8Y:jMiqAMlPkS3eHobf68lkgPqM6nie9

Score

6^/10

bootkit discovery persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\mytime = "C:\\Users\\Admin\\AppData\\Local\\Temp\\b96663aced96a56f31b8450cffe7f61e_JaffaCakes118.exe"	b96663aced96a56f31b8450cffe7f61e_JaffaCakes118.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	b96663aced96a56f31b8450cffe7f61e_JaffaCakes118.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Executes dropped EXE 2 IoCs

pid	Process
828	mytimeinj.exe
1188	Explorer.EXE

Loads dropped DLL 2 IoCs

pid	Process
2296	b96663aced96a56f31b8450cffe7f61e_JaffaCakes118.exe
1188	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b96663aced96a56f31b8450cffe7f61e_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	828	mytimeinj.exe
Token: SeShutdownPrivilege	1188	Explorer.EXE
Token: SeShutdownPrivilege	1188	Explorer.EXE
Token: 33	2296	b96663aced96a56f31b8450cffe7f61e_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2296	b96663aced96a56f31b8450cffe7f61e_JaffaCakes118.exe

Suspicious use of FindShellTrayWindow 36 IoCs

pid	Process
2296	b96663aced96a56f31b8450cffe7f61e_JaffaCakes118.exe
2296	b96663aced96a56f31b8450cffe7f61e_JaffaCakes118.exe
2296	b96663aced96a56f31b8450cffe7f61e_JaffaCakes118.exe
828	mytimeinj.exe
1188	Explorer.EXE
1188	Explorer.EXE
1188	Explorer.EXE
1188	Explorer.EXE
1188	Explorer.EXE
1188	Explorer.EXE
1188	Explorer.EXE
1188	Explorer.EXE
1188	Explorer.EXE
1188	Explorer.EXE
1188	Explorer.EXE
2296	b96663aced96a56f31b8450cffe7f61e_JaffaCakes118.exe
2296	b96663aced96a56f31b8450cffe7f61e_JaffaCakes118.exe
2296	b96663aced96a56f31b8450cffe7f61e_JaffaCakes118.exe
2296	b96663aced96a56f31b8450cffe7f61e_JaffaCakes118.exe
2296	b96663aced96a56f31b8450cffe7f61e_JaffaCakes118.exe
2296	b96663aced96a56f31b8450cffe7f61e_JaffaCakes118.exe
2296	b96663aced96a56f31b8450cffe7f61e_JaffaCakes118.exe
2296	b96663aced96a56f31b8450cffe7f61e_JaffaCakes118.exe
2296	b96663aced96a56f31b8450cffe7f61e_JaffaCakes118.exe
2296	b96663aced96a56f31b8450cffe7f61e_JaffaCakes118.exe
2296	b96663aced96a56f31b8450cffe7f61e_JaffaCakes118.exe
2296	b96663aced96a56f31b8450cffe7f61e_JaffaCakes118.exe
2296	b96663aced96a56f31b8450cffe7f61e_JaffaCakes118.exe
2296	b96663aced96a56f31b8450cffe7f61e_JaffaCakes118.exe
2296	b96663aced96a56f31b8450cffe7f61e_JaffaCakes118.exe
2296	b96663aced96a56f31b8450cffe7f61e_JaffaCakes118.exe
2296	b96663aced96a56f31b8450cffe7f61e_JaffaCakes118.exe
2296	b96663aced96a56f31b8450cffe7f61e_JaffaCakes118.exe
2296	b96663aced96a56f31b8450cffe7f61e_JaffaCakes118.exe
2296	b96663aced96a56f31b8450cffe7f61e_JaffaCakes118.exe
2296	b96663aced96a56f31b8450cffe7f61e_JaffaCakes118.exe

Suspicious use of SendNotifyMessage 25 IoCs

pid	Process
1188	Explorer.EXE
1188	Explorer.EXE
1188	Explorer.EXE
1188	Explorer.EXE
1188	Explorer.EXE
1188	Explorer.EXE
1188	Explorer.EXE
1188	Explorer.EXE
1188	Explorer.EXE
1188	Explorer.EXE
1188	Explorer.EXE
1188	Explorer.EXE
1188	Explorer.EXE
1188	Explorer.EXE
1188	Explorer.EXE
1188	Explorer.EXE
1188	Explorer.EXE
1188	Explorer.EXE
1188	Explorer.EXE
1188	Explorer.EXE
1188	Explorer.EXE
1188	Explorer.EXE
1188	Explorer.EXE
1188	Explorer.EXE
1188	Explorer.EXE

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2296	b96663aced96a56f31b8450cffe7f61e_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 2296 wrote to memory of 828	2296	b96663aced96a56f31b8450cffe7f61e_JaffaCakes118.exe	29
PID 2296 wrote to memory of 828	2296	b96663aced96a56f31b8450cffe7f61e_JaffaCakes118.exe	29
PID 2296 wrote to memory of 828	2296	b96663aced96a56f31b8450cffe7f61e_JaffaCakes118.exe	29
PID 2296 wrote to memory of 828	2296	b96663aced96a56f31b8450cffe7f61e_JaffaCakes118.exe	29
PID 828 wrote to memory of 1188	828	mytimeinj.exe	20

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1188
- C:\Users\Admin\AppData\Local\Temp\b96663aced96a56f31b8450cffe7f61e_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\b96663aced96a56f31b8450cffe7f61e_JaffaCakes118.exe"
  2⤵
  - Adds Run key to start application
  - Writes to the Master Boot Record (MBR)
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2296
- - C:\Users\Admin\AppData\Local\Temp\plugins\mytimeinj.exe
    "C:\Users\Admin\AppData\Local\Temp\plugins\mytimeinj.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:828

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\config\mytime\mytimeset.cfg

Filesize
1KB

MD5
1525689e3b09c96578b36b0aa276d7ad

SHA1
0f22ef83c6f00e4aed6081ee78e3bffbe34c57d2

SHA256
f59dbf33d838893c68471391c53359958fb2de883ebc42f747d6bfcd4e104bfd

SHA512
f8cc98eb65c9eab1b37634f3741576a46c0254388fc5cae900c756708e3822dfe0ce939548576d2d6fc7caaa7ad4f446e52396d4e44f227ff56a29f3edbc0f57

Download Submit
C:\Users\Admin\AppData\Local\Temp\config\mytime\mytimeset.cfg

Filesize
1KB

MD5
0e0aad725326d02ae1478243f10d11da

SHA1
bb91899827c62c1ef3331ead1c655b5295c1ce10

SHA256
97639a59baa30e57c3b1b0370b7c6c475e76b43c9254ecc3839a87730b6023dd

SHA512
52e6f87200b0775f88e68c7a600b24955e8e9294e0d72e8651f1ab620bb7d6f299e6c9b3148c5d6b8917bd80821fbf7c0e1aec5cd6d5c4a050d1ee0f0edadd82

Download Submit
C:\Users\Admin\AppData\Local\Temp\config\mytime\mytimeset.cfg

Filesize
1KB

MD5
051c381084973343fc4d6a7c406d8e21

SHA1
1e38cd479a39fd38b163b2208cb276411ed07682

SHA256
d570b5e0e4cb0410fb5c87447087817dc41e568b76f95392b9759c3a258982d4

SHA512
f6a25d944bdcc58b4892884774563287c5d2fab367ce25aa2d049650c2d2d53867ef8dd59586d515b5841f0ddc527facc5f0f0d3e83df6647c642212d073e180

Download Submit
\Users\Admin\AppData\Local\Temp\plugins\mytime.dll

Filesize
311KB

MD5
162218b9b12e7285b9682b971ed473d1

SHA1
14932f6595991a5f6b0be09f037078210d90b80b

SHA256
fdbeca164d3b73eaba269fefd0de45756e642242ed9d6f2748a389fbb19e4665

SHA512
de9caa2de89f52d1f6853ddfe4b9ec5904f46efa9adb7a4a9116215d4e023e0dbad584fcf2e733857ff3f729835869f2711df664f67cc4fabfd3c82aa9ab81cf

Download Submit
\Users\Admin\AppData\Local\Temp\plugins\mytimeinj.exe

Filesize
106KB

MD5
e60e99e0f474ba132a27f873a6188f5d

SHA1
edb219d0a273d34f4c8be28d1743ef600ba29b15

SHA256
4c50b9b3c032740ae2995efb4b37487f2a781633f70af1d15fbf13dbac6d1f39

SHA512
e3dc2e6e5e49e402d763ccbcfe91445e4b66a6847f995aba4d7ef94e029349a71dabcf9dc51af37fa764cc42a8296627ef6f20fa9db1021c1be602debc632310

Download Submit
memory/828-129-0x00000000000E0000-0x00000000000E1000-memory.dmp

Filesize
4KB

Download
memory/1188-130-0x00000000025E0000-0x00000000025E1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads