7fdaabb625a6180627b307a4f8d533c2eeceef480157c7067849cf20b09fddea

General

Target

becbe4f5100b858411dcb51e5719529d_JaffaCakes118.exe
Size

2.0MB
MD5

becbe4f5100b858411dcb51e5719529d
SHA1

553c284d440a34fda1cc3772c98639267002c7a4
SHA256

7fdaabb625a6180627b307a4f8d533c2eeceef480157c7067849cf20b09fddea
SHA512

93c6d25789b7c9d26e5a191569d88cefe5c02f868a6088c2d1ec6d8ddd0643372ab25affaecfa6dc5406addf228d858d92fccbf5f487d2e03d312284423fe679
SSDEEP

49152:LV9yIArXjY4LjAs/p98gieBhDiY6Vt9TRAia2H1:n2jDLn/p8CwXVSia2V

Score

7^/10

bootkit discovery persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Control Panel\International\Geo\Nation	becbe4f5100b858411dcb51e5719529d_JaffaCakes118.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	becbe4f5100b858411dcb51e5719529d_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	becbe4f5100b858411dcb51e5719529d_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	becbe4f5100b858411dcb51e5719529d_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	becbe4f5100b858411dcb51e5719529d_JaffaCakes118.exe

Modifies data under HKEY_USERS 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\AeroAdmin	becbe4f5100b858411dcb51e5719529d_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1448	becbe4f5100b858411dcb51e5719529d_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1448	becbe4f5100b858411dcb51e5719529d_JaffaCakes118.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2076	becbe4f5100b858411dcb51e5719529d_JaffaCakes118.exe
2076	becbe4f5100b858411dcb51e5719529d_JaffaCakes118.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
2076	becbe4f5100b858411dcb51e5719529d_JaffaCakes118.exe
2076	becbe4f5100b858411dcb51e5719529d_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1448 wrote to memory of 2076	1448	becbe4f5100b858411dcb51e5719529d_JaffaCakes118.exe	31
PID 1448 wrote to memory of 2076	1448	becbe4f5100b858411dcb51e5719529d_JaffaCakes118.exe	31
PID 1448 wrote to memory of 2076	1448	becbe4f5100b858411dcb51e5719529d_JaffaCakes118.exe	31
PID 1448 wrote to memory of 2076	1448	becbe4f5100b858411dcb51e5719529d_JaffaCakes118.exe	31

C:\Users\Admin\AppData\Local\Temp\becbe4f5100b858411dcb51e5719529d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\becbe4f5100b858411dcb51e5719529d_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:2136

C:\Users\Admin\AppData\Local\Temp\becbe4f5100b858411dcb51e5719529d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\becbe4f5100b858411dcb51e5719529d_JaffaCakes118.exe" s -sid 1
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1448
- C:\Users\Admin\AppData\Local\Temp\becbe4f5100b858411dcb51e5719529d_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\becbe4f5100b858411dcb51e5719529d_JaffaCakes118.exe a
  2⤵
  - Writes to the Master Boot Record (MBR)
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2076

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\AeroAdminLog.txt

Filesize
68B

MD5
aaa954b723eb50223afa71436daf15ed

SHA1
838b1ab1aaf2ddf736bd639f75d683fbe99c7f30

SHA256
bc49dda35b98b68f76de02d357ad0486fffd5609f7c2c8b1af318df2da688e5e

SHA512
825de193ddec9c1c483bd4789a22a3fdf192d16161b3a3b5ee2c30b08b4468a50395ab126ee05fd664bdcf9ea0c3f152015687e56b274079865c2c1af94e12b6

Download Submit
C:\AeroAdminLog.txt

Filesize
114B

MD5
5e69a737174f60d0e30e154675974ac8

SHA1
2a67a203e2e7e9a25288c23d46fdd686b7f8d551

SHA256
af31d9f01458c40e1a75be01529abcf236cc7fd1783af98afc32125a131c66eb

SHA512
fe97e9724e8ed9aba112ec5ca7b444e0fb8ca5f329a63b4e57964099c367db8d1c6b192685441118e9da210cd9fde37412ceaafe1a8f776948cbc479c7b9b814

Download Submit
C:\ProgramData\Aeroadmin\config

Filesize
657B

MD5
dc1de55ff9a76ee24f6cdbe2d28d8a37

SHA1
d044cc6a20e71c39d779a8890b2da1a26a769ed1

SHA256
76bf7e29e288d4313c2be083b548b9f6c516dd008c37c46f1a6ce0f4632afc48

SHA512
9eaf117fca45fdbb01345637cf10115fa6516fb04ab3bd2680ebff0e8b8268a2ac8529bba0ca80ca67f280fe4182e602a5693f84a349957bff217ff9edad9808

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads