1d62306be6c8135fb2a32848d122714be79fa77fe8c35c2eff0094d6b4fcb07c

General

Target

c255d1a0cac5190a5b67802029ebe315_JaffaCakes118.exe
Size

1.0MB
MD5

c255d1a0cac5190a5b67802029ebe315
SHA1

aeb510353727d3e0daef86f43b922dc27961022f
SHA256

1d62306be6c8135fb2a32848d122714be79fa77fe8c35c2eff0094d6b4fcb07c
SHA512

1d7d3269c34c1e76401f001ef6d7313566456b09206d77b4a42d9822128cf72dafc9ad582912198dbdece8b1a7b2fddf7265e7235d76c45331b75d3540b5ae3b
SSDEEP

24576:qG6C96ttrMkrvVDIW96fE3QlzKQh7tzl31CeVnfV:yCeukrB/Afyk5xlrt

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 9 IoCs

pid	Process
1544	c255d1a0cac5190a5b67802029ebe315_JaffaCakes118.exe
1544	c255d1a0cac5190a5b67802029ebe315_JaffaCakes118.exe
1544	c255d1a0cac5190a5b67802029ebe315_JaffaCakes118.exe
1544	c255d1a0cac5190a5b67802029ebe315_JaffaCakes118.exe
1544	c255d1a0cac5190a5b67802029ebe315_JaffaCakes118.exe
1544	c255d1a0cac5190a5b67802029ebe315_JaffaCakes118.exe
1544	c255d1a0cac5190a5b67802029ebe315_JaffaCakes118.exe
1544	c255d1a0cac5190a5b67802029ebe315_JaffaCakes118.exe
1544	c255d1a0cac5190a5b67802029ebe315_JaffaCakes118.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1544-0-0x0000000000400000-0x0000000000478000-memory.dmp	upx
behavioral2/memory/1544-37-0x0000000000400000-0x0000000000478000-memory.dmp	upx

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	c255d1a0cac5190a5b67802029ebe315_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c255d1a0cac5190a5b67802029ebe315_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1544	c255d1a0cac5190a5b67802029ebe315_JaffaCakes118.exe
1544	c255d1a0cac5190a5b67802029ebe315_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 31 IoCs

pid	Process
1544	c255d1a0cac5190a5b67802029ebe315_JaffaCakes118.exe
1544	c255d1a0cac5190a5b67802029ebe315_JaffaCakes118.exe
1544	c255d1a0cac5190a5b67802029ebe315_JaffaCakes118.exe
1544	c255d1a0cac5190a5b67802029ebe315_JaffaCakes118.exe
1544	c255d1a0cac5190a5b67802029ebe315_JaffaCakes118.exe
1544	c255d1a0cac5190a5b67802029ebe315_JaffaCakes118.exe
1544	c255d1a0cac5190a5b67802029ebe315_JaffaCakes118.exe
1544	c255d1a0cac5190a5b67802029ebe315_JaffaCakes118.exe
1544	c255d1a0cac5190a5b67802029ebe315_JaffaCakes118.exe
1544	c255d1a0cac5190a5b67802029ebe315_JaffaCakes118.exe
1544	c255d1a0cac5190a5b67802029ebe315_JaffaCakes118.exe
1544	c255d1a0cac5190a5b67802029ebe315_JaffaCakes118.exe
1544	c255d1a0cac5190a5b67802029ebe315_JaffaCakes118.exe
1544	c255d1a0cac5190a5b67802029ebe315_JaffaCakes118.exe
1544	c255d1a0cac5190a5b67802029ebe315_JaffaCakes118.exe
1544	c255d1a0cac5190a5b67802029ebe315_JaffaCakes118.exe
1544	c255d1a0cac5190a5b67802029ebe315_JaffaCakes118.exe
1544	c255d1a0cac5190a5b67802029ebe315_JaffaCakes118.exe
1544	c255d1a0cac5190a5b67802029ebe315_JaffaCakes118.exe
1544	c255d1a0cac5190a5b67802029ebe315_JaffaCakes118.exe
1544	c255d1a0cac5190a5b67802029ebe315_JaffaCakes118.exe
1544	c255d1a0cac5190a5b67802029ebe315_JaffaCakes118.exe
1544	c255d1a0cac5190a5b67802029ebe315_JaffaCakes118.exe
1544	c255d1a0cac5190a5b67802029ebe315_JaffaCakes118.exe
1544	c255d1a0cac5190a5b67802029ebe315_JaffaCakes118.exe
1544	c255d1a0cac5190a5b67802029ebe315_JaffaCakes118.exe
1544	c255d1a0cac5190a5b67802029ebe315_JaffaCakes118.exe
1544	c255d1a0cac5190a5b67802029ebe315_JaffaCakes118.exe
1544	c255d1a0cac5190a5b67802029ebe315_JaffaCakes118.exe
1544	c255d1a0cac5190a5b67802029ebe315_JaffaCakes118.exe
1544	c255d1a0cac5190a5b67802029ebe315_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\c255d1a0cac5190a5b67802029ebe315_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\c255d1a0cac5190a5b67802029ebe315_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1544

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\XFJBYZGJ\ExtMenu.fnr

Filesize
188KB

MD5
d349db91d4dad08a06b4654376e3a5e4

SHA1
9132ad92f4ef7ba0dc61a5be182ba32a787d5c98

SHA256
c3bcfb6c7529d870ba160f8661e4ce1053205e374a2db9b84feda32b094248dc

SHA512
ccb4bfb9ced0cf9193ea1b56cdfd5a47e4e18c3198c2de15fc288bd3a5aeadbd0e6bd7a5349cbba1574596dd306fe17a5f9583c6ff099c3f62b21215e652d9e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\XFJBYZGJ\eAPI.fne

Filesize
328KB

MD5
d0e0d53a970aaa7068bdb41a6b8a7c5a

SHA1
b4fde4e2b7924e1fd76c094a5a7244d1fd351700

SHA256
6898d235f653db69a96a614259a6512db1a89b638d3c00dfaa72339595d3bdfe

SHA512
f4dfd2e64f0505861286fe71cf272119518b1e0b18e4ea3095d62c616fcd6d6dff953218fff8da6d42343303d56a9eee815f0ba3ab16c6514e1fe19fdb8c7660

Download Submit
C:\Users\Admin\AppData\Local\Temp\XFJBYZGJ\iext.fnr

Filesize
216KB

MD5
cba933625bfa502fc4a1d9f34e1e4473

SHA1
5319194388c0e53321f99f1541b97af191999a09

SHA256
25549c7781b3f1b92e73b0ea721d177207cce914a66f3229a71291f2eb160013

SHA512
f5fb4b97c4f68a20e0847e6528740ce659c4501726f3b2dff1ac83e88a3b7198099da03edb0f069cd4af7ed568a2373597b235cd239895addfa5226d3a444142

Download Submit
C:\Users\Admin\AppData\Local\Temp\XFJBYZGJ\iext3.fne

Filesize
368KB

MD5
ed760350798b43e32a7a580680cdbcd1

SHA1
a1f7913a326a980416e8ac1404a68b7dfd3869eb

SHA256
26e0581fc0fe2f51fb1730917538cee9af587a3e156b0e8dcd050b15dccba863

SHA512
a24c11453678a1dd4e6521b3ebbac8b01a00458c329239bd3519e84a97cad4963070d715eeba610392eb793486fdc7bea5d073c084eac4aae6da00073aca7841

Download Submit
C:\Users\Admin\AppData\Local\Temp\XFJBYZGJ\krnln.fnr

Filesize
1.1MB

MD5
3fe72f93ab5f24a0ea2d753013a41c4b

SHA1
9206cd206c0b2782a2b1ad1d19ace97bae6e491e

SHA256
db32e8ea1d91009ca25b79d7e863a08be56632641a7a145326fbfbf0931b6c79

SHA512
24ce75304e6b5508d9bbf425a68b1907bc51f30c168dd3b800f34e1f7fc1aee044818848d1fde40e7556af5f16f94ea02d19344bd9ffda1a6d011a624d6f46e9

Download Submit
memory/1544-0-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1544-12-0x00000000027C0000-0x000000000282C000-memory.dmp

Filesize
432KB

Download
memory/1544-20-0x00000000028E0000-0x0000000002924000-memory.dmp

Filesize
272KB

Download
memory/1544-26-0x0000000002A60000-0x0000000002A9F000-memory.dmp

Filesize
252KB

Download
memory/1544-33-0x0000000002AD0000-0x0000000002B31000-memory.dmp

Filesize
388KB

Download
memory/1544-37-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads