213b26ae2636e5fdfebcae7723fab4d523de2406155e198f299eb8edbfe58581

General

Target

d3fa291174e309fa1ea320dc1c642d12_JaffaCakes118.exe
Size

477KB
MD5

d3fa291174e309fa1ea320dc1c642d12
SHA1

6d499b7238e802949a3ebda53721d3ae41a68794
SHA256

213b26ae2636e5fdfebcae7723fab4d523de2406155e198f299eb8edbfe58581
SHA512

5b800301578a975635cd374b7d2fc89e887ff856291c3512e7c7e8536e0dafe65ee6293192b4cc9a5ed50de96b277f9de73c16e69d815f9d0b561357b1acd7e4
SSDEEP

12288:FsvU983wtVMtIaMjY6r+kRkBb63vd1Mp8upU5ks4FW:FF2wsOt+w2Y1Mp8ul4

Score

7^/10

bootkit defense_evasion discovery persistence

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2568	cmd.exe

Executes dropped EXE 3 IoCs

pid	Process
2764	T3K9ZAW7.exe
2680	wot.exe
2068	xot.exe

Loads dropped DLL 10 IoCs

pid	Process
2260	d3fa291174e309fa1ea320dc1c642d12_JaffaCakes118.exe
2260	d3fa291174e309fa1ea320dc1c642d12_JaffaCakes118.exe
2260	d3fa291174e309fa1ea320dc1c642d12_JaffaCakes118.exe
2260	d3fa291174e309fa1ea320dc1c642d12_JaffaCakes118.exe
2260	d3fa291174e309fa1ea320dc1c642d12_JaffaCakes118.exe
2260	d3fa291174e309fa1ea320dc1c642d12_JaffaCakes118.exe
2348	rundll32.exe
2348	rundll32.exe
2348	rundll32.exe
2348	rundll32.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\Jhozajele = "rundll32.exe \"C:\\Users\\Admin\\AppData\\Local\\mspror.dll\",Startup"	rundll32.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\physicaldrive0	wot.exe

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d3fa291174e309fa1ea320dc1c642d12_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	T3K9ZAW7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xot.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2764	T3K9ZAW7.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2680	wot.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2764	T3K9ZAW7.exe

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 2260 wrote to memory of 2764	2260	d3fa291174e309fa1ea320dc1c642d12_JaffaCakes118.exe	30
PID 2260 wrote to memory of 2764	2260	d3fa291174e309fa1ea320dc1c642d12_JaffaCakes118.exe	30
PID 2260 wrote to memory of 2764	2260	d3fa291174e309fa1ea320dc1c642d12_JaffaCakes118.exe	30
PID 2260 wrote to memory of 2764	2260	d3fa291174e309fa1ea320dc1c642d12_JaffaCakes118.exe	30
PID 2260 wrote to memory of 2680	2260	d3fa291174e309fa1ea320dc1c642d12_JaffaCakes118.exe	31
PID 2260 wrote to memory of 2680	2260	d3fa291174e309fa1ea320dc1c642d12_JaffaCakes118.exe	31
PID 2260 wrote to memory of 2680	2260	d3fa291174e309fa1ea320dc1c642d12_JaffaCakes118.exe	31
PID 2260 wrote to memory of 2680	2260	d3fa291174e309fa1ea320dc1c642d12_JaffaCakes118.exe	31
PID 2260 wrote to memory of 2068	2260	d3fa291174e309fa1ea320dc1c642d12_JaffaCakes118.exe	32
PID 2260 wrote to memory of 2068	2260	d3fa291174e309fa1ea320dc1c642d12_JaffaCakes118.exe	32
PID 2260 wrote to memory of 2068	2260	d3fa291174e309fa1ea320dc1c642d12_JaffaCakes118.exe	32
PID 2260 wrote to memory of 2068	2260	d3fa291174e309fa1ea320dc1c642d12_JaffaCakes118.exe	32
PID 2260 wrote to memory of 2568	2260	d3fa291174e309fa1ea320dc1c642d12_JaffaCakes118.exe	33
PID 2260 wrote to memory of 2568	2260	d3fa291174e309fa1ea320dc1c642d12_JaffaCakes118.exe	33
PID 2260 wrote to memory of 2568	2260	d3fa291174e309fa1ea320dc1c642d12_JaffaCakes118.exe	33
PID 2260 wrote to memory of 2568	2260	d3fa291174e309fa1ea320dc1c642d12_JaffaCakes118.exe	33
PID 2068 wrote to memory of 2348	2068	xot.exe	34
PID 2068 wrote to memory of 2348	2068	xot.exe	34
PID 2068 wrote to memory of 2348	2068	xot.exe	34
PID 2068 wrote to memory of 2348	2068	xot.exe	34
PID 2068 wrote to memory of 2348	2068	xot.exe	34
PID 2068 wrote to memory of 2348	2068	xot.exe	34
PID 2068 wrote to memory of 2348	2068	xot.exe	34

C:\Users\Admin\AppData\Local\Temp\d3fa291174e309fa1ea320dc1c642d12_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d3fa291174e309fa1ea320dc1c642d12_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2260
- C:\Users\Admin\T3K9ZAW7.exe
  T3K9ZAW7.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:2764
- C:\Users\Admin\wot.exe
  wot.exe
  2⤵
  - Executes dropped EXE
  - Writes to the Master Boot Record (MBR)
  - Suspicious use of AdjustPrivilegeToken
  PID:2680
- C:\Users\Admin\xot.exe
  xot.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2068
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe "C:\Users\Admin\AppData\Local\mspror.dll",Startup
    3⤵
    - Loads dropped DLL
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    PID:2348
- C:\Windows\SysWOW64\cmd.exe
  cmd /c del d3fa291174e309fa1ea320dc1c642d12_JaffaCakes118.exe
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2568

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Indicator Removal

1

T1070

File Deletion

Modify Registry

Pre-OS Boot

T1542

Bootkit

1

T1542.003

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\mspror.dll

Filesize
103KB

MD5
b830953856e06807f6419663f6d05cc6

SHA1
1985aa83dbcaad52a6098a7bffcd8688f0d203aa

SHA256
ed89baf97368e00ae45aa798fda02ed521557898bd6c9c50b2b98a035dceb81e

SHA512
6553f322de9e87e3bff14a08c500b69aa2ce3a0946e25bf9464c7d7dca22d96ef2da2fe00ed86e2d687a9f8f4345ab5189130a7c95606275df19d2f9169b354b

Download Submit
C:\Users\Admin\T3K9ZAW7.exe

Filesize
140KB

MD5
13af4de26b3ee9d02e8dd721f6b81fe9

SHA1
6036d52a71cc9a5f176db6d40cdea0e8d1b023ce

SHA256
10301813c139bbb2f2cbc5a47a8b78989c37cf56bfcdf8cbb2fd324057a799e3

SHA512
05c69348ac57578fdf81c035350ee6856ee17a72c1c1359013d5ec50430804c781753eb995870262157ba557c102285a4b012c2e53a73971213d9fdb269faa66

Download Submit
C:\Users\Admin\xot.exe

Filesize
103KB

MD5
b47a4d45ef404a997dcd2f98fe4a1420

SHA1
e55a876e4098a705be35e1a9c78c65a97ae5f27d

SHA256
9863f46ae1d3e2f835b713e2fb32c831e27941b4cdbb11663780e2101df6289b

SHA512
1f83decef10da3e7537dde84cebfd4ec2ca7dab05e3fb72237ad2d627f544d493d501822bf0927bc3cc061442cbe779cf054b87da1decc77a3b9eb6fa07ebd20

Download Submit
\Users\Admin\wot.exe

Filesize
175KB

MD5
c9b7e9a83250faf3135bb70343030c16

SHA1
f738cf9018d564ec802b684e38b54ecdf0a679f6

SHA256
26d3130abf8d1f0d234e7be1f28de877d7ae871ec96f179f9d49d8156c20c1ea

SHA512
2c574af59c9131a2917024f644176ca6311e6433be53d9602e4db873d01da16f9e1f4dc7952b9b667a4f8fac346037e30d5337db5cd895c13b51635c44a024c4

Download Submit
memory/2068-44-0x0000000010000000-0x000000001001D000-memory.dmp

Filesize
116KB

Download
memory/2068-36-0x0000000000600000-0x0000000000640000-memory.dmp

Filesize
256KB

Download
memory/2068-32-0x0000000010000000-0x000000001001D000-memory.dmp

Filesize
116KB

Download
memory/2068-37-0x0000000000600000-0x0000000000640000-memory.dmp

Filesize
256KB

Download
memory/2260-20-0x0000000000330000-0x0000000000387000-memory.dmp

Filesize
348KB

Download
memory/2260-19-0x0000000000330000-0x0000000000387000-memory.dmp

Filesize
348KB

Download
memory/2348-54-0x0000000010000000-0x000000001001D000-memory.dmp

Filesize
116KB

Download
memory/2348-52-0x0000000000CF0000-0x0000000000D30000-memory.dmp

Filesize
256KB

Download
memory/2348-51-0x0000000000CF0000-0x0000000000D30000-memory.dmp

Filesize
256KB

Download
memory/2680-38-0x0000000000330000-0x0000000000387000-memory.dmp

Filesize
348KB

Download
memory/2680-45-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2680-39-0x0000000000333000-0x0000000000334000-memory.dmp

Filesize
4KB

Download
memory/2680-40-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2680-28-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2680-29-0x0000000000403000-0x0000000000404000-memory.dmp

Filesize
4KB

Download
memory/2680-30-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads