213b26ae2636e5fdfebcae7723fab4d523de2406155e198f299eb8edbfe58581

Reason

Machine shutdown

General

Target

d3fa291174e309fa1ea320dc1c642d12_JaffaCakes118.exe
Size

477KB
MD5

d3fa291174e309fa1ea320dc1c642d12
SHA1

6d499b7238e802949a3ebda53721d3ae41a68794
SHA256

213b26ae2636e5fdfebcae7723fab4d523de2406155e198f299eb8edbfe58581
SHA512

5b800301578a975635cd374b7d2fc89e887ff856291c3512e7c7e8536e0dafe65ee6293192b4cc9a5ed50de96b277f9de73c16e69d815f9d0b561357b1acd7e4
SSDEEP

12288:FsvU983wtVMtIaMjY6r+kRkBb63vd1Mp8upU5ks4FW:FF2wsOt+w2Y1Mp8ul4

Score

7^/10

bootkit defense_evasion discovery persistence

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
3368	T3K9ZAW7.exe
3104	wot.exe
2004	xot.exe

Loads dropped DLL 1 IoCs

pid	Process
3288	rundll32.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Iyivaxacumirux = "rundll32.exe \"C:\\Users\\Admin\\AppData\\Local\\Mapsvet.dll\",Startup"	rundll32.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\physicaldrive0	wot.exe

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d3fa291174e309fa1ea320dc1c642d12_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	T3K9ZAW7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wot.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xot.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3368	T3K9ZAW7.exe
3368	T3K9ZAW7.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3104	wot.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3368	T3K9ZAW7.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2400 wrote to memory of 3368	2400	d3fa291174e309fa1ea320dc1c642d12_JaffaCakes118.exe	83
PID 2400 wrote to memory of 3368	2400	d3fa291174e309fa1ea320dc1c642d12_JaffaCakes118.exe	83
PID 2400 wrote to memory of 3368	2400	d3fa291174e309fa1ea320dc1c642d12_JaffaCakes118.exe	83
PID 2400 wrote to memory of 3104	2400	d3fa291174e309fa1ea320dc1c642d12_JaffaCakes118.exe	84
PID 2400 wrote to memory of 3104	2400	d3fa291174e309fa1ea320dc1c642d12_JaffaCakes118.exe	84
PID 2400 wrote to memory of 3104	2400	d3fa291174e309fa1ea320dc1c642d12_JaffaCakes118.exe	84
PID 2400 wrote to memory of 2004	2400	d3fa291174e309fa1ea320dc1c642d12_JaffaCakes118.exe	85
PID 2400 wrote to memory of 2004	2400	d3fa291174e309fa1ea320dc1c642d12_JaffaCakes118.exe	85
PID 2400 wrote to memory of 2004	2400	d3fa291174e309fa1ea320dc1c642d12_JaffaCakes118.exe	85
PID 2400 wrote to memory of 1796	2400	d3fa291174e309fa1ea320dc1c642d12_JaffaCakes118.exe	86
PID 2400 wrote to memory of 1796	2400	d3fa291174e309fa1ea320dc1c642d12_JaffaCakes118.exe	86
PID 2400 wrote to memory of 1796	2400	d3fa291174e309fa1ea320dc1c642d12_JaffaCakes118.exe	86
PID 2004 wrote to memory of 3288	2004	xot.exe	88
PID 2004 wrote to memory of 3288	2004	xot.exe	88
PID 2004 wrote to memory of 3288	2004	xot.exe	88

C:\Users\Admin\AppData\Local\Temp\d3fa291174e309fa1ea320dc1c642d12_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d3fa291174e309fa1ea320dc1c642d12_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2400
- C:\Users\Admin\T3K9ZAW7.exe
  T3K9ZAW7.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:3368
- C:\Users\Admin\wot.exe
  wot.exe
  2⤵
  - Executes dropped EXE
  - Writes to the Master Boot Record (MBR)
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:3104
- C:\Users\Admin\xot.exe
  xot.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2004
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe "C:\Users\Admin\AppData\Local\Mapsvet.dll",Startup
    3⤵
    - Loads dropped DLL
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    PID:3288
- C:\Windows\SysWOW64\cmd.exe
  cmd /c del d3fa291174e309fa1ea320dc1c642d12_JaffaCakes118.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1796

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Indicator Removal

1

T1070

File Deletion

Modify Registry

Pre-OS Boot

T1542

Bootkit

1

T1542.003

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Mapsvet.dll

Filesize
103KB

MD5
b830953856e06807f6419663f6d05cc6

SHA1
1985aa83dbcaad52a6098a7bffcd8688f0d203aa

SHA256
ed89baf97368e00ae45aa798fda02ed521557898bd6c9c50b2b98a035dceb81e

SHA512
6553f322de9e87e3bff14a08c500b69aa2ce3a0946e25bf9464c7d7dca22d96ef2da2fe00ed86e2d687a9f8f4345ab5189130a7c95606275df19d2f9169b354b

Download Submit
C:\Users\Admin\T3K9ZAW7.exe

Filesize
140KB

MD5
13af4de26b3ee9d02e8dd721f6b81fe9

SHA1
6036d52a71cc9a5f176db6d40cdea0e8d1b023ce

SHA256
10301813c139bbb2f2cbc5a47a8b78989c37cf56bfcdf8cbb2fd324057a799e3

SHA512
05c69348ac57578fdf81c035350ee6856ee17a72c1c1359013d5ec50430804c781753eb995870262157ba557c102285a4b012c2e53a73971213d9fdb269faa66

Download Submit
C:\Users\Admin\wot.exe

Filesize
175KB

MD5
c9b7e9a83250faf3135bb70343030c16

SHA1
f738cf9018d564ec802b684e38b54ecdf0a679f6

SHA256
26d3130abf8d1f0d234e7be1f28de877d7ae871ec96f179f9d49d8156c20c1ea

SHA512
2c574af59c9131a2917024f644176ca6311e6433be53d9602e4db873d01da16f9e1f4dc7952b9b667a4f8fac346037e30d5337db5cd895c13b51635c44a024c4

Download Submit
C:\Users\Admin\xot.exe

Filesize
103KB

MD5
b47a4d45ef404a997dcd2f98fe4a1420

SHA1
e55a876e4098a705be35e1a9c78c65a97ae5f27d

SHA256
9863f46ae1d3e2f835b713e2fb32c831e27941b4cdbb11663780e2101df6289b

SHA512
1f83decef10da3e7537dde84cebfd4ec2ca7dab05e3fb72237ad2d627f544d493d501822bf0927bc3cc061442cbe779cf054b87da1decc77a3b9eb6fa07ebd20

Download Submit
C:\deemuux.exe

Filesize
140KB

MD5
b4cd022fb4dcacabce4b6d511093e595

SHA1
9802aa55b5fc519a718700673b8164513826c24c

SHA256
2c8b5e3bc4a629044564424e158df953db646f79610d9d14e8bebffefe2f763f

SHA512
f6261496c6608aa1f7dd88e6a7e50621a62f23c336048f8f08f46b3e9a624d0600a78bd906c2c3b69baeddc0c2db335f2ad8dee4ee5fd5ce6624a1ab13e586da

Download Submit
memory/2004-30-0x0000000010000000-0x000000001001D000-memory.dmp

Filesize
116KB

Download
memory/2004-16-0x0000000010000000-0x000000001001D000-memory.dmp

Filesize
116KB

Download
memory/2004-20-0x0000000000700000-0x0000000000710000-memory.dmp

Filesize
64KB

Download
memory/2004-19-0x0000000000700000-0x0000000000710000-memory.dmp

Filesize
64KB

Download
memory/3104-18-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/3104-17-0x0000000000403000-0x0000000000404000-memory.dmp

Filesize
4KB

Download
memory/3104-31-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/3104-32-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/3104-12-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/3288-29-0x00000000022F0000-0x0000000002300000-memory.dmp

Filesize
64KB

Download
memory/3288-28-0x00000000022F0000-0x0000000002300000-memory.dmp

Filesize
64KB

Download
memory/3288-27-0x0000000010000000-0x000000001001D000-memory.dmp

Filesize
116KB

Download

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads