9e881875f6eac6184b4aa38eb1c7a0215174bd74001fa71a5d394023ad37fb56

General

Target

de381437a4e257e75836699d38c45ee3_JaffaCakes118.exe
Size

469KB
MD5

de381437a4e257e75836699d38c45ee3
SHA1

8c4f2c29ebfb63cb338e98a5898125afcfc3f804
SHA256

9e881875f6eac6184b4aa38eb1c7a0215174bd74001fa71a5d394023ad37fb56
SHA512

21e1f7b094cb3b22e96fea891c338e328ca608d86ae703c7a43130aa1f0fa607a5a79d962a4c82b7fcfa308b57eba6cc50d12404fce46a46540b480b1e9cec50
SSDEEP

12288:8VoBOICXD/vDlctPl/SzYE1f7RFeMjrJLpZ:8COIIDz6tN/yYGRYMpL/

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1144	asdfasdf.exe
2492	EntSver.exe

Loads dropped DLL 2 IoCs

pid	Process
1620	de381437a4e257e75836699d38c45ee3_JaffaCakes118.exe
1620	de381437a4e257e75836699d38c45ee3_JaffaCakes118.exe

Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	asdfasdf.exe
File opened for modification	\??\PhysicalDrive0	EntSver.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\EntSver.exe	asdfasdf.exe
File opened for modification	C:\Windows\EntSver.exe	asdfasdf.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	de381437a4e257e75836699d38c45ee3_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	asdfasdf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DllHost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EntSver.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1144	asdfasdf.exe
Token: SeDebugPrivilege	2492	EntSver.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2560	DllHost.exe
2492	EntSver.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1620 wrote to memory of 1144	1620	de381437a4e257e75836699d38c45ee3_JaffaCakes118.exe	30
PID 1620 wrote to memory of 1144	1620	de381437a4e257e75836699d38c45ee3_JaffaCakes118.exe	30
PID 1620 wrote to memory of 1144	1620	de381437a4e257e75836699d38c45ee3_JaffaCakes118.exe	30
PID 1620 wrote to memory of 1144	1620	de381437a4e257e75836699d38c45ee3_JaffaCakes118.exe	30
PID 2492 wrote to memory of 2672	2492	EntSver.exe	33
PID 2492 wrote to memory of 2672	2492	EntSver.exe	33
PID 2492 wrote to memory of 2672	2492	EntSver.exe	33
PID 2492 wrote to memory of 2672	2492	EntSver.exe	33

C:\Users\Admin\AppData\Local\Temp\de381437a4e257e75836699d38c45ee3_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\de381437a4e257e75836699d38c45ee3_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1620
- C:\Users\Admin\AppData\Local\Temp\asdfasdf.exe
  "C:\Users\Admin\AppData\Local\Temp\asdfasdf.exe"
  2⤵
  - Executes dropped EXE
  - Writes to the Master Boot Record (MBR)
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:1144

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
PID:2560

C:\Windows\EntSver.exe
C:\Windows\EntSver.exe
1⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2492
- C:\Program Files\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
  2⤵
  PID:2672

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\0903.png

Filesize
21KB

MD5
8721fe4640cc3725947e67d74a81217d

SHA1
f5190a1122adc944ca65ec6d7fa2bba864a75b1b

SHA256
130736483f4e6c281c04977e6df7723c061fed078df329bc965d9f3a7075f871

SHA512
91298154528e0fe6c1cb8f9fd3e1053530580e554b0fe2433f9929b039b62192d4e2ff55de81915a278a1dcf883368504853d04e457672c93780cd27cfa0a479

Download Submit
C:\Users\Admin\AppData\Local\Temp\asdfasdf.exe

Filesize
512KB

MD5
d31317f4526701f7c47ffbc64172206a

SHA1
29696930495889d0c4b88866ca24429937df2fbc

SHA256
d0caa3f287feaf175b1da9dc4c4bc89ec241a7867904214fe87627288b35d307

SHA512
c406f6c522f9867300233a31e97ff62a0721e4aef80e42d0c9019950b3c46b7568613e9ae7ee415e1b29eb6632474200bee87762d855f891c9a03e75b084e059

Download Submit
memory/1144-26-0x0000000000400000-0x00000000004F4000-memory.dmp

Filesize
976KB

Download
memory/1144-15-0x0000000000350000-0x0000000000393000-memory.dmp

Filesize
268KB

Download
memory/1144-14-0x0000000000400000-0x00000000004F4000-memory.dmp

Filesize
976KB

Download
memory/1144-27-0x0000000000350000-0x0000000000393000-memory.dmp

Filesize
268KB

Download
memory/1620-21-0x0000000000400000-0x000000000050F000-memory.dmp

Filesize
1.1MB

Download
memory/1620-19-0x0000000000920000-0x0000000000922000-memory.dmp

Filesize
8KB

Download
memory/1620-2-0x0000000000400000-0x000000000050F000-memory.dmp

Filesize
1.1MB

Download
memory/1620-0-0x0000000000400000-0x000000000050F000-memory.dmp

Filesize
1.1MB

Download
memory/1620-1-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1620-13-0x0000000002E60000-0x0000000002F54000-memory.dmp

Filesize
976KB

Download
memory/2492-24-0x0000000000400000-0x00000000004F4000-memory.dmp

Filesize
976KB

Download
memory/2492-29-0x0000000000400000-0x00000000004F4000-memory.dmp

Filesize
976KB

Download
memory/2492-30-0x0000000000400000-0x00000000004F4000-memory.dmp

Filesize
976KB

Download
memory/2492-34-0x0000000000400000-0x00000000004F4000-memory.dmp

Filesize
976KB

Download
memory/2560-20-0x0000000000280000-0x0000000000282000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads