cee49c7628f69b6964cda64c69b4ac2c1817b40fa9ee3cf4018fb11a5be25118

General

Target

df87fcc8efdd14966aef8ca2b9327b0e_JaffaCakes118.exe
Size

917KB
MD5

df87fcc8efdd14966aef8ca2b9327b0e
SHA1

6d0531efa40d9aeac218195e98050a07fa86c692
SHA256

cee49c7628f69b6964cda64c69b4ac2c1817b40fa9ee3cf4018fb11a5be25118
SHA512

3a8526391d8030fa7508afd43d047702af44cd1eefed5a4fb177c67df14fdd59e1d97c872e67f6b80dac84d4d6c807afa2e685ed4a3434c1fc550bf4c5eecc2e
SSDEEP

24576:OIa7MvMoIcea/ynZ63sqqggZhefKsZKnOIB:Og0Ge2EGZKnfB

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2316	cmd.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2180-0-0x0000000000400000-0x00000000004E7000-memory.dmp	upx
behavioral1/memory/2180-24-0x0000000000400000-0x00000000004E7000-memory.dmp	upx
behavioral1/files/0x0006000000019397-26.dat	upx

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	df87fcc8efdd14966aef8ca2b9327b0e_JaffaCakes118.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Common Files\TaoBao\ÌÔ±¦.ico	df87fcc8efdd14966aef8ca2b9327b0e_JaffaCakes118.exe
File created	C:\Program Files (x86)\Common Files\TaoBao\Ð¡ÓÎÏ·.ico	df87fcc8efdd14966aef8ca2b9327b0e_JaffaCakes118.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\RtkSYUdp.exe	df87fcc8efdd14966aef8ca2b9327b0e_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	df87fcc8efdd14966aef8ca2b9327b0e_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\software\Wow6432Node\microsoft\internet explorer\version Vector	df87fcc8efdd14966aef8ca2b9327b0e_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main	df87fcc8efdd14966aef8ca2b9327b0e_JaffaCakes118.exe

Modifies registry class 28 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.1nk\ = "lnkfile"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.1nk\ShellEx\{00021500-0000-0000-C000-000000000046}	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.1nk\ShellNew\Command = "rundll32.exe appwiz.cpl,NewLinkHere %1"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.ur1\ = "InternetShortcut"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.ur1\PersistentHandler	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.ur1\ShellEx	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.ur1\ShellEx\{000214F9-0000-0000-C000-000000000046}\ = "{FBF23B40-E3F0-101B-8488-00AA003E56F8}"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.ur1\ShellEx\{CABB0DA0-DA57-11CF-9974-0020AFD79762}\ = "{FBF23B40-E3F0-101B-8488-00AA003E56F8}"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.1nk	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.ur1\PersistentHandler\ = "{5e941d80-bf96-11cd-b579-08002b30bfeb}"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.1nk\ShellEx\{000214F9-0000-0000-C000-000000000046}	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.ur1\ShellEx\{000214EE-0000-0000-C000-000000000046}	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.ur1\ShellEx\{00021500-0000-0000-C000-000000000046}	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.ur1\ShellEx\{00021500-0000-0000-C000-000000000046}\ = "{FBF23B40-E3F0-101B-8488-00AA003E56F8}"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.1nk\ShellEx	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.1nk\ShellEx\{000214EE-0000-0000-C000-000000000046}\ = "{00021401-0000-0000-C000-000000000046}"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.ur1	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.ur1\ShellEx\{000214EE-0000-0000-C000-000000000046}\ = "{FBF23B40-E3F0-101B-8488-00AA003E56F8}"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.ur1\ShellEx\{FBF23B80-E3F0-101B-8488-00AA003E56F8}	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.1nk\ShellEx\{000214EE-0000-0000-C000-000000000046}	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.1nk\ShellNew	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.ur1\ShellEx\{CABB0DA0-DA57-11CF-9974-0020AFD79762}	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.1nk\ShellEx\{BB2E617C-0920-11d1-9A0B-00C04FC2D6C1}\ = "{00021401-0000-0000-C000-000000000046}"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.ur1\ShellEx\{000214F9-0000-0000-C000-000000000046}	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.ur1\ShellEx\{FBF23B80-E3F0-101B-8488-00AA003E56F8}\ = "{FBF23B40-E3F0-101B-8488-00AA003E56F8}"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.1nk\ShellEx\{000214F9-0000-0000-C000-000000000046}\ = "{00021401-0000-0000-C000-000000000046}"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.1nk\ShellEx\{00021500-0000-0000-C000-000000000046}\ = "{00021401-0000-0000-C000-000000000046}"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.1nk\ShellEx\{BB2E617C-0920-11d1-9A0B-00C04FC2D6C1}	regedit.exe

Runs regedit.exe 2 IoCs

pid	Process
2692	regedit.exe
2360	regedit.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
2180	df87fcc8efdd14966aef8ca2b9327b0e_JaffaCakes118.exe
2180	df87fcc8efdd14966aef8ca2b9327b0e_JaffaCakes118.exe
2180	df87fcc8efdd14966aef8ca2b9327b0e_JaffaCakes118.exe
2180	df87fcc8efdd14966aef8ca2b9327b0e_JaffaCakes118.exe
2180	df87fcc8efdd14966aef8ca2b9327b0e_JaffaCakes118.exe
2180	df87fcc8efdd14966aef8ca2b9327b0e_JaffaCakes118.exe
2180	df87fcc8efdd14966aef8ca2b9327b0e_JaffaCakes118.exe
2180	df87fcc8efdd14966aef8ca2b9327b0e_JaffaCakes118.exe
2180	df87fcc8efdd14966aef8ca2b9327b0e_JaffaCakes118.exe
2180	df87fcc8efdd14966aef8ca2b9327b0e_JaffaCakes118.exe
2180	df87fcc8efdd14966aef8ca2b9327b0e_JaffaCakes118.exe
2180	df87fcc8efdd14966aef8ca2b9327b0e_JaffaCakes118.exe
2180	df87fcc8efdd14966aef8ca2b9327b0e_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2180	df87fcc8efdd14966aef8ca2b9327b0e_JaffaCakes118.exe
2180	df87fcc8efdd14966aef8ca2b9327b0e_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2180 wrote to memory of 2692	2180	df87fcc8efdd14966aef8ca2b9327b0e_JaffaCakes118.exe	30
PID 2180 wrote to memory of 2692	2180	df87fcc8efdd14966aef8ca2b9327b0e_JaffaCakes118.exe	30
PID 2180 wrote to memory of 2692	2180	df87fcc8efdd14966aef8ca2b9327b0e_JaffaCakes118.exe	30
PID 2180 wrote to memory of 2692	2180	df87fcc8efdd14966aef8ca2b9327b0e_JaffaCakes118.exe	30
PID 2180 wrote to memory of 2360	2180	df87fcc8efdd14966aef8ca2b9327b0e_JaffaCakes118.exe	31
PID 2180 wrote to memory of 2360	2180	df87fcc8efdd14966aef8ca2b9327b0e_JaffaCakes118.exe	31
PID 2180 wrote to memory of 2360	2180	df87fcc8efdd14966aef8ca2b9327b0e_JaffaCakes118.exe	31
PID 2180 wrote to memory of 2360	2180	df87fcc8efdd14966aef8ca2b9327b0e_JaffaCakes118.exe	31
PID 2180 wrote to memory of 2316	2180	df87fcc8efdd14966aef8ca2b9327b0e_JaffaCakes118.exe	33
PID 2180 wrote to memory of 2316	2180	df87fcc8efdd14966aef8ca2b9327b0e_JaffaCakes118.exe	33
PID 2180 wrote to memory of 2316	2180	df87fcc8efdd14966aef8ca2b9327b0e_JaffaCakes118.exe	33
PID 2180 wrote to memory of 2316	2180	df87fcc8efdd14966aef8ca2b9327b0e_JaffaCakes118.exe	33
PID 2316 wrote to memory of 1776	2316	cmd.exe	35
PID 2316 wrote to memory of 1776	2316	cmd.exe	35
PID 2316 wrote to memory of 1776	2316	cmd.exe	35
PID 2316 wrote to memory of 1776	2316	cmd.exe	35

C:\Users\Admin\AppData\Local\Temp\df87fcc8efdd14966aef8ca2b9327b0e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\df87fcc8efdd14966aef8ca2b9327b0e_JaffaCakes118.exe"
1⤵
- Writes to the Master Boot Record (MBR)
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2180
- C:\Windows\SysWOW64\regedit.exe
  regedit /s C:\Users\Admin\AppData\Local\Temp\$rar10656.tmp
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Runs regedit.exe
  PID:2692
- C:\Windows\SysWOW64\regedit.exe
  regedit /s C:\Users\Admin\AppData\Local\Temp\$10943.tmp
  2⤵
  - System Location Discovery: System Language Discovery
  - Runs regedit.exe
  PID:2360
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\$$dmsf.bat
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2316
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1776

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\$$dmsf.bat

Filesize
629B

MD5
c3d397a0349833e4b04cc8ef028a6095

SHA1
9c739fcb35118ca24eeb9302a4826d8f55dd66c6

SHA256
17ca51859e4a9ec64a8f0df9658ef1d291d23b2822dab9c1aaed26ed7ee646f8

SHA512
0d14bd69d28b4e58ab0d88bfdeffa3db480ba773c83ec27b086bd8ce2323b90587797d5e413ef4c647bb60d88ddb6b68296f95aa18ebea022022e570a36dfdf1

Download Submit
C:\Users\Admin\AppData\Local\Temp\$rar10656.tmp

Filesize
1KB

MD5
f9ce5c8a3059991babf4084151caa492

SHA1
26567f89a885b0e69f24309c3e5c58e8e938f841

SHA256
e82c214f33cad1b25146758e22fd887b15f63b1a7a8d716b358c50dc5c3d4e96

SHA512
cce48827588aa5968453a8a69baeab8435083dca1d625d079b01d4f9292c7bcb85ab1217f1cf96ea301eef49b7a96a76b58413d4496f1c35e234df7c7e5c9750

Download Submit
C:\Users\Admin\AppData\Local\Temp\$rar10943.tmp

Filesize
142B

MD5
1722b85f05faa97e09cc1d98002d0711

SHA1
0a2ec5d60f6c8af838fc004e8fbb0b436437887f

SHA256
2c428a167d8dabe9b4e4e821f5d56333962208ef44bc0becbf9c968f1e583e21

SHA512
40393e3b6f958a2b0303810ba3653f55b18ff22439df78487752c92cbe0a510120b2a078b31805980ae2ceaa4465674bfc2ce03803988481fd633e2b9c3ca3b8

Download Submit
C:\Windows\RtkSYUdp.exe

Filesize
30KB

MD5
d0cd586c5c857850a188e778b971f25a

SHA1
3f584fd89e41151c389b4701d876d2bdd2885fc2

SHA256
2f6cd2ed9806a09fecce1f96cd5b3f77fc0339ddbbb4c31aab25e85fd3f268eb

SHA512
995f539c7163e0e49c7cc4687dd29dac4ac88501410d8c9935f99d993b14bf5fe349cdcdc9f61d4f308c280536b54f54ae7d041565c73a2340881f68e7b2c41c

Download Submit
memory/2180-0-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/2180-1-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2180-24-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads