b1eb7e0621e6a732eb4d6f68dcfc8ae863691850fe550e9fa932457d342d5ef1

General

Target

ea4be2817857764ac3df9541f9c71b12_JaffaCakes118.exe
Size

2.2MB
MD5

ea4be2817857764ac3df9541f9c71b12
SHA1

4b0c9f4e47a72102fca25abdc58b45bd63e68502
SHA256

b1eb7e0621e6a732eb4d6f68dcfc8ae863691850fe550e9fa932457d342d5ef1
SHA512

56795a85db721716dd659fed3c3f13f653cc9bcdc04b7ac9bcc9643441007ea5a852b4b94fb81e55b0354b50e42f66e3cb0ffbbe9e6517d034bd052810c2b650
SSDEEP

49152:o2OOenGxGipXs22a/tgrYJUGfZC3wA6EylfwEaFWM:COenWhXvttLxC3sEwwMM

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2972	minidownload.exe
316	SogouSoftware.exe

Loads dropped DLL 9 IoCs

pid	Process
2548	ea4be2817857764ac3df9541f9c71b12_JaffaCakes118.exe
2548	ea4be2817857764ac3df9541f9c71b12_JaffaCakes118.exe
2548	ea4be2817857764ac3df9541f9c71b12_JaffaCakes118.exe
2548	ea4be2817857764ac3df9541f9c71b12_JaffaCakes118.exe
2972	minidownload.exe
2972	minidownload.exe
2972	minidownload.exe
2548	ea4be2817857764ac3df9541f9c71b12_JaffaCakes118.exe
316	SogouSoftware.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	ea4be2817857764ac3df9541f9c71b12_JaffaCakes118.exe

Drops file in Program Files directory 14 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\SogouSoftware\download\download\id.dat	minidownload.exe
File created	C:\Program Files (x86)\SogouSoftware\download\download\msvcr71.dll	minidownload.exe
File created	C:\Program Files (x86)\SogouSoftware\crash\ExceptionReport.exe	minidownload.exe
File created	C:\Program Files (x86)\SogouSoftware\download\download\MiniThunderPlatform.exe	minidownload.exe
File created	C:\Program Files (x86)\SogouSoftware\download\download\dl_peer_id.dll	minidownload.exe
File created	C:\Program Files (x86)\SogouSoftware\download\download\download_engine.dll	minidownload.exe
File created	C:\Program Files (x86)\SogouSoftware\download\download\msvcp71.dll	minidownload.exe
File created	C:\Program Files (x86)\SogouSoftware\SogouSoftwareLoader.dll	minidownload.exe
File created	C:\Program Files (x86)\SogouSoftware\download\download\zlib1.dll	minidownload.exe
File created	C:\Program Files (x86)\SogouSoftware\SogouSoftware.exe	minidownload.exe
File created	C:\Program Files (x86)\SogouSoftware\download\xldl.dll	minidownload.exe
File created	C:\Program Files (x86)\SogouSoftware\download\download\MiniTPFw.exe	minidownload.exe
File created	C:\Program Files (x86)\SogouSoftware\download\download\ThunderFW.exe	minidownload.exe
File created	C:\Program Files (x86)\SogouSoftware\download\download\atl71.dll	minidownload.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ea4be2817857764ac3df9541f9c71b12_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	minidownload.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SogouSoftware.exe

NSIS installer 2 IoCs

installer

resource	yara_rule
behavioral1/files/0x00070000000120fe-2.dat	nsis_installer_1
behavioral1/files/0x00070000000120fe-2.dat	nsis_installer_2

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	ea4be2817857764ac3df9541f9c71b12_JaffaCakes118.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	ea4be2817857764ac3df9541f9c71b12_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2548 wrote to memory of 2972	2548	ea4be2817857764ac3df9541f9c71b12_JaffaCakes118.exe	30
PID 2548 wrote to memory of 2972	2548	ea4be2817857764ac3df9541f9c71b12_JaffaCakes118.exe	30
PID 2548 wrote to memory of 2972	2548	ea4be2817857764ac3df9541f9c71b12_JaffaCakes118.exe	30
PID 2548 wrote to memory of 2972	2548	ea4be2817857764ac3df9541f9c71b12_JaffaCakes118.exe	30
PID 2548 wrote to memory of 2972	2548	ea4be2817857764ac3df9541f9c71b12_JaffaCakes118.exe	30
PID 2548 wrote to memory of 2972	2548	ea4be2817857764ac3df9541f9c71b12_JaffaCakes118.exe	30
PID 2548 wrote to memory of 2972	2548	ea4be2817857764ac3df9541f9c71b12_JaffaCakes118.exe	30
PID 2548 wrote to memory of 316	2548	ea4be2817857764ac3df9541f9c71b12_JaffaCakes118.exe	32
PID 2548 wrote to memory of 316	2548	ea4be2817857764ac3df9541f9c71b12_JaffaCakes118.exe	32
PID 2548 wrote to memory of 316	2548	ea4be2817857764ac3df9541f9c71b12_JaffaCakes118.exe	32
PID 2548 wrote to memory of 316	2548	ea4be2817857764ac3df9541f9c71b12_JaffaCakes118.exe	32

C:\Users\Admin\AppData\Local\Temp\ea4be2817857764ac3df9541f9c71b12_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ea4be2817857764ac3df9541f9c71b12_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- System Location Discovery: System Language Discovery
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:2548
- C:\Users\Admin\AppData\Local\Temp\minidownload.exe
  "C:\Users\Admin\AppData\Local\Temp\minidownload.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  PID:2972
- C:\Program Files (x86)\SogouSoftware\SogouSoftware.exe
  "C:\Program Files (x86)\SogouSoftware\SogouSoftware.exe" /Loader /DownLoad?status=true&softurl=https%3A%2F%2Fxiazai.sogou.com%2Fcomm%2Fredir%3Fsoftdown%3D1%26u%3Db-5xxbPWjTJoeTuIzmwjONmoKoIYNgdlHOO3Q2c4MvNKh23MthGxACf3PiVhFC4_tT41M0botNsOUo5e4hJ_GEgh3kPARemdMCiEOf3AMsXxoq48ScUzhVAV_3Jtb7DO6D9JdioEH62RKfpxjLabj7frBJYGr9wm%26pcid%3D-6901483559681028076%26w%3D2240%26filename%3Dtv.danmaku.bili.apk%26extra%3D39_myapp%26downloadtype%3Dapp%26stamp%3D20211102&iconurl=https%3A%2F%2Fimg01.sogoucdn.com%2Fv2%2Fthumb%2Fretype%2Fext%2Fjpg%2Fcls%2Fimagick%3Fappid%3D200504%26url%3Dhttp%3A%2F%2Fpp.myapp.com%2Fma_icon%2F0%2Ficon_73622_1635319263%2F256&softname=%E5%93%94%E5%93%A9%E5%93%94%E5%93%A9%E5%8A%A8%E7%94%BB&softsize=80.3+MB
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:316

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\SogouSoftware\SogouSoftware.exe

Filesize
232KB

MD5
cf2a0b38db3d7ed2601963960038531a

SHA1
6f276805b6e8f413bbb5122bc79f5411e63fc88c

SHA256
2c0976ed88e9da6117bf52049f915e4ab6c4b67529fbc699d8d19da4099e0f6a

SHA512
9d9d246cc532e0feb6a4ce7562aa75844f79cb3cca261c66b3fea5b57b5324b57089b05825789b43062f8fa2de8e6370785b66c2bc4f1b7e50da1a7edd415c9b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3FE2BD01AB6BC312BF0DADE7F797388F_896832C6BC857CFAEA9E59E166B13E2C

Filesize
471B

MD5
afafa8855d806fe62a7d16a639bc62e8

SHA1
d03f2f055220f3f2e6ce9648c7e9296179a72cf9

SHA256
2d3fe115167d7f7ac327e6fd654ec80f0d3f2c53c3e188aac233ab5a05bf061e

SHA512
9a2551f9927ccd090a662160c7b7dc8a7b4c084905f9ea2348db6d17d27b20e86cbf4444f4070f4922793eaf8bd9d5e28145fbeb782f90a6f08c4ab69cdfdc64

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3FE2BD01AB6BC312BF0DADE7F797388F_896832C6BC857CFAEA9E59E166B13E2C

Filesize
398B

MD5
c03de569b7438a77feb5343a7c9192d2

SHA1
49a6cd3539920413ea99af878ce546b19862071a

SHA256
0c86ddd826c5a3ee880ea3f1152df9513eb83e1ace6804692af704684b56f131

SHA512
abac073ce926556522955ab37623ffb415c45606783570280fce5e721f36d6d1d1e9d25a99f961b9490011f9bd4389efbecec64b660ee3bcf7265727ceae5eb8

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabCEC4.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\Y5T1ZTJB.txt

Filesize
95B

MD5
6a86303057d27be2a816178ab147b0d2

SHA1
a4d3b84fb4912f5aaf3dd3b5f289f8bae6865ddd

SHA256
69570a16c5ccddc1f1b10e3d9ff9047f46959c8d9e4a1e233a7c729afe18e195

SHA512
bdc39e8344f8edc23aab0da77627c3ff541b3d4bdb84942c5de32027b9f65639408416da3611accfe7fd0bd7a18b46a7311637a00b4c887da8989e670df7a5f5

Download Submit
\Program Files (x86)\SogouSoftware\SogouSoftwareLoader.dll

Filesize
381KB

MD5
f6f497a13a06c1ea39a9e08a5ade4658

SHA1
ae73159a5693bea824dbd3b14ed7a7be0e75fbbb

SHA256
3fc55301587449323f057f42e950c00fda7dffd71eff977a6e7b512dd2c3ff4a

SHA512
6c2b28ad814529e8d96b556e5639500dbad5a2702bf30c00c83334493a190c01eba0ac659d131150273fb29912235c91eebe106e8e2c926c32db489861554f30

Download Submit
\Users\Admin\AppData\Local\Temp\minidownload.exe

Filesize
1.9MB

MD5
597f9ca8500bec75bb38b4f9f6791ed2

SHA1
7ae4b7ade92bb564773c2375a2320ae80d05d79a

SHA256
1404010700bd37999d7cf75f59b4beb001b6e688cabe5c18eb449485f62ce30e

SHA512
5ed92095910b760065317556f680ee12c71b963ef948ad22ed6dd27a1decdfd13c415481ad2a83b83ff00d56115f886eb4e5fcd82fd59ec351f5b6d30b137a82

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads