dc696166a1498d36a7312e72e5624ffc46a7c9dad1928a1fdc370ca4c2a281f9

General

Target

efc42e175a538761ca5dd54e75ec728a_JaffaCakes118.exe
Size

1.3MB
MD5

efc42e175a538761ca5dd54e75ec728a
SHA1

6935b1d26a5a34207aeb0d885dd4c6837bd754bb
SHA256

dc696166a1498d36a7312e72e5624ffc46a7c9dad1928a1fdc370ca4c2a281f9
SHA512

e23db782548fabfeba888abe663874c41083baddeb5fb3cc672858925abf9c0a9f63eabf2d1ceaa8a37d2b502015cd6b4e10143fe45d5175f70773189a211b63
SSDEEP

24576:85QIzHyuhiDyrPlS4gkwDrp4XAx+hwrywTEdoj:85p6iPYnpqAx+hMywTEdoj

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2896	12.exe
340	EntSver.exe

Loads dropped DLL 2 IoCs

pid	Process
2756	efc42e175a538761ca5dd54e75ec728a_JaffaCakes118.exe
2756	efc42e175a538761ca5dd54e75ec728a_JaffaCakes118.exe

Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	12.exe
File opened for modification	\??\PhysicalDrive0	EntSver.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\EntSver.exe	12.exe
File opened for modification	C:\Windows\EntSver.exe	12.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	efc42e175a538761ca5dd54e75ec728a_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DllHost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	12.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EntSver.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2896	12.exe
Token: SeDebugPrivilege	340	EntSver.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2960	DllHost.exe
340	EntSver.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2756 wrote to memory of 2896	2756	efc42e175a538761ca5dd54e75ec728a_JaffaCakes118.exe	31
PID 2756 wrote to memory of 2896	2756	efc42e175a538761ca5dd54e75ec728a_JaffaCakes118.exe	31
PID 2756 wrote to memory of 2896	2756	efc42e175a538761ca5dd54e75ec728a_JaffaCakes118.exe	31
PID 2756 wrote to memory of 2896	2756	efc42e175a538761ca5dd54e75ec728a_JaffaCakes118.exe	31
PID 340 wrote to memory of 1980	340	EntSver.exe	33
PID 340 wrote to memory of 1980	340	EntSver.exe	33
PID 340 wrote to memory of 1980	340	EntSver.exe	33
PID 340 wrote to memory of 1980	340	EntSver.exe	33

C:\Users\Admin\AppData\Local\Temp\efc42e175a538761ca5dd54e75ec728a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\efc42e175a538761ca5dd54e75ec728a_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2756
- C:\Users\Admin\AppData\Local\Temp\12.exe
  "C:\Users\Admin\AppData\Local\Temp\12.exe"
  2⤵
  - Executes dropped EXE
  - Writes to the Master Boot Record (MBR)
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2896

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
PID:2960

C:\Windows\EntSver.exe
C:\Windows\EntSver.exe
1⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:340
- C:\Program Files\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
  2⤵
  PID:1980

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\12.exe

Filesize
493KB

MD5
bb98d4d382d80bd4795af979362c99d9

SHA1
d61db6edbbfb72a4cc9d9e27717e58df6d26f406

SHA256
13302c94a7764111f6e73219299d01760477062e43a65b29fd9d1b27db1793ff

SHA512
da352dd73247f002050a8da578d21caec1b508057ef8031085d8f60881b0b299e327379a2da0df04157a19e549b8471ea347e327586bf4810570fc8b0f394128

Download Submit
C:\Users\Admin\AppData\Local\Temp\°²È«ÖÐ¹ú.jpg

Filesize
221KB

MD5
f6282ea4de8957d31b9085ce39cf5b8b

SHA1
f5b433cbc682a6eb32c3241da9265571bd582350

SHA256
8feaf8650f8f9bf05136c89fd5ea086e49ea4eb4ab9414cc0242a65733c98c46

SHA512
32c965b3a3fd144026c9a6b1ce82c86b67be3cbf93c1748f924b6a24880c6f6bb6009be3a8fc8767b227e04c3b8cda165603db7c237afd641d95357ef25f3e5a

Download Submit
memory/340-21-0x0000000000400000-0x00000000004F4000-memory.dmp

Filesize
976KB

Download
memory/340-25-0x0000000000400000-0x00000000004F4000-memory.dmp

Filesize
976KB

Download
memory/2756-0-0x00000000002A0000-0x00000000002A1000-memory.dmp

Filesize
4KB

Download
memory/2756-2-0x0000000003560000-0x0000000003562000-memory.dmp

Filesize
8KB

Download
memory/2756-14-0x0000000000400000-0x0000000000494000-memory.dmp

Filesize
592KB

Download
memory/2896-15-0x0000000000400000-0x00000000004F4000-memory.dmp

Filesize
976KB

Download
memory/2896-23-0x0000000000400000-0x00000000004F4000-memory.dmp

Filesize
976KB

Download
memory/2960-3-0x0000000000220000-0x0000000000222000-memory.dmp

Filesize
8KB

Download
memory/2960-6-0x00000000002A0000-0x00000000002A1000-memory.dmp

Filesize
4KB

Download
memory/2960-24-0x00000000002A0000-0x00000000002A1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads