462d7f464400677a6c746363e9b64895442a24dcb8a4b951609dce3aa635a0b9

Reason

Machine shutdown

General

Target

f653945662ad61108c61c654f473b4d7_JaffaCakes118.exe
Size

99KB
MD5

f653945662ad61108c61c654f473b4d7
SHA1

f29fc3bbaebcea2752e247b317ca582d51715c9d
SHA256

462d7f464400677a6c746363e9b64895442a24dcb8a4b951609dce3aa635a0b9
SHA512

0842972831a6b9508f870b3a194b9fcfbad3565f533066a193553a4a07d1b1db96493dbbe702b9f75b78f8d0671082d1f59756bdd825283abb921cc491d1f67c
SSDEEP

3072:BixUnJoxphJ7dGz8K5uFd5Y7+CVukbkmJjbux7i9:BixqoxL1HKEFG

Score

7^/10

bootkit discovery persistence

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1932	x2z8.exe

Executes dropped EXE 2 IoCs

pid	Process
2132	x2z8.exe
1932	x2z8.exe

Loads dropped DLL 3 IoCs

pid	Process
2572	f653945662ad61108c61c654f473b4d7_JaffaCakes118.exe
2572	f653945662ad61108c61c654f473b4d7_JaffaCakes118.exe
2132	x2z8.exe

Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PHYSICALDRIVE0	f653945662ad61108c61c654f473b4d7_JaffaCakes118.exe
File opened for modification	\??\PHYSICALDRIVE0	x2z8.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2064 set thread context of 2572	2064	f653945662ad61108c61c654f473b4d7_JaffaCakes118.exe	30
PID 2132 set thread context of 1932	2132	x2z8.exe	32

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	x2z8.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f653945662ad61108c61c654f473b4d7_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f653945662ad61108c61c654f473b4d7_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	x2z8.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1932	x2z8.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2064 wrote to memory of 2572	2064	f653945662ad61108c61c654f473b4d7_JaffaCakes118.exe	30
PID 2064 wrote to memory of 2572	2064	f653945662ad61108c61c654f473b4d7_JaffaCakes118.exe	30
PID 2064 wrote to memory of 2572	2064	f653945662ad61108c61c654f473b4d7_JaffaCakes118.exe	30
PID 2064 wrote to memory of 2572	2064	f653945662ad61108c61c654f473b4d7_JaffaCakes118.exe	30
PID 2064 wrote to memory of 2572	2064	f653945662ad61108c61c654f473b4d7_JaffaCakes118.exe	30
PID 2064 wrote to memory of 2572	2064	f653945662ad61108c61c654f473b4d7_JaffaCakes118.exe	30
PID 2572 wrote to memory of 2132	2572	f653945662ad61108c61c654f473b4d7_JaffaCakes118.exe	31
PID 2572 wrote to memory of 2132	2572	f653945662ad61108c61c654f473b4d7_JaffaCakes118.exe	31
PID 2572 wrote to memory of 2132	2572	f653945662ad61108c61c654f473b4d7_JaffaCakes118.exe	31
PID 2572 wrote to memory of 2132	2572	f653945662ad61108c61c654f473b4d7_JaffaCakes118.exe	31
PID 2132 wrote to memory of 1932	2132	x2z8.exe	32
PID 2132 wrote to memory of 1932	2132	x2z8.exe	32
PID 2132 wrote to memory of 1932	2132	x2z8.exe	32
PID 2132 wrote to memory of 1932	2132	x2z8.exe	32
PID 2132 wrote to memory of 1932	2132	x2z8.exe	32
PID 2132 wrote to memory of 1932	2132	x2z8.exe	32

C:\Users\Admin\AppData\Local\Temp\f653945662ad61108c61c654f473b4d7_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f653945662ad61108c61c654f473b4d7_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2064
- C:\Users\Admin\AppData\Local\Temp\f653945662ad61108c61c654f473b4d7_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\f653945662ad61108c61c654f473b4d7_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - Writes to the Master Boot Record (MBR)
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2572
- - C:\Users\Admin\AppData\Local\Temp\x2z8.exe
    C:\Users\Admin\AppData\Local\Temp\\x2z8.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2132
  - - C:\Users\Admin\AppData\Local\Temp\x2z8.exe
      "C:\Users\Admin\AppData\Local\Temp\x2z8.exe"
      4⤵
      Deletes itself
      Executes dropped EXE
      Writes to the Master Boot Record (MBR)
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:1932

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
1⤵
PID:568

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x1
1⤵
PID:2608

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\fpath.txt

Filesize
84B

MD5
c3632cd9e387cab56bf7e14749ec4329

SHA1
b8af787e436df5ced3f0eb23ebd64719a8abb65f

SHA256
35f5a078950ee6ec2348c4991b5a5ae47661ec6f8daf388d21138d837edcd85f

SHA512
b72bbbbc1365645cb7044cc49d68e1e545b37b816af18bc3d341d13a6551452a3f9ddfe6b2d5ee33d6a3265a8081a2750fb0dd128eda7c72e70ab78c1d1c399e

Download Submit
\Users\Admin\AppData\Local\Temp\x2z8.exe

Filesize
99KB

MD5
f653945662ad61108c61c654f473b4d7

SHA1
f29fc3bbaebcea2752e247b317ca582d51715c9d

SHA256
462d7f464400677a6c746363e9b64895442a24dcb8a4b951609dce3aa635a0b9

SHA512
0842972831a6b9508f870b3a194b9fcfbad3565f533066a193553a4a07d1b1db96493dbbe702b9f75b78f8d0671082d1f59756bdd825283abb921cc491d1f67c

Download Submit
memory/568-29-0x0000000002D90000-0x0000000002D91000-memory.dmp

Filesize
4KB

Download
memory/1932-28-0x000000002AA00000-0x000000002AA04000-memory.dmp

Filesize
16KB

Download
memory/2064-4-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2132-25-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2572-3-0x000000002AA00000-0x000000002AA04000-memory.dmp

Filesize
16KB

Download
memory/2572-1-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2572-0-0x000000002AA00000-0x000000002AA04000-memory.dmp

Filesize
16KB

Download
memory/2572-6-0x000000002AA00000-0x000000002AA04000-memory.dmp

Filesize
16KB

Download
memory/2572-9-0x000000002AA00000-0x000000002AA04000-memory.dmp

Filesize
16KB

Download

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads