3553aa7e83e87919a72e05f8a53768dffec148e7111e28140a18bf12230a3b78

General

Target

fafa9346ee31a637ba8e51f98c501e95_JaffaCakes118.exe
Size

1.5MB
MD5

fafa9346ee31a637ba8e51f98c501e95
SHA1

575989e05e18af476ef7ab26d3557118fcc35d84
SHA256

3553aa7e83e87919a72e05f8a53768dffec148e7111e28140a18bf12230a3b78
SHA512

30c71355e3acbf59880efe044254e7e527c964d0cc06d41d7348871e51702a13c386986b6745ec20e92b3017d93cf3e68d2ae15081e896f1d4c3d51d4000ef27
SSDEEP

49152:h/b9j1ab2fxibvDy79yE4T5W9SNvBlF4LP6:BfcLDyBf4T5VSLP6

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
2964	1.exe
2512	GW.exe
2096	asdew

Loads dropped DLL 5 IoCs

pid	Process
2072	fafa9346ee31a637ba8e51f98c501e95_JaffaCakes118.exe
2072	fafa9346ee31a637ba8e51f98c501e95_JaffaCakes118.exe
2072	fafa9346ee31a637ba8e51f98c501e95_JaffaCakes118.exe
2512	GW.exe
2512	GW.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	GW.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2072-0-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/memory/2072-15-0x0000000000400000-0x000000000041C000-memory.dmp	upx

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\asdew	1.exe
File opened for modification	C:\Windows\asdew	1.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	asdew
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fafa9346ee31a637ba8e51f98c501e95_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	GW.exe

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main	GW.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	GW.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	GW.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2512	GW.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2964	1.exe
Token: SeDebugPrivilege	2096	asdew

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
2096	asdew
2512	GW.exe
2512	GW.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
2512	GW.exe
2512	GW.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2512	GW.exe
2512	GW.exe
2512	GW.exe
2512	GW.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2072 wrote to memory of 2512	2072	fafa9346ee31a637ba8e51f98c501e95_JaffaCakes118.exe	30
PID 2072 wrote to memory of 2512	2072	fafa9346ee31a637ba8e51f98c501e95_JaffaCakes118.exe	30
PID 2072 wrote to memory of 2512	2072	fafa9346ee31a637ba8e51f98c501e95_JaffaCakes118.exe	30
PID 2072 wrote to memory of 2512	2072	fafa9346ee31a637ba8e51f98c501e95_JaffaCakes118.exe	30
PID 2072 wrote to memory of 2964	2072	fafa9346ee31a637ba8e51f98c501e95_JaffaCakes118.exe	31
PID 2072 wrote to memory of 2964	2072	fafa9346ee31a637ba8e51f98c501e95_JaffaCakes118.exe	31
PID 2072 wrote to memory of 2964	2072	fafa9346ee31a637ba8e51f98c501e95_JaffaCakes118.exe	31
PID 2072 wrote to memory of 2964	2072	fafa9346ee31a637ba8e51f98c501e95_JaffaCakes118.exe	31
PID 2096 wrote to memory of 2704	2096	asdew	33
PID 2096 wrote to memory of 2704	2096	asdew	33
PID 2096 wrote to memory of 2704	2096	asdew	33
PID 2096 wrote to memory of 2704	2096	asdew	33

C:\Users\Admin\AppData\Local\Temp\fafa9346ee31a637ba8e51f98c501e95_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fafa9346ee31a637ba8e51f98c501e95_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2072
- C:\Users\Admin\AppData\Local\Temp\Temp\GW.exe
  "C:\Users\Admin\AppData\Local\Temp\Temp\GW.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Writes to the Master Boot Record (MBR)
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:2512
- C:\Users\Admin\AppData\Local\Temp\Temp\1.exe
  "C:\Users\Admin\AppData\Local\Temp\Temp\1.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2964

C:\Windows\asdew
C:\Windows\asdew
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2096
- C:\Program Files\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
  2⤵
  PID:2704

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Temp\1.exe

Filesize
743KB

MD5
7d153caf9c0130fa952cd36a62623909

SHA1
9f958c4c1d65678d299b161ba782fdfc300fd834

SHA256
04fbdfc6a47e91d5a8a3695754675a334c5ca75eea741559f8cf0db4c09292c6

SHA512
6d2b62252f2513a046ecaa8eb2163aca576998cc54f5d5627e34a534ab1f29b1ae7c911fa57a90d21ce4002146087a01a652421e0ea008c4c542450502609fd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp\GW.exe

Filesize
1.1MB

MD5
90e46775bc42a8f8bb80778e425c20d2

SHA1
d90b797f146a69f034d69cf059e864a13e0d1c94

SHA256
d03a65abea494e5bc1c909f3586cd9781b81f2f7d84bf934a578c751ff31d4d3

SHA512
a0847d3a9e35cbc8bf1d85d1efa114bc355709fa19b35dd1947a0cf977a7b8025946978a613eb85a4f8958836c570a3e46084aa7a64e15744d7de75aaedacf4b

Download Submit
\Users\Admin\AppData\Local\Temp\win333.nls

Filesize
287KB

MD5
a3344fbc6a9fc1814e2ccf8771180e7d

SHA1
1009f81ed3d9515b8174403094255046439d7fa0

SHA256
7799a4f5504816d45f798e4f7c66d5d3921221f405d85171ce39ec2506f099fe

SHA512
ad2fca26f0c79db461ed0f88f38227cf465737b03efc5140b9366ab8f3f9463c12f69c6f0595fa8fffb9693f810d87cca7114f142b0acb8caed858e2d17c86af

Download Submit
\Users\Admin\AppData\Local\Temp\win342.nls

Filesize
94KB

MD5
c17a46e454298e1ac81114c017748a95

SHA1
1c470d16cf5df3c29132102b6148c756d0568c01

SHA256
e666ea0f1861e2bc367b82297b856b51ba03b7ac1376dc23a86d4115d041d162

SHA512
6ffbc56b640e43ecdf232b22f99c9024102cda261be04a107a8dfabc5326f462d5f0353e5212903837943247faeff7762158636f01ed85f7dbb403eba64593ac

Download Submit
memory/2072-0-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2072-16-0x0000000002D50000-0x000000000302E000-memory.dmp

Filesize
2.9MB

Download
memory/2072-15-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2096-46-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/2512-19-0x0000000000400000-0x00000000006DE000-memory.dmp

Filesize
2.9MB

Download
memory/2512-55-0x0000000000400000-0x00000000006DE000-memory.dmp

Filesize
2.9MB

Download
memory/2964-20-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/2964-26-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads