fbdf9c85d4c99bbe5eec727a83c28f7c868dc0e9c65e386593d530da48c9ec37

General

Target

fb7214eecb11c99ce6552115da5a7dbe_JaffaCakes118.exe
Size

11.4MB
MD5

fb7214eecb11c99ce6552115da5a7dbe
SHA1

7bc3cb5dde54816da5e54fc8d61ff8c2282384a2
SHA256

fbdf9c85d4c99bbe5eec727a83c28f7c868dc0e9c65e386593d530da48c9ec37
SHA512

1e9f6210d303363c4459c99261c009fe9b9a1d1f3b40b9ca6c9637a3adf62b95c3daa1e1ef20a4620bffc80aeb6c5e759d49c20bfeae99816214fe6b71b2c15d
SSDEEP

196608:UTwx42RPPBdebEm1iWWHc1SUX6apg3ZhncrJPm59vzgO8L1vsqFRUo7t/IbsCTMF:UaRPiGWW8sUtu/Am5q91vsqFRn5AACTI

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
3316	DFE0.tmp
4512	E109.tmp
1592	E149.tmp
2944	E149.tmp

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	E109.tmp

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3796	4512	WerFault.exe	83

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	E149.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fb7214eecb11c99ce6552115da5a7dbe_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DFE0.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	E109.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	E149.tmp

Modifies data under HKEY_USERS 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\chst	E149.tmp
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\chst	E149.tmp
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\chst	E149.tmp

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\SOFTWARE\Microsoft\chst	E149.tmp
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\SOFTWARE	E149.tmp
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\SOFTWARE\Microsoft	E149.tmp

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	4512	E109.tmp
Token: SeRestorePrivilege	4512	E109.tmp
Token: SeDebugPrivilege	4512	E109.tmp

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2976 wrote to memory of 3316	2976	fb7214eecb11c99ce6552115da5a7dbe_JaffaCakes118.exe	82
PID 2976 wrote to memory of 3316	2976	fb7214eecb11c99ce6552115da5a7dbe_JaffaCakes118.exe	82
PID 2976 wrote to memory of 3316	2976	fb7214eecb11c99ce6552115da5a7dbe_JaffaCakes118.exe	82
PID 3316 wrote to memory of 4512	3316	DFE0.tmp	83
PID 3316 wrote to memory of 4512	3316	DFE0.tmp	83
PID 3316 wrote to memory of 4512	3316	DFE0.tmp	83
PID 3316 wrote to memory of 1592	3316	DFE0.tmp	84
PID 3316 wrote to memory of 1592	3316	DFE0.tmp	84
PID 3316 wrote to memory of 1592	3316	DFE0.tmp	84

C:\Users\Admin\AppData\Local\Temp\fb7214eecb11c99ce6552115da5a7dbe_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fb7214eecb11c99ce6552115da5a7dbe_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2976
- C:\Users\Admin\AppData\Local\Temp\DFE0.tmp
  "C:\Users\Admin\AppData\Local\Temp\DFE0.tmp"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3316
- - C:\Users\Admin\AppData\Local\Temp\E109.tmp
    "C:\Users\Admin\AppData\Local\Temp\E109.tmp"
    3⤵
    - Executes dropped EXE
    - Writes to the Master Boot Record (MBR)
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:4512
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4512 -s 720
      4⤵
      Program crash
      PID:3796
- - C:\Users\Admin\AppData\Local\Temp\E149.tmp
    "C:\Users\Admin\AppData\Local\Temp\E149.tmp" "install"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1592

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4512 -ip 4512
1⤵
PID:456

C:\Users\Admin\AppData\Local\Temp\E149.tmp
"C:\Users\Admin\AppData\Local\Temp\E149.tmp" run
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
- Modifies registry class
PID:2944

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DFE0.tmp

Filesize
11.0MB

MD5
c006fcfc62173e8ac6827a5025f678d3

SHA1
a6a76d1befb4ee790c811f0642a9a12b3b7f0e14

SHA256
bb58c097f36c6e96cf0dafdb4557992f8eb0a2bb1d5c856c35907d20911963f1

SHA512
51489df0509f72f148b9711298efa74aa9ccf3a92afc07e8ece459c259e6fc46cdbb48687c7a16b5aa48a9f934dce1b4de80e17e4cf4a672a684e383e962514a

Download Submit
C:\Users\Admin\AppData\Local\Temp\E109.tmp

Filesize
10.3MB

MD5
0d8eb61ecf3590b0cb0d427db63c6ff6

SHA1
ba3dd549b2ab45dceeabd8764ac2c3089a68c170

SHA256
30263f4dcc098daa7749e1c30112380396becf6450cf7edc2abb5dc4099c42b3

SHA512
246f6dfa7c111da219840172f47057d7924c6dc449c3dac6345cb94c9cbfb5e0e531999a7e14e890b16046055d492a5ce029aedb9d1ceba7e13c08288f3fa179

Download Submit
C:\Users\Admin\AppData\Local\Temp\E149.tmp

Filesize
324KB

MD5
bf9f6045d47dd87ae6d41fc7b5485506

SHA1
462184bdd3c143f70ff7e9553966cb3d63b7cd12

SHA256
f4cc03a26f2d13a41a86da8629b5d5c80a9ea586b6ba044e952b1972ab013440

SHA512
bce57892b7cc2f44dae9eed0113530775f64e16d2846e6f08b10d76b9829e0885a94d816bf84d20ee5751ae3d3c536b6a9e6a75b4f95197d6317b032a839b605

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads